admin posted on 2022-3-31 03:48:36

ICS security: an intranet penetration of a Towngas China (港华燃气) regional network (various real-time-synchronized sensitive information leaks)

<h3 class="wybug_title" style="margin:0px auto;padding:5px 0px 0px;font-size:14px;font-weight:normal;width:950px;text-indent:10px;word-break:break-all;overflow-wrap:break-word;color:#000000;font-family:Verdana, &quot;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;letter-spacing:normal;orphans:2;text-align:left;text-transform:none;white-space:normal;widows:2;word-spacing:0px;-webkit-text-stroke-width:0px;text-decoration-style:initial;text-decoration-color:initial;">
        <div class="wybug_detail" style="margin:0px;padding:0px;color:#000000;font-family:Verdana, &quot;font-size:12px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;orphans:2;text-align:left;text-indent:0px;text-transform:none;white-space:normal;widows:2;word-spacing:0px;-webkit-text-stroke-width:0px;text-decoration-style:initial;text-decoration-color:initial;">
                <p class="detail" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                        Towngas China (港华燃气) is the subsidiary that The Hong Kong and China Gas Company Limited set up in mainland China to expand and manage its business within China.<br style="margin:0px;padding:0px;" />
There really is one more advanced system, the American Dynac, which neither China Resources Gas (华润) nor China Gas (中燃) has deployed.<br style="margin:0px;padding:0px;" />
Unfortunately I could not guess the password.<br style="margin:0px;padding:0px;" />
http://www.zhihuiranqi.com/html/pc/third/rqjjfarqjjfarqxljcxt.html<br style="margin:0px;padding:0px;" />
This is the system's official site; a clear address can be seen in one of its pictures.<br style="margin:0px;padding:0px;" />
Earlier I had Googled some addresses; when I had no leads, I browsed the official site, learned a few things, and also found this information leak.
                </p>
                <p class="detail usemasaic" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                        <a href="https://w.hundan.org/articles/attach/201508/202021161e910c0425b60b46a0c7855f65cb38b4.png" target="_blank" style="margin:0px;padding:0px;color:#002E8C;text-decoration:none;"><img src="https://w.hundan.org/articles/attach/201508/202021161e910c0425b60b46a0c7855f65cb38b4.png" alt="dwag.PNG" width="600" onerror="javascript:errimg(this);" style="margin:0px;padding:0px;border:none;" /></a>
                </p>
                <p class="detail" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                        <br style="margin:0px;padding:0px;" />
This is the D1000 data-acquisition system of Towngas in Jinan, Shandong.<br style="margin:0px;padding:0px;" />
The picture exposed the username ghgas.<br style="margin:0px;padding:0px;" />
Guessed the password 123456 and it worked.<br style="margin:0px;padding:0px;" />
http://218.56.58.36:8401/log-form.action
                </p>
                <p class="detail usemasaic" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                        <a href="https://w.hundan.org/articles/attach/201508/2022001140b675a4457b4b0589fc77f92d0c960f.png" target="_blank" style="margin:0px;padding:0px;color:#002E8C;text-decoration:none;"><img src="https://w.hundan.org/articles/attach/201508/2022001140b675a4457b4b0589fc77f92d0c960f.png" alt="wdad.png" width="600" onerror="javascript:errimg(this);" style="margin:0px;padding:0px;border:none;" /></a>
                </p>
                <p class="detail" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                        <br style="margin:0px;padding:0px;" />
Locations of the various boilers in the Jinan area
                </p>
                <p class="detail usemasaic" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                        <a href="https://w.hundan.org/articles/attach/201508/20220101a9ecc2cf06b5a4945a852160be3b1498.png" target="_blank" style="margin:0px;padding:0px;color:#002E8C;text-decoration:none;"><img src="https://w.hundan.org/articles/attach/201508/20220101a9ecc2cf06b5a4945a852160be3b1498.png" alt="fawfwe.PNG" width="600" onerror="javascript:errimg(this);" style="margin:0px;padding:0px;border:none;" /></a>
                </p>
                <p class="detail" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                        <br style="margin:0px;padding:0px;" />
Based on past experience, I immediately judged that port 8400 must host a production system,<br style="margin:0px;padding:0px;" />
and that port 13XX must be mapped out, with the database password still at the default.<br style="margin:0px;padding:0px;" />
Backend admin/123456<br style="margin:0px;padding:0px;" />
http://218.56.58.36:8400<br style="margin:0px;padding:0px;" />
getshell
                </p>
                <p class="detail usemasaic" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                        <a href="https://w.hundan.org/articles/attach/201508/20220421083e97fa50ba762e2094f9d0b9c7702b.png" target="_blank" style="margin:0px;padding:0px;color:#002E8C;text-decoration:none;"><img src="https://w.hundan.org/articles/attach/201508/20220421083e97fa50ba762e2094f9d0b9c7702b.png" alt="dwafa.PNG" width="600" onerror="javascript:errimg(this);" style="margin:0px;padding:0px;border:none;" /></a>
