A misconfigured service at Tongcheng Tourism allows getshell, entry into the intranet, and leakage of the intranet structure.
http://61.155.159.159/cacti/
Cacti system
61.155.159.159 FTP allows login with a blank password
ftp> ls
229 Entering Extended Passive Mode (|||12888|)
150 Opening ASCII mode data connection for file list
-rw-r--r-- 1 root root 653445 Jun 26 2014 6.7-nconf-tianyan-memcached.20140626.tgz
drwxr-xr-x 2 root root 4096 Jun 17 2014 AUTO
drwxr-x--- 5 mysql yunwei 4096 Jun 27 2014 DBI-1.609
-rw-r--r-- 1 root root 510309 Feb 25 2014 DBI-1.609.tar.gz
drwxr-xr-x 3 root root 4096 Jun 17 2014 FTP
drwxr-xr-x 3 ftp ftp 4096 Dec 26 02:01 ftp
-rw-r--r-- 1 root root 0 Dec 25 22:59 move_log.log
-rw-r--r-- 1 root root 441 Jan 22 2013 my.cnf
-rw-r--r-- 1 root root 23595610 Jun 17 2014 mysql-5.5.3-m3.tar.gz
drwxr-xr-x 5 1000 1000 4096 Jun 27 2014 mysqlsla-2.03
-rw-r--r-- 1 root root 33674 Nov 11 2008 mysqlsla-2.03.tar.gz
226 Transfer complete
ftp> ls ftp
229 Entering Extended Passive Mode (|||50775|)
150 Opening ASCII mode data connection for file list
-rw-r--r-- 1 ftp ftp 137364 Jan 16 2014 DBD-mysql-4.026.tar.gz
-rw-r--r-- 1 ftp ftp 1643615 Dec 11 2013 cacti-20131211160701.sql.gz
drwxr-xr-x 6 1000 users 4096 Jun 18 2014 cacti-spine-0.8.7g
-rw-r--r-- 1 ftp ftp 592801 Jul 9 2010 cacti-spine-0.8.7g.tar.gz
-rw-r--r-- 1 ftp ftp 7200529 Aug 30 2013 httpd-2.2.22.tar.gz
-rw-r--r-- 1 ftp ftp 4716070 Sep 5 2013 libiconv-1.13.1.tar.gz
-rw-r--r-- 1 ftp ftp 1335178 Sep 5 2013 libmcrypt-2.5.8.tar.gz
-rw-r--r-- 1 ftp ftp 471915 Sep 5 2013 mcrypt-2.6.8.tar.gz
-rw-r--r-- 1 ftp ftp 931437 Sep 5 2013 mhash-0.9.9.9.tar.gz
-rw-r--r-- 1 ftp ftp 23595610 Sep 4 2013 mysql-5.5.3-m3.tar.gz
-rw-r--r-- 1 ftp ftp 5955981 Jul 19 2012 net-snmp-5.6.2.tar.gz
-rw-r--r-- 1 ftp ftp 201339 Sep 5 2013 php-5.2.17-fpm-0.5.14.diff.gz
-rw-r--r-- 1 ftp ftp 11801597 Sep 5 2013 php-5.2.17.tar.gz
-rw-r--r-- 1 ftp ftp 1345477 Jul 5 2010 rrdtool-1.4.4.tar.gz
226 Transfer complete
ftp>
Download the cacti-20131211160701.sql.gz file.
Crack the admin password from the dump: cacti@17u
After logging in, use Cacti's command execution to get a shell.
The Cacti system monitors most of the important internal O&M systems.
Together with Nagios and Zabbix, Cacti is an essential part of intranet monitoring.
The local MySQL also has a nagios database, which likewise contains the intranet structure.
View the local configuration:
/usr/local/nagios/etc/nrpe.cfg
Locate the Nagios server:
allowed_hosts=127.0.0.1,61.155.159.159,172.16.6.7,61.155.159.211,192.168.2.211
127.0.0.1, 61.155.159.159 and 172.16.6.7 are the local machine.
61.155.159.211 and 192.168.2.211 are the Nagios machine.
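As an added defensive example (not code from the report), the following Python audit reads an nrpe.cfg, classifies each allowed_hosts entry against the local addresses and monitoring servers identified above, and flags any unknown or subnet-wide entry; the config text is a constructed sample built around the quoted line, and dont_blame_nrpe is an NRPE option the report itself does not mention.

```python
import ipaddress

# Constructed nrpe.cfg fragment: the allowed_hosts line is the one quoted in
# the report, the other keys are sample values.
SAMPLE_NRPE_CFG = """\
# NRPE configuration (constructed sample)
server_port=5666
allowed_hosts=127.0.0.1,61.155.159.159,172.16.6.7,61.155.159.211,192.168.2.211
dont_blame_nrpe=0
"""

def parse_nrpe_cfg(text):
    """Return key -> value for the non-comment key=value lines of an nrpe.cfg."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg

def audit_allowed_hosts(cfg, local_addrs, monitoring_servers):
    """Sort allowed_hosts entries into 'local', 'monitoring' and 'unexpected'.

    Entries may be single hosts or (in newer NRPE) subnets; any subnet wider
    than one host, any hostname, and any address outside the two known sets
    is reported as unexpected so a defender can review it."""
    result = {"local": [], "monitoring": [], "unexpected": []}
    for raw in cfg.get("allowed_hosts", "").split(","):
        entry = raw.strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            result["unexpected"].append(entry)   # hostname or malformed entry
            continue
        addr = str(net.network_address)
        if net.num_addresses > 1:
            result["unexpected"].append(entry)   # whole subnet: too broad
        elif addr in local_addrs:
            result["local"].append(entry)
        elif addr in monitoring_servers:
            result["monitoring"].append(entry)
        else:
            result["unexpected"].append(entry)
    return result

def audit_nrpe(text, local_addrs, monitoring_servers):
    cfg = parse_nrpe_cfg(text)
    report = audit_allowed_hosts(cfg, local_addrs, monitoring_servers)
    # dont_blame_nrpe=1 lets allowed hosts pass arguments to check commands,
    # which widens what a compromised monitoring server can do; flag it.
    report["args_enabled"] = cfg.get("dont_blame_nrpe") == "1"
    return report
```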
Accessing the local Nagios web app requires HTTP 401 (basic) authentication.
The Nagios password can be guessed from the Cacti password:
nagios/nagios@17u
With that, every Nagios host falls the same way.
So how many intranet systems would the xxxx@17u pattern unlock?
Fix:
Disable unauthenticated access and use strong intranet passwords.