当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0106942

漏洞标题:盛大集团旗下某游戏论坛敏感数据泄露

相关厂商:盛大网络

漏洞作者: 大王叫我去巡山

提交时间:2015-04-10 10:22

修复时间:2015-05-25 10:44

公开时间:2015-05-25 10:44

漏洞类型:重要敏感信息泄露

危害等级:中

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-04-10: 细节已通知厂商并且等待厂商处理中
2015-04-10: 厂商已经确认,细节仅向厂商公开
2015-04-20: 细节向核心白帽子及相关领域专家公开
2015-04-30: 细节向普通白帽子公开
2015-05-10: 细节向实习白帽子公开
2015-05-25: 细节向公众公开

简要描述:

运维就是日了狗了。。
有脾气就少点漏洞?

详细说明:

传送门:

http://116.211.4.186/config/config_global.php.bak


极游网是盛大旗下的。
http://www.ggg.cn/
沪ICP备14024254号-1  沪网文[2013]0092-012号 网络视听许可证:0909339号 盛大集团旗下网站 上海善极计算机科技有限公司 版权所有

极游网.png


漏洞证明:

<?php
$_config = array();
// ----------------------------  CONFIG WEB  ----------------------------- //
$_config[\'ggg\'][\'main\'] = \'www.ggg.cn\';
$_config[\'ggg\'][\'m\'] = \'m.ggg.cn\';
$_config[\'ggg\'][\'bbs\'] = \'bbs.ggg.cn\';
$_webService[\'ggg\'][0]= \'web001:8081\';
$_webService[\'ggg\'][1]= \'web001:8082\';
$_webService[\'ggg\'][2]= \'web001:8083\';
$_webService[\'ggg\'][3]= \'web001:8084\';
$_webService[\'ggg\'][4]= \'web002:8081\';
$_webService[\'ggg\'][5]= \'web002:8082\';
$_webService[\'ggg\'][6]= \'web002:8083\';
$_webService[\'ggg\'][7]= \'web002:8084\';
$_webService[\'ggg\'][8]= \'web003:8081\';
$_webService[\'ggg\'][9]= \'web003:8082\';
$_webService[\'ggg\'][10]= \'web003:8083\';
$_webService[\'ggg\'][11]= \'web003:8084\';
$_webService[\'ggg\'][12]= \'web004:8081\';
$_webService[\'ggg\'][13]= \'web004:8082\';
$_webService[\'ggg\'][14]= \'web004:8083\';
$_webService[\'ggg\'][15]= \'web004:8084\';
// ----------------------------  CONFIG DB  ----------------------------- //
$_config[\'db\'][\'1\'][\'dbhost\'] = \'10.128.115.173\';
$_config[\'db\'][\'1\'][\'dbuser\'] = \'bbs\';
$_config[\'db\'][\'1\'][\'dbpw\'] = \'bbspwd\';
$_config[\'db\'][\'1\'][\'dbcharset\'] = \'utf8\';
$_config[\'db\'][\'1\'][\'pconnect\'] = \'0\';
$_config[\'db\'][\'1\'][\'dbname\'] = \'bbs\';
$_config[\'db\'][\'1\'][\'tablepre\'] = \'pre_\';
$_config[\'db\'][\'common\'][\'slave_except_table\'] = \'common_session,common_member,ucenter_members\';
$_config[\'db\'][\'slave\'][\'1\'][\'dbhost\'] = \'10.128.115.174\';
$_config[\'db\'][\'slave\'][\'1\'][\'dbuser\'] = \'bbs\';
$_config[\'db\'][\'slave\'][\'1\'][\'dbpw\'] = \'bbspwd\';
$_config[\'db\'][\'slave\'][\'1\'][\'dbcharset\'] = \'utf8\';
$_config[\'db\'][\'slave\'][\'1\'][\'pconnect\'] = \'0\';
$_config[\'db\'][\'slave\'][\'1\'][\'dbname\'] = \'bbs\';
$_config[\'db\'][\'slave\'][\'1\'][\'tablepre\'] = \'pre_\';
#$_config[\'db\'][\'slave\'][\'2\'][\'dbhost\'] = \'10.128.115.175\';
#$_config[\'db\'][\'slave\'][\'2\'][\'dbuser\'] = \'bbs\';
#$_config[\'db\'][\'slave\'][\'2\'][\'dbpw\'] = \'bbspwd\';
#$_config[\'db\'][\'slave\'][\'2\'][\'dbcharset\'] = \'utf8\';
#$_config[\'db\'][\'slave\'][\'2\'][\'pconnect\'] = \'0\';
#$_config[\'db\'][\'slave\'][\'2\'][\'dbname\'] = \'bbs\';
#$_config[\'db\'][\'slave\'][\'2\'][\'tablepre\'] = \'pre_\';
// --------------------------  CONFIG MEMORY  --------------------------- //
$_config[\'memory\'][\'prefix\'] = \'W8Bs5e_\';
$_config[\'memory\'][\'eaccelerator\'] = 1;
$_config[\'memory\'][\'apc\'] = 1;
$_config[\'memory\'][\'xcache\'] = 1;
$_config[\'memory\'][\'memcache\'][\'server\'] = \'10.128.115.148\';
$_config[\'memory\'][\'memcache\'][\'port\'] = 12000;
$_config[\'memory\'][\'memcache\'][\'pconnect\'] = 1;
$_config[\'memory\'][\'memcache\'][\'timeout\'] = 84600;
// --------------------------  CONFIG SERVER  --------------------------- //
