
Vulnerability summary

Defect ID: wooyun-2012-04606

Title: Phoenix (ifeng) subsite injection vulnerability: read configuration files to obtain the site path, then read site files

Vendor: 凤凰网 (ifeng.com)

Author: 疯狂

Submitted: 2012-02-17 20:18

Fixed: 2012-04-02 20:19

Published: 2012-04-02 20:19

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org. For questions or help, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2012-02-17: Details sent to the vendor, awaiting vendor handling
2012-02-17: Vendor confirmed; details disclosed to the vendor only
2012-02-27: Details disclosed to core white hats and domain experts
2012-03-08: Details disclosed to regular white hats
2012-03-18: Details disclosed to intern white hats
2012-04-02: Details disclosed to the public

Brief description:

One point of entry, and the whole surface opens up......

Detailed description:


This is the site's injection point...

Proof of vulnerability:


Reading sensitive files, one at a time; it was painfully slow.

Fix recommendation:

Finally found something: loveyou.cfg
Content is : server
{
listen 80;
server_name bbs.travel.ifeng.com bbsfile.travel.ifeng.com;
ssi on;
client_max_body_size 4m;
index index.shtml index.html index.php;
root /data/ifengsite/htdocs/bbs;

if ( $fastcgi_script_name ~ \..*\/.*php ) {
return 403;
}
location ~ ^/(admin|include|attachments|templates|forumdata)/.*\.(php|php5)$
{
deny all;
}
location ~ .*admincp\.(php|php5)?$ {
allow 220.181.67.0/24;
allow 220.181.48.0/24;
allow 210.51.19.0/24;
allow 210.51.18.0/24;
allow 211.151.61.0/24;
allow 210.51.19.11;
allow 127.0.0.1;
deny all;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fcgi.conf;
}
location ~ .*\.(php|php5)?$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fcgi.conf;
}
error_page 404 /404.html;
error_page 500 502 503 504 50x.html;
location = /50x.html {
root /data/ifengsite/htdocs;
}
location ~ .*\.(gif|jpg|png|bmp|jpeg|ico|tif|css)$ {
expires 60m;
valid_referers none blocked *.ifeng.com *.phoenixtv.com ;
if ($invalid_referer) {
return 403;
}
}
location ~ .*\.(mpeg|mpg|mov|asf|wmv|wma|mp3|rm|rmvb|swf)$ {
expires 120m;
}
location ~ .*\.(shtml|htm|html|js)$ {
expires 10m;
}
log_format accessbbs '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" ';
access_log /data/logs/nginx/bbs_access.log accessbbs;
rewrite ^(.*)/archiver/((fid|tid)-[\w\-]+\.html)$ $1/archiver/index.php?$2 last;
rewrite ^(.*)/forum-([0-9]+)-([0-9]+)\.html$ $1/forumdisplay.php?fid=$2&page=$3 last;
rewrite ^(.*)/thread-([0-9]+)-([0-9]+)-([0-9]+)\.html$ $1/viewthread.php?tid=$2&extra=page%3D$4&page=$3 last;
rewrite ^(.*)/tag-(.+)\.html$ $1/tag.php?name=$2 last;
}
server
{
listen 80;
server_name app.travel.ifeng.com app.travel.fashion.ifeng.com;
ssi on;
index index.html index.php;
root /data/ifengsite/htdocs/app;
location ~ ^/(cache|upload|templates_c)/.*\.(php|php5)$
{
deny all;
}
location ~ .*\.(php|php5)?$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fcgi.conf;
}
error_page 404 /404.html;
error_page 500 502 503 504 50x.html;
location = /50x.html {
root /data/ifengsite/htdocs;
}
location ~ .*\.(gif|jpg|png|bmp|jpeg|ico|tif|css)$ {
expires 60m;
valid_referers none blocked *.ifeng.com *.phoenixtv.com ;
if ($invalid_referer) {
return 403;
}
}
location ~ .*\.(mpeg|mpg|mov|asf|wmv|wma|mp3|rm|rmvb|swf)$ {
expires 120m;
}
location ~ .*\.(shtml|htm|html|js)$ {
expires 10m;
}
log_format accessapp '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" ';
access_log /data/logs/nginx/app_access.log accessapp;
rewrite ^/scenery_comment_(\d+)$ /scenery_comment.php?scenery=$1 last;
rewrite ^/scenery_(.*)$ /scenery.php?scenery_$1 last;
rewrite ^/tools/((?!index.php|images|js|style).*)$ /tools/index.php?$1 last;
rewrite ^/city_detail_(\d+)$ /city_detail.php?id=$1 last;
rewrite ^/city_intro_(\d+)$ /city_intro.php?id=$1 last;
rewrite ^/city_image_(\d+)$ /city_image.php?id=$1 last;
rewrite ^/city_comment_(\d+)$ /city_comment.php?city=$1 last;
rewrite ^/city_blog_(\d+)$ /city_blog.php?city=$1 last;
rewrite ^/city_news_(\d+)$ /city_news.php?city=$1 last;
rewrite ^/line_list_(\d+)$ /line_list.php?to_city_id2=$1 last;
rewrite ^/line_detail_(\d+)$ /line_detail.php?id=$1 last;
rewrite ^/map_(\w+)_(\d+)$ /map.php?$1=$2 last;
rewrite ^/continent_(\d+)$ /continent.php?id=$1 last;
rewrite ^/country_(\d+)$ /country.php?id=$1 last;
rewrite ^/province_(\d+)$ /province.php?id=$1 last;
rewrite ^/map_(\w+)_(\d+)$ /map.php?$1=$2 last;
}
server
{
listen 80;
server_name admin.travel.ifeng.com;
ssi on;
index index.html index.php;
root /data/ifengsite/htdocs/admin;
location ~ .*\.(php|php5)?$ {
allow 220.181.67.0/24;
allow 210.51.19.0/24;
allow 210.51.18.0/24;
allow 211.151.61.0/24;
allow 210.51.19.11;
deny all;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fcgi.conf;
}
location ~ .*\.(php|php5)?$ {
#location ~ .*\.(php|php5)?$ {
allow 220.181.67.0/24;
allow 210.51.19.0/24;
allow 210.51.18.0/24;
allow 211.151.61.0/24;
allow 210.51.19.11;
deny all;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fcgi.conf;
}
error_page 404 /404.html;
error_page 500 502 503 504 50x.html;
location = /50x.html {
root /data/ifengsite/htdocs;
}
location ~ .*\.(gif|jpg|png|bmp|jpeg|ico|tif|css)$ {
expires 60m;
valid_referers none blocked *.ifeng.com *.phoenixtv.com ;
if ($invalid_referer) {
return 403;
}
}
location ~ .*\.(mpeg|mpg|mov|asf|wmv|wma|mp3|rm|rmvb|swf)$ {
expires 120m;
}
location ~ .*\.(shtml|htm|html|js)$ {
expires 10m;
}
log_format accessadmin '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" ';
access_log /data/logs/nginx/admin_app_access.log accessadmin;
}
server
{
listen 80;
server_name mysql.travel.ifeng.com;
ssi on;
index index.html index.php;
root /data/ifengsite/htdocs/mysql;
location ~ .*\.(php|php5)?$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fcgi.conf;
}
error_page 404 /404.html;
error_page 500 502 503 504 50x.html;
location = /50x.html {
root /data/ifengsite/htdocs;
}
location ~ .*\.(gif|jpg|png|bmp|jpeg|ico|tif|css)$ {
expires 60m;
valid_referers none blocked *.ifeng.com *.phoenixtv.com ;
if ($invalid_referer) {
return 403;
}
}
location ~ .*\.(mpeg|mpg|mov|asf|wmv|wma|mp3|rm|rmvb|swf)$ {
expires 120m;
}
location ~ .*\.(shtml|htm|html|js)$ {
expires 10m;
}
log_format accessmysql '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" ';
access_log /data/logs/nginx/mysql_access.log accessmysql;
}
And another one: tech.conf
server
{
listen 80;
server_name bbs.tech.ifeng.com;
ssi on;
index index.shtml index.html index.php;
root /data/ifengsite/htdocs/tech_bbs;
location ~ ^/(admin|attachments|templates|forumdata)/.*\.(php|php5)$
{
deny all;
}
location ~ .*\.(php|php5)?$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fcgi.conf;
}
error_page 404 /404.html;
error_page 500 502 503 504 50x.html;
location = /50x.html {
root /data/ifengsite/htdocs;
}
location ~ .*\.(gif|jpg|png|bmp|jpeg|ico|tif|css)$ {
expires 60m;
valid_referers none blocked *.ifeng.com *.phoenixtv.com ;
if ($invalid_referer) {
return 403;
}
}
location ~ .*\.(mpeg|mpg|mov|asf|wmv|wma|mp3|rm|rmvb|swf)$ {
expires 120m;
}
location ~ .*\.(shtml|htm|html|js)$ {
expires 10m;
}
log_format accesstechbbs '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" ';
access_log /data/logs/nginx/tech_bbs_access.log accessbbs;
}
Heh, the paths and the site configuration are out; now on to reading the site files.


Done, packing up.....

Copyright notice: when reposting, please credit the source 疯狂@乌云
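The dumped configuration above tells a defender exactly what was disclosed: hostnames, document roots, the FastCGI backend and the IP allowlists in front of the admin handlers. The following is an added example, not code from the report or from the vendor, that inventories those fields from such a dump; the sample config and hostnames are constructed, and the parser is a minimal brace-depth walker rather than a full nginx grammar.

```python
# Added example (not from the report): inventory what a leaked nginx config discloses
# per server block. Sample config is constructed; the parser is a minimal brace walker.
import re

SAMPLE_CONFIG = r"""server
{
server_name bbs.example.test bbsfile.example.test;
root /data/site/htdocs/bbs;
location ~ .*admincp\.(php|php5)?$ {
allow 10.0.0.0/24;
deny all;
fastcgi_pass 127.0.0.1:9000;
}
}
server
{
server_name admin.example.test;
root /data/site/htdocs/admin;
#location ~ .*\.(php|php5)?$ {
}
"""
DIRECTIVE = re.compile(r"(\w+)\s+(.*);$")  # matches simple "name value;" lines only

def server_blocks(text):
    """Split into top-level server { ... } blocks by brace depth; comments skipped."""
    blocks, current, depth = [], None, 0
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if current is None and line.startswith("server"):
            current = []
        if current is not None:
            current.append(line)
            depth += line.count("{") - line.count("}")
            if depth == 0 and "{" in "".join(current):  # the block we opened closed
                blocks.append(current)
                current = None
    return blocks

def summarise(block):
    """Hostnames, document root, FastCGI backend and IP allowlists of one block."""
    info = {"server_name": [], "root": None, "fastcgi_pass": set(), "allow": set()}
    for key, value in (m.groups() for m in map(DIRECTIVE.match, block) if m):
        if key == "server_name":
            info["server_name"] = value.split()
        elif key == "root" and info["root"] is None:  # first root is the site docroot
            info["root"] = value
        elif key in ("fastcgi_pass", "allow"):
            info[key].add(value)
    return info
```

Run `summarise` over each block from `server_blocks` to get the per-host inventory; the commented-out `location` line mirrors the duplicated admin block in the dump and is skipped rather than miscounted as an opening brace.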


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2012-02-17 21:54

Vendor reply:

Thank you very much for the submission.

Latest status:

None yet