当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0121101

漏洞标题:亿玛在线多个漏洞打包(Rsync未授权\服务邮箱泄露\Getshell等)

相关厂商:emar.com

漏洞作者: 路人甲

提交时间:2015-06-17 14:37

修复时间:2015-08-01 14:44

公开时间:2015-08-01 14:44

漏洞类型:系统/服务运维配置不当

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-06-17: 细节已通知厂商并且等待厂商处理中
2015-06-17: 厂商已经确认,细节仅向厂商公开
2015-06-27: 细节向核心白帽子及相关领域专家公开
2015-07-07: 细节向普通白帽子公开
2015-07-17: 细节向实习白帽子公开
2015-08-01: 细节向公众公开

简要描述:

rsync未授权访问导致shell

详细说明:

1、rsync未授权访问

QQ图片20150617115134.png


某爬虫web源码目录
2、rsync emar.com::es/web/
可直接下载、上传
这个应该是之前谁提交过得到的邮箱密码。
mail.server.user=services
mail.server.pass=eqifaservices
nginx配置泄漏其它域名 IP信息

user  root;
worker_processes  8;
error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;
pid        logs/nginx.pid;
worker_rlimit_nofile 10240;
events {
        use epoll;
    worker_connections  102400;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for" "$http_host"';
    #access_log  logs/access.log  main;
    proxy_hide_header Vary;
    sendfile        on;
    #tcp_nopush     on;
   
    upstream cm_fair {
        server   127.0.0.1:8081;
        server   127.0.0.1:8082;
        server   127.0.0.1:8083;
        server   127.0.0.1:8084;
	server   127.0.0.1:8085;
        server   127.0.0.1:8086;
        server   127.0.0.1:8087;
	#server   114.113.233.77 weight=8 backup;
        #server   106.38.251.106:8082 weight=1 backup;
        #server   106.38.251.186:8082 weight=1 backup;
        check interval=3000 rise=2 fall=5 timeout=120 type=http;
        check_http_send "GET / HTTP/1.0\r\n\r\n";
        #check_http_expect_alive http_2xx http_3xx;
    }
    #keepalive_timeout  0;
    #keepalive_timeout  65;
    keepalive_timeout  10;
    client_max_body_size 50m;
    proxy_buffer_size   1024k;
    proxy_buffers   32 64k;
    proxy_busy_buffers_size   1024k;
    proxy_temp_file_write_size 1024k;
    client_header_buffer_size 1024K;
    large_client_header_buffers 48 2048k;
    underscores_in_headers on;
    gzip  on;
    add_header Vary Accept-Encoding;
    gzip_http_version 1.0;
    gzip_min_length  1000;
    gzip_buffers     4 8k;
    gzip_comp_level 9;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;	
     server {
        listen       80    default     ;
        #server_name  emarbox.com *.emarbox.com ckm.emarbox.com dmpcm.emarbox.com dmpcm.yigao.com;
        gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
        #access_log  logs/adwiser.log;
        location ~ /WEB-INF/ {
                return 404;
        }
        error_page  404              /404.html;
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
        #if ($host ~* "emarbox\.com$"){
        #       rewrite /(.*)$   http://adwiser_1k0gd.emarbox.com/$1 last;
        #}     
        location / {
                #access_log  logs/cookiematch.log main;
		access_log off;
                index index.jsp;
                proxy_pass http://cm_fair;
		proxy_next_upstream http_500 http_502 http_503 http_504 error timeout invalid_header;
                proxy_set_header  Host $host;
                proxy_set_header  X-Real-IP  $remote_addr;
                proxy_set_header  X-Forwarded-For $remote_addr;
                proxy_headers_hash_max_size     1024;
                proxy_headers_hash_bucket_size  128;
                add_header Cache-Control no-cache;
                add_header Cache-Control private;
        }
      
        location /nstatus {
                check_status;
                access_log off;
                #allow SOME.IP.ADD.RESS;
                #deny all;
        }
    }
    server {
        listen       443         default;
        #server_name  emarbox.com *.emarbox.com  dmpcm.emarbox.com dmpcm.yigao.com;
        gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
    
        #access_log  logs/adwiser.log;
    
        ssl on;      
        ssl_certificate /usr/local/nginx/conf/https/emarbox.cer;
        ssl_certificate_key /usr/local/nginx/conf/https/emarbox.key;
        location ~ /WEB-INF/ {
                return 404;
        }
        
        error_page  404              /404.html;
        
