用友某重要系统严重漏洞(泄露源码、员工账号密码等等)

2015-04-20T00:00:00
ID SSV:93325
Type seebug
Reporter Root
Modified 2015-04-20T00:00:00

Description

简要描述:

通过一个废弃系统成功入侵并发现泄露大部分应有源码等

详细说明:

首先该系统存在弱口令 http://vip.ufida.com.cn/nccsm/HomePage.aspx test1 123456 还存在大量123456的弱口令

<img src="https://images.seebug.org/upload/201504/20174250e7f977b67486b87b2c8da19ce6c6e6ae.jpg" alt="弱口令账户.jpg" width="600" onerror="javascript:errimg(this);">

<img src="https://images.seebug.org/upload/201504/201743048b0ad669fc4f13ad55e1d251824becda.png" alt="1.png" width="600" onerror="javascript:errimg(this);">

<img src="https://images.seebug.org/upload/201504/20174322ccb8c5495b70b0788022286bdfaa4df5.png" alt="2.png" width="600" onerror="javascript:errimg(this);">

系统存在注入

<img src="https://images.seebug.org/upload/201504/20174347c7ba1e099ca9919344b8563c9a8c7a70.png" alt="3.png" width="600" onerror="javascript:errimg(this);">

<img src="https://images.seebug.org/upload/201504/20174358362baa94f8e3a6acfb5d0c293d5c6a1e.png" alt="4.png" width="600" onerror="javascript:errimg(this);">

<img src="https://images.seebug.org/upload/201504/20174413a1b34c82a4f2c2b2263f24a716a6a183.png" alt="5.png" width="600" onerror="javascript:errimg(this);">

通过注入获取数据 拿到admin密码并登陆

<img src="https://images.seebug.org/upload/201504/20174518025c6bf39b16607342910d5f4e7666af.png" alt="6.png" width="600" onerror="javascript:errimg(this);">

在后台上传shell

<img src="https://images.seebug.org/upload/201504/201745411947e5853a7267bcfb564f3da3e2daf1.png" alt="7.png" width="600" onerror="javascript:errimg(this);">

找到配置文件 并进行数据库连接

<img src="https://images.seebug.org/upload/201504/201746123a66a22efffec9421e68c169f8b60854.png" alt="8.png" width="600" onerror="javascript:errimg(this);">

收集下员工表,

<img src="https://images.seebug.org/upload/201504/2017461802b794ca3e00134d6b8ac149c9bff850.png" alt="9.png" width="600" onerror="javascript:errimg(this);">

来到用友tkr系统 利用之前搜集的账号密码尝试登录发现某些用户可以登录

<img src="https://images.seebug.org/upload/201504/20174845324ecac837c783a1c216e6a9b987726f.png" alt="10.png" width="600" onerror="javascript:errimg(this);">

可以利用上传知识页面进行shell上传

<img src="https://images.seebug.org/upload/201504/201748562be4d59d84a7642395b72f50ec4e41f0.png" alt="11.png" width="600" onerror="javascript:errimg(this);">

<img src="https://images.seebug.org/upload/201504/201749476d2083bdc424eaf8c36476a31c653049.png" alt="12.png" width="600" onerror="javascript:errimg(this);">

<img src="https://images.seebug.org/upload/201504/201749552710bc10bdbdd6588fdc0c56842eac0f.png" alt="13.png" width="600" onerror="javascript:errimg(this);">

,审计登录源码发现该系统存在万能密码 ,利用该密码 可以登录任意用户

<img src="https://images.seebug.org/upload/201504/20175031b9e40e3dc1b4682b19e7481cf422acbf.png" alt="18.png" width="600" onerror="javascript:errimg(this);">

protected void btnLogin_Click(object sender, EventArgs e) { string URL = "Default.aspx"; if (!String.IsNullOrEmpty(Request.QueryString["PreviouseURL"])) URL = Server.UrlDecode(Request.QueryString["PreviouseURL"]); string UserName = TextBox1.Text.Trim(); string Password = TextBox2.Text.Trim(); bool IsSuccessful = false; string Remark = ""; //涓囪兘瀵嗙爜鐧诲綍 if (!String.IsNullOrEmpty(UserName) && Password == "tkr*123") { Authority.Instance.LoginByDomainAccount(UserName); Response.Redirect(URL); } else { SEAPersonService PersonService = new SEAPersonService(); PersonInfo psn = new PersonInfo(); if (rdoType1.Checked) { psn = PersonService.LoginByDomainAccountWithPassword("pdomain", UserName, Password); } else { psn = PersonService.LoginByUserName(UserName, Password); }

该系统涉及用友所有产品,基本涉及全部源码,不过需要自己去寻找

<img src="https://images.seebug.org/upload/201504/20175148da25f96a38521b97a1962d8679a77ff6.png" alt="15.png" width="600" onerror="javascript:errimg(this);">

<img src="https://images.seebug.org/upload/201504/20175154374e4578deb8e175ed937630b51296be.png" alt="16.png" width="600" onerror="javascript:errimg(this);">

