乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-06-22: 细节已通知厂商并且等待厂商处理中 2015-06-22: 厂商已经确认,细节仅向厂商公开 2015-07-02: 细节向核心白帽子及相关领域专家公开 2015-07-12: 细节向普通白帽子公开 2015-07-22: 细节向实习白帽子公开 2015-08-06: 细节向公众公开
唱吧敏感信息泄露(含数据库配置信息)
结合 WooYun: 人类的怠惰之一安全管理执行力度不够导致唱吧安全边界被突破(进入内网) http://v.changba.com:8888/common/config.inc.php.bakhttp://v.changba.com:8888/common/config.inc.php1http://59.151.31.233:8888/common/config.inc.php.bakhttp://59.151.31.233:8888/common/config.inc.php1SVN泄露http://v.changba.com:8888/crontab/.svn/entrieshttp://v.changba.com:808/login/.svn/entries
<?phpdefine('APPLICATION','MAIN'); //used to define MAIN/DUET/... applicatoin centerdate_default_timezone_set('Asia/Chongqing');define('DOCUMENT_ROOT','/home/wwwroot/api.changba.com/');define('KTV_SERVER','http://api.changba.com/');define('KTV_CDN_IMG_SERVER','http://img.changba.com/');define('KTV_CDN_ORIMP3_SERVER','http://mp3.changba.com/');define('KTV_CDN_EXTERNAL_MP3_SERVER', 'http://a129mp3.changba.com/');define('KTV_CDN_MP3_SERVER','http://a123mp3.changba.com/');define('KTV_STAT_PREFIX', '123');define('KTV_CDN_DUET_SERVER','http://a201hc.changba.com/');define('KTV_CDN_DOMAIN','changba.com/');$KTV_DEBUG = 'debug'; // ****** 数据库类型 ******$config['Database']['dbtype'] = 'mysql';// ****** 技术人员邮箱地址 ******$config['Database']['technicalemail'] = '[email protected]';// ****** 强制清空 SQL 模式 ******$config['Database']['force_sql_mode'] = false;// ****** SQL语句DEBUG模式 ******$config['Database']['debug'] = false;// ****** MySQL 4.1 以上版本连接字符集 ******$config['Database']['charset'] = 'utf8';// ****** MySQL 数据库存储引擎 ******$config['Database']['engine'] = 'InnoDB';/*mysql client 数据库地址*/$config['ZuitaoKtvServer_client']['servername'] = '192.168.1.128';$config['ZuitaoKtvServer_client']['port'] = 13306;$config['ZuitaoKtvServer_client']['username'] = 'client';$config['ZuitaoKtvServer_client']['password'] = 'TSj3E6LU6CHq4rLJ';$config['ZuitaoKtvServer_client']['pconnect'] = 0;$config['ZuitaoKtvServer_client']['dbname'] = 'changba_client';$config['ZuitaoKtvServer_client']['charset'] = 'utf8';/*mysql notice 数据库地址*/$config['ZuitaoKtvServer_notice']['servername'] = '192.168.1.128';$config['ZuitaoKtvServer_notice']['port'] = 13306;$config['ZuitaoKtvServer_notice']['username'] = 'client';$config['ZuitaoKtvServer_notice']['password'] = 'TSj3E6LU6CHq4rLJ';$config['ZuitaoKtvServer_notice']['pconnect'] = 0;$config['ZuitaoKtvServer_notice']['dbname'] = 'changba_notice';$config['ZuitaoKtvServer_notice']['charset'] = 'utf8mb4';/*mysql hottest 榜单专用数据库地址*/$config['ZuitaoKtvServer_hottest']['servername'] = '192.168.1.132';$config['ZuitaoKtvServer_hottest']['port'] = 3306;$config['ZuitaoKtvServer_hottest']['username'] = 'root';$config['ZuitaoKtvServer_hottest']['password'] = 'TSj3E6LU6CHq4rLJ';$config['ZuitaoKtvServer_hottest']['pconnect'] = 0;$config['ZuitaoKtvServer_hottest']['dbname'] = 'ktv_hottest,zuitaoktv';$config['ZuitaoKtvServer_hottest']['charset'] = 'utf8';/*mysql user 用户昵称专用数据库地址*/$config['ZuitaoKtvServer_user']['servername'] = '192.168.1.127';$config['ZuitaoKtvServer_user']['port'] = 13306;$config['ZuitaoKtvServer_user']['username'] = 'root';$config['ZuitaoKtvServer_user']['password'] = 'TSj3E6LU6CHq4rLJ';$config['ZuitaoKtvServer_user']['pconnect'] = 