乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-11-30: 细节已通知厂商并且等待厂商处理中 2015-11-30: 厂商已经确认,细节仅向厂商公开 2015-12-10: 细节向核心白帽子及相关领域专家公开 2015-12-20: 细节向普通白帽子公开 2015-12-30: 细节向实习白帽子公开 2016-01-14: 细节向公众公开
RT
0x01:备份下载
http://track.haolyy.com/app.zip
<?xml version="1.0"?><!-- 注意: 除了手动编辑此文件以外,您还可以使用 a Web 管理工具来配置应用程序的设置。可以使用 Visual Studio 中的 “网站”->“Asp.Net 配置”选项。 设置和注释的完整列表在 machine.config.comments 中,该文件通常位于 \Windows\Microsoft.Net\Framework\v2.x\Config 中--><configuration> <configSections> <sectionGroup name="system.web.extensions" type="System.Web.Configuration.SystemWebExtensionsSectionGroup, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"> <sectionGroup name="scripting" type="System.Web.Configuration.ScriptingSectionGroup, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"> <section name="scriptResourceHandler" type="System.Web.Configuration.ScriptingScriptResourceHandlerSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="MachineToApplication"/> <sectionGroup name="webServices" type="System.Web.Configuration.ScriptingWebServicesSectionGroup, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"> <section name="jsonSerialization" type="System.Web.Configuration.ScriptingJsonSerializationSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="Everywhere"/> <section name="profileService" type="System.Web.Configuration.ScriptingProfileServiceSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="MachineToApplication"/> <section name="authenticationService" type="System.Web.Configuration.ScriptingAuthenticationServiceSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="MachineToApplication"/> <section name="roleService" type="System.Web.Configuration.ScriptingRoleServiceSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="MachineToApplication"/> </sectionGroup> </sectionGroup> </sectionGroup> <!--NLog config--> <section name="nlog" type="NLog.Config.ConfigSectionHandler, NLog"/> </configSections> <location path="Task"> <system.web> <authorization> <deny users="?"/> </authorization> </system.web> </location> <location path="Email"> <system.web> <authorization> <deny users="?"/> </authorization> </system.web> </location> <location path="Email/test/test.htm"> <system.web> <authorization> <allow users="?"/> </authorization> </system.web> </location> <location path="Email/test.htm"> <system.web> <authorization> <allow users="?"/> </authorization> </system.web> </location> <location path="Subscriber"> <system.web> <authorization> <deny users="?"/> </authorization> </system.web> </location> <location path="Report"> <system.web> <authorization> <deny users="?"/> </authorization> </system.web> </location> <location path="NewReport"> <system.web> <authorization> <deny users="?"/> </authorization> </system.web> </location> <location path="EmailSend"> <system.web> <authorization> <deny users="?"/> </authorization> </system.web> </location> <location path="User"> <system.web> <authorization> <deny users="?"/> </authorization> </system.web> </location> <location path="Trigger"> <system.web> <authorization> <deny users="?"/> </authorization> </system.web> </location> <location path="Default.aspx"> <system.web> <authorization> <deny users="?"/> </authorization> </system.web> </location> <appSettings> <add key="LogPath" value="d:\Log"/> <add key="SubscriberImportPath" value="d:\data\star\UserUpload\"/> <add key="UserPath" value="d:\data\star\fkImages\" /> <!--fckeditor--> <add key="FCKeditor:BasePath" value="~/fckeditor/"/> <add key="FCKeditor:UserFilesPath" value="d:/data/star/fkImages/"/> <add key="FCKeditor:AttachDirectory" value="http://image.izacholsm.com/fkImages/"/> <!