当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0162514

漏洞标题:点到为止之时趣互动某站配置不当大量数据流出(第三弹)

相关厂商:social-touch.com

漏洞作者: 路人甲

提交时间:2015-12-19 14:11

修复时间:2016-02-04 17:47

公开时间:2016-02-04 17:47

漏洞类型:敏感信息泄露

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-12-19: 细节已通知厂商并且等待厂商处理中
2015-12-23: 厂商已经确认,细节仅向厂商公开
2016-01-02: 细节向核心白帽子及相关领域专家公开
2016-01-12: 细节向普通白帽子公开
2016-01-22: 细节向实习白帽子公开
2016-02-04: 细节向公众公开

简要描述:

前面已经提交了两个漏洞了哦,就第二次发了一次礼物!这次依旧求礼物!!这次依旧求礼物!!这次依旧求礼物!!这次依旧求礼物!!这次依旧求礼物!!

详细说明:

2016招聘网站:

http://campus.social-touch.com/
http://campus.social-touch.com/campus.zip


如图:

2015-12-18_183927.png


2015-12-18_183525.png

漏洞证明:

随便贴一段信息,更多信息你自己心里清楚:

mail:
pms@social-touch.com
SQpms%^&it
'db'=>array(
'class' => 'CDbConnection', // 数据库连接类
'connectionString' => 'mysql:host=192.168.0.192;dbname=campus_app;port=3306',
'emulatePrepare' => true,
'username' => 'mosh', // 数据库用户
'password' => 'h@j*y$&$', // 数据库密码
'charset' => 'utf8', // 默认字符集
'tablePrefix' => '', // 表名前缀
'schemaCachingDuration'=>3600, // 缓存时间
),
'default'=>array(
'class' => 'CDbConnection', // 数据库连接类
'connectionString' => 'mysql:host=192.168.0.192;dbname=campus_app;port=3306',
'emulatePrepare' => true,
'username' => 'mosh', // 数据库用户
'password' => 'h@j*y$&$', // 数据库密码
'charset' => 'utf8', // 默认字符集
'tablePrefix' => '', // 表名前缀
'schemaCachingDuration'=>3600, // 缓存时间
),
'campus_app'=>array(
'class' => 'CDbConnection', // 数据库连接类
'connectionString' => 'mysql:host=192.168.0.192;dbname=campus_app;port=3306',
'emulatePrepare' => true,
'username' => 'mosh', // 数据库用户
'password' => 'h@j*y$&$', // 数据库密码
'charset' => 'utf8', // 默认字符集
'tablePrefix' => '', // 表名前缀
'schemaCachingDuration'=>3600, // 缓存时间
),
/** mssql数据库 */
'mssqlDb'=>array(
'class' => 'CDbConnection',
'connectionString' => 'dblib:host=host;dbname=dbName',
//'emulatePrepare' => false,
'username' => 'userName',
'password' => 'passWord',
'charset' => 'utf8',
'schemaCachingDuration'=>3600,
),


测试的都给你挖到了:

