当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0113156

漏洞标题:天弘基金旗下某分站整站源码可下载(可连数据库)

相关厂商:天弘基金管理有限公司

漏洞作者: 猪猪侠

提交时间:2015-05-10 00:18

修复时间:2015-06-25 11:16

公开时间:2015-06-25 11:16

漏洞类型:敏感信息泄露

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-05-10: 细节已通知厂商并且等待厂商处理中
2015-05-11: 厂商已经确认,细节仅向厂商公开
2015-05-21: 细节向核心白帽子及相关领域专家公开
2015-05-31: 细节向普通白帽子公开
2015-06-10: 细节向实习白帽子公开
2015-06-25: 细节向公众公开

简要描述:

天弘基金旗下某分站整站源码可下载(可连数据库)

详细说明:

宝粉网(www.baofen.cn)隶属于天弘基金管理有限公司,在2014年6月余额宝上线一周年之际重磅推出,是余额宝用户专属的交流互助平台。
http://www.baofen.cn/wwwroot.tar.gz

thfund.png


<?php
if (!defined('SITE_PATH')) exit();
return array(
	'THEME_NAME' => 'stv1', 
	// 数据库常用配置
	'DB_TYPE'			=>	'mysql',			// 数据库类型
	'DB_HOST'			=>	'rdsemmmefemmmef.mysql.rds.aliyuncs.com',			// 数据库服务器地址
	'DB_NAME'			=>	'tests',			// 数据库名
	'DB_USER'			=>	'fxkj',		// 数据库用户名
	'DB_PWD'			=>	'fxkj1234',		// 数据库密码
	'DB_PORT'			=>	3306,				// 数据库端口
	'DB_PREFIX'			=>	'fts_',		// 数据库表前缀(因为漫游的原因,数据库表前缀必须写在本文件)
	'DB_CHARSET'		=>	'utf8',				// 数据库编码
	'SECURE_CODE'		=>	'91556750452e0b2ff14db8',	// 数据加密密钥
	'COOKIE_PREFIX'		=>	'T3_',	// 数据加密密钥
	'DATA_CACHE_TYPE'   =>  'memcache',
	'MEMCACHE_HOST'		=> '10.132.64.119',
);


indexer
{
	mem_limit		=	128000000
}
searchd
{
	listen			=	3312
	listen			=	9306:mysql41
	log			=	/xampp/coreseek/var/log/searchd.log
	query_log		=	/xampp/coreseek/var/log/query.log
	pid_file		=	/xampp/coreseek/var/log/searchd.pid
	read_timeout		=	3
	max_children		=	30
	max_matches		=	1000
	seamless_rotate		=	1
	preopen_indexes		=	0
	unlink_old		=	1
}
# forum topic & post index #
source ts_forum_post
{
	type			= mysql
	sql_host		= 10.88.48.174
	sql_user		= 3ms_beta
	sql_pass		= xsw2XSW@
	sql_db			= forum_beta
	sql_port		= 3306
	sql_query_pre		= SET NAMES utf8
	sql_query_range		= SELECT min(pid),max(pid) FROM ts_forum_post
	sql_range_step		= 1000
	sql_query		= SELECT a.pid, \
					20 as indexid, \
					a.uid, \
					a.maskId, \
					crc32(a.maskName) as maskCode, \
					a.cTime, \
					-1 as gid, \
					a.fid as cid, \
					-1 as inside, \
					istopic as ext1, \
					a.title, \
					a.content \
					FROM ts_forum_post as a,ts_forum_topic as b \
					WHERE b.isdel=0 AND a.isdel=0 AND a.tid=b.tid AND a.pid>=$start AND a.pid<=$end
	
	sql_attr_uint		= indexid
	sql_attr_uint		= uid
	sql_attr_uint		= maskId
	sql_attr_uint		= maskCode
	sql_attr_timestamp	= cTime
	sql_attr_uint		= gid
	sql_attr_uint		= cid
	sql_attr_uint		= inside
	sql_attr_uint		= ext1
}
index ts_forum_post
{
	source			= ts_forum_post
	path			= /xampp/coreseek/var/data/ts_forum_post
	docinfo			= extern
        html_strip              = 1
	html_index_attrs	= img=alt,title; a=title;
	html_remove_elements	= style, script
        min_word_len            = 2
	charset_dictpath	= /xampp/coreseek/etc/
	charset_type		= zh_cn.utf-8
}


漏洞证明:

后台:
http://www.baofen.cn//index.php?app=admin&mod=Public&act=login
间接利用:
$ uname -a 

Linux AY14061623295889102cZ 2.6.32-358.6.2.el6.x86_64 #1 SMP Thu May 16 20:59:36 UTC 2013 x86_64


$ pwd

/home/wwwroot/

修复方案:

删除

版权声明:转载请注明来源 猪猪侠@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:18

确认时间:2015-05-11 11:15

厂商回复:

感谢作者对互联网安全的热心以及贡献

最新状态:

暂无