2014-12-18: 积极联系厂商并且等待厂商认领中,细节不对外公开 2015-03-18: 厂商已经主动忽略漏洞,细节向公众公开
yuncart配置不当导致备份数据可被下载
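/**
 * Admin action: run (or continue) a chunked database backup.
 *
 * The first request builds a fresh Dumpdb and starts dumping all tables;
 * follow-up requests carry tableorder/tablepos/filename/vol in the query
 * string so the dump resumes where the previous chunk stopped. Once Dumpdb
 * reports it is finished an admin-log entry is written and a
 * "<filename>.bak" descriptor (filename, vol, filetime) is stored in the SQL
 * dump directory; otherwise the browser is sent to the next chunk via url().
 *
 * Relies on STAGEPATH, Dumpdb, adminlog(), __(), url() and cwritefile() from
 * the surrounding application; none of them are defined here.
 */
public function backupok()
{
    include_once STAGEPATH . "/dumpdb.class.php";

    if (isset($_GET['tableorder'])) {
        // Resumed backup: restore the dump position from the query string.
        $tableorder = intval($_GET["tableorder"]);
        $tablepos   = intval($_GET["tablepos"]);
        $filename   = trim($_GET["filename"]);
        $vol        = intval($_GET["vol"]);

        // The filename is request-controlled and is later joined into a
        // filesystem path ("<dir>/<filename>.bak"), so strip any directory
        // component before handing it to Dumpdb. Names generated by Dumpdb
        // itself are plain digits and pass through unchanged.
        $filename = basename(str_replace('\\', '/', $filename));

        $dumpdb = new Dumpdb($vol, $filename, $tablepos, $tableorder);
    } else {
        // First backup request: Dumpdb picks up every table itself.
        $dumpdb = new Dumpdb();
    }
    $dumpdb->dump_tables();

    if ($dumpdb->getFinished()) {
        // Whole dump written: record it and reload the page shortly after.
        $this->adminlog('al_backup');
        echo __("backup_finished") . "<script>setTimeout(function(){ window.location.reload(); },1000)</script>";

        // Write the descriptor file next to the SQL volumes. getNextVol()
        // is one past the last written volume, hence the -1.
        $filetime = time();
        $vol      = $dumpdb->getNextVol() - 1;
        $filename = $dumpdb->getFileName();
        $crlf     = $dumpdb->getDeLimiter();
        $content  = "filename={$filename}" . $crlf
            . "vol={$vol}" . $crlf
            . "filetime={$filetime}" . $crlf;
        $file = $dumpdb->getSqlFileDir() . "/{$filename}.bak";
        cwritefile($file, $content);
    } else {
        // More to do: bounce the browser to the next chunk, carrying the
        // current dump position in the query string.
        $query = "tableorder={$dumpdb->getTableOrder()}"
            . "&tablepos={$dumpdb->getTablePos()}"
            . "&filename={$dumpdb->getFileName()}"
            . "&vol={$dumpdb->getNextVol()}";
        $url = url("admin", "data", "backupok", $query, false);
        echo __("backup_vol", $dumpdb->getNextVol()) . "<script type='text/javascript'>$.oper.runjs('{$url}')</script>";
    }
}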
filename = time()，例如：201412171801，规则为 y+m+d+h+min，可穷举：
filename 的随机数加长点吧。
未能联系到厂商或者厂商积极拒绝