当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0123828

漏洞标题:HTML5中国主站与分站存在svn代码泄露漏洞续(二)

相关厂商:html5cn.org

漏洞作者: 上岸的鱼

提交时间:2015-07-01 11:14

修复时间:2015-07-06 11:16

公开时间:2015-07-06 11:16

漏洞类型:敏感信息泄露

危害等级:高

自评Rank:20

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-07-01: 细节已通知厂商并且等待厂商处理中
2015-07-06: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

本来本着测试的目的,没深入,没拿数据出来亮亮,但是尽然给我忽略了,我表示不服,那我就拿点数据出来亮亮
我们挥洒汗水,给你们测试,给你们告警,不要凉了我们的心啊,不然哪天数据在无声无息中传播整个网络就是你们挥洒汗水的时候

详细说明:

前戏: WooYun: HTML5中国主站与分站存在svn代码泄露漏洞
通过获取到数据库的配置信息,我们找到mysql数据库访问地址:211.155.82.185
直接mysql连接,内容还是很丰富的啊,313个表,11+w的用户数:

+----------------------------------+
| Tables_in_tx100_discuz           |
+----------------------------------+
| t_common_addon                   |
| t_common_admincp_cmenu           |
| t_common_admincp_group           |
| t_common_admincp_member          |
| t_common_admincp_perm            |
| t_common_admincp_session         |
| t_common_admingroup              |
| t_common_adminnote               |
| t_common_advertisement           |
| t_common_advertisement_custom    |
| t_common_banned                  |
| t_common_block                   |
| t_common_block_favorite          |
| t_common_block_item              |
| t_common_block_item_data         |
| t_common_block_permission        |
| t_common_block_pic               |
| t_common_block_style             |
| t_common_block_xml               |
| t_common_cache                   |
| t_common_card                    |
| t_common_card_log                |
| t_common_card_type               |
| t_common_connect_guest           |
| t_common_credit_log              |
| t_common_credit_log_field        |
| t_common_credit_rule             |
| t_common_credit_rule_log         |
| t_common_credit_rule_log_field   |
| t_common_cron                    |
| t_common_devicetoken             |
| t_common_district                |
| t_common_diy_data                |
| t_common_domain                  |
| t_common_failedip                |
| t_common_failedlogin             |
| t_common_friendlink              |
| t_common_grouppm                 |
| t_common_invite                  |
| t_common_magic                   |
| t_common_magiclog                |
| t_common_mailcron                |
| t_common_mailqueue               |
| t_common_member                  |
| t_common_member_action_log       |
| t_common_member_connect          |
| t_common_member_count            |
| t_common_member_crime            |
| t_common_member_field_forum      |
| t_common_member_field_home       |
| t_common_member_forum_buylog     |
| t_common_member_grouppm          |
| t_common_member_log              |
| t_common_member_magic            |
| t_common_member_medal            |
| t_common_member_newprompt        |
| t_common_member_profile          |
| t_common_member_profile_setting  |
| t_common_member_security         |
| t_common_member_secwhite         |
| t_common_member_stat_field       |
| t_common_member_stat_fieldcache  |
| t_common_member_stat_search      |
| t_common_member_stat_searchcache |
| t_common_member_status           |
| t_common_member_validate         |
| t_common_member_verify           |
| t_common_member_verify_info      |
| t_common_moderate                |
| t_common_myapp                   |
| t_common_myinvite                |
| t_common_mytask                  |
| t_common_nav                     |
| t_common_onlinetime              |
| t_common_optimizer               |
| t_common_patch                   |
| t_common_plugin                  |
| t_common_pluginvar               |
| t_common_process                 |
| t_common_regip                   |
| t_common_relatedlink             |
| t_common_remote_port             |
| t_common_report                  |
| t_common_searchindex             |
| t_common_seccheck                |
| t_common_secquestion             |
| t_common_session                 |
| t_common_setting                 |
| t_common_smiley                  |
| t_common_sphinxcounter           |
| t_common_stat                    |
| t_common_statuser                |
| t_common_style                   |
| t_common_stylevar                |
| t_common_syscache                |
| t_common_tag                     |
| t_common_tagitem                 |
| t_common_task                    |
| t_common_taskvar                 |
| t_common_template                |
| t_common_template_block          |
| t_common_template_permission     |
| t_common_uin_black               |
| t_common_usergroup               |
| t_common_usergroup_field         |
| t_common_visit                   |
| t_common_word                    |
| t_common_word_type               |
| t_connect_disktask               |
| t_connect_feedlog                |
| t_connect_memberbindlog          |
| t_connect_postfeedlog            |
| t_connect_tlog                   |
| t_connect_tthreadlog             |
| t_dsu_paulsign                   |
| t_dsu_paulsignemot               |
| t_dsu_paulsignset                |
| t_forum_access                   |
| t_forum_activity                 |
| t_forum_activityapply            |
| t_forum_announcement             |
| t_forum_attachment               |
| t_forum_attachment_0             |
| t_forum_attachment_1             |
| t_forum_attachment_2             |
| t_forum_attachment_3             |
| t_forum_attachment_4             |
| t_forum_attachment_5             |
| t_forum_attachment_6             |
| t_forum_attachment_7             |
| t_forum_attachment_8             |
| t_forum_attachment_9             |
| t_forum_attachment_exif          |
| t_forum_attachment_unused        |
| t_forum_attachtype               |
| t_forum_bbcode                   |
| t_forum_collection               |
| t_forum_collectioncomment        |
| t_forum_collectionfollow         |
| t_forum_collectioninvite         |
| t_forum_collectionrelated        |
| t_forum_collectionteamworker     |
| t_forum_collectionthread         |
| t_forum_creditslog               |
| t_forum_debate                   |
| t_forum_debatepost               |
| t_forum_faq                      |
| t_forum_filter_post              |
