当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0156919

漏洞标题:点到为止之好利网多处配置不当或可涉及内网信息

相关厂商:haolyy.com

漏洞作者: 路人甲

提交时间:2015-11-30 16:07

修复时间:2016-01-14 17:04

公开时间:2016-01-14 17:04

漏洞类型:系统/服务运维配置不当

危害等级:高

自评Rank:12

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-11-30: 细节已通知厂商并且等待厂商处理中
2015-11-30: 厂商已经确认,细节仅向厂商公开
2015-12-10: 细节向核心白帽子及相关领域专家公开
2015-12-20: 细节向普通白帽子公开
2015-12-30: 细节向实习白帽子公开
2016-01-14: 细节向公众公开

简要描述:

RT

详细说明:

0x01:备份下载

http://track.haolyy.com/app.zip


1.png


2.png

<?xml version="1.0"?>
<!--
注意: 除了手动编辑此文件以外,您还可以使用 a
Web 管理工具来配置应用程序的设置。可以使用 Visual Studio 中的
“网站”->“Asp.Net 配置”选项。
设置和注释的完整列表在
machine.config.comments 中,该文件通常位于
\Windows\Microsoft.Net\Framework\v2.x\Config 中
-->
<configuration>
<configSections>

<sectionGroup name="system.web.extensions" type="System.Web.Configuration.SystemWebExtensionsSectionGroup, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35">
<sectionGroup name="scripting" type="System.Web.Configuration.ScriptingSectionGroup, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35">
<section name="scriptResourceHandler" type="System.Web.Configuration.ScriptingScriptResourceHandlerSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="MachineToApplication"/>
<sectionGroup name="webServices" type="System.Web.Configuration.ScriptingWebServicesSectionGroup, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35">
<section name="jsonSerialization" type="System.Web.Configuration.ScriptingJsonSerializationSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="Everywhere"/>
<section name="profileService" type="System.Web.Configuration.ScriptingProfileServiceSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="MachineToApplication"/>
<section name="authenticationService" type="System.Web.Configuration.ScriptingAuthenticationServiceSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="MachineToApplication"/>
<section name="roleService" type="System.Web.Configuration.ScriptingRoleServiceSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="MachineToApplication"/>
</sectionGroup>
</sectionGroup>
</sectionGroup>
<!--NLog config-->
<section name="nlog" type="NLog.Config.ConfigSectionHandler, NLog"/>
</configSections>

<location path="Task">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
<location path="Email">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
<location path="Email/test/test.htm">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
<location path="Email/test.htm">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
<location path="Subscriber">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
<location path="Report">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
<location path="NewReport">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
<location path="EmailSend">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
<location path="User">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
<location path="Trigger">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
<location path="Default.aspx">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>

<appSettings>
<add key="LogPath" value="d:\Log"/>
<add key="SubscriberImportPath" value="d:\data\star\UserUpload\"/>
<add key="UserPath" value="d:\data\star\fkImages\" />
<!--fckeditor-->
<add key="FCKeditor:BasePath" value="~/fckeditor/"/>
<add key="FCKeditor:UserFilesPath" value="d:/data/star/fkImages/"/>
<add key="FCKeditor:AttachDirectory" value="http://image.izacholsm.com/fkImages/"/>

<!--upload content-->
<add key="Domain" value="http://localhost" />
<add key="ImportImageExtension" value=".jpg,.jpeg,.gif,.png" />
<add key="ImportHtmlExtension" value=".html,.dhtml,.htm" />
<add key="UploadToImportExtension" value=".txt,.html,.dhtml,.htm,.zip" />
<!--QQWry.Dat数据库所在路径-->
<add key="QQWryPath" value="D:\focussend\web\track\QQWry.Dat"/>
<!--test postfix-->
<add key="TestPostfix" value="211.144.78.112" />
<!--小于该数字,则认为是测试邮件-->
<add key="MaxTestCount" value="100" />
<!--跟踪链接时将用户的链接替换成 http://www.greentomail.com/eid=55 这种样子 -->
<add key="MappingUrl" value="http://image.izacholsm.com/t/zz?t="/>
<add key="MappingUrlGuidDir" value="http://image.izacholsm.com/t/"/>
<!--如果该超链接里有该字符,则表示该链接要进行mapping-->
<add key="MappingKey" value="(((StarMap)))"/>
<!--如果该超链接里有该字符,则表示该链接要进行demapping-->
<add key="DeMappingKey" value="(((StarDeMap)))"/>
<add key="EmailPattern" value="^[a-z0-9A-Z-_.]+?@[a-z0-9A-Z-_.]+\.[a-z0-9A-Z-_.]+$"/>

