VULHUB ™

### 简要描述： 通过一个废弃系统成功入侵并发现泄露大部分应有源码等 ### 详细说明： 首先该系统存在弱口令 http://vip.ufida.com.cn/nccsm/HomePage.aspx test1 123456 还存在大量123456的弱口令 [<img src="https://images.seebug.org/upload/201504/20174250e7f977b67486b87b2c8da19ce6c6e6ae.jpg" alt="弱口令账户.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/20174250e7f977b67486b87b2c8da19ce6c6e6ae.jpg) [<img src="https://images.seebug.org/upload/201504/201743048b0ad669fc4f13ad55e1d251824becda.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/201743048b0ad669fc4f13ad55e1d251824becda.png) [<img src="https://images.seebug.org/upload/201504/20174322ccb8c5495b70b0788022286bdfaa4df5.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/20174322ccb8c5495b70b0788022286bdfaa4df5.png) 系统存在注入 [<img src="https://images.seebug.org/upload/201504/20174347c7ba1e099ca9919344b8563c9a8c7a70.png" alt="3.png" width="600"...

### 简要描述： 通过一个废弃系统成功入侵并发现泄露大部分应有源码等 ### 详细说明： 首先该系统存在弱口令 http://vip.ufida.com.cn/nccsm/HomePage.aspx test1 123456 还存在大量123456的弱口令 [<img src="https://images.seebug.org/upload/201504/20174250e7f977b67486b87b2c8da19ce6c6e6ae.jpg" alt="弱口令账户.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/20174250e7f977b67486b87b2c8da19ce6c6e6ae.jpg) [<img src="https://images.seebug.org/upload/201504/201743048b0ad669fc4f13ad55e1d251824becda.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/201743048b0ad669fc4f13ad55e1d251824becda.png) [<img src="https://images.seebug.org/upload/201504/20174322ccb8c5495b70b0788022286bdfaa4df5.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/20174322ccb8c5495b70b0788022286bdfaa4df5.png) 系统存在注入 [<img src="https://images.seebug.org/upload/201504/20174347c7ba1e099ca9919344b8563c9a8c7a70.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/20174347c7ba1e099ca9919344b8563c9a8c7a70.png) [<img src="https://images.seebug.org/upload/201504/20174358362baa94f8e3a6acfb5d0c293d5c6a1e.png" alt="4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/20174358362baa94f8e3a6acfb5d0c293d5c6a1e.png) [<img src="https://images.seebug.org/upload/201504/20174413a1b34c82a4f2c2b2263f24a716a6a183.png" alt="5.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/20174413a1b34c82a4f2c2b2263f24a716a6a183.png) 通过注入获取数据 拿到admin密码并登陆 [<img src="https://images.seebug.org/upload/201504/20174518025c6bf39b16607342910d5f4e7666af.png" alt="6.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/20174518025c6bf39b16607342910d5f4e7666af.png) 在后台上传shell [<img src="https://images.seebug.org/upload/201504/201745411947e5853a7267bcfb564f3da3e2daf1.png" alt="7.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/201745411947e5853a7267bcfb564f3da3e2daf1.png) 找到配置文件 并进行数据库连接 [<img src="https://images.seebug.org/upload/201504/201746123a66a22efffec9421e68c169f8b60854.png" alt="8.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/201746123a66a22efffec9421e68c169f8b60854.png) 收集下员工表， [<img src="https://images.seebug.org/upload/201504/2017461802b794ca3e00134d6b8ac149c9bff850.png" alt="9.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/2017461802b794ca3e00134d6b8ac149c9bff850.png) 来到用友tkr系统 利用之前搜集的账号密码尝试登录发现某些用户可以登录 [<img src="https://images.seebug.org/upload/201504/20174845324ecac837c783a1c216e6a9b987726f.png" alt="10.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/20174845324ecac837c783a1c216e6a9b987726f.png) 可以利用上传知识页面进行shell上传 [<img src="https://images.seebug.org/upload/201504/201748562be4d59d84a7642395b72f50ec4e41f0.png" alt="11.