2014-06-01:细节已通知厂商并且等待厂商处理中
2014-06-06:厂商已经确认,细节仅向厂商公开
2014-06-16:细节向核心白帽子及相关领域专家公开
2014-06-26:细节向普通白帽子公开
2014-07-06:细节向实习白帽子公开
2014-07-16:细节向公众公开
...........
详细说明:..............
漏洞证明:问题出自一个登陆页面
http://oa.ca-sme.org/online_pass.asp
data:password=123123&operate=loginClient&username=123123
Target: http://oa.ca-sme.org/online_pass.asp
Host IP:119.255.195.35
Web Server: Microsoft-IIS/6.0
Powered-by: ASP.NET
DB Server: MSSQL 2000 with error
Resp. Time(avg):88 ms
Current User: dbo
Sql Version: Microsoft SQL Server 2000 - 8.00.2039 (Intel X86)
May 3 2005 23:18:38
Copyright (c) 1988-2003 Microsoft Corporation
Enterprise Edition on Windows NT 5.2 (Build 3790: Service Pack 2)
Current DB: OA
System User: sa
Host Name: CASME-SERVER01
Server Name: CASME-SERVER01
master
tempdb
model
msdb
pubs
Northwind
ECWork
emedb_new
OA
sme_data
smeData
expert
new_crm
eme
smecollege
casme_db
![QQ截图20140601122422.png](http://www.wooyun.org/upload/201406/011224074bb94fc2a0d053bd4abdf0d4aa770391.png)
![QQ截图20140601122500.png](http://www.wooyun.org/upload/201406/0112244627d32cf031d7f12b6127ed1fcebb5266.png)
使用第二幅图的密码登陆 我登陆了一个 李子彬的 用户名 lzb 密码 1211
并且发表了一个日志
http://oa.ca-sme.org/online_job_log_content.asp?id=21635&page=1
上传了一个后门程序
http://oa.ca-sme.org/files_upload/2014060134656mumaasp.asp 密码 mumaasp.com
![QQ截图20140601122834.png](http://www.wooyun.org/upload/201406/011228146f8aebd6c68a10abbb714a8601f181bb.png)
在C盘里 发现了一个 vlan.txt 的文本
下载了之后发现是疑似内网的东西 具体什么用途 我不知道
192.168.1.39001D09203D6Ecasme-server01
192.168.1.1EC6C9F158582casme-server01
119.255.195.35001D09203D6Ccasme-server01
192.168.1.105C63BFEACDF9casme-server01
192.168.1.29940C6D259ACDcasme-server01
192.168.1.1032C59E57975D6casme-server01
192.168.1.12700110AF03134casme-server01
192.168.1.129A0D3C1E6C630casme-server01
192.168.1.1552C59E5785C24casme-server01
192.168.1.1562C59E578CB29casme-server01
192.168.1.19020DCE6943349casme-server01
192.168.1.2191CFA6858F3E9casme-server01
192.168.1.2200C722CFA7FDDcasme-server01
192.168.1.230000FE235BF41casme-server01
192.168.1.223E41F13B3E4FCcasme-server01
192.168.1.174D067E5032267casme-server01
192.168.1.157ECA86B80476Fcasme-server01
192.168.1.109B045CB009926casme-server01
192.168.1.110C89CDCF6BA51casme-server01
192.168.1.128D43D7E226BBAcasme-server01
192.168.1.123D43D7E259664casme-server01
192.168.1.1524437E6CF5FC6casme-server01
192.168.1.1347427EA6273F1casme-server01
192.168.1.239D43D7E23FA28casme-server01
192.168.1.122F04DA2F85B45casme-server01
192.168.1.202D43D7E2590C8casme-server01
192.168.1.161D43D7E1B579Acasme-server01
192.168.1.200D43D7E258E24casme-server01
