
Vulnerability summary (24 followers)

Defect ID: wooyun-2014-088195

Title: Starbucks official site backup is downloadable, leaking sensitive information (including the operating-system Administrator password)

Vendor: Starbucks China

Author: 猪猪侠

Submitted: 2014-12-22 20:49

Fix deadline: 2015-02-05 20:50

Published: 2015-02-05 20:50

Vulnerability type: sensitive information disclosure

Severity: high

Self-assessed rank: 20

Status: vendor could not be reached, or the vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-12-22: actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2015-02-05: the vendor has actively ignored the vulnerability; details disclosed to the public

Summary:

A backup of the Starbucks China official site is downloadable, leaking sensitive information (including the operating-system Administrator password)

Details:

The core web.config configuration file can be downloaded directly from the site root, because the whole backup archive sits under the web root:
http://www.starbucks.com.cn/web.rar
Back-end management site:
http://cms.starbucks.com.cn:8888/


Operating-system administrator password (the impersonation identity is configured with a clear-text password in web.config):

<httpRuntime executionTimeout="600" maxRequestLength="51200" useFullyQualifiedRedirectUrl="false" />
<identity impersonate="true" userName="administrator" password="Flipscript@0502" />

Proof of vulnerability:

Masked region
*****ot; encoding=&q*****
*****;!*****
*****^外,您还可以^*****
*****^^序的^*****
*****^网站”->“As*****
*****^在 machine.c*****
*****^通^*****
*****t\Framework\v*****
*****gt*****
*****ration*****
*****gSecti*****
**********
*****et.Config.Log4NetConfiguratio*****
**********
*****ExtensionsSectionGroup, System.Web.Extensions, Versio*****
*****SectionGroup, System.Web.Extensions, Version=3.5*****
*****tensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E3*****
*****ervicesSectionGroup, System.Web.Extensions, Version=*****
*****Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856A*****
*****ns, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35&q*****
*****tensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35*****
*****Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35&quot*****
*****section*****
*****ctionGr*****
*****ctionG*****
*****igSect*****
**********
*****og4ne*****
*****uot; type="log4net.App*****
*****uot; value="log*****
*****ndToFile" valu*****
*****ingStyle" valu*****
*****ern" value=&quot*****
*****LogFileName" va*****
*****;log4net.Layout.P*****
*****ttern" value="%*****
*****lt;/lay*****
*****;/appe*****
*****uot; type="log4net.A*****
*****;log4net.Layout.P*****
*****ttern" value="%*****
*****lt;/lay*****
*****;/appe*****
*****lt;ro*****
*****alue="D*****
*****"RollingFile*****
*****f="ConsoleA*****
*****;/root*****
*****log4n*****
**********
**********
**********
*****Settin*****
*****写绝对路径,如^*****
*****ww.starbucks.com.cn.temp|\\172.16.1.2*****
**********
*****uot;D:\starbucks\rewards|\\17*****
1.://**.**.**//www.starbucks.com.cn/upload/" />_
2.://**.**.**//www.starbucks.com.cn/upload/" />_
3.://**.**.**//www.starbucks.com.cn/upload/" />_
4.://**.**.**//www.starbucks.com.cn/upload/" />_
5.://**.**.**//www.starbucks.com.cn/upload/" />_
6.://**.**.**//www.starbucks.com.cn/upload/" />_
*****path" value=&q*****
7.://**.**.**//www.starbucks.com.cn" />_
*****nid" value=*****
*****nid" value=*****
*****id" value=*****
*****id" value=*****
*****pSetti*****
*****ionStrin*****
*****tem.we*****
***** &lt*****
*****bug="true&qu*****
*****^^编译^*****
*****^^,因此只在^*****
*****^^置^*****
***** --&*****
*****s mode=&quot*****
***** debug=&quot*****
*****;assembl*****
*****=3.5.0.0, Culture=neutral, Pub*****
*****sion=3.5.0.0, Culture=neutral, Pu*****
*****on=3.5.0.0, Culture=neutral, Pu*****
***** Version=3.5.0.0, Culture=neutral, *****
*****;/assemb*****
*****compila*****
***** &lt*****
*****on> 节可以^*****
*****别进^*****
*****^^份验^*****
***** --&*****
*****mode="Win*****
***** &lt*****
*****的过程中出^*****
*****gt; 节可以配置^*****
*****^^体^*****
*****^通过该^*****
*****误页以代替^*****
**********
*****ot; defaultRedirect=&quot*****
*****3" redirect=&quo*****
*****quot; redirect="F*****
*****customE*****
***** --&*****
*****;pages*****
*****lt;cont*****
*****y="System.Web.Extensions, Version=3.5.0.0,*****
*****ssembly="System.Web.Extensions, Version=3.5.0*****
*****lt;/con*****
*****;/page*****
*****ttpHand*****
*****;*" path=&qu*****
*****ipt.Services.ScriptHandlerFactory, System.Web.Extensions, *****
*****.Script.Services.ScriptHandlerFactory, System.Web.Extensions,*****
*****ystem.Web.Handlers.ScriptResourceHandler, System.Web.Extensio*****
*****httpHan*****
*****ttpModu*****
*****le, System.Web.Extensions, Version=3.5.0.0, Cu*****
*****httpMod*****
*****Length="51200" useFullyQ*****
*****ot;administrator" passw*****
*****stem.w*****
*****m.coded*****
*****;compi*****
*****p.CSharpCodeProvider,System, Version=2.0.0.0, Culture=ne*****
*****;CompilerVersion" *****
*****ot;WarnAsError" v*****
*****lt;/com*****
*****t.VisualBasic.VBCodeProvider, System, Version=2.0.0.0, Cultu*****
*****;CompilerVersion" *****
*****ot;OptionInfer" v*****
*****ot;WarnAsError" v*****
*****lt;/com*****
*****compile*****
*****em.code*****
*****serviceM*****
**********
*****;bindi*****
*****;wsHttpB*****
*****nsactionFlow="false" hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="524288000" maxRece*****
*****; maxArrayLength="1638400" maxBytesPerRea*****
*****; inactivityTimeout="00:10:*****
*****urity mode=&qu*****
*****t;Windows" proxyCredentialT*****
*****ctionPolicy policyEnfor*****
***** </*****
*****uot;Windows" negotiateSer*****
***** </s*****
***** </bi*****
*****ionFlow="false" hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="52428800" maxReceived*****
*****; maxArrayLength="1638400" maxBytesPerRea*****
*****; inactivityTimeout="00:10:*****
*****urity mode=&qu*****
*****t;Windows" proxyCredentialT*****
*****ctionPolicy policyEnfor*****
***** </*****
*****negotiateServiceCredential="true&q*****
***** </s*****
***** </bi*****
*****wsHttpBin*****
*****;/bind*****
*****;clien*****
8.://**.**.**//172.16.1.32:8002/StarbucksGCService.svc" binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IStarbucksGCService" contract="StarbucksGCService.IStarbucksGCService" name="WSHttpBinding_IStarbucksGCService">_
***** <ide*****
*****alue="loca*****
***** </id*****
*****lt;/end*****
9.://**.**.**//172.16.1.32:8888/Service1.svc" binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IService11" contract="MSRService.IService1" name="WSHttpBinding_IService1">_
***** <ide*****
*****alue="loca*****
***** </id*****
*****lt;/end*****
*****;/clie*****
*****.service*****
*****m.webSe*****
**********
**********
*****taticCo*****
*****quot; mimeType="appl*****
*****;.mp4" mimeType=&*****
*****;.webm" mimeType=*****
*****aticCont*****
*****aultDocu*****
***** <f*****
*****ue="via.h*****
*****lt;/fil*****
*****faultDoc*****
*****em.webS*****
*****uratio*****

Fix:

# Delete the backup file

Copyright notice: when reposting, please credit the source: 猪猪侠@乌云
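The report comes down to two defender-side checks: nothing archive- or backup-like may sit under a served web root, and web.config must not carry clear-text secrets such as an <identity impersonate="true" ... password="..."/> entry. The following script is an added example written for this page, not code from the original report or from Starbucks; it builds a constructed sample web root (with a placeholder web.rar, a backup zip and a web.config using the placeholder value "example-secret") and runs both checks over it. The helper names and the sample layout are assumptions made for the example.

```python
"""Added example (not part of the original WooYun report).

find_backup_artifacts(): walk a web root and list files a web server would
serve verbatim although they are backups or archives (e.g. web.rar at the
site root).
find_plaintext_credentials(): parse a web.config and report elements that
carry clear-text secrets: <identity impersonate="true" password=.../> and
connectionStrings entries with an embedded password.

The sample web root and web.config below are constructed for this example.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# File suffixes that should never be reachable under a served web root.
BACKUP_SUFFIXES = (".rar", ".zip", ".7z", ".tar", ".gz", ".bak", ".old", ".orig", ".swp")
# File names that advertise themselves as copies of something.
BACKUP_NAME_RE = re.compile(r"backup", re.IGNORECASE)


def find_backup_artifacts(web_root):
    """Return sorted, web-root-relative POSIX paths of backup/archive-looking files."""
    hits = []
    for path in Path(web_root).rglob("*"):
        if not path.is_file():
            continue
        name = path.name.lower()
        if name.endswith(BACKUP_SUFFIXES) or BACKUP_NAME_RE.search(name):
            hits.append(path.relative_to(web_root).as_posix())
    return sorted(hits)


def find_plaintext_credentials(config_text):
    """Return (location, account-or-name) pairs for clear-text secrets in a web.config."""
    findings = []
    root = ET.fromstring(config_text)
    # <identity impersonate="true" userName=... password=.../> keeps an OS account
    # password in clear text; ASP.NET expects such sections to be protected with
    # aspnet_regiis -pe (Protected Configuration) or to use a domain account with
    # no password in the file.
    for ident in root.iter("identity"):
        if ident.get("impersonate", "false").lower() == "true" and ident.get("password"):
            findings.append(("system.web/identity", ident.get("userName", "")))
    # connectionStrings entries with Password= / Pwd= embedded in the string.
    for add in root.iter("add"):
        conn = add.get("connectionString", "")
        if re.search(r"(?i)(password|pwd)\s*=", conn):
            findings.append(("connectionStrings/add", add.get("name", "")))
    return findings


# Constructed sample web.config; "example-secret" is a placeholder, not a real value.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="MainDb" connectionString="Server=db1;Database=app;User Id=app;Password=example-secret;" />
  </connectionStrings>
  <system.web>
    <httpRuntime executionTimeout="600" maxRequestLength="51200" useFullyQualifiedRedirectUrl="false" />
    <identity impersonate="true" userName="administrator" password="example-secret" />
  </system.web>
</configuration>
"""


def build_sample_web_root():
    """Create a constructed temporary web root mirroring the reported layout."""
    root = tempfile.mkdtemp(prefix="webroot-")
    (Path(root) / "web.config").write_text(SAMPLE_WEB_CONFIG)
    (Path(root) / "web.rar").write_bytes(b"Rar!\x1a\x07\x00")  # placeholder archive header
    (Path(root) / "default.aspx").write_text("<%@ Page %>")
    os.makedirs(Path(root) / "upload", exist_ok=True)
    (Path(root) / "upload" / "site-backup.zip").write_bytes(b"PK\x03\x04")
    return root


if __name__ == "__main__":
    web_root = build_sample_web_root()
    for rel in find_backup_artifacts(web_root):
        print("backup artifact under web root:", rel)
    for where, who in find_plaintext_credentials(SAMPLE_WEB_CONFIG):
        print("clear-text credential:", where, who)
```

Run the archive check from a cron job or a deploy hook against the real web root and fail the deployment on any hit; run the web.config check in the repository before the file ever reaches a server, since a file that is clean in source control cannot leak a password through a stray backup.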


Vulnerability response

Vendor response:

Unable to contact the vendor, or the vendor actively declined the report