Information leakage from multiple important departments of China Railway Construction via intranet roaming (Redis + ssh-keygen password-less login case)
What sparks fly when Redis meets ssh?
http://antirez.com/news/96
http://zone.wooyun.org/content/23759
Roaming China Railway Construction's internal network compromised multiple important departments, including Hikvision cameras, an Alibaba Cloud Security web page tamper-proofing system, and multiple Huawei firewalls ....
I am still learning intranet penetration, so I am writing notes as I go ..
Everything starts here ....
IP: **.** China Railway Construction Blue Letter (Lanxin) system
The server has port 6379 open, the default Redis port. The instance requires no authentication and accepts remote connections.
The usual idea is to find the physical path of the website and then drop a webshell by saving the database there. The physical path could not be found, but the port scan showed that ssh (port 22) is open on the server, so a shell can be obtained with the method described in the first link above.
First, use ssh-keygen to generate a private/public key pair. Once the public key is copied to the remote machine, you can log on to it with ssh using the key instead of a password.
The red circle marks the generated public key. We only need to write this public key into the "/root/.ssh/" directory of the target server under the name authorized_keys. After that, we can log on to the target server directly without entering a user name and password.
But how do you copy a file through Redis? In fact, you only need to copy the content of id_rsa.pub. See the figure for details.
First, let's look at the content of id_rsa.pub.
We only need to save that content, in the same way a one-line webshell is written via a database backup, into the /root/.ssh/ directory. Of course, the backup file name must be changed to authorized_keys. It is best to add a blank line (a space and a newline) before and after the public key content, otherwise the other contents of the database seem to interfere.
PS (then I found that I was not the first one in, because the backup location and file name were already the same, and it contained an earlier public key. I only replaced it when I came in, following the earlier article written by a foreigner. Later, when I tested again, the public key had been replaced again. It's hard to continue this way. So, without permission, I set a Redis password of hamapi, so don't hit me ...) Redis sets the password with config set requirepass test123, and queries it with config get requirepass.
After saving the file with the save command, you can log on remotely through ssh without a password.
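A defender-side check for the technique described above, added here as an example (not code from the original write-up): it flags an authorized_keys file that carries the RDB dump header and binary bytes a Redis save leaves behind, and audits the redis.conf settings that make the write possible. The sample file contents and config fragments are constructed, and the requirepass value is a placeholder.

```python
import re

RDB_MAGIC = b"REDIS"  # every Redis RDB dump starts with this magic string
KEY_RE = re.compile(rb"(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp\d+) [A-Za-z0-9+/=]+")


def analyze_authorized_keys(data: bytes) -> dict:
    """Inspect raw authorized_keys bytes for signs they were written by Redis SAVE."""
    # sshd tolerates junk lines, so a key embedded in an RDB dump still works;
    # the dump header and non-printable bytes are what give it away.
    binary = sum(1 for b in data if b not in (9, 10, 13) and (b < 32 or b > 126))
    keys = [m.group(0).decode() for m in KEY_RE.finditer(data)]
    rdb_header = data.startswith(RDB_MAGIC)
    return {"rdb_header": rdb_header, "binary_bytes": binary, "keys": keys,
            "suspicious": rdb_header or binary > 0}


def audit_redis_conf(conf: str) -> list:
    """Flag redis.conf settings that let an unauthenticated client SAVE anywhere."""
    settings = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key.lower()] = value.strip()
    issues = []
    if not settings.get("requirepass"):
        issues.append("no requirepass: anyone can run CONFIG SET dir/dbfilename and SAVE")
    if settings.get("bind", "0.0.0.0") in ("0.0.0.0", "*"):  # no bind = all interfaces
        issues.append("bind is unrestricted: port 6379 is reachable from outside")
    if settings.get("protected-mode", "yes") != "yes":
        issues.append("protected-mode disabled")
    return issues


# Constructed samples: an RDB-wrapped key as SAVE would write it, and a clean file.
RDB_SAMPLE = (b"REDIS0006\xfe\x00\x00\x01x\x0f\n\n"
              b"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed attacker@host\n\n\xff\x01\x02")
CLEAN_SAMPLE = b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGjconstructed admin@example\n"
WEAK_CONF = "port 6379\n# no requirepass, no bind\nprotected-mode no\n"
HARDENED_CONF = "port 6379\nbind 127.0.0.1\nprotected-mode yes\nrequirepass CHANGE-ME-placeholder\n"

if __name__ == "__main__":
    print(analyze_authorized_keys(RDB_SAMPLE))
    print(audit_redis_conf(WEAK_CONF), audit_redis_conf(HARDENED_CONF))
```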
Now that we have ssh with root permission on the intranet, how do we continue?
Establish a SOCKS5 tunnel through ssh, then configure proxychains locally to continue the intranet penetration.
Ssh creates the SOCKS5 tunnel with: ssh -f -N -D **.**:7777 root@**.**.**.**
Next, we scan the intranet segment, collect information, and then combine weak passwords with the China Railway Construction account passwords already published on wooyun.
After a simple test, the results are listed directly.
1. First, the MySQL account and password on the jump server are leaked, and external connections are allowed, which leaks a large amount of information.
   **.** MySQL account lanxin, password crcc_t20150428
2. Several other Linux servers also run Redis with empty passwords, so remote ssh can be obtained in the same way.
   Affected servers:
   **.**.**.**:6379
   **.**.**.**:6379
   **.**.**.**:6379
   **.**.**.**:6379
   **.**.**.**:6379
   **.**.**.**:6379
3. **.** Tomcat weak password admin; server compromised
4. **.**.**.**40 admin 123456
   Hikvision camera; no plug-in installed, so the feed can't be viewed ,..
5. China Railway Construction collaborative management system **.**:8080, weak-password accounts yuangy, wanggx, yangling, lixiaohong; all passwords are 123456
   Address book
   Work management system .....
6. **.** Weak password sunps / 123456 in the enterprise production plan statistics management system
7. http://**.**64 Security risk check system, weak password libin / 123456
8. Weak passwords on multiple Huawei SUG5530 firewalls
   **.** Weak password admin@123
   This is a little dangerous ..
9. **.**:8080 China Railway Construction project information system, weak passwords: 123456789 1234561 1234567758521 123456987654321 123456 lili 123456 yangling 12345611 123456 andy 1234569 123456
10. http://**.**51:8080/admin Blue Shield web page tamper-proofing system
    Threatens the security of the main site and other sites:
    China Railway Construction-CN
    China-Africa
    Iron City Supervisor
    Tie Jian Youth Network
    Tie Jian Finance
    International Group
    China Tie Jian-EN
11. Weak Apusic password http://**.**31:6890/admin/protected/index.jsp admin
12. Others
    Weak FTP password **.**6
    **.** oracle 123456
    **.**32 oracle
    Hidden danger sampling system **.**/login.do?ReqCode=init libin 123456
Solution:
Tired .. Sleepy. Sleeping ..