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/201748562be4d59d84a7642395b72f50ec4e41f0.png) [<img src="https://images.seebug.org/upload/201504/201749476d2083bdc424eaf8c36476a31c653049.png" alt="12.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/201749476d2083bdc424eaf8c36476a31c653049.png) [<img src="https://images.seebug.org/upload/201504/201749552710bc10bdbdd6588fdc0c56842eac0f.png" alt="13.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/201749552710bc10bdbdd6588fdc0c56842eac0f.png) ，审计登录源码发现该系统存在万能密码 ，利用该密码 可以登录任意用户 [<img src="https://images.seebug.org/upload/201504/20175031b9e40e3dc1b4682b19e7481cf422acbf.png" alt="18.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/20175031b9e40e3dc1b4682b19e7481cf422acbf.png) ``` protected void btnLogin_Click(object sender, EventArgs e) { string URL = "Default.aspx"; if (!String.IsNullOrEmpty(Request.QueryString["PreviouseURL"])) URL = Server.UrlDecode(Request.QueryString["PreviouseURL"]); string UserName = TextBox1.Text.Trim(); string Password = TextBox2.Text.Trim(); bool IsSuccessful = false; string Remark = ""; //涓囪兘瀵嗙爜鐧诲綍 if (!String.IsNullOrEmpty(UserName) && Password == "tkr*123") { Authority.Instance.LoginByDomainAccount(UserName); Response.Redirect(URL); } else { SEAPersonService PersonService = new SEAPersonService(); PersonInfo psn = new PersonInfo(); if (rdoType1.Checked) { psn = PersonService.LoginByDomainAccountWithPassword("pdomain", UserName, Password); } else { psn = PersonService.LoginByUserName(UserName, Password); } ``` 该系统涉及用友所有产品，基本涉及全部源码，不过需要自己去寻找 [<img src="https://images.seebug.org/upload/201504/20175148da25f96a38521b97a1962d8679a77ff6.png" alt="15.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/20175148da25f96a38521b97a1962d8679a77ff6.png) [<img src="https://images.seebug.org/upload/201504/20175154374e4578deb8e175ed937630b51296be.png" alt="16.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/20175154374e4578deb8e175ed937630b51296be.png) [<img src="https://images.seebug.org/upload/201504/201751598d72c96e13e6bee146a67ca194b6bd21.png" alt="17.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/201751598d72c96e13e6bee146a67ca194b6bd21.png) ### 漏洞证明： 首先该系统存在弱口令 http://vip.ufida.com.cn/nccsm/HomePage.aspx test1 123456 还存在大量123456的弱口令 [<img src="https://images.seebug.org/upload/201504/20174250e7f977b67486b87b2c8da19ce6c6e6ae.jpg" alt="弱口令账户.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/20174250e7f977b67486b87b2c8da19ce6c6e6ae.jpg) [<img src="https://images.seebug.org/upload/201504/201743048b0ad669fc4f13ad55e1d251824becda.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/201743048b0ad669fc4f13ad55e1d251824becda.png) [<img src="https://images.seebug.org/upload/201504/20174322ccb8c5495b70b0788022286bdfaa4df5.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/20174322ccb8c5495b70b0788022286bdfaa4df5.png) 系统存在注入 [<img src="https://images.seebug.org/upload/201504/20174347c7ba1e099ca9919344b8563c9a8c7a70.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/20174347c7ba1e099ca9919344b8563c9a8c7a70.png) [<img src="https://images.seebug.org/upload/201504/20174358362baa94f8e3a6acfb5d0c293d5c6a1e.png" alt="4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/20174358362baa94f8e3a6acfb5d0c293d5c6a1e.png) [<img src="https://images.seebug.org/upload/201504/20174413a1b34c82a4f2c2b2263f24a716a6a183.png" alt="5.