| t_forum_forum                    |
| t_forum_forum_threadtable        |
| t_forum_forumfield               |
| t_forum_forumrecommend           |
| t_forum_groupcreditslog          |
| t_forum_groupfield               |
| t_forum_groupinvite              |
| t_forum_grouplevel               |
| t_forum_groupranking             |
| t_forum_groupuser                |
| t_forum_hotreply_member          |
| t_forum_hotreply_number          |
| t_forum_imagetype                |
| t_forum_medal                    |
| t_forum_medallog                 |
| t_forum_memberrecommend          |
| t_forum_moderator                |
| t_forum_modwork                  |
| t_forum_newthread                |
| t_forum_onlinelist               |
| t_forum_order                    |
| t_forum_poll                     |
| t_forum_polloption               |
| t_forum_polloption_image         |
| t_forum_pollvoter                |
| t_forum_post                     |
| t_forum_post_location            |
| t_forum_post_moderate            |
| t_forum_post_tableid             |
| t_forum_postcache                |
| t_forum_postcomment              |
| t_forum_postlog                  |
| t_forum_postposition             |
| t_forum_poststick                |
| t_forum_promotion                |
| t_forum_ratelog                  |
| t_forum_relatedthread            |
| t_forum_replycredit              |
| t_forum_rsscache                 |
| t_forum_sofa                     |
| t_forum_spacecache               |
| t_forum_statlog                  |
| t_forum_thread                   |
| t_forum_thread_moderate          |
| t_forum_threadaddviews           |
| t_forum_threadcalendar           |
| t_forum_threadclass              |
| t_forum_threadclosed             |
| t_forum_threaddisablepos         |
| t_forum_threadhidelog            |
| t_forum_threadhot                |
| t_forum_threadimage              |
| t_forum_threadlog                |
| t_forum_threadmod                |
| t_forum_threadpartake            |
| t_forum_threadpreview            |
| t_forum_threadprofile            |
| t_forum_threadprofile_group      |
| t_forum_threadrush               |
| t_forum_threadtype               |
| t_forum_trade                    |
| t_forum_tradecomment             |
| t_forum_tradelog                 |
| t_forum_typeoption               |
| t_forum_typeoptionvar            |
| t_forum_typevar                  |
| t_forum_warning                  |
| t_home_album                     |
| t_home_album_category            |
| t_home_appcreditlog              |
| t_home_blacklist                 |
| t_home_blog                      |
| t_home_blog_category             |
| t_home_blog_moderate             |
| t_home_blogfield                 |
| t_home_class                     |
| t_home_click                     |
| t_home_clickuser                 |
| t_home_comment                   |
| t_home_comment_moderate          |
| t_home_docomment                 |
| t_home_doing                     |
| t_home_doing_moderate            |
| t_home_favorite                  |
| t_home_feed                      |
| t_home_feed_app                  |
| t_home_follow                    |
| t_home_follow_feed               |
| t_home_follow_feed_archiver      |
| t_home_friend                    |
| t_home_friend_request            |
| t_home_friendlog                 |
| t_home_notification              |
| t_home_pic                       |
| t_home_pic_moderate              |
| t_home_picfield                  |
| t_home_poke                      |
| t_home_pokearchive               |
| t_home_share                     |
| t_home_share_moderate            |
| t_home_show                      |
| t_home_specialuser               |
| t_home_userapp                   |
| t_home_userappfield              |
| t_home_visitor                   |
| t_mobile_setting                 |
| t_mobileoem_member               |
| t_mobileoem_pushthreads          |
| t_plugin_auction                 |
| t_plugin_auction_message         |
| t_plugin_auction_xml             |
| t_plugin_auctionapply            |
| t_plugin_dsuampper               |
| t_portal_article_content         |
| t_portal_article_count           |
| t_portal_article_moderate        |
| t_portal_article_related         |
| t_portal_article_title           |
| t_portal_article_trash           |
| t_portal_attachment              |
| t_portal_category                |
| t_portal_category_permission     |
| t_portal_comment                 |
| t_portal_comment_moderate        |
| t_portal_rsscache                |
| t_portal_topic                   |
| t_portal_topic_pic               |
| t_security_evilpost              |
| t_security_eviluser              |
| t_security_failedlog             |
| t_ucenter_admins                 |
| t_ucenter_applications           |
| t_ucenter_badwords               |
| t_ucenter_domains                |
| t_ucenter_failedlogins           |
| t_ucenter_feeds                  |
| t_ucenter_friends                |
| t_ucenter_mailqueue              |
| t_ucenter_memberfields           |
| t_ucenter_members                |
| t_ucenter_mergemembers           |
| t_ucenter_newpm                  |
| t_ucenter_notelist               |
| t_ucenter_pm_indexes             |
| t_ucenter_pm_lists               |
| t_ucenter_pm_members             |
| t_ucenter_pm_messages_0          |
| t_ucenter_pm_messages_1          |
| t_ucenter_pm_messages_2          |
| t_ucenter_pm_messages_3          |
| t_ucenter_pm_messages_4          |
| t_ucenter_pm_messages_5          |
| t_ucenter_pm_messages_6          |
| t_ucenter_pm_messages_7          |
| t_ucenter_pm_messages_8          |
| t_ucenter_pm_messages_9          |
| t_ucenter_protectedmembers       |
| t_ucenter_settings               |
| t_ucenter_sqlcache               |
| t_ucenter_tags                   |
| t_ucenter_vars                   |
| t_zywx_forum_postfield           |
| t_zywx_home_blogfield            |
| t_zywx_useroperation             |
| t_zywx_useroperation_log         |
+----------------------------------+
313 rows in set (0.02 sec)


