
Vulnerability summary

Defect ID: wooyun-2015-0113156

Title: Full site source code of a sub-site under Tianhong Fund is downloadable (database connection possible)

Affected vendor: 天弘基金管理有限公司 (Tianhong Fund Management Co., Ltd.)

Author: 猪猪侠

Submitted: 2015-05-10 00:18

Fixed: 2015-06-25 11:16

Published: 2015-06-25 11:16

Vulnerability type: Sensitive information disclosure

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-05-10: Details reported to the vendor; awaiting vendor handling
2015-05-11: Vendor confirmed; details disclosed to the vendor only
2015-05-21: Details disclosed to core white hats and experts in related fields
2015-05-31: Details disclosed to regular white hats
2015-06-10: Details disclosed to intern white hats
2015-06-25: Details disclosed to the public

Brief description:

Full site source code of a sub-site under Tianhong Fund is downloadable (database connection possible)

Detailed description:

宝粉网 (www.baofen.cn) belongs to 天弘基金管理有限公司. It was launched in June 2014, on the first anniversary of Yu'e Bao going live, as an exchange and mutual-help platform exclusively for Yu'e Bao users. An archive of the whole web root is served directly from the site:
http://www.baofen.cn/wwwroot.tar.gz

[Screenshot: thfund.png]


<?php
if (!defined('SITE_PATH')) exit();
return array(
'THEME_NAME' => 'stv1',
// Common database settings
'DB_TYPE' => 'mysql', // database type
'DB_HOST' => 'rdsemmmefemmmef.mysql.rds.aliyuncs.com', // database server address
'DB_NAME' => 'tests', // database name
'DB_USER' => 'fxkj', // database user name
'DB_PWD' => 'fxkj1234', // database password
'DB_PORT' => 3306, // database port
'DB_PREFIX' => 'fts_', // database table prefix (because of roaming, the table prefix must be written in this file)
'DB_CHARSET' => 'utf8', // database character set
'SECURE_CODE' => '91556750452e0b2ff14db8', // data encryption key
'COOKIE_PREFIX' => 'T3_', // data encryption key
'DATA_CACHE_TYPE' => 'memcache',
'MEMCACHE_HOST' => '10.132.64.119',
);


indexer
{
mem_limit = 128000000
}
searchd
{
listen = 3312
listen = 9306:mysql41
log = /xampp/coreseek/var/log/searchd.log
query_log = /xampp/coreseek/var/log/query.log
pid_file = /xampp/coreseek/var/log/searchd.pid
read_timeout = 3
max_children = 30
max_matches = 1000
seamless_rotate = 1
preopen_indexes = 0
unlink_old = 1
}
# forum topic & post index #
source ts_forum_post
{
type = mysql
sql_host = 10.88.48.174
sql_user = 3ms_beta
sql_pass = xsw2XSW@
sql_db = forum_beta
sql_port = 3306
sql_query_pre = SET NAMES utf8
sql_query_range = SELECT min(pid),max(pid) FROM ts_forum_post
sql_range_step = 1000
sql_query = SELECT a.pid, \
20 as indexid, \
a.uid, \
a.maskId, \
crc32(a.maskName) as maskCode, \
a.cTime, \
-1 as gid, \
a.fid as cid, \
-1 as inside, \
istopic as ext1, \
a.title, \
a.content \
FROM ts_forum_post as a,ts_forum_topic as b \
WHERE b.isdel=0 AND a.isdel=0 AND a.tid=b.tid AND a.pid>=$start AND a.pid<=$end

sql_attr_uint = indexid
sql_attr_uint = uid
sql_attr_uint = maskId
sql_attr_uint = maskCode
sql_attr_timestamp = cTime
sql_attr_uint = gid
sql_attr_uint = cid
sql_attr_uint = inside
sql_attr_uint = ext1
}
index ts_forum_post
{
source = ts_forum_post
path = /xampp/coreseek/var/data/ts_forum_post
docinfo = extern
html_strip = 1
html_index_attrs = img=alt,title; a=title;
html_remove_elements = style, script
min_word_len = 2
charset_dictpath = /xampp/coreseek/etc/
charset_type = zh_cn.utf-8
}


Proof of vulnerability:

Admin backend:
http://www.baofen.cn//index.php?app=admin&mod=Public&act=login
Indirect exploitation:
$ uname -a

Linux AY14061623295889102cZ 2.6.32-358.6.2.el6.x86_64 #1 SMP Thu May 16 20:59:36 UTC 2013 x86_64


$ pwd

/home/wwwroot/

Fix:

Delete
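As an added example (not part of the original report or the site's code), the following Python audit walks a document root for leftover archive or backup files and, for tarballs, reports which members contain the credential keys seen in the leaked files above (DB_USER, DB_PWD, SECURE_CODE in the PHP config; sql_user, sql_pass in the Sphinx/coreseek source block). The sample web root it builds, and every value in it, is constructed for the demonstration.

```python
import io
import re
import tarfile
import tempfile
from pathlib import Path

# File types that should never be reachable under a web root (constructed list).
ARCHIVE_SUFFIXES = (".tar.gz", ".tgz", ".tar", ".zip", ".sql", ".bak")
# Credential keys from the leaked PHP config and Sphinx/coreseek source block above.
SECRET_KEY_RE = re.compile(r"""(?im)^\s*['"]?(DB_USER|DB_PWD|SECURE_CODE|sql_user|sql_pass)['"]?\s*(?:=>|=)\s*\S""")

def find_exposed_archives(docroot):
    return sorted(p for p in Path(docroot).rglob("*")
                  if p.is_file() and p.name.lower().endswith(ARCHIVE_SUFFIXES))

def secret_keys_in_tarball(path):
    """(member, key) pairs for credential keys inside a tarball; only key names
    are reported so the audit output does not itself leak the values."""
    hits = []
    with tarfile.open(path, "r:*") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.size <= 1_000_000:  # config files are small
                text = tar.extractfile(member).read().decode("utf-8", "replace")
                hits.extend((member.name, m.group(1)) for m in SECRET_KEY_RE.finditer(text))
    return hits

def audit(docroot):
    """Map each exposed archive (path relative to docroot) to the keys it carries."""
    report = {}
    for archive in find_exposed_archives(docroot):
        keys = secret_keys_in_tarball(archive) if tarfile.is_tarfile(str(archive)) else []
        report[str(archive.relative_to(docroot))] = keys
    return report

def build_demo_docroot(base):
    """Constructed sample: a web root holding a leftover wwwroot.tar.gz (fake values)."""
    root = Path(base) / "wwwroot"
    root.mkdir()
    php = "<?php\nreturn array(\n'DB_USER' => 'demo',\n'DB_PWD' => 'demo-pass',\n);\n"
    sph = "source ts_forum_post\n{\nsql_user = demo\nsql_pass = demo-pass\n}\n"
    with tarfile.open(root / "wwwroot.tar.gz", "w:gz") as tar:
        for name, body in (("config/config.inc.php", php), ("coreseek/csft.conf", sph)):
            info = tarfile.TarInfo(name)
            info.size = len(body.encode())
            tar.addfile(info, io.BytesIO(body.encode()))
    return root

def demo_audit():
    with tempfile.TemporaryDirectory() as tmp:
        return audit(build_demo_docroot(tmp))
```

Run `audit("/path/to/docroot")` against a real document root; any non-empty entry in the report is an archive that needs removing, with every credential it carried rotated afterwards.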

Copyright notice: when reposting, please credit the source: 猪猪侠@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 18

Confirmed: 2015-05-11 11:15

Vendor reply:

Thanks to the author for their enthusiasm for and contribution to Internet security

Latest status:

None