--upload content--> <add key="Domain" value="http://localhost" /> <add key="ImportImageExtension" value=".jpg,.jpeg,.gif,.png" /> <add key="ImportHtmlExtension" value=".html,.dhtml,.htm" /> <add key="UploadToImportExtension" value=".txt,.html,.dhtml,.htm,.zip" /> <!--QQWry.Dat数据库所在路径--> <add key="QQWryPath" value="D:\focussend\web\track\QQWry.Dat"/> <!--test postfix--> <add key="TestPostfix" value="211.144.78.112" /> <!--小于该数字,则认为是测试邮件--> <add key="MaxTestCount" value="100" /> <!--跟踪链接时将用户的链接替换成 http://www.greentomail.com/eid=55 这种样子 --> <add key="MappingUrl" value="http://image.izacholsm.com/t/zz?t="/> <add key="MappingUrlGuidDir" value="http://image.izacholsm.com/t/"/> <!--如果该超链接里有该字符,则表示该链接要进行mapping--> <add key="MappingKey" value="(((StarMap)))"/> <!--如果该超链接里有该字符,则表示该链接要进行demapping--> <add key="DeMappingKey" value="(((StarDeMap)))"/> <add key="EmailPattern" value="^[a-z0-9A-Z-_.]+?@[a-z0-9A-Z-_.]+\.[a-z0-9A-Z-_.]+$"/> <!--是否开放短信通知功能--> <add key="IsSMSOn" value="true"/> <!--有人注册则向该号码发短信--> <add key="SignupSMSTo" value="13162596439;15021191249"/> <!--有人发送时则向该号码发短信--> <add key="SendTaskSMSTo" value="13162596439,13681623948"/> <!--短信发送的账号--> <add key="SendSMSAccountName" value="focussend"/> <!--短信发送的密码--> <add key="SendSMSPassWord" value="staredm123456"/> <!--是否开放测试用户提交任务时发送短信功能--> <add key="IsTesterTaskSMSOn" value="true"/> <!--测试用户提交任务排除列表,比如我们公司的就不要通知了--> <add key="TestTaskExceptAccounts" value="334" /> <!--是否开放测试用户提交任务时发送短信功能--> <add key="IsTesterTaskSMSOn" value="true" /> <!--有测试用户提交任务则向该号码发短信--> <add key="TestTaskSMSTo" value="13817064947,13162596431,13117551234"/> <add key="TestDomain" value="lywsendm.com " /> <!--小批量短信提醒向该号发送短信--> <add key="SmallSendTaskSMSTo" value="13162596439,13681623948"/> <!--少于多少算是小批量发送--> <add key="SmallBatchNum" value="100"/> <!--内部小批量发送短信不提示UserID--> <add key="SmallBatchUserID" value="584,793,1497,34,2297,1546,1550,298,788"/> <!--转发时的发件人--> <add key="TransmitSender" value="[email protected]" /> <!--贝塔斯曼 UserId --> <add key="BertelsmannUserIds" value="1,29,43,44,48,72,84,91,98,138,144,168,23,33,-1" /> <!--可以开通代理商的UserId --> <add key="CanAddAdminUserIds" value="33,262,366,597,900,1235,3931,5509,6448,5376,8484,7533,12823" /> <!--以下 UserId 可以修改发件人邮箱 --> <add key="CanModifyFromEmailUserIds" value="328,365,266,334,369,214,499,530,574,482,691,815,584,1018,1341,883,1518,1519,1520,1901,1206,1723,2028,1724,2069,1980,2135,3358,1820,9557"/> <!--app 的网站虚拟目录地址 --> <add key="AppDomain" value="http://image.izacholsm.com/focussend"/> <!--不需要审核的用户id--> <add key="NotNeedAuditUserIds" value="499,673,574,660,778,839" /> <add key="NotNeedAuditUserSendEmailAmountSet" value="30" /> <!--代理商客户注册后,不需要审核的agentId--> <add key="RegisNotNeedAuditAgentIds" value="3" /><!--附件大小,默认为1MB--> <add key="UpFileTotalSize" value="5242880" /> <!--最多能够上传附件数量--> <add key="UpFileMaxNum" value="2" /> <!--一个任务的测试发送走IP设置--> <add key="SendTaskTestSelectIP" value="182.50.8.227" /> <!--注册用户默认测试邮件数--> <add key="RegisterUserTestNum" value="50" /> <!--大于等于该数值即为大批量--> <add key="BigBatchCount" value="1000" /> <!--大于等于该数值,小于大批量即为批量--> <add key="SmallBatchCount" value="500" /> <!--发送测试域名替换--> <add key="TestTaskDomain" value="newsletter.postalstar.com/" /> <!--发送统计不执行精确计算用户,以“,”开始和结尾--> <add key="IsSendCalculateTotal" value=",1468,394,793," /> <!--StarId 别名--> <add key="StarIdAlias" value="s" /> <!--开启合并任务user--> <add key="OpenMergeTask" value="-1,793,1229,394,34,172,174,584,1206,1723,1724,792,23,1972,1550,276,318,1525,1604,204,788,1468,"/> <!--可以发送内嵌图片的用户id--> <add key="CanEmbeddedUserIds" value="9616,584,664,1630,2551,1449,3329,793,3519,3760,3794,3083,3488,34,7047,9616" /> <!--插入自定义字段的最大数量 --> <add key="CustomCount" value="60"/> <!-- 添加用于存放用户添加或修改子账户点数的信息--> <add key ="ChildAccountHavePointLogPath" value="d:\Log\ChildAccountHaveCountLog\"/> <!