<img src="https://images.seebug.org/upload/201504/201751598d72c96e13e6bee146a67ca194b6bd21.png" alt="17.png" width="600" onerror="javascript:errimg(this);">

漏洞证明:

首先该系统存在弱口令 http://vip.ufida.com.cn/nccsm/HomePage.aspx test1 123456 还存在大量123456的弱口令

<img src="https://images.seebug.org/upload/201504/20174250e7f977b67486b87b2c8da19ce6c6e6ae.jpg" alt="弱口令账户.jpg" width="600" onerror="javascript:errimg(this);">

<img src="https://images.seebug.org/upload/201504/201743048b0ad669fc4f13ad55e1d251824becda.png" alt="1.png" width="600" onerror="javascript:errimg(this);">

<img src="https://images.seebug.org/upload/201504/20174322ccb8c5495b70b0788022286bdfaa4df5.png" alt="2.png" width="600" onerror="javascript:errimg(this);">

系统存在注入

<img src="https://images.seebug.org/upload/201504/20174347c7ba1e099ca9919344b8563c9a8c7a70.png" alt="3.png" width="600" onerror="javascript:errimg(this);">

<img src="https://images.seebug.org/upload/201504/20174358362baa94f8e3a6acfb5d0c293d5c6a1e.png" alt="4.png" width="600" onerror="javascript:errimg(this);">

<img src="https://images.seebug.org/upload/201504/20174413a1b34c82a4f2c2b2263f24a716a6a183.png" alt="5.png" width="600" onerror="javascript:errimg(this);">

通过注入获取数据 拿到admin密码并登陆

<img src="https://images.seebug.org/upload/201504/20174518025c6bf39b16607342910d5f4e7666af.png" alt="6.png" width="600" onerror="javascript:errimg(this);">

在后台上传shell

<img src="https://images.seebug.org/upload/201504/201745411947e5853a7267bcfb564f3da3e2daf1.png" alt="7.png" width="600" onerror="javascript:errimg(this);">

找到配置文件 并进行数据库连接

<img src="https://images.seebug.org/upload/201504/201746123a66a22efffec9421e68c169f8b60854.png" alt="8.png" width="600" onerror="javascript:errimg(this);">

收集下员工表,

<img src="https://images.seebug.org/upload/201504/2017461802b794ca3e00134d6b8ac149c9bff850.png" alt="9.png" width="600" onerror="javascript:errimg(this);">

来到用友tkr系统 利用之前搜集的账号密码尝试登录发现某些用户可以登录

<img src="https://images.seebug.org/upload/201504/20174845324ecac837c783a1c216e6a9b987726f.png" alt="10.png" width="600" onerror="javascript:errimg(this);">

可以利用上传知识页面进行shell上传

<img src="https://images.seebug.org/upload/201504/201748562be4d59d84a7642395b72f50ec4e41f0.png" alt="11.png" width="600" onerror="javascript:errimg(this);">

<img src="https://images.seebug.org/upload/201504/201749476d2083bdc424eaf8c36476a31c653049.png" alt="12.png" width="600" onerror="javascript:errimg(this);">

<img src="https://images.seebug.org/upload/201504/201749552710bc10bdbdd6588fdc0c56842eac0f.png" alt="13.png" width="600" onerror="javascript:errimg(this);">

,审计登录源码发现该系统存在万能密码 ,利用该密码 可以登录任意用户

<img src="https://images.seebug.org/upload/201504/20175031b9e40e3dc1b4682b19e7481cf422acbf.png" alt="18.png" width="600" onerror="javascript:errimg(this);">

protected void btnLogin_Click(object sender, EventArgs e) { string URL = "Default.aspx"; if (!String.IsNullOrEmpty(Request.QueryString["PreviouseURL"])) URL = Server.UrlDecode(Request.QueryString["PreviouseURL"]); string UserName = TextBox1.Text.Trim(); string Password = TextBox2.Text.Trim(); bool IsSuccessful = false; string Remark = ""; //涓囪兘瀵嗙爜鐧诲綍 if (!String.IsNullOrEmpty(UserName) && Password == "tkr*123") { Authority.Instance.LoginByDomainAccount(UserName); Response.Redirect(URL); } else { SEAPersonService PersonService = new SEAPersonService(); PersonInfo psn = new PersonInfo(); if (rdoType1.Checked) { psn = PersonService.LoginByDomainAccountWithPassword("pdomain", UserName, Password); } else { psn = PersonService.LoginByUserName(UserName, Password); }

该系统涉及用友所有产品,基本涉及全部源码,不过需要自己去寻找

<img src="https://images.seebug.org/upload/201504/20175148da25f96a38521b97a1962d8679a77ff6.png" alt="15.png" width="600" onerror="javascript:errimg(this);">

<img src="https://images.seebug.org/upload/201504/20175154374e4578deb8e175ed937630b51296be.png" alt="16.png" width="600" onerror="javascript:errimg(this);">

<img src="https://images.seebug.org/upload/201504/201751598d72c96e13e6bee146a67ca194b6bd21.png" alt="17.png" width="600" onerror="javascript:errimg(this);">