0;$config['ZuitaoKtvServer_user']['dbname'] = 'zuitaoktv_user';$config['ZuitaoKtvServer_user']['charset'] = 'utf8mb4';/*zuitaoktv数据库账号*/$config['ZuitaoKtvServer']['servername'] = '192.168.1.133';$config['ZuitaoKtvServer']['port'] = 3306;$config['ZuitaoKtvServer']['username'] = 'root';$config['ZuitaoKtvServer']['password'] = 'TSj3E6LU6CHq4rLJ';$config['ZuitaoKtvServer']['pconnect'] = 0;$config['ZuitaoKtvServer']['dbname'] = 'zuitaoktv';$config['ZuitaoKtvServer']['charset'] = 'utf8';/*mysql 从库地址*/$config['ZuitaoKtvServer_slave']['servername'] = '192.168.1.123';$config['ZuitaoKtvServer_slave']['port'] = 3306;$config['ZuitaoKtvServer_slave']['username'] = 'read';$config['ZuitaoKtvServer_slave']['password'] = 'TSj3E6LU6CHq4rLJ';$config['ZuitaoKtvServer_slave']['pconnect'] = 0;$config['ZuitaoKtvServer_slave']['dbname'] = 'zuitaoktv';$config['ZuitaoKtvServer_slave']['charset'] = 'utf8';/*mysql duet 数据库地址*/$config['ZuitaoKtvServer_duet']['servername'] = '192.168.1.202';$config['ZuitaoKtvServer_duet']['port'] = 3306;$config['ZuitaoKtvServer_duet']['username'] = 'root';$config['ZuitaoKtvServer_duet']['password'] = 'TSj3E6LU6CHq4rLJ';$config['ZuitaoKtvServer_duet']['pconnect'] = 0;$config['ZuitaoKtvServer_duet']['dbname'] = 'duet';$config['ZuitaoKtvServer_duet']['charset'] = 'utf8';$config['memcached']['addr'] = '192.168.1.133';$config['memcached']['port'] = 11215;$config['memcacheq']['addr'] = '192.168.1.125';$config['memcacheq']['port'] = 22201;$config['memcached_notice']['addr'] = '192.168.1.125'; //献花数和notice$config['memcached_notice']['port'] = 11215;$config['memcached_vip']['addr'] = '192.168.1.132'; //处理vip请求的memcache (以前是130,现在是132)$config['memcached_vip']['port'] = 11215;/*邮件账号*/$config['email']['host']='mail.zuitao.com'; //'mail.zuitao.com';$config['email']['port']=25;$config['email']['username']='service';//'noreply';$config['email']['password']='123456';$config['email']['from']='[email protected]';//'[email protected]';$config['email']['fromname']='最淘网';$cdn_backup_config['a123img'] = 5;$cdn_backup_config['a126img'] = 5;$cdn_backup_config['http://a121mp3.changba.com/'] = 5;$cdn_backup_config['http://a122mp3.changba.com/'] = 5;$cdn_backup_config['http://a123mp3.changba.com/'] = 5;$cdn_backup_config['http://a124mp3.changba.com/'] = 5;$cdn_backup_config['http://a125mp3.changba.com/'] = 5;$cdn_backup_config['http://a126mp3.changba.com/'] = 5;$cdn_backup_config['http://a127mp3.changba.com/'] = 5;$cdn_backup_config['http://a128mp3.changba.com/'] = 5;$cdn_backup_config['http://a129mp3.changba.com/'] = 5;$cdn_backup_config['http://a130mp3.changba.com/'] = 5;$cdn_backup_config['http://a131mp3.changba.com/'] = 5;$cdn_backup_config['http://a134mp3.changba.com/'] = 5;$cdn_backup_config['http://a21mp3.changba.com/'] = 5;$cdn_backup_config['http://a132mp3.changba.com/'] = 0;$cdn_backup_config['http://a133mp3.changba.com/'] = 0;$cdn_backup_config['http://a201hc.changba.com/'] = 5;$cdn_backup_config['http://a202hc.changba.com/'] = 5;$localconfig = array();if(file_exists('localconfig.inc.php')){ include_once ('localconfig.inc.php');}?>
删除
危害等级:中
漏洞Rank:10
确认时间:2015-06-22 13:21
上的独立服务由于nginx配置不当,的确导致了敏感代码信息的泄露。是一台老机器上面的旧代码,2012年前估计技术人员线上随意操作的,后期没有清理。这点上,我们会加强安全意识,同时也注意内网环境的独立。
暂无