mysql> select count(*) from t_ucenter_members;
+----------+
| count(*) |
+----------+
|   111155 |
+----------+
1 row in set (0.01 sec)
mysql> select * from t_ucenter_members limit 1,6;
+-----+------------+----------------------------------+-------------------------+------+---------+-----------------+------------+-------------+---------------+--------+---------+
| uid | username   | password                         | email                   | myid | myidkey | regip           | regdate    | lastloginip | lastlogintime | salt   | secques |
+-----+------------+----------------------------------+-------------------------+------+---------+-----------------+------------+-------------+---------------+--------+---------+
|   2 | esldcf1989 | 1f2d2455b870046cac0d679a2f42aa33 | nihsiede@163.com        |      |         | 182.87.64.31    | 1328067569 |           0 |             0 | 127ae1 |         |
|   3 | nouf62w    | e7a00da53fde94b08ae2be00075a3686 | xmi794ryo65@163.com     |      |         | 112.220.216.11  | 1328075562 |           0 |             0 | a63a73 |         |
|   4 | Joan       | 50d3993ca23a9f354e1b0f354b5ce6ec | joanluoqiong@163.com    |      |         | 58.246.12.28    | 1328086142 |           0 |             0 | ed7307 |         |
|   5 | tizenol    | 7338893f92cba1139eeda162096973f4 | sky@tizenol.com         |      |         | 218.82.7.244    | 1328143833 |           0 |             0 | 94ec7b |         |
|   6 | suxunbo    | a2d49ac89c93d754e47b2b5c9edefc8f | suxunbu@3g2win.com      |      |         | 218.240.157.195 | 1328148452 |           0 |             0 | 4cff5b |         |
|   7 | tingtingxj | fd1e502b701341258edfaa86cd32bf54 | tingting.shi@3g2win.com |      |         | 218.240.157.195 | 1328151733 |           0 |             0 | 5d7cea |         |
+-----+------------+----------------------------------+-------------------------+------+---------+-----------------+------------+-------------+---------------+--------+---------+
6 rows in set (0.02 sec)


漏洞证明:

看详细说明
若有后续,就是直接拿shell了
不说了,说多了都是泪,测试很辛苦的,NND,都凌晨了

修复方案:

我要唱《征服》

版权声明:转载请注明来源 上岸的鱼@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-07-06 11:16

厂商回复:

漏洞Rank:4 (WooYun评价)

最新状态:

暂无

漏洞评价:

评论

  1. 2015-07-13 12:21 | 路人癸 ( 路人 | Rank:4 漏洞数:2 | 随意路过)

    还是忽略。。洞主不哭