
Vulnerability Summary

Defect ID: wooyun-2015-0121764

Title: Changba sensitive information disclosure (including database configuration)

Vendor: Changba-inc

Author: 猪猪侠

Submitted: 2015-06-22 12:40

Fixed: 2015-08-06 13:22

Published: 2015-08-06 13:22

Vulnerability type: Sensitive information disclosure

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability Details

Disclosure status:

2015-06-22: Details sent to the vendor, awaiting vendor action
2015-06-22: Vendor confirmed; details visible to the vendor only
2015-07-02: Details disclosed to core white hats and domain experts
2015-07-12: Details disclosed to regular white hats
2015-07-22: Details disclosed to intern white hats
2015-08-06: Details disclosed to the public

Brief description:

Changba sensitive information disclosure (including database configuration)

Detailed description:

Read together with WooYun: Human Laziness, Part 1: insufficient enforcement of security management let Changba's security perimeter be breached (access to the internal network).

Backup and stray copies of the main configuration file are served as plain text:
http://v.changba.com:8888/common/config.inc.php.bak
http://v.changba.com:8888/common/config.inc.php1
http://59.151.31.233:8888/common/config.inc.php.bak
http://59.151.31.233:8888/common/config.inc.php1

SVN metadata leak:
http://v.changba.com:8888/crontab/.svn/entries
http://v.changba.com:808/login/.svn/entries
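The paths above leak because a typical nginx PHP site only routes requests ending in `.php` to the PHP interpreter; `config.inc.php.bak`, `config.inc.php1` and `.svn/entries` match no such location and fall through to the static-file handler, which returns the raw bytes. The Python below is an added example, not code from the report or from Changba: it emulates nginx's first-match rule over regex locations for a weak and a hardened location set (both constructed here, not the site's real configuration) and shows which of the report's paths each set executes, refuses, or serves raw.

```python
"""Why nginx served config.inc.php.bak as plain text, and the fix.

Simplified emulation: nginx tries regex locations in file order and the
first match wins; a request matching none is served as a static file.
Prefix locations are not modelled. Both rule sets are constructed for
illustration and are not Changba's configuration.
"""
import re

# Weak: the only regex location hands *.php to PHP-FPM.
WEAK_RULES = [
    (r"\.php$", "php"),
]

# Hardened: refuse VCS metadata and stray copies of source before the
# static-file fallback can ever see them; ordinary *.php still executes.
HARDENED_RULES = [
    (r"/\.(svn|git|hg)(/|$)", "deny"),       # .svn/entries, .git/config ...
    (r"\.(bak|old|orig|swp|inc)$", "deny"),  # editor and backup copies
    (r"\.php\d+$", "deny"),                  # config.inc.php1-style copies
    (r"\.php$", "php"),
]


def classify(path, rules):
    """Return 'php', 'deny' or 'static' for a request path under rules."""
    for pattern, action in rules:
        if re.search(pattern, path):
            return action
    return "static"  # no location matched: nginx serves the file bytes


def audit(paths, rules):
    """Map each path to its outcome; 'static' on a source-like path is a leak."""
    return {p: classify(p, rules) for p in paths}


if __name__ == "__main__":
    # Request paths taken from the report, plus an ordinary page for contrast.
    requests = [
        "/common/config.inc.php",
        "/common/config.inc.php.bak",
        "/common/config.inc.php1",
        "/crontab/.svn/entries",
        "/index.php",
    ]
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name)
        for path, outcome in audit(requests, rules).items():
            print(f"  {outcome:7} {path}")
```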

Proof:

<?php
define('APPLICATION','MAIN'); //used to define MAIN/DUET/... application center
date_default_timezone_set('Asia/Chongqing');
define('DOCUMENT_ROOT','/home/wwwroot/api.changba.com/');
define('KTV_SERVER','http://api.changba.com/');
define('KTV_CDN_IMG_SERVER','http://img.changba.com/');
define('KTV_CDN_ORIMP3_SERVER','http://mp3.changba.com/');
define('KTV_CDN_EXTERNAL_MP3_SERVER', 'http://a129mp3.changba.com/');
define('KTV_CDN_MP3_SERVER','http://a123mp3.changba.com/');
define('KTV_STAT_PREFIX', '123');
define('KTV_CDN_DUET_SERVER','http://a201hc.changba.com/');
define('KTV_CDN_DOMAIN','changba.com/');
$KTV_DEBUG = 'debug';
// ****** Database type ******
$config['Database']['dbtype'] = 'mysql';
// ****** Technical staff e-mail address ******
$config['Database']['technicalemail'] = 'faq@zuitao-inc.com';
// ****** Force-clear SQL mode ******
$config['Database']['force_sql_mode'] = false;
// ****** SQL statement DEBUG mode ******
$config['Database']['debug'] = false;
// ****** Connection charset for MySQL 4.1 and above ******
$config['Database']['charset'] = 'utf8';
// ****** MySQL storage engine ******
$config['Database']['engine'] = 'InnoDB';
/* mysql client database address */
$config['ZuitaoKtvServer_client']['servername'] = '192.168.1.128';
$config['ZuitaoKtvServer_client']['port'] = 13306;
$config['ZuitaoKtvServer_client']['username'] = 'client';
$config['ZuitaoKtvServer_client']['password'] = 'TSj3E6LU6CHq4rLJ';
$config['ZuitaoKtvServer_client']['pconnect'] = 0;
$config['ZuitaoKtvServer_client']['dbname'] = 'changba_client';
$config['ZuitaoKtvServer_client']['charset'] = 'utf8';
/* mysql notice database address */
$config['ZuitaoKtvServer_notice']['servername'] = '192.168.1.128';
$config['ZuitaoKtvServer_notice']['port'] = 13306;
$config['ZuitaoKtvServer_notice']['username'] = 'client';
$config['ZuitaoKtvServer_notice']['password'] = 'TSj3E6LU6CHq4rLJ';
$config['ZuitaoKtvServer_notice']['pconnect'] = 0;
$config['ZuitaoKtvServer_notice']['dbname'] = 'changba_notice';
$config['ZuitaoKtvServer_notice']['charset'] = 'utf8mb4';
/* mysql hottest: database dedicated to the rankings */
$config['ZuitaoKtvServer_hottest']['servername'] = '192.168.1.132';
$config['ZuitaoKtvServer_hottest']['port'] = 3306;
$config['ZuitaoKtvServer_hottest']['username'] = 'root';
$config['ZuitaoKtvServer_hottest']['password'] = 'TSj3E6LU6CHq4rLJ';
$config['ZuitaoKtvServer_hottest']['pconnect'] = 0;
$config['ZuitaoKtvServer_hottest']['dbname'] = 'ktv_hottest,zuitaoktv';
$config['ZuitaoKtvServer_hottest']['charset'] = 'utf8';
/* mysql user: database dedicated to user nicknames */
$config['ZuitaoKtvServer_user']['servername'] = '192.168.1.127';
$config['ZuitaoKtvServer_user']['port'] = 13306;
$config['ZuitaoKtvServer_user']['username'] = 'root';
$config['ZuitaoKtvServer_user']['password'] = 'TSj3E6LU6CHq4rLJ';
$config['ZuitaoKtvServer_user']['pconnect'] = 0;
$config['ZuitaoKtvServer_user']['dbname'] = 'zuitaoktv_user';
$config['ZuitaoKtvServer_user']['charset'] = 'utf8mb4';
/* zuitaoktv database account */
$config['ZuitaoKtvServer']['servername'] = '192.168.1.133';
$config['ZuitaoKtvServer']['port'] = 3306;
$config['ZuitaoKtvServer']['username'] = 'root';
$config['ZuitaoKtvServer']['password'] = 'TSj3E6LU6CHq4rLJ';
$config['ZuitaoKtvServer']['pconnect'] = 0;
$config['ZuitaoKtvServer']['dbname'] = 'zuitaoktv';
$config['ZuitaoKtvServer']['charset'] = 'utf8';
/* mysql replica (slave) address */
$config['ZuitaoKtvServer_slave']['servername'] = '192.168.1.123';
$config['ZuitaoKtvServer_slave']['port'] = 3306;
$config['ZuitaoKtvServer_slave']['username'] = 'read';
$config['ZuitaoKtvServer_slave']['password'] = 'TSj3E6LU6CHq4rLJ';
$config['ZuitaoKtvServer_slave']['pconnect'] = 0;
$config['ZuitaoKtvServer_slave']['dbname'] = 'zuitaoktv';
$config['ZuitaoKtvServer_slave']['charset'] = 'utf8';
/* mysql duet database address */
$config['ZuitaoKtvServer_duet']['servername'] = '192.168.1.202';
$config['ZuitaoKtvServer_duet']['port'] = 3306;
$config['ZuitaoKtvServer_duet']['username'] = 'root';
$config['ZuitaoKtvServer_duet']['password'] = 'TSj3E6LU6CHq4rLJ';
$config['ZuitaoKtvServer_duet']['pconnect'] = 0;
$config['ZuitaoKtvServer_duet']['dbname'] = 'duet';
$config['ZuitaoKtvServer_duet']['charset'] = 'utf8';
$config['memcached']['addr'] = '192.168.1.133';
$config['memcached']['port'] = 11215;
$config['memcacheq']['addr'] = '192.168.1.125';
$config['memcacheq']['port'] = 22201;
$config['memcached_notice']['addr'] = '192.168.1.125'; // flower counts and notices
$config['memcached_notice']['port'] = 11215;
$config['memcached_vip']['addr'] = '192.168.1.132'; // memcache handling VIP requests (used to be 130, now 132)
$config['memcached_vip']['port'] = 11215;
/* e-mail account */
$config['email']['host']='mail.zuitao.com'; //'mail.zuitao.com';
$config['email']['port']=25;
$config['email']['username']='service';//'noreply';
$config['email']['password']='123456';
$config['email']['from']='service@zuitao.com';//'noreply@zuitao.com';
$config['email']['fromname']='最淘网';
$cdn_backup_config['a123img'] = 5;
$cdn_backup_config['a126img'] = 5;
$cdn_backup_config['http://a121mp3.changba.com/'] = 5;
$cdn_backup_config['http://a122mp3.changba.com/'] = 5;
$cdn_backup_config['http://a123mp3.changba.com/'] = 5;
$cdn_backup_config['http://a124mp3.changba.com/'] = 5;
$cdn_backup_config['http://a125mp3.changba.com/'] = 5;
$cdn_backup_config['http://a126mp3.changba.com/'] = 5;
$cdn_backup_config['http://a127mp3.changba.com/'] = 5;
$cdn_backup_config['http://a128mp3.changba.com/'] = 5;
$cdn_backup_config['http://a129mp3.changba.com/'] = 5;
$cdn_backup_config['http://a130mp3.changba.com/'] = 5;
$cdn_backup_config['http://a131mp3.changba.com/'] = 5;
$cdn_backup_config['http://a134mp3.changba.com/'] = 5;
$cdn_backup_config['http://a21mp3.changba.com/'] = 5;
$cdn_backup_config['http://a132mp3.changba.com/'] = 0;
$cdn_backup_config['http://a133mp3.changba.com/'] = 0;
$cdn_backup_config['http://a201hc.changba.com/'] = 5;
$cdn_backup_config['http://a202hc.changba.com/'] = 5;
$localconfig = array();
// Optional per-host overrides, loaded only if the file exists.
if(file_exists('localconfig.inc.php')){
include_once ('localconfig.inc.php');
}
?>

Fix recommendation:

Delete the exposed files.

Copyright notice: please credit the source when reposting: 猪猪侠@乌云


Vulnerability Response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed at: 2015-06-22 13:21

Vendor reply:

The standalone service on it did, because of an improper nginx configuration, indeed leak sensitive code information. It is old code on an old machine, probably set up online casually by technical staff before 2012 and never cleaned up afterwards.
On this point we will strengthen security awareness and also pay attention to keeping the internal network environment isolated.

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2015-06-22 12:51 | DloveJ ( Regular White Hat | Rank:1107 Vulns:200 | <a href=javascrip:alert('xss')>s</a> 点...)

    First!

  2. 2015-06-22 13:05 | hh2014 ( Regular White Hat | Rank:225 Vulns:39 | Keep going)

    Not enjoying the holiday properly, back to grinding out vulns again

  3. 2015-06-22 23:52 | Q1NG ( Intern White Hat | Rank:93 Vulns:16 | 临 兵 斗 者 皆 阵 列 前 行 !)

    Brother Zhu strikes again!..........

  4. 2015-08-06 13:54 | im503 ( Passerby | Rank:16 Vulns:8 | Missing Passerby A | Rank:-503 Vulns:0 | loves pyth...)

    Brother Zhu strikes again.. nothing left hidden.

  5. 2015-08-06 16:09 | cnb ( Passerby | Rank:4 Vulns:2 | bottom-fishing at limit-down)

    Why can you always find sensitive information leaks?