                </p>
                <p class="detail" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                        <br style="margin:0px;padding:0px;" />
All the report servers can be viewed
                </p>
                <p class="detail usemasaic" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                        <a href="https://w.hundan.org/articles/attach/201508/2022044641b08c05fc30ee0f21a24f8e2aabadc2.png" target="_blank" style="margin:0px;padding:0px;color:#002E8C;text-decoration:none;"><img src="https://w.hundan.org/articles/attach/201508/2022044641b08c05fc30ee0f21a24f8e2aabadc2.png" alt="dwagh.PNG" width="600" onerror="javascript:errimg(this);" style="margin:0px;padding:0px;border:none;" /></a>
                </p>
                <p class="detail" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                        <br style="margin:0px;padding:0px;" />
Privilege escalation succeeded
                </p>
                <p class="detail usemasaic" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                        <a href="https://w.hundan.org/articles/attach/201508/20220608093a34cf2dd37d1ff29dc6f55c2a6115.png" target="_blank" style="margin:0px;padding:0px;color:#002E8C;text-decoration:none;"><img src="https://w.hundan.org/articles/attach/201508/20220608093a34cf2dd37d1ff29dc6f55c2a6115.png" alt="dawx.PNG" width="600" onerror="javascript:errimg(this);" style="margin:0px;padding:0px;border:none;" /></a>
                </p>
                <p class="detail" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                        <br style="margin:0px;padding:0px;" />
Checking the 3389 mapping
                </p>
                <p class="detail usemasaic" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                        <a href="https://w.hundan.org/articles/attach/201508/20220638cf10256c7808ebe127729b6fd906f9fd.png" target="_blank" style="margin:0px;padding:0px;color:#002E8C;text-decoration:none;"><img src="https://w.hundan.org/articles/attach/201508/20220638cf10256c7808ebe127729b6fd906f9fd.png" alt="dwadfbb.PNG" width="600" onerror="javascript:errimg(this);" style="margin:0px;padding:0px;border:none;" /></a>
                </p>
                <p class="detail" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                        <br style="margin:0px;padding:0px;" />
1314<br style="margin:0px;padding:0px;" />
Connected into the server<br style="margin:0px;padding:0px;" />
IESE1000
                </p>
                <p class="detail usemasaic" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                        <a href="https://w.hundan.org/articles/attach/201508/20220712f0844d56c6f97f2b429f3989e242a806.png" target="_blank" style="margin:0px;padding:0px;color:#002E8C;text-decoration:none;"><img src="https://w.hundan.org/articles/attach/201508/20220712f0844d56c6f97f2b429f3989e242a806.png" alt="fwafahj.PNG" width="600" onerror="javascript:errimg(this);" style="margin:0px;padding:0px;border:none;" /></a>
                </p>
                <p class="detail" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                        <br style="margin:0px;padding:0px;" />
Account/password
                </p>
                <p class="detail usemasaic" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                        <a href="https://w.hundan.org/articles/attach/201508/20220759486f28ba76c1fe4f9ab5a7a9be96161e.png" target="_blank" style="margin:0px;padding:0px;color:#002E8C;text-decoration:none;"><img src="https://w.hundan.org/articles/attach/201508/20220759486f28ba76c1fe4f9ab5a7a9be96161e.png" alt="wawttw.PNG" width="600" onerror="javascript:errimg(this);" style="margin:0px;padding:0px;border:none;" /></a>
                </p>
                <p class="detail" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                        <br style="margin:0px;padding:0px;" />
Human-machine interface
                </p>
                <p class="detail usemasaic" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                        <a href="https://w.hundan.org/articles/attach/201508/202207378352e165db43ff807262d4494c0a07fb.png" target="_blank" style="margin:0px;padding:0px;color:#002E8C;text-decoration:none;"><img src="https://w.hundan.org/articles/attach/201508/202207378352e165db43ff807262d4494c0a07fb.png" alt="dwadgh.PNG" width="600" onerror="javascript:errimg(this);" style="margin:0px;padding:0px;border:none;" /></a>
                </p>
                <p class="detail" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                        <br style="margin:0px;padding:0px;" />
The intranet can be scanned through the webshell proxy.<br style="margin:0px;padding:0px;" />
As long as the file is uploaded as a js script, it can be called directly without having to go through the mandatory login.
