A Sina intranet roaming (involving sensitive internal systems and part of the user data)
218.30.108.200
218.30.108.170
Both IP addresses host the Sina podcast backend management system.
Scanning the .170 address with a probe revealed the path.
On .200, trying to log on revealed an injection: ' or 1 = 1 # logs in successfully.
It seems a shell cannot be obtained after logging on, but the scanner found an admin.tar.gz.
Downloaded the source code.
A shell is obtained by auditing the source code.
// Vulnerable code from the podcast backend: both session values are read
// and then interpolated, unquoted, into the command string passed to exec().
$appr_userid = get_my_session('admin_id');
$appr_name = get_my_session('admin_name');
$filelog = "/data0/vshare/logs/44logs/delmd5logs/".date('Ymd')."_delvideomd5result.log";
exec("/usr/local/php/bin/php del_same_md5_video_with_vid.php {$vid} {$appr_userid} {$appr_name} >> {$filelog} &");
exec() is used and $appr_userid and $appr_name are interpolated into it. Setting the administrator name to malicious code is enough to get a shell. (The field is limited to 32 characters, but a shell was obtained in the end.)
After reading the configuration file, I found some of the podcast account data. Most of them have empty passwords; presumably they log on directly.
Estimated at more than 39000000 records.
The rssocks proxy is used to reach the intranet, and several IP ranges are accessible. When scanning the IP ranges I did not dare to use many threads for fear of being detected.
After scanning some systems, we found that many of them require a unified logon, and that logon uses the mailbox account and password. In other words, obtaining a mailbox password opens a breakthrough.
Searching the social-engineering database for the mailbox suffix matched a lot, as did the accounts and passwords in the system database.
A page listing many internal websites was scanned later. An internal forum running dz6 had a vulnerability, but it required logging on. After test/test logged on successfully, the administrator password was obtained and a backend plug-in was used to obtain a shell.
A large number of mailbox passwords are stored in the database. (Logging in via LDAP seems not to work.)
Cracking them one by one... login failed... more than 100 were cracked, and only one login succeeded.
With this one, many systems can be accessed. I also now know why so many accounts cannot log on: it turns out there is a password expiration mechanism.
With an address book to collect further accounts, more permissions could be obtained by brute force.
------------------------
The qingjia.erp.sina.com.cn system allows arbitrary uploads, but a shell could not be obtained for configuration reasons; it also leaks some source code (/application/config/app_config.php) and many intranet svn repositories.
I collected a lot of information from the Transaction Tracking System.
Using rsync as the keyword, some IP addresses were found.
Some of them appear to have no access restrictions.
A few of them:
10.75.1.80
10.13.0.158
10.13.0.157
10.73.14.46
10.75.1.80
10.73.14.45
10.55.40.32
10.75.1.80
There is some source code for the management system.
Some important business source code, even Weibo (though it appears to be an early version).
The source code contains a lot of database connection information and interfaces. I tried to connect, but it refused connections from this IP address.
I wanted to audit it but decided to let it go. Going any deeper would do even more harm.
Solution:
Enhanced filtering of the values that reach exec().
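As an added example (not code from the original report or from the podcast system), the exec() call shown above is placed beside a hardened build of the same command that implements the "enhanced filtering" fix; the function names, the sample ids and the sample administrator name are assumptions.

```php
<?php
// Added example, not code from the original report: the exec() call quoted
// above beside a hardened build of the same command. Function names and
// sample values are assumptions; see the lead-in.

// Vulnerable pattern, reproduced only to show what the shell would receive.
function build_command_unsafe(string $vid, string $appr_userid,
                              string $appr_name, string $filelog): string
{
    return "/usr/local/php/bin/php del_same_md5_video_with_vid.php "
        . "{$vid} {$appr_userid} {$appr_name} >> {$filelog} &";
}

// Hardened form: ids must be plain integers, the name must fit a tight
// whitelist and the 32-character field limit, and every argument goes
// through escapeshellarg() so metacharacters reach the script as data.
function build_command_safe(string $vid, string $appr_userid,
                            string $appr_name, string $filelog): string
{
    if (!ctype_digit($vid) || !ctype_digit($appr_userid)) {
        throw new InvalidArgumentException('vid and admin id must be numeric');
    }
    if (!preg_match('/^[A-Za-z0-9_.-]{1,32}$/', $appr_name)) {
        throw new InvalidArgumentException('admin name has disallowed characters');
    }
    return '/usr/local/php/bin/php del_same_md5_video_with_vid.php '
        . escapeshellarg($vid) . ' '
        . escapeshellarg($appr_userid) . ' '
        . escapeshellarg($appr_name)
        . ' >> ' . escapeshellarg($filelog) . ' &';
}

// Constructed sample input: an administrator name carrying a shell
// metacharacter, the kind of value the original code trusted blindly.
$vid     = '12345';
$uid     = '7';
$name    = 'admin; echo injected';
$filelog = '/data0/vshare/logs/44logs/delmd5logs/' . date('Ymd')
         . '_delvideomd5result.log';
// Unsafe: the ';' splits the line into two shell commands.
echo build_command_unsafe($vid, $uid, $name, $filelog), PHP_EOL;

// Safe: the whitelist rejects this name outright; a name that passes it
// would still be single-quoted, so the shell never interprets it.
try {
    echo build_command_safe($vid, $uid, $name, $filelog), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The same validation belongs at the point where the administrator name is written to the database, so that a 32-character field cannot hold shell syntax in the first place.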