Shen LAN software broadband Billing System Vulnerability

Source: Internet
Author: User
Tags: CVSS score

CVSS Score: (AV:R/AC:L/Au:NR/C:C/A:C/I:N/B:N) Score: 9.43 (maximum 10 points, high risk)
That is: remotely exploitable, low attack complexity, no user authentication required; complete impact on confidentiality and availability, no impact on integrity.
Technical difficulty coefficient: 1.0 (general; Google hacking is one of the main auxiliary methods for locating affected applications)
Impact hazard coefficient: 1.1 (general; affects the newly launched campus network management system)
Overall score: 9.43 * 1.0 * 1.1 = 10.37
CNVD original vulnerability certificate no.: CNVD-YCIW-201204078948 (available on the CNVD website)
 
 
This vulnerability stems from Shen LAN software's default password management and account maintenance practices ~

First, I obtained the system's backend password through some means, and then ~
 
A Shen LAN broadband billing deployment generally consists of three Linux servers: an authentication server, a database server, and a system log server. By default, the following services are reachable from any IP address: SSH remote access (port 22), the system management backend (port 80), the user management backend (port 8080), the database management interface (port 8899), the database connection port (port 3306), and the user self-service portal (port 8800).
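The exposure described above is easy to verify on the servers themselves. The following is an added example (not code from the write-up or from Shen LAN): it parses constructed `ss -ltn` style output, reports which of the management ports named above are reachable from outside an assumed admin subnet (10.10.0.0/24), and emits matching iptables rules. The port list and the "open to any IP" default come from the write-up; the subnet and the sample socket table are assumptions.

```python
import ipaddress

# Management services the write-up lists for a default deployment (port -> role);
# port 8800 (user self-service) is left out because it is user-facing by design.
MANAGEMENT_PORTS = {22: "ssh", 80: "system management backend",
                    8080: "user management backend", 3306: "mysql",
                    8899: "database management (phpMyAdmin)"}
# Assumed admin network for this example; substitute your own management subnet.
ADMIN_NET = ipaddress.ip_network("10.10.0.0/24")

# Constructed `ss -ltn` style output modelling the default exposure.
SS_OUTPUT = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:80          0.0.0.0:*
LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*
LISTEN 0      128    0.0.0.0:8899        0.0.0.0:*
LISTEN 0      80     0.0.0.0:3306        0.0.0.0:*
LISTEN 0      128    0.0.0.0:8800        0.0.0.0:*
LISTEN 0      128    127.0.0.1:9000      0.0.0.0:*
"""

def parse_listeners(text):
    """Return (bind_address, port) for every LISTEN line."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "LISTEN":
            addr, port = parts[3].rsplit(":", 1)
            out.append((addr, int(port)))
    return out

def find_exposed(listeners, allowed_sources):
    """Management ports reachable from outside ADMIN_NET. allowed_sources maps
    port -> source networks the host firewall permits; no entry means open to all."""
    exposed = []
    for addr, port in listeners:
        if port not in MANAGEMENT_PORTS or addr in ("127.0.0.1", "::1"):
            continue
        nets = [ipaddress.ip_network(n) for n in allowed_sources.get(port, [])]
        if nets and all(n.subnet_of(ADMIN_NET) for n in nets):
            continue  # already restricted to the admin network
        exposed.append((port, MANAGEMENT_PORTS[port]))
    return exposed

def suggest_rules(exposed):
    """iptables lines dropping traffic to each exposed port from outside ADMIN_NET."""
    return [f"iptables -A INPUT -p tcp --dport {p} ! -s {ADMIN_NET} -j DROP"
            for p, _ in exposed]
```

Binding the database and phpMyAdmin to the authentication server's address alone does not help if that address is itself reachable from everywhere; the source restriction has to sit in the firewall or in the service's own ACL.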
 
If the Srun3000 broadband billing system still uses its default password, you can log in and change its system settings.

http://target/login.php
 
(Most users have not changed the system's backend password. I tried a few, and I could only get into one.)
 
Then CNERT said the vulnerability was not universal.
I. Backend settings
http://target/login.php
 
The system's authentication consists of the authentication server and the database server. During a default installation, the administrator installs the web system and the MySQL database at the same time (or the software itself bundles the two). Administrators generally do not understand the configuration and assume that the database and its remote connections are bound to the authentication server (the web server), which would stop others from managing the database. Of course, some installations have no IP binding at all. But even where the IP address is bound, it can be bypassed when the default system password has not been changed: you only need to delete the bound IP address or add your own. What makes it worse is that the database name, user name (root or icc), database password and database server address are all stored in the system settings page. Right-clicking to view the page source shows the database password in plain text in the field's value attribute.
 
II. phpMyAdmin
http://target:8899
 
Open the phpMyAdmin interface and log in to the database with the username and password obtained above. The first password I obtained was for icc, whose privileges are not high. But now that the phpMyAdmin path is known, why not guess the root password? Well, the password really was easy to guess, and the root login succeeded (I later found that the log server also stores the root account password).
 
The information in the database is so exciting, you know ~
 
The passwords are hashed with MD5, but they are generally very simple, so after cracking the MD5 hash the admin password is easily obtained. At the same time, I found that the MySQL database has several built-in users, including ones with all privileges. I then tried using MySQL to export a one-line webshell, which exposed several absolute system paths:

/Srun3/php5/lib/php/
/Srun3/srun/phpMyAdmin/
/Srun3/srun/phpMyAdmin2/
/Srun3/srun/web/

The file could not be created during the export (sa permission). It seems the developers hardened the MySQL configuration, so the webshell export failed and a shell could not be uploaded.
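The weak point in this section is credential storage: bare, unsalted MD5 digests of simple passwords, which fall to a lookup as soon as the table is read. The following is an added example (not the billing system's code): it finds accounts still stored as raw MD5 in a constructed sample table, and shows a login routine that verifies a legacy MD5 record and transparently rewrites it as salted PBKDF2-SHA256 on the next successful login. The table layout, the user names and the sample passwords are assumptions.

```python
import hashlib
import hmac
import os
import re

PBKDF2_ROUNDS = 200_000
MD5_HEX = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample of an accounts table: bare unsalted MD5 digests of weak
# passwords, the storage scheme the write-up describes for this system.
USERS = {
    "admin":  {"scheme": "md5", "hash": hashlib.md5(b"password1").hexdigest()},
    "netmgr": {"scheme": "md5", "hash": hashlib.md5(b"123456").hexdigest()},
}

def find_legacy_accounts(users):
    """Usernames whose stored credential is still a bare 32-hex MD5 digest."""
    return sorted(u for u, r in users.items()
                  if r["scheme"] == "md5" and MD5_HEX.match(r["hash"]))

def make_pbkdf2(password, salt=None):
    """Salted, iterated hash in a self-describing string: scheme$rounds$salt$dk."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"

def verify_pbkdf2(password, stored):
    _, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)

def login(users, username, password):
    """Check a password; on success, rewrite a legacy MD5 record as PBKDF2 so the
    weak digest stops living in the database after the user's next login."""
    rec = users.get(username)
    if rec is None:
        return False
    if rec["scheme"] == "md5":
        ok = hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(),
                                 rec["hash"])
        if ok:
            rec["hash"] = make_pbkdf2(password)
            rec["scheme"] = "pbkdf2_sha256"
        return ok
    return verify_pbkdf2(password, rec["hash"])
```

Upgrading the storage scheme does not make a guessable password strong; the list from find_legacy_accounts is also the set of accounts on which to force a password change.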
 
III. User management backend
http://target:8080
 
Open the user management backend and look for upload pages; there are several, including "import recharge cards" and "import users". However, those imports only write to the database and cannot be used. There is also an announcement publishing page that allows uploading images or attachments and fetching images remotely. First I tried uploading a PHP file, which returned "unsupported format". I viewed the upload page's source but found nothing useful; the form action points to douser.php.

I could not get past the server-side check. In addition, uploaded images are automatically renamed, so it does not look possible to get a shell this way ==,
 
IV. SSH remote
Having learned the network administrator's password, and knowing the habits of the average administrator (university network administrators in particular are not very security-conscious), why not try the same passwords over SSH? Okay, I got lucky ~

After getting in, I found that Shen LAN had encrypted the source code ~