                </p>
                <p class="detail usemasaic" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                        <a href="https://w.hundan.org/articles/attach/201508/20220946b6f95f0ef72d0d3ff6cc9dc11ccaaa48.png" target="_blank" style="margin:0px;padding:0px;color:#002E8C;text-decoration:none;"><img src="https://w.hundan.org/articles/attach/201508/20220946b6f95f0ef72d0d3ff6cc9dc11ccaaa48.png" alt="wdag.PNG" width="600" onerror="javascript:errimg(this);" style="margin:0px;padding:0px;border:none;" /></a>
                </p>
                <p class="detail" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                        <br style="margin:0px;padding:0px;" />
192.168.1.11 can be downloaded from
                </p>
                <p class="detail usemasaic" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                        <a href="https://w.hundan.org/articles/attach/201508/2022423361fd3a123d2984d4543014d081a627ad.png" target="_blank" style="margin:0px;padding:0px;color:#002E8C;text-decoration:none;"><img src="https://w.hundan.org/articles/attach/201508/2022423361fd3a123d2984d4543014d081a627ad.png" alt="wdag.PNG" width="600" onerror="javascript:errimg(this);" style="margin:0px;padding:0px;border:none;" /></a>
                </p>
                <p class="detail" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                        <br style="margin:0px;padding:0px;" />
On port 8080 there is also a Dynac integrated central-control SCADA; I could not work out its default password.<br style="margin:0px;padding:0px;" />
According to Baidu, Towngas is the only vendor in China using it.<br style="margin:0px;padding:0px;" />
According to netstat -ano,<br style="margin:0px;padding:0px;" />
there is an office network connected to the 1433 server,<br style="margin:0px;padding:0px;" />
10.39.16.X,<br style="margin:0px;padding:0px;" />
all with 139/445 open.
                </p>
                <p class="detail usemasaic" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                        <a href="https://w.hundan.org/articles/attach/201508/20224806de382d89119c3bc6f4b2462b61e17c88.png" target="_blank" style="margin:0px;padding:0px;color:#002E8C;text-decoration:none;"><img src="https://w.hundan.org/articles/attach/201508/20224806de382d89119c3bc6f4b2462b61e17c88.png" alt="fwaf.PNG" width="600" onerror="javascript:errimg(this);" style="margin:0px;padding:0px;border:none;" /></a>
                </p>
                <p class="detail" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                        <br style="margin:0px;padding:0px;" />
The next step can be taken
                </p>
        </div>
        <h3 class="detailTitle" style="margin:15px auto 0px;padding:5px 0px 0px;font-size:14px;font-weight:normal;width:950px;text-indent:10px;word-break:break-all;overflow-wrap:break-word;border-left:5px solid #999999;color:#000000;font-family:Verdana, &quot;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;letter-spacing:normal;orphans:2;text-align:left;text-transform:none;white-space:normal;widows:2;word-spacing:0px;-webkit-text-stroke-width:0px;text-decoration-style:initial;text-decoration-color:initial;">
Vulnerability proof:
        </h3>
        <div class="wybug_poc" style="margin:0px;padding:0px;color:#000000;font-family:Verdana, &quot;font-size:12px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;orphans:2;text-align:left;text-indent:0px;text-transform:none;white-space:normal;widows:2;word-spacing:0px;-webkit-text-stroke-width:0px;text-decoration-style:initial;text-decoration-color:initial;">
                <p class="detail" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                        <br />
                </p>
                <p class="detail usemasaic" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                        <a href="https://w.hundan.org/articles/attach/201508/2022423361fd3a123d2984d4543014d081a627ad.png" target="_blank" style="margin:0px;padding:0px;color:#002E8C;text-decoration:none;"><img src="https://w.hundan.org/articles/attach/201508/2022423361fd3a123d2984d4543014d081a627ad.png" alt="wdag.PNG" width="600" onerror="javascript:errimg(this);" style="margin:0px;padding:0px;border:none;" /></a>
                </p>
                <p class="detail" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                        <br />
                </p>
                <p class="detail usemasaic" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                        <a href="https://w.hundan.org/articles/attach/201508/202207378352e165db43ff807262d4494c0a07fb.png" target="_blank" style="margin:0px;padding:0px;color:#FF6600;text-decoration:underline;"><img src="https://w.hundan.org/articles/attach/201508/202207378352e165db43ff807262d4494c0a07fb.png" alt="dwadgh.PNG" width="600" onerror="javascript:errimg(this);" style="margin:0px;padding:0px;border:none;" /></a>
                </p>
        </div>
</h3>