<!--是否开放短信通知功能-->
<add key="IsSMSOn" value="true"/>
<!--有人注册则向该号码发短信-->
<add key="SignupSMSTo" value="13162596439;15021191249"/>
<!--有人发送时则向该号码发短信-->
<add key="SendTaskSMSTo" value="13162596439,13681623948"/>
<!--短信发送的账号-->
<add key="SendSMSAccountName" value="focussend"/>
<!--短信发送的密码-->
<add key="SendSMSPassWord" value="staredm123456"/>
<!--是否开放测试用户提交任务时发送短信功能-->
<add key="IsTesterTaskSMSOn" value="true"/>
<!--测试用户提交任务排除列表,比如我们公司的就不要通知了-->
<add key="TestTaskExceptAccounts" value="334" />
<!--是否开放测试用户提交任务时发送短信功能-->
<add key="IsTesterTaskSMSOn" value="true" />
<!--有测试用户提交任务则向该号码发短信-->
<add key="TestTaskSMSTo" value="13817064947,13162596431,13117551234"/>
<add key="TestDomain" value="lywsendm.com " />

<!--小批量短信提醒向该号发送短信-->
<add key="SmallSendTaskSMSTo" value="13162596439,13681623948"/>
<!--少于多少算是小批量发送-->
<add key="SmallBatchNum" value="100"/>
<!--内部小批量发送短信不提示UserID-->
<add key="SmallBatchUserID" value="584,793,1497,34,2297,1546,1550,298,788"/>
<!--转发时的发件人-->
<add key="TransmitSender" value="service@focussend.com" />
<!--贝塔斯曼 UserId -->
<add key="BertelsmannUserIds" value="1,29,43,44,48,72,84,91,98,138,144,168,23,33,-1" />
<!--可以开通代理商的UserId -->
<add key="CanAddAdminUserIds" value="33,262,366,597,900,1235,3931,5509,6448,5376,8484,7533,12823" />
<!--以下 UserId 可以修改发件人邮箱 -->
<add key="CanModifyFromEmailUserIds" value="328,365,266,334,369,214,499,530,574,482,691,815,584,1018,1341,883,1518,1519,1520,1901,1206,1723,2028,1724,2069,1980,2135,3358,1820,9557"/>
<!--app 的网站虚拟目录地址 -->
<add key="AppDomain" value="http://image.izacholsm.com/focussend"/>
<!--不需要审核的用户id-->
<add key="NotNeedAuditUserIds" value="499,673,574,660,778,839" />
<add key="NotNeedAuditUserSendEmailAmountSet" value="30" />
<!--代理商客户注册后,不需要审核的agentId-->
<add key="RegisNotNeedAuditAgentIds" value="3" />
<!--附件大小,默认为1MB-->
<add key="UpFileTotalSize" value="5242880" />
<!--最多能够上传附件数量-->
<add key="UpFileMaxNum" value="2" />
<!--一个任务的测试发送走IP设置-->
<add key="SendTaskTestSelectIP" value="182.50.8.227" />
<!--注册用户默认测试邮件数-->
<add key="RegisterUserTestNum" value="50" />

