乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2014-10-08: 细节已通知厂商并且等待厂商处理中 2014-10-08: 厂商已经确认,细节仅向厂商公开 2014-10-18: 细节向核心白帽子及相关领域专家公开 2014-10-28: 细节向普通白帽子公开 2014-11-07: 细节向实习白帽子公开 2014-11-22: 细节向公众公开
同样类似的问题,怎么补都补不完,补了又有,补了又有,而且数据库密码又是弱口令。。。http://security.tencent.com/index.php/blog/msg/68
网站: http://bbs.paipai.com 存在信息泄露:网址:http://bbs.paipai.com/config/config_global.php.bak
<?php$_config = array();// ---------------------------- CONFIG DB ----------------------------- //$_config['db']['1']['dbhost'] = '10.**.**.222';$_config['db']['1']['dbuser'] = 'ppbbsdb';$_config['db']['1']['dbpw'] = 'ppbbsdb@db';$_config['db']['1']['dbcharset'] = 'gbk';$_config['db']['1']['pconnect'] = '0';$_config['db']['1']['dbname'] = 'ppbbs';$_config['db']['1']['tablepre'] = '';/************************************ begin ****************************************/// 数据库从服务器设置( slave, 只读 ), 支持多组服务器设置, 当设置多组服务器时, 系统每次随机使用$_config['db']['slave'] = array();$_config['db']['slave']['1']['dbhost'] = '10.**.**.143';$_config['db']['slave']['1']['dbuser'] = 'ppbbsdb';$_config['db']['slave']['1']['dbpw'] = 'ppbbsdb@db';$_config['db']['slave']['1']['dbcharset'] = 'gbk';$_config['db']['slave']['1']['pconnect'] = '0';$_config['db']['slave']['1']['dbname'] = 'ppbbs';$_config['db']['slave']['1']['tablepre'] = '';$_config['db']['slave']['2']['dbhost'] = '10.**.**.222';$_config['db']['slave']['2']['dbuser'] = 'ppbbsdb';$_config['db']['slave']['2']['dbpw'] = 'ppbbsdb@db';$_config['db']['slave']['2']['dbcharset'] = 'gbk';$_config['db']['slave']['2']['pconnect'] = '0';$_config['db']['slave']['2']['dbname'] = 'ppbbs';$_config['db']['slave']['2']['tablepre'] = '';/* 2014-1-7 取消对10.**.**.235的读操作$_config['db']['slave']['3']['dbhost'] = '10.**.**.235';$_config['db']['slave']['3']['dbuser'] = 'ppbbsdb';$_config['db']['slave']['3']['dbpw'] = 'ppbbsdb@db';$_config['db']['slave']['3']['dbcharset'] = 'gbk';$_config['db']['slave']['3']['pconnect'] = '0';$_config['db']['slave']['3']['dbname'] = 'ppbbs';$_config['db']['slave']['3']['tablepre'] = '';*//** * paipai, zhuxun. 手动启用还是自动启用从库的开关 * 0 => 不使用从库; * 1 => 自动使用从库; * 2 => 手动使用从库; */$_config['db']['slaveswitch'] = 1;/** * 数据库 分布部署策略设置 * * @example 将 common_member 部署到第二服务器, common_session 部署在第三服务器, 则设置为 * $_config['db']['map']['common_member'] = 2; * $_config['db']['map']['common_session'] = 3; * * 对于没有明确声明服务器的表, 则一律默认部署在第一服务器上 * */$_config['db']['map'] = array();/** * 数据库 公共设置, 此类设置通常对针对每个部署的服务器 */$_config['db']['common'] = array();/** * 禁用从数据库的数据表, 表名字之间使用逗号分割 * * @example common_session, common_member 这两个表仅从主服务器读写, 不使用从服务器 * $_config['db']['common']['slave_except_table'] = 'common_session, common_member'; * */$_config['db']['common']['slave_except_table'] = '';/****************************** end ********************************/// -------------------------- CONFIG MEMORY --------------------------- ////10.**.**.81,172.**.**.144,10.**.**.117$_config['memory']['prefix'] = 'jjXlau_';$_config['memory']['eaccelerator'] = 0;$_config['memory']['xcache'] = 0;$_config['memory']['memcache']['server']['1'] = '10.**.**.81';$_config['memory']['memcache']['port']['1'] = 11383;$_config['memory']['memcache']['pconnect']['1'] = 1;$_config['memory']['memcache']['timeout']['1'] = 1;$_config['memory']['memcache']['server']['2'] = '172.**.**.144';$_config['memory']['memcache']['port']['2'] = 11383;$_config['memory']['memcache']['pconnect']['2'] = 1;$_config['memory']['memcache']['timeout']['2'] = 1;$_config['memory']['memcache']['server']['3'] = '10.**.