Baidu leaked git information to getshell roaming Intranet

Baidu leaked git information to getshell roaming Intranet

The killer is in hand. I have it all!

Http://hybrid.baidu.com/.git/config

A git Information Leak allows you to download code;

➜  hybrid.baidu.com git:(master) ✗ ls -lhtotal 0drwxr-xr-x  22 tank  staff   748B  5 15 12:46 generaldrwxr-xr-x  20 tank  staff   680B  5 15 13:09 wenku

There is an upload. php file in it. Check it out.

 /*** Upload */error_reporting (0); session_start (); $ allow_sep = "1"; // restrict the upload repeat time to prevent refresh of this file in a short time, in seconds, if (isset ($ _ SESSION ['Post _ sep']) {if (time () -$ _ SESSION ['Post _ sep'] <$ allow_sep) {exit ('wait 1 second ');} else {$ _ SESSION ['Post _ sep'] = time () ;}} else {$ _ SESSION ['Post _ sep'] = time ();} date_default_timezone_set ('Asia/Shanghai'); if ($ _ SERVER ['request _ URI ']) {$ temp = urldecode ($ _ SERVER ['request _ URI']); if (strpos ($ Temp, '<')! = False | strpos ($ temp, '> ')! = False | strpos ($ temp ,'(')! = False | strpos ($ temp ,'"')! = False) {exit ('request Bad url') ;}} if ($ _ FILES ['filedata'] ['SIZE']! = 0) {if (isset ($ _ FILES ['filedata']) & is_array ($ _ FILES ['filedata']) {$ attach = $ _ FILES ['filedata'];} $ max_upload_size = 10485760; // in bytes $ old_attachName = mb_detect_encoding ($ attach ['name']) = 'utf-8 '? $ Attach ['name']: iconv ('gbk', "UTF-8", $ attach ['name']); $ attach ['text'] = explode ('. ', $ attach ['name']); if ($ length = count ($ attach ['text'])> 1) {$ ext = strtolower ($ attach ['text'] [$ length-1]);} $ year = date ("Y "); $ month = date ("m"); $ day = date ("d"); $ fnamehash = md5 (uniqid (microtime ())); // The fnamehash variable is the MD5 hash of the current time. Rename the attachment name $ new_dir_name = $ year. '-'. $ month. '-'. $ day. '-'. $ fnamehash; $ object = '/www '. '. '. $ ext; if (! File_exists (dirname (_ FILE __). '/temp /'. $ new_dir_name) {mkdir (dirname (_ FILE __). '/temp /'. $ new_dir_name, 0777);} $ path = $ attach ['tmp _ name']; $ opt = array ("filename" => $ old_attachName, "acl" => "public-read"); move_uploaded_file ($ path, dirname (_ FILE __). "/temp /". $ new_dir_name. $ object); // echo" http://10.42.82.59/zhaojie/temp ". $ Object; echo dirname (_ FILE __). "/temp /". $ new_dir_name. $ object; return; // require_once ('. /bcs. class. php ');/* $ host = 'bcs -sandbox.baidu.com'; // offline $ ak = 'hangzhou'; $ sk = '6xvpohr2tcpkhxgbhltfzpqrq0ogamywa '; $ bucket = 'auto-pack-bucket-nanjing '; $ baidu_bcs = new BaiduBCS ($ ak, $ sk, $ host ); if ($ attach ['SIZE']> $ max_upload_size) {// @ unlink ($ attach ['tmp _ name']); ech O 'max limited';} $ response = $ baidu_bcs-> create_object ($ bucket, $ object, $ path, $ opt); // upload the attachment if (! $ Response-> isOK () die ("upload object failed. "); $ opt = array (); $ opt [" time "] = time () + 3600; // optional, the link takes effect for one hour after the linux timestamp */echo $ baidu_bcs-> generate_get_object_url ($ bucket, $ object, $ opt);}?>

Getshell
 

 
Http://hybrid.baidu.com/wenku/temp/2015-05-15-e876c4f4056327c58fa22e467e8e5d7f/www.php
 




 


 

 
Solution:
Git