当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0142424

漏洞标题:电子科技大学某分站源码备份可下载

相关厂商:uestc.edu.cn

漏洞作者: 路人甲

提交时间:2015-09-21 22:21

修复时间:2015-11-08 10:02

公开时间:2015-11-08 10:02

漏洞类型:敏感信息泄露

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-09-21: 细节已通知厂商并且等待厂商处理中
2015-09-24: 厂商已经确认,细节仅向厂商公开
2015-10-04: 细节向核心白帽子及相关领域专家公开
2015-10-14: 细节向普通白帽子公开
2015-10-24: 细节向实习白帽子公开
2015-11-08: 细节向公众公开

简要描述:

从一处源码泄漏到多个站账号密码泄漏

详细说明:

源码下载地址:http://epaper.uestc.edu.cn/epaper.tar.gz
下载解压看看发现
/var/www/admin/application/config/database.php

<?php  if ( ! defined('BASEPATH')) exit('No direct script access allowed');
/*
| -------------------------------------------------------------------
| DATABASE CONNECTIVITY SETTINGS
| -------------------------------------------------------------------
| This file will contain the settings needed to access your database.
|
| For complete instructions please consult the 'Database Connection'
| page of the User Guide.
|
| -------------------------------------------------------------------
| EXPLANATION OF VARIABLES
| -------------------------------------------------------------------
|
| ['hostname'] The hostname of your database server.
| ['username'] The username used to connect to the database
| ['password'] The password used to connect to the database
| ['database'] The name of the database you want to connect to
| ['dbdriver'] The database type. ie: mysql. Currently supported:
mysql, mysqli, postgre, odbc, mssql, sqlite, oci8
| ['dbprefix'] You can add an optional prefix, which will be added
| to the table name when using the Active Record class
| ['pconnect'] TRUE/FALSE - Whether to use a persistent connection
| ['db_debug'] TRUE/FALSE - Whether database errors should be displayed.
| ['cache_on'] TRUE/FALSE - Enables/disables query caching
| ['cachedir'] The path to the folder where cache files should be stored
| ['char_set'] The character set used in communicating with the database
| ['dbcollat'] The character collation used in communicating with the database
| NOTE: For MySQL and MySQLi databases, this setting is only used
| as a backup if your server is running PHP < 5.2.3 or MySQL < 5.0.7.
| There is an incompatibility in PHP with mysql_real_escape_string() which
| can make your site vulnerable to SQL injection if you are using a
| multi-byte character set and are running versions lower than these.
| Sites using Latin-1 or UTF-8 database character set and collation are unaffected.
| ['swap_pre'] A default table prefix that should be swapped with the dbprefix
| ['autoinit'] Whether or not to automatically initialize the database.
| ['stricton'] TRUE/FALSE - forces 'Strict Mode' connections
| - good for ensuring strict SQL while developing
|
| The $active_group variable lets you choose which connection group to
| make active. By default there is only one group (the 'default' group).
|
| The $active_record variables lets you determine whether or not to load
| the active record class
*/
$active_group = 'default';
$active_record = TRUE;
$db['default']['hostname'] = '127.0.0.1';
$db['default']['username'] = 'root';
$db['default']['password'] = 'ukf8rz5gv8';
$db['default']['database'] = 'epaper2013';
$db['default']['dbdriver'] = 'mysql';
$db['default']['dbprefix'] = '';
$db['default']['pconnect'] = TRUE;
$db['default']['db_debug'] = TRUE;
$db['default']['cache_on'] = FALSE;
$db['default']['cachedir'] = '';
$db['default']['char_set'] = 'utf8';
$db['default']['dbcollat'] = 'utf8_general_ci';
$db['default']['swap_pre'] = '';
$db['default']['autoinit'] = TRUE;
$db['default']['stricton'] = FALSE;
/* End of file database.php */
/* Location: ./application/config/database.php */


从这得知了数据库的用户名:root 密码:ukf8rz5gv8
然后发现http://epaper.uestc.edu.cn/websites/目录可遍历,在这个目录里面发现test.php,点进去一看竟然是phpinfo

6.jpg


继续,发现phpmyadmin可以直接访问,http://epaper.uestc.edu.cn/phpmyadmin,使用上面得到的用户名密码登录

1.jpg


登进来后直奔我们的校报的用户密码(为什么不直接Getshell呢,因为竟然没写权限...)

2.jpg


拿到用户名密码尝试登录,后台地址:http://epaper.uestc.edu.cn/admin/

3.jpg


之后逛逛发现还有其他的网站管理员的账户密码,一个个来

4.jpg


5.jpg


7.jpg


就这样吧,怕被老师请去喝茶不继续了。

漏洞证明:

如上

修复方案:

删除备份,修改后台账号密码

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-09-24 10:00

厂商回复:

已经确认漏洞,并通知负责人跟进,谢谢

最新状态:

暂无