
Vulnerability summary

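Bug ID: wooyun-2016-0198883

Title: Multiple vulnerabilities in the Uber community site (arbitrary SQL execution possible)

Vendor: Uber (优步)

Author: 猪猪侠

Submitted: 2016-04-21 15:00

Fixed: 2016-06-06 05:00

Published: 2016-06-06 05:00

Vulnerability type: Sensitive information disclosure

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]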



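Vulnerability details

Disclosure status:

2016-04-21: Details reported to the vendor; awaiting vendor handling
2016-04-22: Vendor confirmed; details disclosed only to the vendor
2016-05-02: Details disclosed to core white hats and experts in related fields
2016-05-12: Details disclosed to regular white hats
2016-05-22: Details disclosed to intern white hats
2016-06-06: Details disclosed to the public

Brief description:

The Uber community site has multiple vulnerabilities: the system admin backend can be accessed and arbitrary SQL can be executed, affecting 80,000 (8W) members.
dig www.uber.com.cn: the name resolves to the same IP as the main Uber site.

Detailed description:

#0 Impact
dig ubernihao.com
dig uber.com.cn
The records show that both are deployed inside the same network.
#1 Exposed .git files leak the entire site's source code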

python wyspider.py http://cms.ubernihao.com
--------------------------------------------------
* scan http://cms.ubernihao.com start
--------------------------------------------------
[200] http://cms.ubernihao.com => http://cms.ubernihao.com/
[200] http://cms.ubernihao.com/login.html => http://cms.ubernihao.com/login.html
[200] http://cms.ubernihao.com/.git/config => http://cms.ubernihao.com/.git/config
--------------------------------------------------
* scan complete...
--------------------------------------------------
{
"dirs": {
"http://cms.ubernihao.com": [
"http://cms.ubernihao.com/"
]
},
"files": {
"http://cms.ubernihao.com": {
"/.git/": [
"http://cms.ubernihao.com/.git/config"
],
"/": [
"http://cms.ubernihao.com/login.html"
]
}
}
}


http://cms.ubernihao.com/.git/config

[core]
repositoryformatversion = 0
filemode = true
bare = false
logallrefupdates = true
[remote "origin"]
fetch = +refs/heads/*:refs/remotes/origin/*
url = git@git.oschina.net:muzhibuluo/uber_cms_v2.git
[branch "master"]
remote = origin
merge = refs/heads/master


[Screenshot: uber1.png]


#2 System debug logs, error logs and access logs are remotely accessible
http://code.ubernihao.com/logs/

Index of /logs/
../
access.log 21-Apr-2016 06:32 357M
debug.log 21-Apr-2016 06:32 440M
debug.log-2016-04-13 13-Apr-2016 09:42 71K
debug.log-2016-04-14 14-Apr-2016 17:34 174K
debug.log-2016-04-15 16-Apr-2016 15:59 293M
debug.log-2016-04-16 17-Apr-2016 15:59 260M
debug.log-2016-04-17 18-Apr-2016 08:16 152M
debug.log-2016-04-18 19-Apr-2016 15:59 129M
debug.log-2016-04-19 20-Apr-2016 09:28 85M
debug.log-2016-04-20 21-Apr-2016 04:01 92M
error.log 21-Apr-2016 06:32 329M
info.log 21-Apr-2016 06:32 685M

Proof of vulnerability:

#3 The logs leak a large amount of sensitive information
Users' access tokens and login passwords

[2016-04-13 16:21:26.008] [INFO] http - 116.23.126.182 - - "PUT /adminUsers/1?authorization=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6MSwidHlwZSI6ImxvY2FsIiwiaWF0IjoxNDYwNTM1NjcwLCJleHAiOjE0NjI2MDkyNzB9.dscvgrWIzwL-Kl_jeElfAes93RLGRC3gG4nxa2BwTzU HTTP/1.0" 200 196 "http://cms.ubernihao.com/index.html" "Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.76 Mobile Safari/537.36"
[2016-04-13 16:21:26.046] [DEBUG] mysqlDb - query sql : select id,email,nickname,cities,level,create_time as createTime from admin_user where level>=:level { level: '0' }
[2016-04-13 16:21:26.047] [DEBUG] mysqlDb - formatedSql: select id,email,nickname,cities,level,create_time as createTime from admin_user where level>='0'
[2016-04-13 16:21:26.049] [DEBUG] mysqlDb - operator back rows length : 1
[2016-04-13 16:21:26.050] [INFO] http - 116.23.126.182 - - "GET /adminUsers/manage?cities=*&level=0 HTTP/1.0" 304 - "http://cms.ubernihao.com/index.html" "Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.76 Mobile Safari/537.36"
[2016-04-13 16:21:37.959] [ERROR] app.js - NoUnauthorizationHeader /adminUsers?email=muzhi&passwd=uber undefined undefined undefined undefined


Obtaining passwords transmitted in plaintext

cat debug.log-2016-04-16 | grep passwd
[2016-04-17 00:48:14.330] [ERROR] app.js - NoUnauthorizationHeader /adminUsers?email=muzhi&passwd=ubernihao undefined undefined undefined undefined
[2016-04-17 00:48:14.334] [DEBUG] mysqlDb - query sql : select id,email,nickname,passwd,cities,level,status,create_time,create_by,update_time,update_by from admin_user where 1=1 and email='muzhi' and passwd='f1a89ad1f8388af2fe5b99ee07d2f468' order by id desc
[2016-04-17 00:48:14.336] [INFO] http - ::ffff:127.0.0.1 - - "GET /adminUsers?email=muzhi&passwd=ubernihao HTTP/1.1" 200 270 "" "undefined"
[2016-04-17 14:31:32.614] [ERROR] app.js - NoUnauthorizationHeader /adminUsers?email=gz01&passwd=gz0101 undefined undefined undefined undefined
[2016-04-17 14:31:32.618] [DEBUG] mysqlDb - query sql : select id,email,nickname,passwd,cities,level,status,create_time,create_by,update_time,update_by from admin_user where 1=1 and email='gz01' and passwd='e6144bda3a2f257ac9b59c9007bd9dbb' order by id desc
[2016-04-17 14:31:32.620] [INFO] http - ::ffff:127.0.0.1 - - "GET /adminUsers?email=gz01&passwd=gz0101 HTTP/1.1" 200 260 "" "undefined"
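
The excerpts in #3 show credentials reaching the log through request URLs and debug SQL. The JavaScript below is an added example, not code from the original report or from the affected application: a redaction pass for log lines in that layout, where the list of sensitive parameter names is an assumption and the sample lines are constructed.

```javascript
// Added example: scrub credentials from log lines before they are written,
// and flag lines in existing logs that already contain them.
// SENSITIVE_KEYS is an assumed list; extend it with your own parameter names.
const SENSITIVE_KEYS = ['passwd', 'password', 'authorization', 'token'];

// key=value pairs in a query string whose key is sensitive (case-insensitive).
const PARAM_RE = new RegExp(
  '([?&](?:' + SENSITIVE_KEYS.join('|') + ')=)[^&\\s"\']*', 'gi');

// Anything shaped like a JWT: three base64url segments, header starting "eyJ".
const JWT_RE = /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;

// String literals compared against a password column in logged SQL.
const SQL_RE = /(\bpass(?:wd|word)\s*=\s*)'[^']*'/gi;

function redactLogLine(line) {
  return line
    .replace(PARAM_RE, '$1[REDACTED]')
    .replace(JWT_RE, '[REDACTED-JWT]')
    .replace(SQL_RE, "$1'[REDACTED]'");
}

// Returns the kinds of secret present in a line, for auditing written logs.
function findSecrets(line) {
  const hits = [];
  // Fresh non-global regexes so .test() carries no lastIndex state.
  if (new RegExp(PARAM_RE.source, 'i').test(line)) hits.push('query-credential');
  if (new RegExp(JWT_RE.source).test(line)) hits.push('jwt');
  if (new RegExp(SQL_RE.source, 'i').test(line)) hits.push('sql-password-literal');
  return hits;
}

// Constructed sample lines in the same layout as the excerpts above.
const SAMPLE = [
  '[2016-01-01 00:00:00.000] [INFO] http - 192.0.2.10 - - "GET /adminUsers?email=alice&passwd=example-pw HTTP/1.1" 200 270',
  '[2016-01-01 00:00:00.001] [INFO] http - 192.0.2.10 - - "PUT /adminUsers/1?authorization=eyJ0eXAiOiJKV1QifQ.eyJpZCI6MX0.c2ln HTTP/1.0" 200 196',
  "[2016-01-01 00:00:00.002] [DEBUG] mysqlDb - query sql : select id from admin_user where email='alice' and passwd='0123abcd' order by id desc",
  '[2016-01-01 00:00:00.003] [DEBUG] mysqlDb - operator back rows length : 1',
];

for (const l of SAMPLE) {
  console.log(findSecrets(l).join(',') || 'clean', '|', redactLogLine(l));
}
```

Redaction is a backstop only: the underlying fixes are to stop sending credentials in the query string and to stop serving the log directory over HTTP.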


#4 Using the user information found in the debug output to enter the admin backend

[Screenshots: uber2.jpg, uber3.jpg, uber5.jpg, uber4.png]

Fix:

Raise security awareness, that's all.

Copyright notice: when reposting, credit the source 猪猪侠@乌云


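Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2016-04-22 04:54

Vendor reply:

Thank you for the information you provided; we are working on it as quickly as possible.

Latest status:

None yet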