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {       
            root   html;
        }
        #if ($host ~* "emarbox\.com$"){
        #       rewrite /(.*)$   http://adwiser_1k0gd.emarbox.com/$1 last;
        #}
        
        location / {
                access_log  logs/cookiematch.log main;
                index index.jsp;
                proxy_pass http://cm_fair;
                #proxy_pass http://cm_fair2;
                proxy_set_header  SSL true;
                proxy_set_header  Host $host;
                proxy_set_header  X-Real-IP  $remote_addr;
                proxy_set_header  X-Forwarded-For $remote_addr;
                proxy_headers_hash_max_size     1024;
                proxy_headers_hash_bucket_size  128;
        }
    }
    server {
        listen       80 ;
        server_name  www.emar.com emar.com;
        gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
        location / {
                access_log  logs/emar.com.log main;
                index index.html index.php index.jsp;
                proxy_pass http://221.122.127.14;
            	  proxy_set_header  Host $host;
                proxy_set_header  X-Real-IP  $remote_addr;
                proxy_set_header  X-Forwarded-For $remote_addr;
                proxy_headers_hash_max_size     1024;
                proxy_headers_hash_bucket_size  128;
        }
    }
	server {        
                listen       8011 ; 
                server_name_in_redirect off;       
                server_name    www.emar.com.cn;
                access_log      logs/www.emar.com.cn_8011.log main;        
                location / {
                        proxy_pass http://221.122.127.49:8011/;
                        proxy_set_header X-Forwared-For $proxy_add_x_forwarded_for ;
                        proxy_set_header Host $http_host ;
                        proxy_set_header X-Real-IP  $remote_addr;
                        proxy_set_header X-Forwarded-For $http_x_forwarded_for;    
                }      
        }
	server {
        listen       80 ;
        server_name  www.yijifen.com yijifen.com;
        gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
        location / {
                access_log  logs/emar.com.log main;
                index index.html index.php index.jsp;
                proxy_pass http://221.122.127.200;
            	  proxy_set_header  Host $host;
                proxy_set_header  X-Real-IP  $remote_addr;
                proxy_set_header  X-Forwarded-For $remote_addr;
                proxy_headers_hash_max_size     1024;
                proxy_headers_hash_bucket_size  128;
        }
    }
    server {
        listen       80 ;
        server_name  www.intdmp.com *.intdmp.com intdmp.com;
        gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
        location / {
        				root /data/intdmp;
        				index intdmp.htm index.html index.php index.jsp;
                access_log  logs/emar.com.log main;
               
        }
    }
	 server {
        listen       80 ;
        server_name  www.emaryun.com *.emaryum.com emaryun.com;
        gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
        location / {
        				root /data/emaryun;
        				index emaryun.htm index.html index.php index.jsp;
                access_log  logs/emar.com.log main;
               
        }
    }
	 server {
        listen       80 ;
        server_name  www.emarbox.net *.emarbox.net emarbox.net;
        gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
        location / {
        				root /data/emarbox.net;
        				index emarbox.htm index.html index.php index.jsp;
                access_log  logs/emar.com.log main;
               
        }
    }
	 server {
        listen       80 ;
        server_name  www.emardmp.com *.emardmp.com emardmp.com;
        gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
        location / {
        				root /data/emardmp;
        				index emardmp.htm index.php index.jsp;
                access_log  logs/emar.com.log main;
               
        }
    }
	server {
        listen       80 ;
        server_name  www.emaradx.com *.emaradx.com emaradx.com;
        gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
        location / {
                access_log  logs/emaradx.com.log main;
                index index.html index.php index.jsp;
                proxy_pass http://118.26.150.214;
            	  proxy_set_header  Host $host;
                proxy_set_header  X-Real-IP  $remote_addr;
                proxy_set_header  X-Forwarded-For $remote_addr;
                proxy_headers_hash_max_size     1024;
                proxy_headers_hash_bucket_size  128;
        }
    }
     server {
        listen       80 ;
        server_name  www.eqile.com *.eqile.com eqile.com;
        gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
        location / {
                access_log  logs/www.eqile.com.log main;
                index index.html index.php index.jsp;
                proxy_pass http://221.122.127.157;
                  proxy_set_header  Host $host;
                proxy_set_header  X-Real-IP  $remote_addr;
                proxy_set_header  X-Forwarded-For $remote_addr;
                proxy_headers_hash_max_size     1024;
                proxy_headers_hash_bucket_size  128;
        }
    }
}


3、可直接上传导致主域名下机器getshell
http://emar.com:15801/js_ss.jsp

QQ图片20150617115239.png


4、http://221.122.127.117:15801/
某处爬虫 泄漏大量内网IP

QQ图片20150617115531.png


漏洞证明:

见详细

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-06-17 14:42

厂商回复:

路人甲 感谢,我们紧急处理。

最新状态:

暂无