2016-02-21: 细节已通知厂商并且等待厂商处理中 2016-02-22: 厂商已经确认,细节仅向厂商公开 2016-03-03: 细节向核心白帽子及相关领域专家公开 2016-03-13: 细节向普通白帽子公开 2016-03-23: 细节向实习白帽子公开 2016-03-07: 细节向公众公开
厂商又活了,看到要送礼物了,那就来几发漏洞吧。
问题出现在论坛：http://bbs.xxzhushou.cn/config/.config_ucenter.php.swp 和 http://bbs.xxzhushou.cn/uc_server/data/.config.inc.php.swp 这两个 .swp 备份文件没有删除。
看到泄露了key 尝试是否有效
可以，key 可以用。我通过 key 修改了后台管理员密码：用户名 admin，密码 mango1995。
然后通过 http://wooyun.org/bugs/wooyun-2014-065559 getshell http://bbs.xxzhushou.cn/0.php 密码a
执行命令后发现这台机器处在好多网络中~
[/data/web/xxzhushou/bbs/]$ /sbin/ifconfig em1 Link encap:Ethernet HWaddr F0:1F:AF:D8:E1:A6 inet addr:14.18.239.130 Bcast:14.18.239.255 Mask:255.255.255.128 inet6 addr: fe80::f21f:afff:fed8:e1a6/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:46107535393 errors:0 dropped:243 overruns:0 frame:10303 TX packets:47409899906 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:16078038561918 (14.6 TiB) TX bytes:17325631484183 (15.7 TiB) Interrupt:16 em1:0 Link encap:Ethernet HWaddr F0:1F:AF:D8:E1:A6 inet addr:122.13.72.194 Bcast:122.13.72.255 Mask:255.255.255.192 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 Interrupt:16 em1:1 Link encap:Ethernet HWaddr F0:1F:AF:D8:E1:A6 inet addr:183.232.69.157 Bcast:183.232.69.159 Mask:255.255.255.224 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 Interrupt:16 em1:2 Link encap:Ethernet HWaddr F0:1F:AF:D8:E1:A6 inet addr:192.168.1.130 Bcast:192.168.1.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 Interrupt:16 em1:3 Link encap:Ethernet HWaddr F0:1F:AF:D8:E1:A6 inet addr:183.232.5.146 Bcast:183.232.5.159 Mask:255.255.255.240 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 Interrupt:16 lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:11999976233 errors:0 dropped:0 overruns:0 frame:0 TX packets:11999976233 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:6578621050766 (5.9 TiB) TX bytes:6578621050766 (5.9 TiB)
于是果断尝试之前发现的那些泄露问题，配置文件内容如下：
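<?php
/////////////////////////////////////////////////////////////////////
// Design: database reads and writes are kept fully separate and use
// distinct connection parameters, so each side can point at a different
// server. The connection helper walks a parameter array in order and tries
// each entry until one connection succeeds or all of them fail.
//
// NOTE(review): this file carries plaintext credentials and an editor
// backup of it (.swp) was reachable over HTTP. Configuration with secrets
// should live outside the web root (environment or a secret store), and
// any credential that has been exposed should be rotated.
//
// SYSDIR_CACHE is not defined in this file; it is expected to be defined by
// whatever bootstrap includes this config — confirm before reusing the file.
/////////////////////////////////////////////////////////////////////
$DB_CONFIG = array(
    'read' => array(
        array(
            'dbms' => 'mysql',
            'host' => '14.18.239.130',
            'user' => 'analytics',
            'password' => 'xxanal123&*(',
            'port' => 3306,
            'dbname' => 'analytics',
            'charset' => 'utf8',
        ),
        // additional read replicas go here
    ),
    'write' => array(
        array(
            'dbms' => 'mysql',
            'host' => '14.18.239.130',
            'user' => 'analytics',
            'password' => 'xxanal123&*(',
            'port' => 3306,
            'dbname' => 'analytics',
            'charset' => 'utf8',
        ),
    ),
    // 'api_backend' was declared twice in the original literal. PHP keeps the
    // value of the last declaration at the position of the first key, so the
    // earlier 192.168.1.131/testXXDb entry was never used and has been dropped;
    // the effective value is kept here, at the first key's position.
    // NOTE(review): root with an empty password.
    'api_backend' => array(
        array(
            'dbms' => 'mysql',
            'host' => '127.0.0.1',
            'user' => 'root',
            'password' => '',
            'port' => 3306,
            'dbname' => 'xxserver',
            'charset' => 'utf8',
        ),
    ),
    'api_feedback' => array(
        array(
            'dbms' => 'mysql',
            'host' => '192.168.1.130',
            'user' => 'api_flamingo',
            'password' => 'lad9Ad9@3^ladk*A',
            'port' => 3306,
            'dbname' => 'XXFeedBack',
            'charset' => 'utf8',
        ),
    ),
    'analyticsUser' => array(
        array(
            'dbms' => 'mysql',
            'host' => '14.18.239.130',
            'user' => 'analytics',
            'password' => 'xxanal123&*(',
            'port' => 3306,
            'dbname' => 'XXUser',
            'charset' => 'utf8',
        ),
    ),
    // 'statistics' was also declared twice; same rule as 'api_backend' above.
    // The earlier 192.168.1.131/xxstatistics/XXStatistics entry was shadowed
    // and has been dropped.
    'statistics' => array(
        array(
            'dbms' => 'mysql',
            'host' => '127.0.0.1',
            'user' => 'root',
            'password' => '',
            'port' => 3306,
            'dbname' => 'xxserver',
            'charset' => 'utf8',
        ),
    ),
    'package' => array(
        array(
            'dbms' => 'mysql',
            'host' => '192.168.1.131',
            'user' => 'xxstatistics',
            'password' => 'xxst123789',
            'port' => 3306,
            'dbname' => 'package',
            'charset' => 'utf8',
        ),
    ),
    'eventlog' => array(
        array(
            'dbms' => 'mysql',
            'host' => '192.168.1.131',
            'user' => 'xxstatistics',
            'password' => 'xxst123789',
            'port' => 3306,
            'dbname' => 'eventlog',
            'charset' => 'utf8',
            // only this pool asks for a persistent connection
            'persistency' => true,
        ),
    ),
    'bbs' => array(
        array(
            'dbms' => 'mysql',
            'host' => '192.168.1.131',
            'user' => 'xxbbs',
            'password' => 'xxBbs789!3',
            'port' => 3306,
            'dbname' => 'XXBbs',
            'charset' => 'utf8',
        ),
    ),
    'bbs2' => array(
        array(
            'dbms' => 'mysql',
            'host' => '127.0.0.1',
            'user' => 'root',
            'password' => '',
            'port' => 3306,
            'dbname' => 'mydiscuz',
            'charset' => 'utf8',
        ),
    ),
    'test' => array(
        array(
            'dbms' => 'mysql',
            'host' => '127.0.0.1',
            'user' => 'root',
            'password' => '',
            'port' => 3306,
            'dbname' => 'test',
            'charset' => 'utf8',
        ),
    ),
    'testUserWrite' => array(
        array(
            'dbms' => 'mysql',
            'host' => '14.18.239.131',
            'user' => 'testXXUser',
            'password' => 'testXXUser123',
            'port' => 3306,
            'dbname' => 'testXXUser',
            'charset' => 'utf8',
        ),
    ),
    'testGuopan1' => array(
        array(
            'dbms' => 'mysql',
            'host' => '14.18.239.131',
            'user' => 'testGuopan',
            'password' => 'testGp123@',
            'port' => 3306,
            'dbname' => 'testGuopan',
            'charset' => 'utf8',
        ),
    ),
    'testGuopan' => array(
        array(
            'dbms' => 'mysql',
            'host' => 'localhost',
            'user' => 'root',
            'password' => '',
            'port' => 3306,
            'dbname' => 'test',
            'charset' => 'utf8',
        ),
    ),
    'guopan' => array(
        array(
            'dbms' => 'mysql',
            'host' => 'localhost',
            'user' => 'root',
            'password' => '',
            'port' => 3306,
            'dbname' => 'guopan',
            'charset' => 'utf8',
        ),
    ),
    'xxcms' => array(
        array(
            'dbms' => 'mysql',
            'host' => 'localhost',
            'user' => 'root',
            'password' => '',
            'port' => 3306,
            'dbname' => 'xxcms',
            'charset' => 'utf8',
        ),
    ),
    'oobbs' => array(
        array(
            'dbms' => 'mysql',
            'host' => '127.0.0.1',
            'user' => 'root',
            'password' => '',
            'port' => 3306,
            'dbname' => 'oobbs',
            'charset' => 'utf8',
        ),
    ),
    // channel data statistics
    'datastat' => array(
        array(
            'dbms' => 'mysql',
            'host' => '127.0.0.1',
            'user' => 'root',
            'password' => '',
            'port' => 3306,
            'dbname' => 'datasta',
            'charset' => 'utf8',
        ),
    ),
    // channel data statistics
    'gpbbs' => array(
        array(
            'dbms' => 'mysql',
            'host' => '127.0.0.1',
            'user' => 'root',
            'password' => '',
            'port' => 3306,
            'dbname' => 'gpbbs',
            'charset' => 'utf8',
        ),
    ),
    // additional databases go here
);

/////////////////////////////////////////////////////////////////////
// Cache configuration. 'use_config' names the entry below that is active
// (the original comment still described a 0/1 index; the value is a key).
/////////////////////////////////////////////////////////////////////
$CACHE_CONFIG = array(
    'use_config' => 'file',
    'memcache' => array(
        'type' => 'memcache',
        'server' => array(
            // array('host' => 'server1', 'port' => '11211', 'weight' => '10'),
            array('host' => '192.168.1.130', 'port' => '11211', 'weight' => '10'),
        ),
        'ttl' => 7200,
        'compress' => false,
    ),
    'file' => array(
        'type' => 'file',
        'cache_dir' => SYSDIR_CACHE . '/tmp/',
        'ttl' => 600,
    ),
);

/////////////////////////////////////////////////////////////////////
// Session configuration. 'use_config' names the active entry, as above.
/////////////////////////////////////////////////////////////////////
$SESSION_CONFIG = array(
    'use_config' => 'files',
    'memcache' => array(
        'type' => 'memcache',
        'save_path' => 'tcp://192.168.1.130:11210',
        'cache_expire' => 7200, // minutes
    ),
    'files' => array(
        'type' => 'files',
        'save_path' => SYSDIR_CACHE . '/sessions/',
        'cache_expire' => 180, // minutes
    ),
);

/////////////////////////////////////////////////////////////////////
// Redis configuration, used mainly for statistics sets.
// NOTE(review): every Redis entry has an empty password.
/////////////////////////////////////////////////////////////////////
$REDIS_CONFIG = array(
    'write' => array(
        array(
            'host' => '127.0.0.1',
            'port' => '6379',
            'password' => '',
        ),
    ),
    'read' => array(
        array(
            'host' => '127.0.0.1',
            'port' => '6379',
            'password' => '',
        ),
    ),
    'api' => array(
        array(
            'host' => '192.168.1.132',
            'port' => '6379',
            'password' => '',
        ),
    ),
    'testUser' => array(
        array(
            'host' => '192.168.1.131',
            'port' => '6379',
            'password' => '',
        ),
    ),
    'user' => array(
        array(
            'host' => '192.168.1.130',
            'port' => '6379',
            'password' => '',
        ),
    ),
    'testDm_level' => array(
        array(
            'host' => '192.168.1.131',
            'port' => '6379',
            'dbN' => 1, // the only pool that selects a non-default Redis db
            'password' => '',
        ),
    ),
);
// No closing "?>" on purpose: a PHP-only file must not emit trailing whitespace.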
及时删除这些备份文件，加强线上安全~ 另外，上面已经泄露的数据库账号密码和 key 也应尽快更换。
危害等级:高
漏洞Rank:15
确认时间:2016-02-22 12:28
我们将在下个版本对bbs进行全面的处理
暂无
。。666