<!--大于等于该数值即为大批量-->
<add key="BigBatchCount" value="1000" />
<!--大于等于该数值,小于大批量即为批量-->
<add key="SmallBatchCount" value="500" />
<!--发送测试域名替换-->
<add key="TestTaskDomain" value="newsletter.postalstar.com/" />
<!--发送统计不执行精确计算用户,以“,”开始和结尾-->
<add key="IsSendCalculateTotal" value=",1468,394,793," />
<!--StarId 别名-->
<add key="StarIdAlias" value="s" />
<!--开启合并任务user-->
<add key="OpenMergeTask" value="-1,793,1229,394,34,172,174,584,1206,1723,1724,792,23,1972,1550,276,318,1525,1604,204,788,1468,"/>
<!--可以发送内嵌图片的用户id-->
<add key="CanEmbeddedUserIds" value="9616,584,664,1630,2551,1449,3329,793,3519,3760,3794,3083,3488,34,7047,9616" />
<!--插入自定义字段的最大数量 -->
<add key="CustomCount" value="60"/>
<!-- 添加用于存放用户添加或修改子账户点数的信息-->
<add key ="ChildAccountHavePointLogPath" value="d:\Log\ChildAccountHaveCountLog\"/>
<!-- spf解析后的所有域名信息-->
<add key="SpfDomain" value="focussend.com,staredm.cn,zxzsurvey.com,bjsend.com,211.144.78.0/24"/>
<!-- 小于此值进行精确计算-->
<add key="AccurateCount" value="1000"/>
<!--非法字符路径-->
<add key="TBodyLegalPath" value="D:\data\text"/>
<add key="UserTaskCount" value="-1" />
<add key="UserTotalUpdateEmail" value="-1" />
<add key="NotSetMaxSoftBounce" value="-1" />
<add key="DomainIsVisibleOC" value="-1" />
<!--自定义模版组的名称-->
<add key="UserTemplateGroupName" value="自定义模版组" />
<!--判断是否为默认活动-->
<add key="ISActivityId" value="-1"/>
<add key="ReportColorList" value="4674A9,AC4744,994CB9,8CA850,449CB3,DF873F,96ACD3,D59695,BCD199,AB9DC0"/>
</appSettings>

<nlog xmlns="http://www.nlog-project.org/schemas/NLog.xsd"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
autoReload="true">
<targets>
<!--日志自动分卷 5242880 bytes(5MB)-->
<target name="file"
xsi:type="File"
fileName="d:/log/app/${shortdate}.txt"
layout="${longdate} ${level} ${message} ${exception:format=tostring}"
archiveAboveSize="5242880"
ConcurrentWrites="false"
archiveNumbering="Rolling"/>
</targets>
<rules>
<!--Trace,Debug,Info,Warn,Error,Fatal-->
<logger name="*" minlevel="Info" writeTo="file"/>
</rules>
</nlog>

<connectionStrings>
<clear />
<!--<add name="StarConnectionString" connectionString="Data Source=STAREDM-EB92CF8;Initial Catalog=StarEdm;Persist Security Info=True;User ID=sa;Password=123456" providerName="System.Data.SqlClient"/>-->
<add name="StarConnectionString" connectionString="Data Source=192.168.0.10;Initial Catalog=StarEdm;Persist Security Info=True;User ID=sa;Password=data@0401" providerName="System.Data.SqlClient"/>
<add name="UserDataConnectionString" connectionString="Data Source=192.168.0.10;Initial Catalog=UserData;Persist Security Info=True;User ID=sa;Password=data@0401" providerName="System.Data.SqlClient" />
<add name="LinqModel.Properties.Settings.EmailSenderConnectionString"
connectionString="Data Source=192.168.0.10;Initial Catalog=EmailSender;Persist Security Info=True;User ID=sa;Password=data@0401" providerName="System.Data.SqlClient" />
<add name="LinqModel.Properties.Settings.StarEdmConnectionString"
connectionString="Data Source=192.168.0.10;Initial Catalog=StarEdm;Persist Security Info=True;User ID=sa;Password=data@0401"
providerName="System.Data.SqlClient" />
<add name="LinqModel.Properties.Settings.WebServiceConnectionString"
connectionString="Data Source=192.168.0.10;Initial Catalog=WebService;Persist Security Info=True;User ID=sa;Password=data@0401"
providerName="System.Data.SqlClient" />
<add name="StarEdmOldConnectionString" connectionString="Data Source=192.168.0.10;Initial Catalog=StarEdm_Old;Persist Security Info=True;User ID=sa;Password=data@0401" providerName="System.Data.SqlClient"/>
</connectionStrings>
<system.web>


<!--
设置 compilation debug="true" 可将调试符号插入
已编译的页面中。但由于这会
影响性能,因此只在开发过程中将此值
设置为 true。
-->
<identity impersonate="true" userName="xing1zhao" password="Liu@Focussend#1987Xing" />
<compilation debug="true">
<assemblies>
<add assembly="System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
<add assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
<add assembly="System.Data.DataSetExtensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
<add assembly="System.Xml.Linq, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
<add assembly="System.Data.Linq, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
</assemblies>
</compilation>
<!--
通过 <authentication> 节可以配置 ASP.NET 用来
识别进入用户的
安全身份验证模式。
-->
<!--<authentication mode="Windows"/>-->
<authentication mode="Forms">
<forms loginUrl="~/Login.aspx" name=".StarAuth" defaultUrl="~/Default.aspx"></forms>
</authentication>

