ICS Security: China Resources Gas Sensitive Environment Not on a Dedicated Line, Allowing Intranet Penetration
<!--StartFragment--><div class="wybug_detail" style="margin:0px;padding:0px;color:#000000;font-family:Verdana, "font-size:12px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;orphans:2;text-align:left;text-indent:0px;text-transform:none;white-space:normal;widows:2;word-spacing:0px;-webkit-text-stroke-width:0px;text-decoration-style:initial;text-decoration-color:initial;">
<p class="detail" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
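Why I did not go any further:<br style="margin:0px;padding:0px;" />
1. I deliberately picked the early hours of the morning for the test to avoid the administrators, only to run into an administrator up playing cards... My mistake, so I submitted right away.<br style="margin:0px;padding:0px;" />
The administrators of the China Resources and WISCO (Wuhan Iron and Steel) cooperation are quite dedicated..<br style="margin:0px;padding:0px;" />
Product model IES-E1000, by 积成电子股份有限公司 (Jicheng Electronics Co., Ltd.)<br style="margin:0px;padding:0px;" />
More complete than SCADA; a brand-new intelligent system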
</p>
<p class="detail usemasaic" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
<a href="https://w.hundan.org/articles/attach/201508/06012604d3d92118096b16c6bf8e6137876e808b.png" target="_blank" style="margin:0px;padding:0px;color:#002E8C;text-decoration:none;"><img src="https://w.hundan.org/articles/attach/201508/06012604d3d92118096b16c6bf8e6137876e808b.png" alt="0.png" width="600" onerror="javascript:errimg(this);" style="margin:0px;padding:0px;border:none;" /></a>
</p>
<p class="detail" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
<br style="margin:0px;padding:0px;" />
First, a SCADA weak password with real-time data as a warm-up<br style="margin:0px;padding:0px;" />
http://222.210.108.226:6101/CDLF/app_page/MainApp.html<br style="margin:0px;padding:0px;" />
admin/123456
</p>
<p class="detail usemasaic" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
<a href="https://w.hundan.org/articles/attach/201508/06013235400d05bfe065ec3731d5399476b8838c.png" target="_blank" style="margin:0px;padding:0px;color:#002E8C;text-decoration:none;"><img src="https://w.hundan.org/articles/attach/201508/06013235400d05bfe065ec3731d5399476b8838c.png" alt="1x6.PNG" width="600" onerror="javascript:errimg(this);" style="margin:0px;padding:0px;border:none;" /></a>
</p>
<p class="detail" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
<br />
</p>
<p class="detail usemasaic" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
<a href="https://w.hundan.org/articles/attach/201508/0601324866f79d7707ef2560f41c3789de65edda.png" target="_blank" style="margin:0px;padding:0px;color:#002E8C;text-decoration:none;"><img src="https://w.hundan.org/articles/attach/201508/0601324866f79d7707ef2560f41c3789de65edda.png" alt="1x5.PNG" width="600" onerror="javascript:errimg(this);" style="margin:0px;padding:0px;border:none;" /></a>
</p>
<p class="detail" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
<br style="margin:0px;padding:0px;" />
Entry point into the internal network:<br style="margin:0px;padding:0px;" />
http://27.17.51.78:8400 monitoring platform, weak password<br style="margin:0px;padding:0px;" />
admin/123456<br style="margin:0px;padding:0px;" />
Upload to get a shell
</p>
<p class="detail usemasaic" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
<a href="https://w.hundan.org/articles/attach/201508/06012956a8e9487478f19410d031808158b3738f.png" target="_blank" style="margin:0px;padding:0px;color:#002E8C;text-decoration:none;"><img src="https://w.hundan.org/articles/attach/201508/06012956a8e9487478f19410d031808158b3738f.png" alt="1x.PNG" width="600" onerror="javascript:errimg(this);" style="margin:0px;padding:0px;border:none;" /></a>
</p>
<p class="detail" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
<br style="margin:0px;padding:0px;" />
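But it was not that simple: no directory was shown at all<br style="margin:0px;padding:0px;" />
After forwarding the request through Burp the file name appeared; I then guessed the directory, and /svg/$filename$ exists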
</p>
<p class="detail usemasaic" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
<a href="https://w.hundan.org/articles/attach/201508/060131026ce3856dbfbaded8c0bbb74b91fc02c9.png" target="_blank" style="margin:0px;padding:0px;color:#002E8C;text-decoration:none;"><img src="https://w.hundan.org/articles/attach/201508/060131026ce3856dbfbaded8c0bbb74b91fc02c9.png" alt="xad.PNG" width="600" onerror="javascript:errimg(this);" style="margin:0px;padding:0px;border:none;" /></a>
</p>
<p class="detail" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
<br style="margin:0px;padding:0px;" />
Privilege escalation OK
</p>
<p class="detail usemasaic" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
<a href="https://w.hundan.org/articles/attach/201508/06013120f35268f27d8ef2b4955d3966021f519e.png" target="_blank" style="margin:0px;padding:0px;color:#002E8C;text-decoration:none;"><img src="https://w.hundan.org/articles/attach/201508/06013120f35268f27d8ef2b4955d3966021f519e.png" alt="1xad.PNG" width="600" onerror="javascript:errimg(this);" style="margin:0px;padding:0px;border:none;" /></a>
</p>
<p class="detail" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
<br style="margin:0px;padding:0px;" />
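Because all JSP shells were redirected to login.jsp,<br style="margin:0px;padding:0px;" />
and the full-featured shell could get in because it carried cookies,<br style="margin:0px;padding:0px;" />
I used lcx for forwarding<br style="margin:0px;padding:0px;" />
First, I queried MSSQL for any passwords for the IES-E1000 system platform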
</p>
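<p class="detail">
A defender-side check for the two behaviours described above (uploaded files reachable under /svg/, and JSP requests redirected to login.jsp unless they carry a session cookie). This is an added example, not part of the original report; the log format, sample lines and extension list are assumptions.
</p>

```python
import re
from urllib.parse import unquote, urlsplit

UPLOAD_DIR = "/svg/"             # upload directory named in the write-up
SCRIPT_EXTS = (".jsp", ".jspx")  # assumption: extensions the container executes

# Constructed sample access-log lines (common log format), not from the report.
SAMPLE_LOG = """\
198.51.100.7 - - [06/Aug/2015:01:21:02 +0800] "GET /svg/station_map.svg HTTP/1.1" 200 8812
198.51.100.7 - - [06/Aug/2015:01:22:40 +0800] "GET /svg/a.jsp HTTP/1.1" 302 0
198.51.100.7 - - [06/Aug/2015:01:23:15 +0800] "GET /SVG/b%2Ejsp;jsessionid=0A1B?x=1 HTTP/1.1" 200 5120
203.0.113.9 - - [06/Aug/2015:01:25:00 +0800] "GET /login.jsp HTTP/1.1" 200 2301
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalise(target):
    """Decode the path, drop ';param' suffixes per segment, and lower-case it."""
    path = unquote(urlsplit(target).path)
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    return path.lower()  # case-insensitive match, as on a Windows host

def classify(status):
    if status == 200:
        return "EXECUTED"    # script under the upload dir answered directly
    if status in (301, 302):
        return "REDIRECTED"  # e.g. bounced to login.jsp by the auth filter
    return "PROBE"

def find_upload_dir_scripts(log_text):
    """Return (client_ip, normalised_path, verdict) for script hits in UPLOAD_DIR."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path = normalise(m["target"])
        if path.startswith(UPLOAD_DIR) and path.endswith(SCRIPT_EXTS):
            findings.append((m["ip"], path, classify(int(m["status"]))))
    return findings

if __name__ == "__main__":
    for finding in find_upload_dir_scripts(SAMPLE_LOG):
        print(finding)
```

<p class="detail">
Any EXECUTED hit means the upload directory is serving server-side code; the durable fix is to store uploads outside the web root or disable script execution for that directory.
</p>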
<p class="detail usemasaic" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
<a href="https://w.hundan.org/articles/attach/201508/060135144ae467e95e718c7a1d84f6fc9e56a91f.png" target="_blank" style="margin:0px;padding:0px;color:#002E8C;text-decoration:none;"><img src="https://w.hundan.org/articles/attach/201508/060135144ae467e95e718c7a1d84f6fc9e56a91f.png" alt="hjkll.PNG" width="600" onerror="javascript:errimg(this);" style="margin:0px;padding:0px;border:none;" /></a>
</p>
<p class="detail" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
<br style="margin:0px;padding:0px;" />
张/123456, 123456 yet again - - there are far too many weak passwords in ICS security<br style="margin:0px;padding:0px;" />
Logged in to the system
</p>
<p class="detail usemasaic" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
<a href="https://w.hundan.org/articles/attach/201508/060135522578ccb4eb3878fe57d14c2506fbec31.png" target="_blank" style="margin:0px;padding:0px;color:#002E8C;text-decoration:none;"><img src="https://w.hundan.org/articles/attach/201508/060135522578ccb4eb3878fe57d14c2506fbec31.png" alt="ghj.PNG" width="600" onerror="javascript:errimg(this);" style="margin:0px;padding:0px;border:none;" /></a>
</p>
<p class="detail" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
<br style="margin:0px;padding:0px;" />
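Real-time data and human-machine interaction (other white hats have reported this before; human-machine interaction means the machines can be controlled)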
</p>
<p class="detail usemasaic" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
<a href="https://w.hundan.org/articles/attach/201508/06013705815659cc3b5936a045383f8206928656.png" target="_blank" style="margin:0px;padding:0px;color:#002E8C;text-decoration:none;"><img src="https://w.hundan.org/articles/attach/201508/06013705815659cc3b5936a045383f8206928656.png" alt="fghj.PNG" width="600" onerror="javascript:errimg(this);" style="margin:0px;padding:0px;border:none;" /></a>
</p>
<p class="detail" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
<br />
</p>
<p class="detail usemasaic" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
<a href="https://w.hundan.org/articles/attach/201508/060138009debf252b8e152a07084d006228ba17b.png" target="_blank" style="margin:0px;padding:0px;color:#002E8C;text-decoration:none;"><img src="https://w.hundan.org/articles/attach/201508/060138009debf252b8e152a07084d006228ba17b.png" alt="xxgga.PNG" width="600" onerror="javascript:errimg(this);" style="margin:0px;padding:0px;border:none;" /></a>
</p>
<p class="detail" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
<br style="margin:0px;padding:0px;" />
An XP machine on the same network segment is the operations staff's host; its password is the same as the server's<br style="margin:0px;padding:0px;" />
172.1.13.10/11
</p>
<p class="detail usemasaic" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
<a href="https://w.hundan.org/articles/attach/201508/060140219c7c1a67d1985096d2f7383bdf08c92e.png" target="_blank" style="margin:0px;padding:0px;color:#002E8C;text-decoration:none;"><img src="https://w.hundan.org/articles/attach/201508/060140219c7c1a67d1985096d2f7383bdf08c92e.png" alt="ffsdf.PNG" width="600" onerror="javascript:errimg(this);" style="margin:0px;padding:0px;border:none;" /></a>
</p>
<p class="detail" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
<br style="margin:0px;padding:0px;" />
172.1.13.101 admin/12345<br style="margin:0px;padding:0px;" />
Hikvision: no escaping it in the end
</p>
<p class="detail usemasaic" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
<a href="https://w.hundan.org/articles/attach/201508/060144181b26102f6e52d2ce50761b825133fa99.png" target="_blank" style="margin:0px;padding:0px;color:#002E8C;text-decoration:none;"><img src="https://w.hundan.org/articles/attach/201508/060144181b26102f6e52d2ce50761b825133fa99.png" alt="fff.PNG" width="600" onerror="javascript:errimg(this);" style="margin:0px;padding:0px;border:none;" /></a>
</p>
<p class="detail" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
<br />
</p>
</div>
<h3 class="detailTitle" style="margin:15px auto 0px;padding:5px 0px 0px;font-size:14px;font-weight:normal;width:950px;text-indent:10px;word-break:break-all;overflow-wrap:break-word;border-left:5px solid #999999;color:#000000;font-family:Verdana, "font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;letter-spacing:normal;orphans:2;text-align:left;text-transform:none;white-space:normal;widows:2;word-spacing:0px;-webkit-text-stroke-width:0px;text-decoration-style:initial;text-decoration-color:initial;">
Proof of vulnerability:
</h3>
<div class="wybug_poc" style="margin:0px;padding:0px;color:#000000;font-family:Verdana, "font-size:12px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;orphans:2;text-align:left;text-indent:0px;text-transform:none;white-space:normal;widows:2;word-spacing:0px;-webkit-text-stroke-width:0px;text-decoration-style:initial;text-decoration-color:initial;">
<p class="detail" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
<br />
</p>
<p class="detail usemasaic" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
<a href="https://w.hundan.org/articles/attach/201508/06014156fed2c728be532eb5bdc5b2891d5748ca.png" target="_blank" style="margin:0px;padding:0px;color:#002E8C;text-decoration:none;"><img src="https://w.hundan.org/articles/attach/201508/06014156fed2c728be532eb5bdc5b2891d5748ca.png" alt="ghj.PNG" width="600" onerror="javascript:errimg(this);" style="margin:0px;padding:0px;border:none;" /></a>
</p>
<p class="detail" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
<br />
</p>
<p class="detail usemasaic" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
<a href="https://w.hundan.org/articles/attach/201508/06014213d9f90ebbfde94a0ff1472aff90986844.png" target="_blank" style="margin:0px;padding:0px;color:#FF6600;text-decoration:underline;"><img src="https://w.hundan.org/articles/attach/201508/06014213d9f90ebbfde94a0ff1472aff90986844.png" alt="xxgga.PNG" width="600" onerror="javascript:errimg(this);" style="margin:0px;padding:0px;border:none;" /></a>
</p>
</div>
<!--EndFragment-->