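Vulnerability ID: WooYun-2015-0127968
Title: EHang BBS source code archive leak and weak admin back-end password
Vendor: ehang.com
Author: W@1NUT
Submitted: 2015-07-21 08:13
Published: 2015-09-04 10:30
Vulnerability type: Sensitive information disclosure
Severity: High
Self-assessed Rank: 15
Status: Confirmed by vendor
Tags:
2015-07-21: Details reported to the vendor; awaiting vendor handling
2015-07-21: Vendor confirmed; details disclosed to the vendor only
2015-07-31: Details disclosed to core white hats and experts in related fields
2015-08-10: Details disclosed to regular white hats
2015-08-20: Details disclosed to intern white hats
2015-09-04: Details disclosed to the public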
Insufficient security awareness...
Source code archive leak URL:
http://bbs.ehang.com/uc_server.zip
Configuration:
<?php

$_config = array();

// ---------------------------- CONFIG DB ----------------------------- //
$_config['db']['1']['dbhost'] = 'localhost';
$_config['db']['1']['dbuser'] = 'root';
$_config['db']['1']['dbpw'] = 'ehang2014';
$_config['db']['1']['dbcharset'] = 'utf8';
$_config['db']['1']['pconnect'] = '0';
$_config['db']['1']['dbname'] = 'bbs_ehang';
$_config['db']['1']['tablepre'] = 'pre_';
$_config['db']['slave'] = '';
$_config['db']['common']['slave_except_table'] = '';

// -------------------------- CONFIG MEMORY --------------------------- //
$_config['memory']['prefix'] = 'jpW8xj_';
$_config['memory']['redis']['server'] = '';
$_config['memory']['redis']['port'] = 6379;
$_config['memory']['redis']['pconnect'] = 1;
$_config['memory']['redis']['timeout'] = '0';
$_config['memory']['redis']['requirepass'] = '';
$_config['memory']['redis']['serializer'] = 1;
$_config['memory']['memcache']['server'] = '';
$_config['memory']['memcache']['port'] = 11211;
$_config['memory']['memcache']['pconnect'] = 1;
$_config['memory']['memcache']['timeout'] = 1;
$_config['memory']['apc'] = 1;
$_config['memory']['xcache'] = 1;
$_config['memory']['eaccelerator'] = 1;
$_config['memory']['wincache'] = 1;

// -------------------------- CONFIG SERVER --------------------------- //
$_config['server']['id'] = 1;

// ------------------------- CONFIG DOWNLOAD -------------------------- //
$_config['download']['readmod'] = 2;
$_config['download']['xsendfile']['type'] = '0';
$_config['download']['xsendfile']['dir'] = '/down/';

// -------------------------- CONFIG OUTPUT --------------------------- //
$_config['output']['charset'] = 'utf-8';
$_config['output']['forceheader'] = 1;
$_config['output']['gzip'] = '0';
$_config['output']['tplrefresh'] = 1;
$_config['output']['language'] = 'zh_cn';
$_config['output']['staticurl'] = 'static/';
$_config['output']['ajaxvalidate'] = '0';
$_config['output']['iecompatible'] = '0';

// -------------------------- CONFIG COOKIE --------------------------- //
$_config['cookie']['cookiepre'] = 'kuUn_';
$_config['cookie']['cookiedomain'] = '';
$_config['cookie']['cookiepath'] = '/';

// ------------------------- CONFIG SECURITY -------------------------- //
$_config['security']['authkey'] = 'c16166FiNAF2HARV';
$_config['security']['urlxssdefend'] = 1;
$_config['security']['attackevasive'] = '0';
$_config['security']['querysafe']['status'] = 1;
$_config['security']['querysafe']['dfunction']['0'] = 'load_file';
$_config['security']['querysafe']['dfunction']['1'] = 'hex';
$_config['security']['querysafe']['dfunction']['2'] = 'substring';
$_config['security']['querysafe']['dfunction']['3'] = 'if';
$_config['security']['querysafe']['dfunction']['4'] = 'ord';
$_config['security']['querysafe']['dfunction']['5'] = 'char';
$_config['security']['querysafe']['daction']['0'] = '@';
$_config['security']['querysafe']['daction']['1'] = 'intooutfile';
$_config['security']['querysafe']['daction']['2'] = 'intodumpfile';
$_config['security']['querysafe']['daction']['3'] = 'unionselect';
$_config['security']['querysafe']['daction']['4'] = '(select';
$_config['security']['querysafe']['daction']['5'] = 'unionall';
$_config['security']['querysafe']['daction']['6'] = 'uniondistinct';
$_config['security']['querysafe']['dnote']['0'] = '/*';
$_config['security']['querysafe']['dnote']['1'] = '*/';
$_config['security']['querysafe']['dnote']['2'] = '#';
$_config['security']['querysafe']['dnote']['3'] = '--';
$_config['security']['querysafe']['dnote']['4'] = '"';
$_config['security']['querysafe']['dlikehex'] = 1;
$_config['security']['querysafe']['afullnote'] = '0';

// -------------------------- CONFIG ADMINCP -------------------------- //
// -------- Founders: $_config['admincp']['founder'] = '1,2,3'; --------- //
$_config['admincp']['founder'] = '1';
$_config['admincp']['forcesecques'] = '0';
$_config['admincp']['checkip'] = 1;
$_config['admincp']['runquery'] = '0';
$_config['admincp']['dbimport'] = 1;

// -------------------------- CONFIG REMOTE --------------------------- //
$_config['remote']['on'] = '0';
$_config['remote']['dir'] = 'remote';
$_config['remote']['appkey'] = '62cf0b3c3e6a4c9468e7216839721d8e';
$_config['remote']['cron'] = '0';

// --------------------------- CONFIG INPUT --------------------------- //
$_config['input']['compatible'] = 1;

// ------------------- THE END -------------------- //
?>
uc_key:
<?php
define('UC_CONNECT', 'mysql');
define('UC_DBHOST', 'localhost');
define('UC_DBUSER', 'root');
define('UC_DBPW', 'ehang2014');
define('UC_DBNAME', 'bbs_ehang');
define('UC_DBCHARSET', 'utf8');
define('UC_DBTABLEPRE', '`bbs_ehang`.pre_ucenter_');
define('UC_DBCONNECT', 0);
define('UC_CHARSET', 'utf-8');
define('UC_KEY', '6aXcE6H0Hau7I528ofZ3L6Y7k9D6Zfu9MeT9R8Jczd1bW0v4D688c1teGcG3gcw2');
define('UC_API', 'http://bbs.ehang.com/uc_server');
define('UC_APPID', '1');
define('UC_IP', '');
define('UC_PPP', 20);
?>
UCenter weak password:
ehang2014
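The root cause above is an archive left inside the web root with configuration files in it. The following is an added example, not part of the original report or of any vendor tooling: a local audit that walks a document root, lists archive and backup files a web server would hand out, and opens zip files to report which PHP members define the secret keys seen in this report. The extension list, the sample member path and the placeholder values are constructed assumptions.

```python
import os
import re
import tempfile
import zipfile

# Extensions a web server typically serves as static downloads (assumed list).
ARCHIVE_EXT = (".zip", ".tar", ".tar.gz", ".tgz", ".rar", ".7z", ".sql", ".bak")
# Key names taken from the config shown in this report; values are never captured.
SECRET_KEYS = re.compile(rb"\b(dbpw|authkey|appkey|UC_DBPW|UC_KEY)\b")

def secrets_in_zip(path):
    """Return {member: sorted key names} for PHP files in a zip that define secrets."""
    hits = {}
    with zipfile.ZipFile(path) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".php"):
                continue
            keys = {m.decode() for m in SECRET_KEYS.findall(zf.read(info))}
            if keys:
                hits[info.filename] = sorted(keys)
    return hits

def audit_docroot(docroot):
    """Walk a web root and list downloadable archives with any secrets inside them."""
    findings = []
    for base, _dirs, files in os.walk(docroot):
        for name in files:
            if not name.lower().endswith(ARCHIVE_EXT):
                continue
            full = os.path.join(base, name)
            rel = os.path.relpath(full, docroot).replace(os.sep, "/")
            secrets = secrets_in_zip(full) if zipfile.is_zipfile(full) else {}
            findings.append({"url_path": "/" + rel, "secrets": secrets})
    return sorted(findings, key=lambda f: f["url_path"])

def build_sample_docroot():
    """Constructed sample: a docroot holding an archive with a placeholder config."""
    root = tempfile.mkdtemp()
    with zipfile.ZipFile(os.path.join(root, "uc_server.zip"), "w") as zf:
        zf.writestr("uc_server/data/config.inc.php",  # constructed member path
                    "<?php define('UC_DBPW', 'PLACEHOLDER'); define('UC_KEY', 'PLACEHOLDER');")
        zf.writestr("uc_server/index.php", "<?php echo 'ok';")
    open(os.path.join(root, "index.php"), "w").close()
    return root

if __name__ == "__main__":
    for f in audit_docroot(build_sample_docroot()):
        print(f["url_path"], f["secrets"])
```

Any finding with a non-empty `secrets` map means the listed credentials should be treated as exposed and rotated, not just the archive removed.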
Severity: High
Vulnerability Rank: 15
Confirmation time: 2015-07-21 10:29
Confirmed, thank you!
None yet