当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0121101

漏洞标题:亿玛在线多个漏洞打包(Rsync未授权\服务邮箱泄露\Getshell等)

相关厂商:emar.com

漏洞作者: 路人甲

提交时间:2015-06-17 14:37

修复时间:2015-08-01 14:44

公开时间:2015-08-01 14:44

漏洞类型:系统/服务运维配置不当

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-06-17: 细节已通知厂商并且等待厂商处理中
2015-06-17: 厂商已经确认,细节仅向厂商公开
2015-06-27: 细节向核心白帽子及相关领域专家公开
2015-07-07: 细节向普通白帽子公开
2015-07-17: 细节向实习白帽子公开
2015-08-01: 细节向公众公开

简要描述:

rsync未授权访问导致shell

详细说明:

1、rsync未授权访问

QQ图片20150617115134.png


某爬虫web源码目录
2、rsync emar.com::es/web/
可直接下载、上传
这个应该是之前谁提交过得到的邮箱密码。
mail.server.user=services
mail.server.pass=eqifaservices
nginx配置泄漏其它域名 IP信息

user  root;
worker_processes 8;
error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
pid logs/nginx.pid;
worker_rlimit_nofile 10240;
events {
use epoll;
worker_connections 102400;
}
http {
include mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" "$http_host"';
#access_log logs/access.log main;
proxy_hide_header Vary;
sendfile on;
#tcp_nopush on;

upstream cm_fair {
server 127.0.0.1:8081;
server 127.0.0.1:8082;
server 127.0.0.1:8083;
server 127.0.0.1:8084;
server 127.0.0.1:8085;
server 127.0.0.1:8086;
server 127.0.0.1:8087;
#server 114.113.233.77 weight=8 backup;
#server 106.38.251.106:8082 weight=1 backup;
#server 106.38.251.186:8082 weight=1 backup;
check interval=3000 rise=2 fall=5 timeout=120 type=http;
check_http_send "GET / HTTP/1.0\r\n\r\n";
#check_http_expect_alive http_2xx http_3xx;
}
#keepalive_timeout 0;
#keepalive_timeout 65;
keepalive_timeout 10;
client_max_body_size 50m;
proxy_buffer_size 1024k;
proxy_buffers 32 64k;
proxy_busy_buffers_size 1024k;
proxy_temp_file_write_size 1024k;
client_header_buffer_size 1024K;
large_client_header_buffers 48 2048k;
underscores_in_headers on;
gzip on;
add_header Vary Accept-Encoding;
gzip_http_version 1.0;
gzip_min_length 1000;
gzip_buffers 4 8k;
gzip_comp_level 9;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
server {
listen 80 default ;
#server_name emarbox.com *.emarbox.com ckm.emarbox.com dmpcm.emarbox.com dmpcm.yigao.com;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
#access_log logs/adwiser.log;
location ~ /WEB-INF/ {
return 404;
}
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
#if ($host ~* "emarbox\.com$"){
# rewrite /(.*)$ http://adwiser_1k0gd.emarbox.com/$1 last;
#}
location / {
#access_log logs/cookiematch.log main;
access_log off;
index index.jsp;
proxy_pass http://cm_fair;
proxy_next_upstream http_500 http_502 http_503 http_504 error timeout invalid_header;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_headers_hash_max_size 1024;
proxy_headers_hash_bucket_size 128;
add_header Cache-Control no-cache;
add_header Cache-Control private;
}

location /nstatus {
check_status;
access_log off;
#allow SOME.IP.ADD.RESS;
#deny all;
}
}
server {
listen 443 default;
#server_name emarbox.com *.emarbox.com dmpcm.emarbox.com dmpcm.yigao.com;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

#access_log logs/adwiser.log;

ssl on;
ssl_certificate /usr/local/nginx/conf/https/emarbox.cer;
ssl_certificate_key /usr/local/nginx/conf/https/emarbox.key;
location ~ /WEB-INF/ {
return 404;
}

error_page 404 /404.html;

error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
#if ($host ~* "emarbox\.com$"){
# rewrite /(.*)$ http://adwiser_1k0gd.emarbox.com/$1 last;
#}

location / {
access_log logs/cookiematch.log main;
index index.jsp;
proxy_pass http://cm_fair;
#proxy_pass http://cm_fair2;
proxy_set_header SSL true;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_headers_hash_max_size 1024;
proxy_headers_hash_bucket_size 128;
}
}
server {
listen 80 ;
server_name www.emar.com emar.com;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
location / {
access_log logs/emar.com.log main;
index index.html index.php index.jsp;
proxy_pass http://221.122.127.14;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_headers_hash_max_size 1024;
proxy_headers_hash_bucket_size 128;
}
}
server {
listen 8011 ;
server_name_in_redirect off;
server_name www.emar.com.cn;
access_log logs/www.emar.com.cn_8011.log main;
location / {
proxy_pass http://221.122.127.49:8011/;
proxy_set_header X-Forwared-For $proxy_add_x_forwarded_for ;
proxy_set_header Host $http_host ;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $http_x_forwarded_for;
}
}
server {
listen 80 ;
server_name www.yijifen.com yijifen.com;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
location / {
access_log logs/emar.com.log main;
index index.html index.php index.jsp;
proxy_pass http://221.122.127.200;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_headers_hash_max_size 1024;
proxy_headers_hash_bucket_size 128;
}
}
server {
listen 80 ;
server_name www.intdmp.com *.intdmp.com intdmp.com;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
location / {
root /data/intdmp;
index intdmp.htm index.html index.php index.jsp;
access_log logs/emar.com.log main;

}
}
server {
listen 80 ;
server_name www.emaryun.com *.emaryum.com emaryun.com;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
location / {
root /data/emaryun;
index emaryun.htm index.html index.php index.jsp;
access_log logs/emar.com.log main;

}
}
server {
listen 80 ;
server_name www.emarbox.net *.emarbox.net emarbox.net;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
location / {
root /data/emarbox.net;
index emarbox.htm index.html index.php index.jsp;
access_log logs/emar.com.log main;

}
}
server {
listen 80 ;
server_name www.emardmp.com *.emardmp.com emardmp.com;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
location / {
root /data/emardmp;
index emardmp.htm index.php index.jsp;
access_log logs/emar.com.log main;

}
}
server {
listen 80 ;
server_name www.emaradx.com *.emaradx.com emaradx.com;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
location / {
access_log logs/emaradx.com.log main;
index index.html index.php index.jsp;
proxy_pass http://118.26.150.214;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_headers_hash_max_size 1024;
proxy_headers_hash_bucket_size 128;
}
}
server {
listen 80 ;
server_name www.eqile.com *.eqile.com eqile.com;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
location / {
access_log logs/www.eqile.com.log main;
index index.html index.php index.jsp;
proxy_pass http://221.122.127.157;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_headers_hash_max_size 1024;
proxy_headers_hash_bucket_size 128;
}
}
}


3、可直接上传导致主域名下机器getshell
http://emar.com:15801/js_ss.jsp

QQ图片20150617115239.png


4、http://221.122.127.117:15801/
某处爬虫 泄漏大量内网IP

QQ图片20150617115531.png


漏洞证明:

见详细

修复方案:

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-06-17 14:42

厂商回复:

路人甲 感谢,我们紧急处理。

最新状态:

暂无