One successful test of Sohu and sogou Intranet roaming

Source: Internet
Author: User

0x01:

During early tests on the sohu network, a large number of sohu IP addresses were collected. For the specifics, refer to my previous cases. This is not the focus here.

0x02:

I performed in-depth mining based on the collected IP addresses and obtained the following IP address:

220.181.61.204. It actually corresponds to the domain name app.m.tv.sohu.com (which was also confirmed later).

At that time, regular file leaks and other vulnerabilities were not found during forum mining.

However, when we tested uc_server for weak passwords, we found that the founder's password was 123456789.

The uc_server backend on this IP address was successfully entered:

After getting into the backend, I tried to submit it. However, if I didn't try to dig deeper, how could I know what kind of result I would get? This is also the constant encouragement from Jianxin and crazy dogs.

0x03:

After uc_server is taken down, the Administrator's password can be reset. I reset the Administrator's password here (judging by the file operations, this site has indeed been discarded; the testing process should be conducted without affecting any business as much as possible). With the reset administrator password, I logged on to the discuz backend.

0x04:

At that time, I tried the getshell method for the discuz backend that had been publicly disclosed on wooyun, and the results were not satisfactory. So I began in-depth research and local tests, and found that the discuz backend getshell of the fish in the south of the Yangtze River has some problems at this point: http://wooyun.org/bugs/wooyun-2010-045677

The test result of the fish in the south of the Yangtze River was .html generation, but I did not find it on the website. So I started to test .htm generation, and finally succeeded in getting a webshell on the site:

0x05:

With the webshell, the website has exceptional conditions, having both Intranet and Internet addresses, so I tried Intranet penetration. Due to security risks, I did not escalate permissions on the website and tested only with Apache permissions (in fact, a corresponding exp already exists for this Linux kernel).

A PHP proxy is enabled: http://zone.wooyun.org/content/11096

Build an nginx locally to connect to the Intranet:

0x06:

Because Sohu and sogou are connected via the Intranet, sogou was also caught in the crossfire:

Previously, Sohu's security staff told me that they wanted the Intranet IP addresses masked in the release, so I have also covered up the relevant information here. Of course, if you have any questions, feel free to PM me on QQ or by on-site message.

0x07:

Not only is the Intranet simple, but some key business systems also leak sensitive information through weak passwords and even unauthorized access. Details: see the proof of vulnerability.

Proof of vulnerability:

The webpage development department platform, including the tracking system:

Zabbix injection also exists:

Uno management system:

Sogou found:

It can cover a test in the online environment:

Sogou's feedback backend:

Zen Road:

I will not tell you that the Administrator account password here is a weak password:

The above system is still operating.

Sohu internal O&M system:

You can submit, modify, and edit online deployment:

That's all. I am only responsible for the disclosure process. Finally, if Sohu has any questions about this report, they can PM me. I will not be anonymous.
