The getshell Intranet roaming caused by no verification at a backend of the Travel Network
The website's backend can be reached without any authentication and allows getshell, which then led to the whole intranet falling.
The upload interface is exposed in a backend-like area; the upload request is intercepted and the 00 (null-byte) truncation is used.
First, the vulnerability appears as follows:
Burp packet capture data:
The uploaded file is saved in the current directory as focus_x.txt, where x is controllable.
A trojan can be written into recommendTitle, and 00 truncation bypasses the .txt suffix check, so a simple shell is uploaded.
Executed some commands.
Several servers were loaded later and connected with the kitchen knife (the Caidao webshell client):
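The naming scheme above (the server appends ".txt" to a user-controlled value and then checks the suffix) fails because the suffix check runs on the string the application sees, while a C-string based filesystem call stops at the first NUL byte. The following is an added example, not code from the write-up or the site: it models the vulnerable naming in a hypothetical `vulnerable_target_path` next to a hardened `hardened_target_path` that allow-lists the controllable value before the path is built, so no control character, separator or extension can reach the filesystem. (Note that PHP 5.3.4 and later already reject paths containing NUL, so the truncation itself only works on older builds; the allow-list still matters because the suffix check is the wrong layer to rely on.)

```python
import re

# Added example, not the site's code. Models the naming scheme described in the
# write-up: the server saves "focus_" + x + ".txt" with x under user control
# (the recommendTitle field), then checks only that the built name ends in .txt.

# Strict allow-list for the controllable part: letters, digits, '_' and '-' only.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def vulnerable_target_path(x: str) -> str:
    """The path the application layer believes it writes; the suffix check sees this."""
    return f"focus_{x}.txt"


def suffix_check_passes(path: str) -> bool:
    """The only validation the vulnerable code performs."""
    return path.endswith(".txt")


def effective_os_path(path: str) -> str:
    """What a NUL-terminated filesystem call actually uses: everything from the
    first NUL byte onward is dropped, so an appended '.txt' can vanish."""
    return path.split("\x00", 1)[0]


def is_accepted(x: str) -> bool:
    """Hardened input check: the value must match the allow-list in full, so
    NUL bytes, slashes, dots and other control characters are all rejected."""
    return SAFE_NAME.fullmatch(x) is not None


def hardened_target_path(x: str) -> str:
    """Build the path only after the controllable part has been validated."""
    if not is_accepted(x):
        raise ValueError("invalid recommendTitle value")
    return f"focus_{x}.txt"


if __name__ == "__main__":
    # Constructed inputs, not captured traffic.
    for value in ["1", "x.php\x00", "../x"]:
        built = vulnerable_target_path(value)
        print(repr(value), "suffix check:", suffix_check_passes(built),
              "-> OS writes:", repr(effective_os_path(built)),
              "| hardened accepts:", is_accepted(value))
```

The weak check passes for the NUL-containing value because the string it inspects really does end in ".txt"; the allow-list refuses the same value before any path exists, which is the check to put in front of every file-naming operation.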
10.10.0.103
10.10.0.95
10.10.0.108
10.10.0.102
Take a look at netstat:
zabbix_agent found.
Then a shell was bounced back to a server, and the session was saved with tmux.
The next day, I forwarded the intranet. zabbix does not have a weak password; it seems the security awareness of O&M is better than that of Youku Tudou XD.
Found a WordPress and checked the user name.
I found a phpMyAdmin with a universal password. Then I tried again and found the weak password root/root.
I wrote a shell, went to the kitchen knife, and found some amazing things.
Pwdump7.exe
Administrator: 500: A1A072F580871DC3B14FD58A657A9CA6: B29B766F15B2656ECBDA4BD4D9162879 :::
Guest: 501: no password *********************: 31D6CFE0D16AE931B73C59D7E0C089C0 :::
Admin: 1003: 32CE7A3887D3C2BFAAD3B435B51404EE: AF8E92EBC4D8A71C21BDA8F29C7338CD :::
_ Vmware_user __: 1006: no password *********************: no password *********************:::
Wps: 1008: 640D673C94B89529AAD3B435B51404EE: 79366b32ee1e36ef16ffb708fd5f5ba8 :::
Postgres: 1011: A1A072F580871DC3B14FD58A657A9CA6: B29B766F15B2656ECBDA4BD4D9162879 :::
Pentest: 1013: C170CDC8BAD80F1A2430574B6E34A817: C90D069B9B5EBA845349B042DBAF1BC3 :::
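A dump like the one above carries several weak-credential signals that an administrator can check for without cracking anything: LM hashes being stored at all (legacy hashing still enabled on the host), an LM second half of AAD3B435B51404EE (the password is 7 characters or shorter), an NT hash of 31D6CFE0D16AE931B73C59D7E0C089C0 (empty password), and identical NT hashes across accounts (the same password reused, as Administrator and Postgres show above). The following is an added audit script, not part of the write-up; the pwdump7 record layout and the two well-known hash constants are real, while the sample lines and their hex values are constructed.

```python
from dataclasses import dataclass, field

# Added example, not from the write-up. Audits pwdump7-style records
# ("user:rid:lmhash:nthash:::") for weak-credential signals.

EMPTY_LM_HALF = "AAD3B435B51404EE"                  # LM of a 7-NUL half: password is 7 chars or shorter
EMPTY_NT_HASH = "31D6CFE0D16AE931B73C59D7E0C089C0"  # NT hash of the empty string
NO_PASSWORD = "NO PASSWORD*********************"    # pwdump7 marker: no hash of that type stored

# Constructed sample dump; the hex values are placeholders, not real hashes.
SAMPLE_DUMP = """\
Administrator:500:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:::
Guest:501:NO PASSWORD*********************:31D6CFE0D16AE931B73C59D7E0C089C0:::
svc_backup:1003:89ABCDEF01234567AAD3B435B51404EE:00112233445566778899AABBCCDDEEFF:::
postgres:1011:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:::
"""


@dataclass
class Account:
    user: str
    rid: int
    lm: str
    nt: str
    issues: list = field(default_factory=list)


def parse_line(line: str):
    """Parse one record; returns None for blank or malformed lines."""
    parts = line.strip().split(":")
    if len(parts) < 4 or not parts[1].isdigit():
        return None
    return Account(parts[0], int(parts[1]), parts[2].upper(), parts[3].upper())


def audit_account(acct: Account) -> Account:
    """Per-account checks that need no cracking at all."""
    if acct.lm != NO_PASSWORD:
        acct.issues.append("lm-hash-stored")          # legacy LM hashing enabled on this host
        if acct.lm[16:] == EMPTY_LM_HALF:
            acct.issues.append("password-7-chars-or-less")
    if acct.nt == EMPTY_NT_HASH:
        acct.issues.append("empty-password")
    return acct


def audit_dump(text: str) -> dict:
    """Return {user: [issues]} for every account in the dump, including reuse."""
    accounts = [audit_account(a) for a in map(parse_line, text.splitlines()) if a]
    # Identical NT hashes across accounts mean the same password is reused.
    by_nt = {}
    for a in accounts:
        if a.nt != EMPTY_NT_HASH:
            by_nt.setdefault(a.nt, []).append(a.user)
    for users in by_nt.values():
        if len(users) > 1:
            for a in accounts:
                if a.user in users:
                    others = ",".join(u for u in users if u != a.user)
                    a.issues.append("password-shared-with:" + others)
    return {a.user: a.issues for a in accounts}


if __name__ == "__main__":
    for user, issues in audit_dump(SAMPLE_DUMP).items():
        print(f"{user:15} {', '.join(issues) or 'ok'}")
```

Any "lm-hash-stored" hit means the host still keeps LM hashes (the NoLMHash policy is not in force), which is the first thing to fix; the length and reuse findings then tell you which accounts need a password change regardless of cracking results.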
Administrator tuniu2906
Another server with weak passwords:
10.10.10.120
Administrator tuniu520
Financial statement?
Ran the mssql command.
172.22.0.110
Username: siweb
Password: siweb
There should be a lot of databases on this machine ~ XD
Dumping it would be a huge database dump (脱裤), but this dog is too cool and doesn't court trouble.
So tired ~
Solution:
The security awareness of the developers is too poor: the backend is exposed and the code also has bugs. And with weak passwords everywhere on the intranet, do you think the intranet can be secure?
Unfortunately, this dog forgot to plant the backdoor for two days and was busy with other things; as a result, after a week the backend returns 403 and cannot be accessed from outside. Otherwise, the intranet could have been explored further.
Give the developers a unified training class, and at least stop using weak passwords everywhere.