<customErrors mode="RemoteOnly" defaultRedirect="wrong.html">
<error statusCode="403" redirect="wrong.html" />
<error statusCode="404" redirect="wrong.html" />
</customErrors>
<!--
如果在执行请求的过程中出现未处理的错误,
则通过 <customErrors> 节可以配置相应的处理步骤。具体说来,
开发人员通过该节可以配置
要显示的 html 错误页
以代替错误堆栈跟踪。
<customErrors mode="Off" defaultRedirect="GenericErrorPage.htm">
<error statusCode="403" redirect="NoAccess.htm" />
<error statusCode="404" redirect="FileNotFound.htm" />
</customErrors>
-->
<pages>
<controls>
<add tagPrefix="asp" namespace="System.Web.UI" assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
<add tagPrefix="asp" namespace="System.Web.UI.WebControls" assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
</controls>
</pages>
<httpHandlers>
<add verb="POST,GET" path="ajaxpro/*.ashx" type="AjaxPro.AjaxHandlerFactory,AjaxPro.2"/>
<remove verb="*" path="*.asmx"/>

<add verb="*" path="*.asmx" validate="false" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
<add verb="*" path="*_AppService.axd" validate="false" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
<add verb="GET,HEAD" path="ScriptResource.axd" type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" validate="false"/>
</httpHandlers>
<httpModules>
<add name="ScriptModule" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
</httpModules>
<httpRuntime maxRequestLength="8096" />
</system.web>
<system.codedom>
<compilers>
<compiler language="c#;cs;csharp" extension=".cs" warningLevel="4" type="Microsoft.CSharp.CSharpCodeProvider, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
<providerOption name="CompilerVersion" value="v3.5"/>
<providerOption name="WarnAsError" value="false"/>
</compiler>
<compiler language="vb;vbs;visualbasic;vbscript" extension=".vb" warningLevel="4" type="Microsoft.VisualBasic.VBCodeProvider, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
<providerOption name="CompilerVersion" value="v3.5"/>
<providerOption name="OptionInfer" value="true"/>
<providerOption name="WarnAsError" value="false"/>
</compiler>
</compilers>
</system.codedom>
<!--
在 Internet 信息服务 7.0 下运行 ASP.NET AJAX 需要 system.webServer
节。对早期版本的 IIS 来说则不需要此节。
-->
<system.webServer>
<validation validateIntegratedModeConfiguration="false"/>
<modules>
<remove name="ScriptModule"/>
<add name="ScriptModule" preCondition="managedHandler" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
</modules>
<handlers>
<remove name="WebServiceHandlerFactory-Integrated"/>
<remove name="ScriptHandlerFactory"/>
<remove name="ScriptHandlerFactoryAppServices"/>
<remove name="ScriptResource"/>
<add name="ScriptHandlerFactory" verb="*" path="*.asmx" preCondition="integratedMode" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
<add name="ScriptHandlerFactoryAppServices" verb="*" path="*_AppService.axd" preCondition="integratedMode" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
<add name="ScriptResource" preCondition="integratedMode" verb="GET,HEAD" path="ScriptResource.axd" type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
</handlers>
</system.webServer>
<runtime>
<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
<dependentAssembly>
<assemblyIdentity name="System.Web.Extensions" publicKeyToken="31bf3856ad364e35"/>
<bindingRedirect oldVersion="1.0.0.0-1.1.0.0" newVersion="3.5.0.0"/>
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name="System.Web.Extensions.Design" publicKeyToken="31bf3856ad364e35"/>
<bindingRedirect oldVersion="1.0.0.0-1.1.0.0" newVersion="3.5.0.0"/>
</dependentAssembly>
</assemblyBinding>
</runtime>

</configuration>

漏洞证明:

0x02:多处配置不当

http://vip.haolyy.com/.viminfo
http://sub.haolyy.com/.git/config
http://m.haolyy.com/.git/config
http://weixin.haolyy.com/.git/config

修复方案:

我是来找礼物的!

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:低

漏洞Rank:5

确认时间:2015-11-30 17:02

厂商回复:

感谢提交,谢谢。

最新状态:

暂无


漏洞评价:

评价