-- spf解析后的所有域名信息--> <add key="SpfDomain" value="focussend.com,staredm.cn,zxzsurvey.com,bjsend.com,211.144.78.0/24"/> <!-- 小于此值进行精确计算--> <add key="AccurateCount" value="1000"/> <!--非法字符路径--> <add key="TBodyLegalPath" value="D:\data\text"/> <add key="UserTaskCount" value="-1" /> <add key="UserTotalUpdateEmail" value="-1" /> <add key="NotSetMaxSoftBounce" value="-1" /> <add key="DomainIsVisibleOC" value="-1" /> <!--自定义模版组的名称--> <add key="UserTemplateGroupName" value="自定义模版组" /> <!--判断是否为默认活动--> <add key="ISActivityId" value="-1"/> <add key="ReportColorList" value="4674A9,AC4744,994CB9,8CA850,449CB3,DF873F,96ACD3,D59695,BCD199,AB9DC0"/> </appSettings> <nlog xmlns="http://www.nlog-project.org/schemas/NLog.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" autoReload="true"> <targets> <!--日志自动分卷 5242880 bytes(5MB)--> <target name="file" xsi:type="File" fileName="d:/log/app/${shortdate}.txt" layout="${longdate} ${level} ${message} ${exception:format=tostring}" archiveAboveSize="5242880" ConcurrentWrites="false" archiveNumbering="Rolling"/> </targets> <rules> <!--Trace,Debug,Info,Warn,Error,Fatal--> <logger name="*" minlevel="Info" writeTo="file"/> </rules> </nlog> <connectionStrings> <clear /> <!--<add name="StarConnectionString" connectionString="Data Source=STAREDM-EB92CF8;Initial Catalog=StarEdm;Persist Security Info=True;User ID=sa;Password=123456" providerName="System.Data.SqlClient"/>--> <add name="StarConnectionString" connectionString="Data Source=192.168.0.10;Initial Catalog=StarEdm;Persist Security Info=True;User ID=sa;Password=data@0401" providerName="System.Data.SqlClient"/> <add name="UserDataConnectionString" connectionString="Data Source=192.168.0.10;Initial Catalog=UserData;Persist Security Info=True;User ID=sa;Password=data@0401" providerName="System.Data.SqlClient" /> <add name="LinqModel.Properties.Settings.EmailSenderConnectionString" connectionString="Data Source=192.168.0.10;Initial Catalog=EmailSender;Persist Security Info=True;User ID=sa;Password=data@0401" providerName="System.Data.SqlClient" /> <add name="LinqModel.Properties.Settings.StarEdmConnectionString" connectionString="Data Source=192.168.0.10;Initial Catalog=StarEdm;Persist Security Info=True;User ID=sa;Password=data@0401" providerName="System.Data.SqlClient" /><add name="LinqModel.Properties.Settings.WebServiceConnectionString" connectionString="Data Source=192.168.0.10;Initial Catalog=WebService;Persist Security Info=True;User ID=sa;Password=data@0401" providerName="System.Data.SqlClient" /><add name="StarEdmOldConnectionString" connectionString="Data Source=192.168.0.10;Initial Catalog=StarEdm_Old;Persist Security Info=True;User ID=sa;Password=data@0401" providerName="System.Data.SqlClient"/> </connectionStrings> <system.web> <!-- 设置 compilation debug="true" 可将调试符号插入 已编译的页面中。但由于这会 影响性能,因此只在开发过程中将此值 设置为 true。 --> <identity impersonate="true" userName="xing1zhao" password="Liu@Focussend#1987Xing" /> <compilation debug="true"> <assemblies> <add assembly="System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/> <add assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/> <add assembly="System.Data.DataSetExtensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/> <add assembly="System.Xml.Linq, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/> <add assembly="System.Data.Linq, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/> </assemblies> </compilation> <!-- 通过 <authentication> 节可以配置 ASP.NET 用来 识别进入用户的 安全身份验证模式。 --> <!--<authentication mode="Windows"/>--> <authentication mode="Forms"> <forms loginUrl="~/Login.aspx" name=".StarAuth" defaultUrl="~/Default.aspx"></forms> </authentication> <customErrors mode="RemoteOnly" defaultRedirect="wrong.html"> <error statusCode="403" redirect="wrong.html" /> <error statusCode="404" redirect="wrong.html" /> </customErrors> <!