<?php
$config = array (
'basePath' => dirname(__FILE__).DIRECTORY_SEPARATOR.'..',
'name' => '时趣校招',
'preload' => array('log'),
// 自动导入的类
'import' => array (
'application.models.*',
'application.custom.models.*',
'application.components.*',
'application.custom.components.*',
'sa_ext.fun.*',a
),
'modules' => array (
// uncomment the following to enable the Gii tool
'gii' => array (
'class' => 'system.gii.GiiModule',
'password' => 'password',
'ipFilters' => array ('192.168.5.106', '*'),
'generatorPaths'=> include(SA_SHIQUTECH.'/config/gii.php'),
),
),
'controllerMap'=> array (
'kindeditor' => array (
'class' => 'sa_ext.kindeditor.KindeditorController'
),
),
//应用程序组件
'components' => array (
// 默认错误页
'errorHandler' => array (
'errorAction' => 'site/error',
),
'user' => array (
'class' => 'sa_ext.JCookieWebUser.JCookieWebUser',
'secretKey' => array (
'default',
'default'
),
'authTimeout'=> 24 * 3600,
),
'badword'=>array(
'class'=>'sa_ext.badwordFilter.BadwordFilter',
),
// 微博登陆
'weibo' => array (
'class' => 'application.components.WeiboLogin',
'mustLogin' => true
),
// 客户端读取
'mobile'=>array(
'class'=>"MobileDetect"
),
// 页面模版
'widgetFactory' => array (
'enableSkin' => true,
'skinPath' => SA_SHIQUTECH.'/views/adminSkins',
),
// 临时模版配置
'assetManager' => array(
'class' => 'STAssetManager',
'basePath' => SA_APPLICATION.'/../static/admin/assets',
'baseUrl' => 'http://static.app.social-touch.com/admin/assets',
),
'clientScript'=>array(
'class' => 'CClientScript',
'coreScriptUrl' => 'http://static.app.social-touch.com/admin/assets/web-js-source'
),
// 助手
'helper' => array (
'class' => 'application.components.Helper',
),
// 缓存配置
'cache' => array (
'class' => 'system.caching.CFileCache',
),
'settings'=> array(
'class' => 'application.components.CmsSettings',
'cacheComponentId' => 'cache',
'cacheId' => 'global_website_settings',
'cacheTime' => 84000,
'tableName' => '{{settings}}',
'dbComponentId' => 'db',
'createTable' => true,
'dbEngine' => 'InnoDB',
),
),
'language' => 'zh_cn',
'charset' => 'UTF-8',
'defaultController' => 'home',
// 扩展参数 调用方式:Yii::app()->params[key]
'params' => array (
////////////// 配置区域 START //////////////
// [微博配置 V2.0]
'weibo' => array (
// 开关PC & WAP
'on-off-pc' => FALSE,
'on-off-wap' => FALSE,
// 新浪微博APPkey
'wb_akey' => '3713829188',
'wb_skey' => 'bd518129d6505c4f667225cd3a97f7f8',
'sub_key' => '2962600716',
// 微博地址
'weibo_url' => 'http://e.weibo.com/1762766261/app_2368147542',
'share_url' => 'http://#',
'short_url' => 'http://#',
// 企业微博ID
'weibo_uid' => '2792360741',//'2643306394',
'app_signed' => '8s1LtsXP',//'5TtsXP',
// 微博弹层授权回调页面
'redirect_uri' => 'http://xxx.app.social-touch.com/index.php?r=home',
),
// [微信配置 V1.0]
'we_chat' => array (
// 开关
'on-off' => TRUE,
// appid & appsecret
'app_id' => 'wxf7933dc80d9d33b2',
'app_secret' => 'b63b45eaecb35d87775d95d463bb90f7',
// Auth2.0 回调地址
'redirect_uri' => 'http://gore-tex-dp.app.social-touch.com/index.php?r=home/authorize',
// 自定义验证标识
'state' => 'customApp_GoreTex',
'valid_token' => ''
),
// [优酷配置 V1.0]
'youku' => array (
'youku_client_id' => '2de5869ee42dd525',
'youku_client_secret' => '2258c2dbea9417344311c539cda174fc',
),
// [七牛配置 V1.0]
// 调取图片方式,true七牛云,false mosh图片
'qbox_image' => TRUE,
// 图片id前两位数字,根据项目定义数字
'qbox_image_code' => 10,
// 七牛云图片bucket & url
'qbox_image_bucket' => 'customapp',
// 七牛云域名后台设置
'qbox_image_url' => 'http://customapp.qiniudn.com',
// [管理后台配置 V1.0]
// 后台管理员微博ID
'admin_id' => array (
'1468638990', // 田龙哲
'3535437867', // 杨宏伟
'2855146840', // 杨宏伟
'3541622611', // 房皓阳
'2355672605', //
'1829794471', // 鹏飞
'5216059095', //dongjie
),
// 后台登陆密码
'admin_password' => 'hr5216059095',
// [项目版本配置 V1.0]
// 后台样式模版名称
'kendo_css' => 'default',
// 众趣APPkey
'wb_zhongqu' => '2085793793',
// 后台静态文件URL
'admin_static_url' => 'http://static.app.social-touch.com/admin',
// 站点地址
'hostInfo' => 'http://campus.social-touch.com',
// 静态文件URL
//'static_url' => 'http://static.app.social-touch.com/campus',
'static_url' => 'http://campus.social-touch.com/static',
// 静态文件URL
'version' => '2.2',
////////////// 配置区域 END //////////////
),
);
@include_once(dirname(__FILE__).'/menuList.php');
if (!empty($menuList)) {
$config['params']['menuList'] = $menuList;
} else {
$config['params']['menuList'] = '';
}
if (strstr($_SERVER['SERVER_ADDR'], '211.151.70.') || strstr($_SERVER['SERVER_ADDR'], '127.0.0.')) {
$database = @include_once(dirname(__FILE__).'/database-local.php');
} else {
$database = @include_once(dirname(__FILE__).'/database.php');
}
if (!empty($database)) {
$config['components'] = @array_merge($config['components'], $database);
}
return $config;

修复方案:

我是来找京东卡的!
我是来找京东卡的!
我是来找京东卡的!
我是来找京东卡的!
我是来找京东卡的!
我是来找京东卡的!
我是来找京东卡的!

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:7

确认时间:2015-12-23 13:48

厂商回复:

谢谢

最新状态:

暂无