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/20174413a1b34c82a4f2c2b2263f24a716a6a183.png) 通过注入获取数据 拿到admin密码并登陆 [<img src="https://images.seebug.org/upload/201504/20174518025c6bf39b16607342910d5f4e7666af.png" alt="6.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/20174518025c6bf39b16607342910d5f4e7666af.png) 在后台上传shell [<img src="https://images.seebug.org/upload/201504/201745411947e5853a7267bcfb564f3da3e2daf1.png" alt="7.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/201745411947e5853a7267bcfb564f3da3e2daf1.png) 找到配置文件 并进行数据库连接 [<img src="https://images.seebug.org/upload/201504/201746123a66a22efffec9421e68c169f8b60854.png" alt="8.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/201746123a66a22efffec9421e68c169f8b60854.png) 收集下员工表， [<img src="https://images.seebug.org/upload/201504/2017461802b794ca3e00134d6b8ac149c9bff850.png" alt="9.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/2017461802b794ca3e00134d6b8ac149c9bff850.png) 来到用友tkr系统 利用之前搜集的账号密码尝试登录发现某些用户可以登录 [<img src="https://images.seebug.org/upload/201504/20174845324ecac837c783a1c216e6a9b987726f.png" alt="10.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/20174845324ecac837c783a1c216e6a9b987726f.png) 可以利用上传知识页面进行shell上传 [<img src="https://images.seebug.org/upload/201504/201748562be4d59d84a7642395b72f50ec4e41f0.png" alt="11.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/201748562be4d59d84a7642395b72f50ec4e41f0.png) [<img src="https://images.seebug.org/upload/201504/201749476d2083bdc424eaf8c36476a31c653049.png" alt="12.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/201749476d2083bdc424eaf8c36476a31c653049.png) [<img src="https://images.seebug.org/upload/201504/201749552710bc10bdbdd6588fdc0c56842eac0f.png" alt="13.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/201749552710bc10bdbdd6588fdc0c56842eac0f.png) ，审计登录源码发现该系统存在万能密码 ，利用该密码 可以登录任意用户 [<img src="https://images.seebug.org/upload/201504/20175031b9e40e3dc1b4682b19e7481cf422acbf.png" alt="18.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/20175031b9e40e3dc1b4682b19e7481cf422acbf.png) ``` protected void btnLogin_Click(object sender, EventArgs e) { string URL = "Default.aspx"; if (!String.IsNullOrEmpty(Request.QueryString["PreviouseURL"])) URL = Server.UrlDecode(Request.QueryString["PreviouseURL"]); string UserName = TextBox1.Text.Trim(); string Password = TextBox2.Text.Trim(); bool IsSuccessful = false; string Remark = ""; //涓囪兘瀵嗙爜鐧诲綍 if (!String.IsNullOrEmpty(UserName) && Password == "tkr*123") { Authority.Instance.LoginByDomainAccount(UserName); Response.Redirect(URL); } else { SEAPersonService PersonService = new SEAPersonService(); PersonInfo psn = new PersonInfo(); if (rdoType1.Checked) { psn = PersonService.LoginByDomainAccountWithPassword("pdomain", UserName, Password); } else { psn = PersonService.LoginByUserName(UserName, Password); } ``` 该系统涉及用友所有产品，基本涉及全部源码，不过需要自己去寻找 [<img src="https://images.seebug.org/upload/201504/20175148da25f96a38521b97a1962d8679a77ff6.png" alt="15.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/20175148da25f96a38521b97a1962d8679a77ff6.png) [<img src="https://images.seebug.org/upload/201504/20175154374e4578deb8e175ed937630b51296be.png" alt="16.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/20175154374e4578deb8e175ed937630b51296be.png) [<img src="https://images.seebug.org/upload/201504/201751598d72c96e13e6bee146a67ca194b6bd21.png" alt="17.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/201751598d72c96e13e6bee146a67ca194b6bd21.png)