Vulnerabilities on major platforms of China wide meiyi vbox vendors

Source: Internet
Author: User


Detailed description:

The WTI management platform and the vendor's cloud platform have SQL injection and weak passwords that allow all vbox products to be controlled online. A large number of ports are exposed to the public network.

**.** A weak password on the cloud media platform gives control of a large number of devices.

**.** SQL injection; a large number of sensitive ports exposed; remote ARP hijacking possible.

**.** Weak password; a large number of ports and database information exposed; remote connection possible.

First, http://**.**/login

This is the cloud media platform. A weak password, fzce/fzce1234, was found to work (screenshot omitted):

Second, http://**.**/admin/login.aspx

SQL injection in the tbUserName field of the login form:

Code Region
POST /admin/login.aspx HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://**.**.**.**/admin/login.aspx
Cookie: ASP.NET_SessionId=ef1tpyjbj0qpnxtmjuohv2e5
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 233

__VIEWSTATE=%2FwEPDwUKMTA4MzU1NjA4N2RkRnb4zXsRnFaFD5QYBk2TjtvQSXnQQ6Hn4qwNo9WElDM%3D&__EVENTVALIDATION=%2FwEWBAKPi%2Br7CALyj%2FOQAgKVqs78BwL9kpmPAUHHL82XtJ7NqhK6TIUqokUPxBCTGvqWKQreGe6%2Bui3v&tbUserName=admin&tbUserPwd=dsfsdf&btnOk=.


Nothing needs to be written to the database to prove the point: the injected query runs with DBA privileges (checked through the injection), and an OS shell could be obtained from it as well (the "os-shell" wording points to sqlmap's --os-shell).

Output of whoami (screenshot omitted):

Physical path of the website exposed (screenshot omitted):
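Why the tbUserName field is injectable, and what the fix looks like, as an added example that is not the vendor's code: the real platform is ASP.NET on SQL Server, but the pattern is the same, so this uses Python with an in-memory SQLite table so it runs offline. The table, user names and passwords below are constructed for the example; the payloads are the classic comment-out and tautology strings, not anything taken from the report.

```python
"""Login query built by string concatenation (injectable) beside the
parameterized version. Added example, not code from the platform."""
import hashlib
import sqlite3


def _hash(pw: str) -> str:
    # Toy hash for the demo only; a real system would use a salted, slow KDF.
    return hashlib.sha256(pw.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the platform's user table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pwhash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", _hash("S3cret!Long")), ("fzce", _hash("fzce1234"))],
    )
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Mirrors the injectable pattern: the submitted user name is spliced
    into the SQL text, so quotes and comment markers in it become syntax."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND pwhash = '%s'"
           % (username, _hash(password)))
    return conn.execute(sql).fetchone() is not None


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened version: same query, but both values are bound as parameters,
    so the user name is only ever compared as data."""
    sql = "SELECT username FROM users WHERE username = ? AND pwhash = ?"
    return conn.execute(sql, (username, _hash(password))).fetchone() is not None


def demo() -> dict:
    """Run both versions against a wrong password with and without payloads."""
    conn = make_db()
    wrong_pw = "dsfsdf"          # the throwaway password from the captured request
    payloads = ["admin", "admin'--", "' OR 1=1--"]
    return {
        p: {"vulnerable": vulnerable_login(conn, p, wrong_pw),
            "safe": safe_login(conn, p, wrong_pw)}
        for p in payloads
    }


if __name__ == "__main__":
    for payload, result in demo().items():
        print(repr(payload), result)
```

With `admin'--` the concatenated query becomes `... WHERE username = 'admin'--' AND pwhash = '...'`: the comment marker discards the password check and the vulnerable function logs in as admin with any password, while the parameterized function simply finds no user named `admin'--`. The same difference is what separates a DBA-level injection point from a harmless login form.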

With the path known, a web shell could be written, but a port check showed that all the sensitive ports, including 1433 (SQL Server) and 3389 (Remote Desktop), are exposed to the public network. So I simply created a user, Diver$/Diver123 (I forgot to delete it; please ask the administrator to remove it), logged in over Remote Desktop, and connected to the database on 1433 with sa/zgmy1+1, and so on. Inside the data center, if the gateway is 129, ARP spoofing would be possible; I did not test that (please don't come knocking).

After logging in over Remote Desktop, I found that host 140 also runs a database. A port check showed 3306 open to the outside, and the database password (root/root!) was obtained, so all the websites on 140 can be reached remotely. (The cloud media service is also there; that function appears to allow any file to be uploaded, and it looks like it is being prepared for migration.)

I also wanted to escalate privileges manually through a UDF, but the injection turned out to be blind and the file could not be written. Frustrating!

Proof of vulnerability:

The proof is the same material as the detailed description above: the weak-password login, the injectable login request, and the whoami, path, Remote Desktop and database screenshots.

Solution:

Do not expose database and remote-management ports (1433, 3306, 3389) to the public network; use parameterized queries instead of concatenating the tbUserName and tbUserPwd values into SQL; delete the test accounts (including the Diver$ account created during testing); replace the weak passwords (fzce1234, sa/zgmy1+1, root/root!) with strong ones; and run the web application with a low-privilege database account instead of dba/sa.