**.117';$_config['memory']['memcache']['port']['3'] = 11383;$_config['memory']['memcache']['pconnect']['3'] = 1;$_config['memory']['memcache']['timeout']['3'] = 1;// -------------------------- CONFIG SERVER --------------------------- //$_config['server']['id'] = 1;// ------------------------- CONFIG DOWNLOAD -------------------------- //$_config['download']['readmod'] = 2;$_config['download']['xsendfile']['type'] = '0';$_config['download']['xsendfile']['dir'] = '/down/';// --------------------------- CONFIG CACHE --------------------------- //$_config['cache']['type'] = 'sql';// -------------------------- CONFIG OUTPUT --------------------------- //$_config['output']['charset'] = 'gbk';$_config['output']['forceheader'] = 1;$_config['output']['gzip'] = '0';$_config['output']['tplrefresh'] = 1;$_config['output']['language'] = 'zh_cn';$_config['output']['staticurl'] = 'http://static.paipaiimg.com/dz/';$_config['output']['ajaxvalidate'] = '0';// -------------------------- CONFIG COOKIE --------------------------- //$_config['cookie']['cookiepre'] = 'tD1v_';$_config['cookie']['cookiedomain'] = '';$_config['cookie']['cookiepath'] = '/';// ------------------------- CONFIG SECURITY -------------------------- //$_config['security']['authkey'] = '512b45sO****lMn6';$_config['security']['urlxssdefend'] = 1;$_config['security']['attackevasive'] = '0';$_config['security']['querysafe']['status'] = 1;$_config['security']['querysafe']['dfunction']['0'] = 'load_file';$_config['security']['querysafe']['dfunction']['1'] = 'hex';$_config['security']['querysafe']['dfunction']['2'] = 'substring';$_config['security']['querysafe']['dfunction']['3'] = 'if';$_config['security']['querysafe']['dfunction']['4'] = 'ord';$_config['security']['querysafe']['dfunction']['5'] = 'char';$_config['security']['querysafe']['daction']['0'] = 'intooutfile';$_config['security']['querysafe']['daction']['1'] = 'intodumpfile';$_config['security']['querysafe']['daction']['2'] = 'unionselect';$_config['security']['querysafe']['daction']['3'] = '(select';$_config['security']['querysafe']['daction'][] = 'unionall';$_config['security']['querysafe']['daction'][] = 'uniondistinct';$_config['security']['querysafe']['daction']['6'] = '@';$_config['security']['querysafe']['dnote']['0'] = '/*';$_config['security']['querysafe']['dnote']['1'] = '*/';$_config['security']['querysafe']['dnote']['2'] = '#';$_config['security']['querysafe']['dnote']['3'] = '--';$_config['security']['querysafe']['dnote']['4'] = '"';$_config['security']['querysafe']['dlikehex'] = 1;$_config['security']['querysafe']['afullnote'] = 1;// -------------------------- CONFIG ADMINCP -------------------------- //// -------- Founders: $_config['admincp']['founder'] = '1,2,3'; --------- //$_config['admincp']['founder'] = '123009415,518800120,171550539,86189013,55320364,518810171,518800254,518800362,43725553,518800214,305595435';$_config['admincp']['forcesecques'] = '0';$_config['admincp']['checkip'] = 1;$_config['admincp']['runquery'] = 1;$_config['admincp']['dbimport'] = 1;// -------------------------- CONFIG PUBSWITCH -------------------------- ////note 是否开启积分统计$_config['pubclose']['statcredit'] = 1;//$_config['pubclose']['reupdateposts'] = 1;$_config['paipai']['api']['ip'] = array('172.23.155.72','10.130.0.100','172.23.155.87','172.23.28.145','172.23.28.232','172.23.28.233','172.27.28.147','172.27.28.148');define('CSSCACHECDN', 'http://static.paipaiimg.com/dz/');//note 在这之前的帖子 htmlon 状态只看帖子中的标记$_config['pubclose']['htmlonfrompost'] = '2011-01-01 00:00:00';// ------------------- THE END -------------------- //?>
危害等级:中
漏洞Rank:5
确认时间:2014-10-08 11:42
非常感谢您的报告,问题已着手处理,感谢大家对腾讯业务安全的关注。如果您有任何疑问,欢迎反馈,我们会有专人跟进处理。
2014-10-08:感谢反馈,此漏洞已修复。paipai业务已归属于京东,后续paipai的安全问题请直接反馈给京东。
