2016-03-30: Details reported to the vendor, awaiting vendor handling
2016-03-31: Vendor confirmed; details disclosed to the vendor only
2016-04-10: Details disclosed to core white-hats and domain experts
2016-04-20: Details disclosed to regular white-hats
2016-04-30: Details disclosed to intern white-hats
2016-05-15: Details disclosed to the public
Wangsu (网宿) CDN, the one the whole country is using.
It is just a weak FTP credential: the server accepts the user 'ftp' with an empty password, i.e. anonymous login.
ftp://218.207.195.219:21 'username' => 'ftp', 'password' => '',
Inside are the CDN's access logs (GET requests), including those of major companies (Tencent, ICBC, Agricultural Bank of China, 360, Baidu, NetEase, Sina and others). A few lines pulled at random:
➜  tmp git:(master) ✗ zgrep 'qq.com' ACCESS__2016-02-29-10-00_2016-02-29-10-05_1.gz|grep '?'|head -n 2
2016-02-29 10:00:00 118.132.149.95 http://222.73.3.74/mobileoc.music.tc.qq.com/463238.m4a?vkey=C1F19E52EC06E638DD6F23197F32C0E04C2A62E47B2A237B6F8BC7980F7DFFEE642BDD0CFDCF364710F9A85DE48F129C253FD189D8D0A1E1&guid=000000001af0101cf3c7017d3e6baf95&fromtag=57 -
2016-02-29 10:00:00 118.132.115.96 http://openplat.gamesafe.qq.com/cgi-bin/sec.fcgi?req=status&jsonp=SecJs.status_rsp&seckey=siAOrWQFwVYnwapeXOaANdzMN2e2BqTVYfgRVg6+rMDN&appid=358&rn=0.7230536881834269 58.222.19.210
➜  tmp git:(master) ✗ zgrep 'icbc.com' ACCESS__2016-02-29-10-00_2016-02-29-10-05_1.gz|grep '?'|head -n 2
2016-02-29 10:00:00 118.134.48.47 http://hit.icbc.com.cn/image/hitcount.gif?rid=1456711207478&ReferrerPage=http://www.icbc.com.cn/&UserAnalysisId=20160229622783842 58.221.56.224
2016-02-29 10:00:00 118.133.27.95 http://www.icbc.com.cn/ICBC_ADJS/E57A950CE45E4BE38CCA1085B9E4AA97.js?Ad_Top=0&Ad_Left=0&Ad_ChooseMode=1&Ad_Width=1000&Ad_Height=1000&Ad_IsClose=False&Ad_Guid=b6d2ac30ab69459fbed798e8c8e1fd3f&Ad_AreaId=63c553e0-c8bb-4856-bc7e-aaac4456a34a&Ad_RealAreaName=通栏综合版首页通栏1000124&Ad_AreaName=b6d2ac30ab69459fbed798e8c8e1fd3f通栏综合版首页通栏1000124&Ad_Source=通栏综合版首页通栏1000124&AD_tocken=404641&Ad_ZoneNo=0 -
➜  tmp git:(master) ✗ zgrep 'abchina.com' ACCESS__2016-02-29-10-00_2016-02-29-10-05_1.gz|grep '?'|head -n 2
2016-02-29 10:00:06 118.132.104.133 http://click.abchina.com/dcsg0rqni00000golpuu3ikjn_2c1g/dcs.gif?&dcsdat=1456711589312&dcssip=www.abchina.com&dcsref=http%3A//www.abchina.com/cn/&WT.abc_st=pc&WT.tz=8&WT.bh=10&WT.ul=zh-cn&WT.cd=32&WT.sr=1280x960&WT.jo=Yes&WT.ti=%E4%B8%AD%E5%9B%BD%E5%86%9C%E4%B8%9A%E9%93%B6%E8%A1%8C&WT.js=Yes&WT.jv=1.3&WT.ct=lan&WT.hp=0&WT.bs=1259x762&WT.fv=15.0&WT.slv=Not%20enabled&WT.le=gb2312&WT.tv=10.4.14&WT.dl=0&WT.ssl=0&WT.es=www.abchina.com%2Fcn%2F&WT.cg_n=%E4%B8%AD%E5%9B%BD%E5%86%9C%E4%B8%9A%E9%93%B6%E8%A1%8C&WT.ce=2&WT.vt_f_a=2&WT.vt_f=2 58.222.18.167
2016-02-29 10:00:09 121.76.50.219 http://phone.abchina.com/mbap/user/handshake?agent=iphone&appname=ebank&last_prompted_time=&ota_version=IP-UMP-3.0.3-000000&app=ebank&o=i 124.74.251.157
➜  tmp git:(master) ✗ zgrep '360.cn' ACCESS__2016-02-29-10-00_2016-02-29-10-05_1.gz|grep '?'|head -n 2
2016-02-29 10:00:00 114.60.169.102 http://site.browser.360.cn/msgmodel.php?mt=[\"ssrc\"] 58.222.18.167
2016-02-29 10:00:00 118.134.35.106 http://site.browser.360.cn/msgmodel.php?callback=jQuery20008257419313304126_1456711432489&mt=[\"hunantv\",\"news8\",\"newmusic\",\"newmall3\"]&v=7.1.1.644&_=1456711432490 58.222.18.167
➜  tmp git:(master) ✗ zgrep 'baidu.com' ACCESS__2016-02-29-10-00_2016-02-29-10-05_1.gz|grep '?'|head -n 2
2016-02-29 10:00:00 121.76.57.92 http://g.fastapi.net/ga?type=JS&mode=sync&slotid=1009181&index=0&count=5&exclude=87991,151575,109077,216127,167063&mexclude=a-87991,a-109077&z=index=0&rr=http://travel.cnr.cn/list/20160228/t20160228_521491188_2.shtml&cb=_FTAPI_.fillData&pid=zaxy75dlta2qqn5fv7s001d2o2amcbn47mohaogh&pvc=4&r=il7c9ijizgu&f=1&v=1353,664,1366,768,-1,-1,-2,66,0,1&d=pc&o=windows,6.1&b=ie,trident,8&i=0,0&source=www.baidu.com/ 58.222.18.175
2016-02-29 10:00:00 121.76.57.92 http://g.fastapi.net/ga?type=JS&mode=sync&slotid=1009561&index=0&count=4&exclude=87991,151575,109077,216127&mexclude=a-87991,a-109077&z=index=0&rr=http://travel.cnr.cn/list/20160228/t20160228_521491188_2.shtml&cb=_FTAPI_.fillData&pid=zaxy75dlta2qqn5fv7s001d2o2amcbn47mohaogh&pvc=4&r=il7c9i8j8qy&f=1&v=1353,664,1366,768,-1,-1,-2,66,0,1&d=pc&o=windows,6.1&b=ie,trident,8&i=0,0&source=www.baidu.com/ 58.222.18.175
➜  tmp git:(master) ✗ zgrep '163.com' ACCESS__2016-02-29-10-00_2016-02-29-10-05_1.gz|grep '?'|head -n 2
2016-02-29 10:00:00 118.132.241.214 http://p.3g.163.com/nc/now.do?1456711209724 58.222.18.167
2016-02-29 10:00:00 118.133.15.102 http://163.wrating.com/a.gif?a=1532ac0e49e&t=&i=44ac6ef4.1509f190f6a.0.d83b81e1&b=http://e.163.com/?docid=BGTQ0L9R00964MBE#smartPage_indexguess1&c=860010-0502010100&s=1400x1050x32&l=zh-cn&z=8&j=1&f=19.0 r0&r=http://www.163.com/&kw=&ut=11&n=&js=&ck=1 221.235.244.42
➜  tmp git:(master) ✗ zgrep 'sina.com' ACCESS__2016-02-29-10-00_2016-02-29-10-05_1.gz|grep '?'|head -n 2
2016-02-29 10:00:00 118.132.127.120 http://sax.sina.com.cn/view?type=bottom&t=UERQUzAwMDAwMDA0NTk3OQ==&_sinaads_sio_log_zh2jzz 58.222.19.210
2016-02-29 10:00:00 118.132.127.120 http://sax.sina.com.cn/view?type=bottom&t=UERQUzAwMDAwMDA0NjE1NA==&_sinaads_sio_log_u7h5cw 58.222.19.210
So what is interesting in here?
1. The log volume is large. I pulled one file at random to look at; if I have not miscounted, a single file is several hundred GB.
2. I pulled a small sample of a few lines to test. Because these are GET requests, the query strings carry account passwords, cookies, all kinds of authentication keys, and so on.
KuGou account and password:
Password for some Sina service or other:
iQIYI cookie:
2016-02-29 10:00:16 114.60.115.216 http://cm.passport.iqiyi.com/apis/cmonitor/keepalive.action?authcookie=cajeum3m3JLXbgm193fls9WJw9MIiYsS6AxGt7KeDC7tRLpOgUm2bm21XctXjzK9wu3QTjT97&agenttype=23&sign=6b295f34589d544b3b222fb5d9731a02&device_id=1DD39F98-2876-411A-86FD-90A131BA75D2&tv_id=&ptid=2_21_211&app_version=7.1 58.222.19.194
WeChat's key, whatever it is called (the key and pass_ticket for an mp.weixin.qq.com article session):
2016-02-29 10:00:15 118.133.160.173 http://mp.weixin.qq.com/mp/appmsg/show?uin=OTgyMzc1MTMz&key=710a5d99946419d9ab698f71583758e9c7c946bf8cb75d753dcb2ed4d2e4271a5d51501cbe858bf88894346d1e67fb9e&pass_ticket=vTWhaarSeO%252Boj3dDqiSqXXeCuae9Y1IizGv%252BHebYKD0xjnpdvWZbp6WZwYAlpqwJ&wxtoken=2805519491&devicetype=android-19&clientversion=26030d33&x5=1 182.254.10.58
And then each company's own sign values; this was only a test, so I will not list them.
Fix: correct the weak FTP credential (disable anonymous login), keep the server off the public internet, and stop recording customers' sensitive request data in the logs (query strings carrying passwords, cookies and keys).
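The last part of the fix above (stop writing customers' secrets into access logs) as an added worked example; this is not code from the report or from Wangsu. It assumes the log layout visible in the excerpt (date, time, client IP, URL, upstream IP, with `-` when the last field is absent; the URL may contain an unencoded space, as in `f=19.0 r0` above) and a list of sensitive parameter names taken from this report plus common conventions, which is an assumption about what other customers' applications call their credential parameters. It parses each line, redacts the values of sensitive query parameters in place, and builds a per-host inventory of which parameters were leaking, run here over constructed sample lines with fake hosts and values:

```python
"""Redact credentials that customer apps put in GET query strings before a
CDN access log is written or shared (added example; not Wangsu's code)."""
import gzip
import re
import sys
from urllib.parse import urlsplit

# Parameter names that usually carry credentials or session material. The
# first group are names seen in this report (password, authcookie, seckey,
# vkey, pass_ticket, wxtoken, sign, uin); the rest are common conventions and
# are an assumption about what other customers' apps call these parameters.
SENSITIVE = re.compile(
    r"pass|pwd|token|tocken|key|cookie|sign|ticket|secret|auth|session|\bsid\b|\buin\b",
    re.IGNORECASE,
)
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
REDACTED = "[REDACTED]"


def parse_line(line):
    """Split one line of the form 'YYYY-MM-DD HH:MM:SS <client_ip> <url> <upstream|->'.
    The URL is everything between the client IP and the final field, so an
    unencoded space inside the URL does not break the record."""
    parts = line.strip().split()
    if len(parts) < 5 or not DATE_RE.match(parts[0]):
        return None
    return {
        "date": parts[0],
        "time": parts[1],
        "client": parts[2],
        "url": " ".join(parts[3:-1]),
        "upstream": parts[-1],
    }


def redact_url(url):
    """Return (redacted_url, [leaked parameter names]).
    Only the values of sensitive parameters are replaced; every other byte of
    the URL is kept verbatim so the log stays usable for traffic analysis."""
    base, qmark, query = url.partition("?")
    if not qmark:
        return url, []
    pieces, hits = [], []
    for piece in query.split("&"):
        name, eq, value = piece.partition("=")
        if eq and value and SENSITIVE.search(name):
            hits.append(name)
            pieces.append(f"{name}={REDACTED}")
        else:
            pieces.append(piece)
    return base + "?" + "&".join(pieces), hits


def sanitize(lines):
    """Redact an iterable of log lines. Returns the clean lines and an
    inventory {host: sorted parameter names} of what was leaking, which is
    the list a CDN operator needs when going back to each customer."""
    clean, inventory = [], {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:  # unparseable line: pass through untouched
            clean.append(line.rstrip("\n"))
            continue
        url, hits = redact_url(rec["url"])
        if hits:
            host = urlsplit(url).hostname or "?"
            inventory.setdefault(host, set()).update(hits)
        clean.append(f'{rec["date"]} {rec["time"]} {rec["client"]} {url} {rec["upstream"]}')
    return clean, {h: sorted(v) for h, v in inventory.items()}


def scan_file(path):
    """Open a plain or gzip-compressed log (the exposed files were .gz)."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
        return sanitize(fh)


# Constructed sample lines in the report's layout; hosts and values are fake.
SAMPLE_LINES = [
    "2016-02-29 10:00:00 203.0.113.10 http://login.example.com/api/login?username=alice&password=hunter2&remember=1 198.51.100.5",
    "2016-02-29 10:00:01 203.0.113.11 http://cm.passport.example.net/keepalive.action?authcookie=AAAAfakecookieAAAA&agenttype=23&sign=0123456789abcdef 198.51.100.5",
    "2016-02-29 10:00:02 203.0.113.12 http://hit.example.org/image/hitcount.gif?rid=1456711207478&ReferrerPage=http://www.example.org/ -",
    "2016-02-29 10:00:03 203.0.113.13 http://stats.example.org/a.gif?a=1&f=19.0 r0&r=http://www.example.org/&uin=MTIzNDU2 198.51.100.9",
    "2016-02-29 10:00:04 203.0.113.14 http://static.example.com/img/logo.png 198.51.100.5",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    clean, inventory = scan_file(sys.argv[1]) if len(sys.argv) > 1 else sanitize(SAMPLE_LINES)
    for line in clean:
        print(line)
    for host, names in sorted(inventory.items()):
        print(f"# {host} leaks: {', '.join(names)}", file=sys.stderr)
```

Saved as, say, sanitize_log.py, it takes an ACCESS__*.gz file as its only argument and writes the redacted lines to stdout and the per-host inventory to stderr; with no argument it runs over the constructed samples. The name list is deliberately a substring match (so `seckey`, `vkey`, `pass_ticket` and `wxtoken` are all caught by `key`, `pass` and `token`), which errs on the side of over-redacting; the better fix is still for the CDN not to persist query strings for customer traffic at all.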
Severity: Medium
Vulnerability Rank: 8
Confirmed at: 2016-03-31 10:15
Thanks to the WooYun white-hats for their attention. Regarding this vulnerability, Wangsu disabled the affected server immediately on the same day and has thoroughly investigated the cause of the problem and its impact. Explanation as follows:
1. The server involved is an internal company test server; no customer servers and no Wangsu external service platform were involved.
2. The log data involved came from Wangsu's carrier caching product: one small carrier's cached log data from a month earlier, plus some fabricated data; the actual log volume totalled a little over 400 MB and was only for internal stress testing.
3. While transferring the data to the server over FTP, an internal oversight left the FTP without a username and password set, which caused this vulnerability and the data exposure.
Wangsu has always made the security of customers' data and services its foremost service principle; we will further raise the security level of our internal systems. Thanks to the WooYun white-hats for their attention to Wangsu.
None yet.