
Vulnerability Summary (followers: 24)

Defect ID: wooyun-2015-089775

Title: Sensitive information disclosure on a Rayli.com subsite (can affect the data of 5 million users)

Vendor: rayli.com.cn

Author: 猪猪侠

Submitted: 2015-01-03 01:12

Fixed: 2015-01-08 15:23

Disclosed: 2015-01-08 15:23

Type: Sensitive information disclosure

Severity: High

Self-assessed Rank: 20

Status: Fixed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:



Vulnerability Details

Disclosure status:

2015-01-03: Details sent to the vendor, awaiting vendor handling
2015-01-05: Vendor confirmed; details disclosed to the vendor only
2015-01-08: Vendor fixed the vulnerability and chose to publish; details disclosed to the public

Summary:

Sensitive information disclosure on a Rayli.com subsite (directly threatens the user database)

Details:

SVN metadata disclosure (the .svn/entries file is served by the web server):
http://xiangmai.rayli.com.cn/.svn/entries

[image: svn.jpg]


Admin backend:
http://xiangmai.rayli.com.cn/index.php?/admin/login

$active_group = 'default';
$active_record = TRUE;
$db['default']['hostname'] = '58.68.225.131';
$db['default']['username'] = 'rayli_tuitui';
$db['default']['password'] = '*******************';
$db['default']['database'] = 'rayli_tuitui';
$db['default']['dbdriver'] = 'mysql';
$db['default']['dbprefix'] = '';
$db['default']['pconnect'] = TRUE;
$db['default']['db_debug'] = TRUE;
$db['default']['cache_on'] = FALSE;
$db['default']['cachedir'] = '';
$db['default']['char_set'] = 'utf8';
$db['default']['dbcollat'] = 'utf8_general_ci';
$db['default']['swap_pre'] = '';
$db['default']['autoinit'] = TRUE;
$db['default']['stricton'] = FALSE;
$db['sa']['hostname'] = '58.68.225.131';
$db['sa']['username'] = 'rayli_tuitui';
$db['sa']['password'] = '*******************';
$db['sa']['database'] = 'rayli_tuitui';
$db['sa']['dbdriver'] = 'mysql';
$db['sa']['dbprefix'] = '';
$db['sa']['pconnect'] = TRUE;
$db['sa']['db_debug'] = TRUE;
$db['sa']['cache_on'] = FALSE;
$db['sa']['cachedir'] = '';
$db['sa']['char_set'] = 'utf8';
$db['sa']['dbcollat'] = 'utf8_general_ci';
$db['sa']['swap_pre'] = '';
$db['sa']['autoinit'] = TRUE;
$db['sa']['stricton'] = FALSE;


The UC_KEY obtained from the leaked configuration is used to get a webshell directly:

<?php
define('UC_CONNECT', '');
define('UC_DBHOST', '192.168.0.13');
define('UC_DBUSER', 'discuz');
define('UC_DBPW', '1qaz2w****l0.13');
define('UC_DBNAME', 'uc');
define('UC_DBCHARSET', 'gbk');
define('UC_DBTABLEPRE', '`uc`.uc_');
define('UC_DBCONNECT', '0');
define('UC_KEY', '1facNvxogx*******60TvvygnvUSUVk');
define('UC_API', 'http://***.rayli.com.cn/uc');
define('UC_CHARSET', 'gbk');
define('UC_IP', '');
define('UC_APPID', '20');
define('UC_PPP', '20');

Proof of vulnerability:

[image: mysql_con.jpg]


sh-3.2# nmap -sT -sV 192.168.0.13
nmap -sT -sV 192.168.0.13
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2015-01-03 00:58 CST
Interesting ports on localhost (192.168.0.13):
Not shown: 1676 closed ports
PORT STATE SERVICE VERSION
25/tcp open smtp Exim smtpd
465/tcp open smtps?
587/tcp open submission?
3306/tcp open mysql MySQL 5.0.77-log
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port587-TCP:V=4.11%I=7%D=1/3%Time=54A6CE5B%P=x86_64-redhat-linux-gnu%r(
SF:GenericLines,20,"554\x20SMTP\x20synchronization\x20error\r\n");
MAC Address: 00:22:19:BD:54:DB (Unknown)


select url from uc_applications;
+--------------------------------------+
| url |
+--------------------------------------+
| http://ucclient.rayli.com.cn |
| http://blog.rayli.com.cn |
| http://pass.rayli.com.cn |
| http://adsite2.rayli.com.cn/APPDemo/ |
| http://q.rayli.com.cn |
| http://3w.rayli.com.cn/registration/ |
| http://bbs.rayli.com.cn |
| http://credit.rayli.com.cn/ |
| http://product.rayli.com.cn/ |
| http://star.rayli.com.cn |
| http://testgo.rayli.com.cn |
| http://xiangmai.rayli.com.cn |
+--------------------------------------+
12 rows in set (0.01 sec)


select count(*) from uc_members;
+----------+
| count(*) |
+----------+
| 5118858 |
+----------+
1 row in set (0.00 sec)

Fix recommendation:

Delete the exposed files.
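The report's fix is one word, but the exposure has two halves a defender wants to verify: that no version-control metadata directory is left inside a web document root, and that any past requests for such paths can be found in the access logs. The following Python script is an added example, not part of the original report; it assumes the common combined access-log format (nginx/Apache default), and the log lines and document root it scans are constructed for the example.

```python
"""Defender-side checks for exposed version-control metadata.

Two checks: scan a document root for VCS directories that a web server
would happily serve, and scan web access-log lines for requests that
probe for them. The sample log and the document root are constructed.
"""
import os
import re
import tempfile

# VCS metadata directories that should never be reachable over HTTP.
VCS_DIRS = (".svn", ".git", ".hg", ".bzr")

# Combined-format access log line (assumed format, nginx/Apache default).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# A request path that enters a VCS metadata directory.
PROBE_RE = re.compile(r"/\.(svn|git|hg|bzr)(/|$)")


def find_exposed_vcs_dirs(docroot):
    """Return VCS metadata directories found under a document root, relative to it."""
    found = []
    for dirpath, dirnames, _files in os.walk(docroot):
        for name in list(dirnames):
            if name in VCS_DIRS:
                rel = os.path.relpath(os.path.join(dirpath, name), docroot)
                found.append(rel.replace(os.sep, "/"))
                dirnames.remove(name)  # no need to descend into the metadata itself
    return sorted(found)


def flag_vcs_requests(log_lines):
    """Return (ip, path, status) for every request that touched VCS metadata.

    Unparseable lines are skipped. The query string is dropped before matching
    so that '/index.php?/.svn/x' is not mistaken for a metadata request.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if PROBE_RE.search(path):
            hits.append((m.group("ip"), path, int(m.group("status"))))
    return hits


def served_vcs_requests(log_lines):
    """Subset of flagged requests that succeeded (2xx): the files were actually served."""
    return [h for h in flag_vcs_requests(log_lines) if 200 <= h[2] < 300]


# Constructed access-log sample; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Jan/2015:00:55:01 +0800] "GET /.svn/entries HTTP/1.1" 200 1432',
    '203.0.113.5 - - [03/Jan/2015:00:55:02 +0800] "GET /index.php?/admin/login HTTP/1.1" 200 5120',
    '198.51.100.9 - - [03/Jan/2015:00:57:10 +0800] "GET /.git/config HTTP/1.1" 403 162',
    '198.51.100.9 - - [03/Jan/2015:00:57:11 +0800] "GET /images/logo.png HTTP/1.1" 200 9021',
    'garbage line that does not parse',
]


def demo_docroot_scan():
    """Build a throwaway document root with leftover .svn and .git directories and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, ".svn"))
        os.makedirs(os.path.join(root, "app", "config"))
        os.makedirs(os.path.join(root, "app", ".git"))
        return find_exposed_vcs_dirs(root)


if __name__ == "__main__":
    print("VCS dirs in docroot:", demo_docroot_scan())
    for ip, path, status in flag_vcs_requests(SAMPLE_LOG):
        print(f"{ip} requested {path} -> {status}")
```

A 2xx on a metadata path is the condition this report describes (the files were served, so the configuration behind them must be treated as compromised); a 403 or 404 is a blocked probe and is worth watching but needs no credential rotation.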

Copyright notice: please credit 猪猪侠@乌云 when reposting


Vendor Response

Vendor response:

Severity: High

Vulnerability Rank: 13

Confirmed: 2015-01-05 14:36

Vendor reply:

We are aware of this vulnerability, thank you for the reminder; we are carrying out a comprehensive fix.

Latest status:

2015-01-08: Many thanks, this has been fixed.