-- 如果在执行请求的过程中出现未处理的错误, 则通过 <customErrors> 节可以配置相应的处理步骤。具体说来, 开发人员通过该节可以配置 要显示的 html 错误页 以代替错误堆栈跟踪。 <customErrors mode="Off" defaultRedirect="GenericErrorPage.htm"> <error statusCode="403" redirect="NoAccess.htm" /> <error statusCode="404" redirect="FileNotFound.htm" /> </customErrors> --> <pages> <controls> <add tagPrefix="asp" namespace="System.Web.UI" assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/> <add tagPrefix="asp" namespace="System.Web.UI.WebControls" assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/> </controls> </pages> <httpHandlers> <add verb="POST,GET" path="ajaxpro/*.ashx" type="AjaxPro.AjaxHandlerFactory,AjaxPro.2"/> <remove verb="*" path="*.asmx"/> <add verb="*" path="*.asmx" validate="false" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/> <add verb="*" path="*_AppService.axd" validate="false" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/> <add verb="GET,HEAD" path="ScriptResource.axd" type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" validate="false"/> </httpHandlers> <httpModules> <add name="ScriptModule" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/> </httpModules> <httpRuntime maxRequestLength="8096" /> </system.web> <system.codedom> <compilers> <compiler language="c#;cs;csharp" extension=".cs" warningLevel="4" type="Microsoft.CSharp.CSharpCodeProvider, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"> <providerOption name="CompilerVersion" value="v3.5"/> <providerOption name="WarnAsError" value="false"/> </compiler> <compiler language="vb;vbs;visualbasic;vbscript" extension=".vb" warningLevel="4" type="Microsoft.VisualBasic.VBCodeProvider, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"> <providerOption name="CompilerVersion" value="v3.5"/> <providerOption name="OptionInfer" value="true"/> <providerOption name="WarnAsError" value="false"/> </compiler> </compilers> </system.codedom> <!-- 在 Internet 信息服务 7.0 下运行 ASP.NET AJAX 需要 system.webServer 节。对早期版本的 IIS 来说则不需要此节。 --> <system.webServer> <validation validateIntegratedModeConfiguration="false"/> <modules> <remove name="ScriptModule"/> <add name="ScriptModule" preCondition="managedHandler" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/> </modules> <handlers> <remove name="WebServiceHandlerFactory-Integrated"/> <remove name="ScriptHandlerFactory"/> <remove name="ScriptHandlerFactoryAppServices"/> <remove name="ScriptResource"/> <add name="ScriptHandlerFactory" verb="*" path="*.asmx" preCondition="integratedMode" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/> <add name="ScriptHandlerFactoryAppServices" verb="*" path="*_AppService.axd" preCondition="integratedMode" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/> <add name="ScriptResource" preCondition="integratedMode" verb="GET,HEAD" path="ScriptResource.axd" type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/> </handlers> </system.webServer> <runtime> <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1"> <dependentAssembly> <assemblyIdentity name="System.Web.Extensions" publicKeyToken="31bf3856ad364e35"/> <bindingRedirect oldVersion="1.0.0.0-1.1.0.0" newVersion="3.5.0.0"/> </dependentAssembly> <dependentAssembly> <assemblyIdentity name="System.Web.Extensions.Design" publicKeyToken="31bf3856ad364e35"/> <bindingRedirect oldVersion="1.0.0.0-1.1.0.0" newVersion="3.5.0.0"/> </dependentAssembly> </assemblyBinding> </runtime> </configuration>
0x02:多处配置不当
http://vip.haolyy.com/.viminfohttp://sub.haolyy.com/.git/confighttp://m.haolyy.com/.git/confighttp://weixin.haolyy.com/.git/config
我是来找礼物的!
危害等级:低
漏洞Rank:5
确认时间:2015-11-30 17:02
感谢提交,谢谢。
暂无
