当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2012-015978

漏洞标题:扬子晚报官方购物平台百万用户信息泄漏

相关厂商:扬子晚报网

漏洞作者: se55i0n

提交时间:2012-12-13 23:03

修复时间:2013-01-27 23:03

公开时间:2013-01-27 23:03

漏洞类型:用户资料大量泄漏

危害等级:高

自评Rank:20

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2012-12-13: 细节已通知厂商并且等待厂商处理中
2012-12-18: 厂商已经确认,细节仅向厂商公开
2012-12-28: 细节向核心白帽子及相关领域专家公开
2013-01-07: 细节向普通白帽子公开
2013-01-17: 细节向实习白帽子公开
2013-01-27: 细节向公众公开

简要描述:

剑心,我真的没脱裤~

详细说明:

1)整个事件起源于一处SQL注射,好久之前发了剑心没给过,下午偶然看到记录,就挖掘了下~~注射点:http://service.xhby.net/yiliao/item.php?id=695
再友情赠送一枚:http://meirong.yangtse.com/chanel.php?id=14
2)不知道管理员怎么想的,之前发现这个注入点的时候数据库权限并不是root,今天再次测试发现成了root权限,顿时来了兴趣;

2.jpg


3)既然是root权限,就可以使用load_file()查看配置文件获取我们想要的信息,查看apache默认配置文件,发现同服务器的存在几个重要网站(信息作了部分处理);

#</VirtualHost>
<VirtualHost *:80>
DocumentRoot /var/www/html/xxx/
ServerName blog.yzwb.net
ErrorDocument 404 http://www.yangtse.com/
# ErrorLog error_log
# CustomLog culog
</VirtualHost>
<VirtualHost *:80>
DocumentRoot /var/www/html/xxx/
ServerName blog.yangtse.com
ErrorDocument 404 http://www.yangtse.com/
# ErrorLog error_log
# CustomLog culog
</VirtualHost>
<VirtualHost *:80>
DocumentRoot /var/www/html/xxx/
ServerName service.yangtse.com
ErrorDocument 404 http://www.yangtse.com/
# ErrorLog error_log
# CustomLog culog
</VirtualHost>
<VirtualHost *:80>
DocumentRoot /var/www/html/xxx/
ServerName service.yzwb.net
ErrorDocument 404 http://www.yangtse.com/
# ErrorLog error_log
# CustomLog culog
</VirtualHost>
<VirtualHost *:80>
DocumentRoot /var/www/html/eshop/test/xxx/
ServerName www.dalibao.cn
# ErrorLog error_log
# CustomLog culog
</VirtualHost>
<VirtualHost *:80>
DocumentRoot /var/www/html/eshop/test/xxx/
ServerName www.960961.cn
# ErrorLog error_log
# CustomLog culog
</VirtualHost>
<VirtualHost *:80>
DocumentRoot /var/www/html/eshop/test/xxx/
ServerName www.960961.net
# ErrorLog error_log
# CustomLog culog
</VirtualHost>
<VirtualHost *:80>
DocumentRoot /var/www/html/eshop/test/xxx/
ServerName shop.yzwb.net
# ErrorLog error_log
# CustomLog culog
</VirtualHost>
<VirtualHost *:80>
DocumentRoot /var/www/html/eshop/test/xxx/
ServerName shop.yangtse.com
# ErrorLog error_log
# CustomLog culog
</VirtualHost>
<VirtualHost *:80>
DocumentRoot /var/www/html/xxx/
ServerName app.yzwb.net
# ErrorLog error_log
# CustomLog culog
</VirtualHost>
<VirtualHost *:80>
DocumentRoot /var/www/html/xxx/
ServerName app.yangtse.com
# ErrorLog error_log
# CustomLog culog
</VirtualHost>
<VirtualHost *:80>
DocumentRoot /var/www/html/eshop/test/xxx/
ServerName www.960961.com
# ErrorLog error_log
# CustomLog culog
</VirtualHost>
<VirtualHost *:80>
DocumentRoot /var/www/html/eshop/test/xxx/
ServerName 960961.com
# ErrorLog error_log
# CustomLog culog
</VirtualHost>
<VirtualHost *:80>
DocumentRoot /var/www/html/eshop/test/xxx/
ServerName 960961.cn
# ErrorLog error_log
# CustomLog culog
</VirtualHost>
<VirtualHost *:80>
DocumentRoot /var/www/html/eshop/test/xxx/
ServerName www.960961.cn
# ErrorLog error_log
# CustomLog culog
</VirtualHost>
<VirtualHost *:80>
DocumentRoot /var/www/html/eshop/test/xxx/
ServerName 960961.net
# ErrorLog error_log
# CustomLog culog
</VirtualHost>
<VirtualHost *:80>
DocumentRoot /var/www/html/eshop/test/xxx/
ServerName www.960961.net
# ErrorLog error_log
# CustomLog culog
</VirtualHost>
<VirtualHost *:80>
DocumentRoot /var/www/html/shop/xxx/
ServerName tg.960961.com
# ErrorLog error_log
# CustomLog culog
</VirtualHost>
<VirtualHost *:80>
DocumentRoot /var/www/html/service/xxx/
ServerName baby.yzwb.net
# ErrorLog error_log
# CustomLog culog
</VirtualHost>
#### ----------------------- xhby --------------- ###
<VirtualHost *:80>
ServerName service.xhby.net
DocumentRoot "/var/www/html/xxx/"
</VirtualHost>
<VirtualHost *:80>
ServerName ly2012.xhby.net
DocumentRoot "/var/www/html/path/myphp/xxx/"
</VirtualHost>
<VirtualHost *:80>
ServerName ocar.com.cn
DocumentRoot "/var/www/html/path/xxx/"
</VirtualHost>
<VirtualHost *:80>
ServerName www.ocar.com.cn
DocumentRoot "/var/www/html/path/xxx/"
</VirtualHost>
<VirtualHost *:80>
ServerAdmin xyz@xhby.net
ServerName "www.jslegal.com"
DocumentRoot "/var/www/html/path/xxx/"
</VirtualHost>
<VirtualHost *:80>
ServerAdmin xyz@xhby.net
ServerName "77.xhby.net"
DocumentRoot "/var/www/html/path/xxx/"
</VirtualHost>


4)有了网站路径信息,接下来就能读取数据库配置信息了,然后就能...(YY),读取到数据库配置信息如下:

<?php 
$dbuser = 'root'; //用户名
$dbpwd = 'a7vztx';//密码
$dbname = 'yiliao';//数据库名称
$dbz = ''; //数据库表前缀
?>


5)好吧~数据库用户名、密码都有了,能远程连接到数据库么~~哈哈,不能连接也没有本文咯;

1.jpg


6)好吧~这里才是keypoint,扬子晚报官方购物平台的数据库,当然还有一下其他数据库,信息非常丰富;

2.jpg


6.1)去,还有工作单位;

3.jpg


6.2)

4.jpg


6.3)

5.jpg


6.4)

6.jpg


漏洞证明:

见详细说明~

修复方案:

版权声明:转载请注明来源 se55i0n@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:13

确认时间:2012-12-18 15:41

厂商回复:

CNVD确认漏洞并复现所述情况,转由CNCERT江苏分中心协调涉事单位处置。
按完全影响机密性进行评分,基本危害评分7.79(高危),发现技术难度系数1.0,涉及行业或单位影响系数1.4,综合rank=10.906,涉及多家单位,rank +2

最新状态:

暂无