Vulnerability Detail Report
Vulnerability Overview
- ZDID: ZD-2022-00583
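- Vendor: Taiwan Power Company (台灣電力公司)
- Title: [Bounty] Taiwan Power Company Nuclear Technology Department (核技處) Decommissioning Facility Construction Information Platform Arbitrary File Upload to RCE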
- Introduction: Arbitrary File Upload to RCE
Status
Current status: Public
Last Update : 2022/10/03
- New submission
- Reviewed
- Reported
- Patched
- Retested
- Public
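History
- 2022/08/03 00:22:33 : New submission (status updated by MksYi)
- 2022/08/03 00:42:48 : New submission (status updated by MksYi)
- 2022/08/03 01:08:51 : New submission (status updated by MksYi)
- 2022/08/04 03:52:13 : New submission (status updated by MksYi)
- 2022/08/04 03:52:53 : New submission (status updated by MksYi)
- 2022/08/04 03:57:21 : New submission (status updated by MksYi)
- 2022/08/04 06:58:07 : New submission (status updated by MksYi)
- 2022/08/04 08:52:15 : Under review (status updated by the HITCON ZeroDay service team)
- 2022/09/28 11:04:01 : Retest requested (status updated by the HITCON ZeroDay service team)
- 2022/09/29 12:40:21 : Fix confirmed (status updated by MksYi)
- 2022/10/03 03:00:04 : Public (automatically updated by the HITCON ZeroDay platform)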
Details
- ZDID: ZD-2022-00583
- Reporter: MksYi (MksYi)
- Risk: Critical
- Type: Arbitrary File Upload
References
An attacker can upload arbitrary files to the host and may be able to obtain system privileges on the host through the uploaded file.
Vulnerability description: OWASP - Unrestricted File Upload
https://www.owasp.org/index.php/Unrestricted_File_Upload
Vulnerability description: CWE-434: Unrestricted Upload of File with Dangerous Type
https://cwe.mitre.org/data/definitions/434.html
(The information in this field is generated automatically by the system from the vulnerability category and serves as reference material for the vulnerability.)
Related URL
https://d027-dmzsvr.taipower.com.tw/CIC/UploadForm
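Description
Arbitrary File Upload
- Used "ZD-2022-00582" to obtain login access.
- Found an upload page on the site.
- Attempted to upload a trojan; the upload succeeded.
- Successfully connected a management tool and confirmed the IP status and whoami information.
- Successfully escalated privileges to system, the highest privilege level on Windows.
- After a series of operations, obtained Local Admin privileges on the system:
  kerberos :
   * Username : d027Web
   * Domain : D027-DMZSVR
   * Password : !**************v (password masked)
- Then established an RDP remote desktop connection.
- Internal network probing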
Probing the same internal network segment (10.21.1.x) returned the following information.
- HTTP and HTTPS services on the internal network were also successfully accessed.