192.168.1.23500237D76FB88casme-server01
192.168.1.1067427EA6339D1casme-server01
192.168.1.179D43D7E1B580Dcasme-server01
192.168.1.132F0DEF10A4A9Dcasme-server01
192.168.1.164D43D7E1C502Acasme-server01
192.168.1.109D43D7E2590E7casme-server01
192.168.1.112D43D7E226A28casme-server01
192.168.1.1333C970E9A79A0casme-server01
192.168.1.1537427EA3ABA72casme-server01
192.168.1.23600237D765C01casme-server01
192.168.1.204ECA86B80476Ccasme-server01
192.168.1.2104437E6CF5FBFcasme-server01
192.168.1.75D43D7E2593D9casme-server01
192.168.1.116D43D7E1C5051casme-server01
192.168.1.1057427EA62453Ccasme-server01
192.168.1.114001EC929384Ecasme-server01
192.168.1.231D43D7E1C5064casme-server01
192.168.1.447427EA6318ACcasme-server01
192.168.1.2437427EA623A23casme-server01
192.168.1.121C89CDCF6BD52casme-server01
192.168.1.15400163567D360casme-server01
192.168.1.99D43D7E258E2Acasme-server01
192.168.1.2227427EA3AB7DCcasme-server01
192.168.1.107D43D7E1B5787casme-server01
![QQ截图20140601123137.png](http://www.wooyun.org/upload/201406/01123118e81fd7584d10471ba9008513a4d1eb99.png)
通过红框里的功能疑似可以添加系统用户
方法二 直接用穿山甲的
command的功能添加
查看端口开放的命令返回的结果
Proto Local Address Foreign Address State
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING
TCP 0.0.0.0:88 0.0.0.0:0 LISTENING
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1433 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3306 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
TCP 0.0.0.0:8009 0.0.0.0:0 LISTENING
TCP 0.0.0.0:8080 0.0.0.0:0 LISTENING
TCP 119.255.195.35:80 175.44.156.177:44743 ESTABLISHED
TCP 119.255.195.35:80 175.44.156.177:44773 ESTABLISHED
TCP 119.255.195.35:80 175.44.156.177:44783 ESTABLISHED
TCP 119.255.195.35:80 175.44.156.177:44864 ESTABLISHED
TCP 119.255.195.35:135 108.186.6.106:1772 ESTABLISHED
TCP 119.255.195.35:139 0.0.0.0:0 LISTENING
TCP 119.255.195.35:3389 103.31.241.157:1416 ESTABLISHED
TCP 119.255.195.35:3389 147.255.109.122:2543 ESTABLISHED
TCP 127.0.0.1:1026 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1027 127.0.0.1:1433 ESTABLISHED
TCP 127.0.0.1:1028 127.0.0.1:1433 ESTABLISHED
TCP 127.0.0.1:1029 127.0.0.1:1433 ESTABLISHED
TCP 127.0.0.1:1038 127.0.0.1:1433 ESTABLISHED
TCP 127.0.0.1:1039 127.0.0.1:1433 ESTABLISHED
TCP 127.0.0.1:1040 127.0.0.1:1433 ESTABLISHED
TCP 127.0.0.1:1050 127.0.0.1:1433 ESTABLISHED
TCP 127.0.0.1:1051 127.0.0.1:1433 ESTABLISHED
TCP 127.0.0.1:1052 127.0.0.1:1433 ESTABLISHED
TCP 127.0.0.1:1433 127.0.0.1:1027 ESTABLISHED
TCP 127.0.0.1:1433 127.0.0.1:1028 ESTABLISHED
TCP 127.0.0.1:1433 127.0.0.1:1029 ESTABLISHED
TCP 127.0.0.1:1433 127.0.0.1:1038 ESTABLISHED
