Vulnerabilities in the main platform of vbox vendor China Wide Meiyi
Detailed description:
The WTI management platform (the cloud platform) suffers from SQL injection and weak passwords, allowing control of all vbox products online. A large number of ports are exposed.
1. The weak password of the cloud media platform can be used to control a large number of devices.
2. SQL injection exposes a large number of sensitive ports and allows remote ARP hijacking.
3. Weak passwords, a large number of exposed database ports, and remote connections.
First, http://**.**/login
This is the cloud media platform. A weak password fzce/fzce1234 was revealed, and the following was found:
http://**.**/admin/login.aspx
SQL injection: in the tbUserName parameter
Code Region
POST /admin/login.aspx HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://**.**.**.**/admin/login.aspx
Cookie: ASP.NET_SessionId=ef1tpyjbj0qpnxtmjuohv2e5
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 233

__VIEWSTATE=%2FwEPDwUKMTA4MzU1NjA4N2RkRnb4zXsRnFaFD5QYBk2TjtvQSXnQQ6Hn4qwNo9WElDM%3D&__EVENTVALIDATION=%2FwEWBAKPi%2Br7CALyj%2FOQAgKVqs78BwL9kpmPAUHHL82XtJ7NqhK6TIUqokUPxBCTGvqWKQreGe6%2Bui3v&tbUserName=admin&tbUserPwd=dsfsdf&btnOk=.
There is no need to dump the database: checking the privileges shows the injected queries run with DBA rights, and an OS shell (os-shell) can be obtained as well.
Output of whoami:
Website physical path exposed:
With the path one could write a webshell, but a port check showed that all the sensitive ports, such as 1433 and 3389, are exposed to the public network. I directly created a user Diver$/Diver123 (I forgot to delete the user; please ask the administrator to delete it) and connected over Remote Desktop; the database can also be reached through 1433 (sa/zgmy1+1), and so on. In the data center, if the gateway is 129, ARP spoofing would be possible. I didn't test it here (please don't check my water meter).
After connecting over Remote Desktop, I found that 140 also has a database. A port check showed 3306 open to the outside, and the database password (root/root!) was obtained, so all the websites on 140 can be connected to remotely. (The cloud media service is also there; this function seems to be more usable and allows uploading arbitrary files; I estimate it is being prepared for migration.)
I also wanted to escalate privileges manually through a UDF, but it turned out to be blind and I couldn't write it in; so frustrating!
Proof of vulnerability: identical to the detailed description above.
Solution:
Do not expose ports to the public network, filter SQL statements (use parameterised queries), delete test accounts, strengthen user passwords, and reduce database permissions.
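As an added illustration, not the platform's own code (which the report does not show), here is a hypothetical login.aspx.cs code-behind with the string-concatenation pattern that makes a field like tbUserName injectable placed next to the parameterised, least-privilege fix. The class name, connection string, Users table, PasswordHash column and lblError control are assumptions; tbUserName, tbUserPwd and btnOk are the field names from the captured request.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web.Security;
using System.Web.UI;
using Microsoft.AspNet.Identity;   // PasswordHasher, from the Microsoft.AspNet.Identity.Core package

public partial class AdminLogin : Page
{
    // Hypothetical connection string. A least-privilege SQL login instead of sa/dba is
    // part of the fix: a successful injection then has no route to OS command execution.
    private const string ConnStr =
        "Server=127.0.0.1;Database=MediaDb;User Id=web_login;Password=<placeholder>;";
    // BEFORE: the pattern that makes tbUserName injectable. The form value is spliced
    // into the SQL text, so a quote in the input closes the literal and the rest runs as SQL.
    private static bool LoginVulnerable(string user, string pwd)
    {
        string sql = "SELECT COUNT(*) FROM Users WHERE UserName = '" + user +
                     "' AND Password = '" + pwd + "'";
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }
    // AFTER: parameterised query. Input travels as a typed parameter value, never as SQL
    // text, so no quoting changes the statement; the password is verified against a salted hash.
    private static bool LoginFixed(string user, string pwd)
    {
        const string sql = "SELECT PasswordHash FROM Users WHERE UserName = @user";
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 64).Value = user;
            conn.Open();
            var stored = cmd.ExecuteScalar() as string;   // null when the user does not exist
            return stored != null &&
                   new PasswordHasher().VerifyHashedPassword(stored, pwd) == PasswordVerificationResult.Success;
        }
    }
    // Unknown user and wrong password share one error message, so the form leaks neither.
    protected void btnOk_Click(object sender, EventArgs e)
    {
        if (LoginFixed(tbUserName.Text, tbUserPwd.Text))
            FormsAuthentication.RedirectFromLoginPage(tbUserName.Text, false);
        else
            lblError.Text = "Invalid user name or password.";
    }
}
```

LoginVulnerable is kept only for comparison and should be deleted in a real fix; the database login used by the site should be a plain user with rights on the Users table only.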