$_config[\'server\'][\'id\'] = 1;
// -------------------------  CONFIG DOWNLOAD  -------------------------- //
$_config[\'download\'][\'readmod\'] = 2;
$_config[\'download\'][\'xsendfile\'][\'type\'] = \'0\';
$_config[\'download\'][\'xsendfile\'][\'dir\'] = \'/down/\';
// ---------------------------  CONFIG CACHE  --------------------------- //
$_config[\'cache\'][\'type\'] = \'sql\';
// --------------------------  CONFIG OUTPUT  --------------------------- //
$_config[\'output\'][\'charset\'] = \'utf-8\';
$_config[\'output\'][\'forceheader\'] = 1;
$_config[\'output\'][\'gzip\'] = \'0\';
$_config[\'output\'][\'tplrefresh\'] = 1;
$_config[\'output\'][\'language\'] = \'zh_cn\';
$_config[\'output\'][\'staticurl\'] = \'static/\';
$_config[\'output\'][\'ajaxvalidate\'] = \'0\';
$_config[\'output\'][\'iecompatible\'] = \'0\';
// --------------------------  CONFIG COOKIE  --------------------------- //
$_config[\'cookie\'][\'cookiepre\'] = \'ojBh_\';
$_config[\'cookie\'][\'cookiedomain\'] = \'\';
$_config[\'cookie\'][\'cookiepath\'] = \'/\';
// -------------------------  CONFIG SECURITY  -------------------------- //
$_config[\'security\'][\'authkey\'] = \'3527d9zu0OcEDGIh\';
$_config[\'security\'][\'urlxssdefend\'] = 1;
$_config[\'security\'][\'attackevasive\'] = \'0\';
$_config[\'security\'][\'querysafe\'][\'status\'] = 1;
$_config[\'security\'][\'querysafe\'][\'dfunction\'][\'0\'] = \'load_file\';
$_config[\'security\'][\'querysafe\'][\'dfunction\'][\'1\'] = \'hex\';
$_config[\'security\'][\'querysafe\'][\'dfunction\'][\'2\'] = \'substring\';
$_config[\'security\'][\'querysafe\'][\'dfunction\'][\'3\'] = \'if\';
$_config[\'security\'][\'querysafe\'][\'dfunction\'][\'4\'] = \'ord\';
$_config[\'security\'][\'querysafe\'][\'dfunction\'][\'5\'] = \'char\';
$_config[\'security\'][\'querysafe\'][\'daction\'][\'0\'] = \'intooutfile\';
$_config[\'security\'][\'querysafe\'][\'daction\'][\'1\'] = \'intodumpfile\';
$_config[\'security\'][\'querysafe\'][\'daction\'][\'2\'] = \'unionselect\';
$_config[\'security\'][\'querysafe\'][\'daction\'][\'3\'] = \'(select\';
$_config[\'security\'][\'querysafe\'][\'daction\'][\'4\'] = \'unionall\';
$_config[\'security\'][\'querysafe\'][\'daction\'][\'5\'] = \'uniondistinct\';
$_config[\'security\'][\'querysafe\'][\'dnote\'][\'0\'] = \'/*\';
$_config[\'security\'][\'querysafe\'][\'dnote\'][\'1\'] = \'*/\';
$_config[\'security\'][\'querysafe\'][\'dnote\'][\'2\'] = \'#\';
$_config[\'security\'][\'querysafe\'][\'dnote\'][\'3\'] = \'--\';
$_config[\'security\'][\'querysafe\'][\'dnote\'][\'4\'] = \'\"\';
$_config[\'security\'][\'querysafe\'][\'dlikehex\'] = 1;
$_config[\'security\'][\'querysafe\'][\'afullnote\'] = \'0\';
// --------------------------  CONFIG ADMINCP  -------------------------- //
// -------- Founders: $_config[\'admincp\'][\'founder\'] = \'1,2,3\'; --------- //
$_config[\'admincp\'][\'founder\'] = \'1\';
$_config[\'admincp\'][\'forcesecques\'] = \'0\';
$_config[\'admincp\'][\'checkip\'] = 1;
$_config[\'admincp\'][\'runquery\'] = 1;
$_config[\'admincp\'][\'dbimport\'] = 1;
// --------------------------  CONFIG REMOTE  --------------------------- //
$_config[\'remote\'][\'on\'] = \'0\';
$_config[\'remote\'][\'dir\'] = \'remote\';
$_config[\'remote\'][\'appkey\'] = \'62cf0b3c3e6a4c9468e7216839721d8e\';
$_config[\'remote\'][\'cron\'] = \'0\';
// -------------------  THE END  -------------------- //
?>
 <br>

修复方案:

运维快去日狗

版权声明:转载请注明来源 大王叫我去巡山@乌云

漏洞回应

厂商回应:

危害等级:低

漏洞Rank:5

确认时间:2015-04-10 10:43

厂商回复:

!!!

最新状态:

暂无