TCP 127.0.0.1:1433 127.0.0.1:1039 ESTABLISHED
TCP 127.0.0.1:1433 127.0.0.1:1040 ESTABLISHED
TCP 127.0.0.1:1433 127.0.0.1:1050 ESTABLISHED
TCP 127.0.0.1:1433 127.0.0.1:1051 ESTABLISHED
TCP 127.0.0.1:1433 127.0.0.1:1052 ESTABLISHED
TCP 127.0.0.1:8005 0.0.0.0:0 LISTENING
TCP 192.168.1.39:139 0.0.0.0:0 LISTENING
TCP 192.168.1.39:1032 192.168.1.39:1433 ESTABLISHED
TCP 192.168.1.39:1034 192.168.1.39:1433 ESTABLISHED
TCP 192.168.1.39:1035 192.168.1.39:1433 ESTABLISHED
TCP 192.168.1.39:1036 192.168.1.39:1433 ESTABLISHED
TCP 192.168.1.39:1042 192.168.1.39:1433 ESTABLISHED
TCP 192.168.1.39:1043 192.168.1.39:1433 ESTABLISHED
TCP 192.168.1.39:1044 192.168.1.39:1433 ESTABLISHED
TCP 192.168.1.39:1046 192.168.1.39:1433 ESTABLISHED
TCP 192.168.1.39:1047 192.168.1.39:1433 ESTABLISHED
TCP 192.168.1.39:1048 192.168.1.39:1433 ESTABLISHED
TCP 192.168.1.39:1054 192.168.1.39:1433 ESTABLISHED
TCP 192.168.1.39:1433 192.168.1.39:1032 ESTABLISHED
TCP 192.168.1.39:1433 192.168.1.39:1034 ESTABLISHED
TCP 192.168.1.39:1433 192.168.1.39:1035 ESTABLISHED
TCP 192.168.1.39:1433 192.168.1.39:1036 ESTABLISHED
TCP 192.168.1.39:1433 192.168.1.39:1042 ESTABLISHED
TCP 192.168.1.39:1433 192.168.1.39:1043 ESTABLISHED
TCP 192.168.1.39:1433 192.168.1.39:1044 ESTABLISHED
TCP 192.168.1.39:1433 192.168.1.39:1046 ESTABLISHED
TCP 192.168.1.39:1433 192.168.1.39:1047 ESTABLISHED
TCP 192.168.1.39:1433 192.168.1.39:1048 ESTABLISHED
TCP 192.168.1.39:1433 192.168.1.39:1054 ESTABLISHED
TCP 192.168.1.39:1433 192.168.1.39:2498 ESTABLISHED
TCP 192.168.1.39:2498 192.168.1.39:1433 ESTABLISHED
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:1434 *:*
UDP 119.255.195.35:123 *:*
UDP 119.255.195.35:137 *:*
UDP 119.255.195.35:138 *:*
UDP 127.0.0.1:123 *:*
UDP 192.168.1.39:123 *:*
UDP 192.168.1.39:137 *:*
UDP 192.168.1.39:138 *:*
3389端口居然是开的
我用了大家都知道的命令添加了一个用户 并且添加到系统管理员组了
远程桌面计算机
oa.ca-sme.org
用户名 123123 password 123123
通过查看远程桌面 至少发现几个问题
一、存在网盘上传软件 如 纳米盘的米人软件
![QQ截图20140601124100.png](http://www.wooyun.org/upload/201406/011240423ef950013cd4c6cffbacaf3f7b2f7bff.png)
二、存在QQ软件 (可通过QQ导出数据库)
![QQ截图20140601124230.png](http://www.wooyun.org/upload/201406/01124212c6588d3dee59690f257d79ac98afd385.png)
很多同服网站因此而全沦陷
![QQ截图20140601124426.png](http://www.wooyun.org/upload/201406/011244212edf33c7b745d2403e72ab3685b72f4f.png)
修复方案:
.............
版权声明:转载请注明来源 雅柏菲卡@乌云漏洞回应 厂商回应:
危害等级:高
漏洞Rank:12
确认时间:2014-06-06 10:31
厂商回复:CNVD确认并复现第一层风险(未进行渗透),由CNVD通过whois信息以及网站公开联系方式向网站管理单位通报。
最新状态:暂无
版权与免责声明:
凡注明稿件来源的内容均为转载稿或由网友用户注册发布,本网转载出于传递更多信息的目的;如转载稿涉及版权问题,请作者联系我们,同时对于用户评论等信息,本网并不意味着赞同其观点或证实其内容的真实性;