LOCKet (臻至科技): one vulnerability allows direct internal network penetration (Mail leak/Getshell/Gitlab/Redis can lead to server compromise)


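Vulnerability title: LOCKet (臻至科技): one vulnerability allows direct internal network penetration (Mail leak/Getshell/Gitlab/Redis can lead to server compromise)
Vendor: zenzet.com
Author: 爱上平顶山
Submitted: 2016-05-04 13:15
Publicly disclosed: 2016-06-18 18:00
Vulnerability type: Important sensitive information disclosure
Severity: High
Self-assessed rank: 20
Status: Confirmed by vendor
Tags: Sensitive information disclosure

Vulnerability details

臻至科技 security team is recruiting~

1, http://blog.zenzet.com:8010/wordpress/ blog 123456789a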

A shell can be written directly through the plugin.

Internal network:

/> uname -a
Linux ubuntu-14-04-3 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
/> ifconfig
eth0 Link encap:Ethernet HWaddr 00:0c:29:02:1a:20
inet addr:192.168.10.161 Bcast:192.168.10.255 Mask:255.255.255.0
Failure when receiving data from the peer
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:610735383 errors:0 dropped:0 overruns:0 frame:0
TX packets:610735383 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:52625363320 (52.6 GB) TX bytes:52625363320 (52.6 GB)
/> arp -a

2, Redis unauthorized access

115.29.203.54:6379
115.29.203.54:7000
115.29.203.54:6789

Connected.

115.29.203.54:0> info
115.29.203.54:0> keys *
格拉基特

It looks like it has already been hit.

Take a look at this.

3, Gitlab

http://git.zenzet.com/

All projects can be browsed directly at http://git.zenzet.com/explore

4, Mail

OK.

Other: