当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0106736

漏洞标题:窝窝团某重要敏感信息泄露(含数据库配置等)

相关厂商:窝窝团

漏洞作者: 大王叫我去巡山

提交时间:2015-04-09 09:33

修复时间:2015-05-24 11:48

公开时间:2015-05-24 11:48

漏洞类型:重要敏感信息泄露

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-04-09: 细节已通知厂商并且等待厂商处理中
2015-04-09: 厂商已经确认,细节仅向厂商公开
2015-04-19: 细节向核心白帽子及相关领域专家公开
2015-04-29: 细节向普通白帽子公开
2015-05-09: 细节向实习白帽子公开
2015-05-24: 细节向公众公开

简要描述:

窝窝团某重要敏感信息泄露....
涉及订单、交易等接口信息.........

详细说明:

传送门:

http://116.213.178.81/data/config.php_bak


<?php
/*$db_host = "127.0.0.1:3306";
$db_name = "tuan2";
$db_user = "root";
$db_pass = "";*/
$db_host = "10.8.210.240:3306";
$db_user = "deployment";
$db_pass = "123456";
$db_name = "55tuan";
//新加分库(用户中心)连接代码
$dbuser_host = "10.8.210.240:3306";
$dbuser_name = "deployment";
$dbuser_user = "123456";
$dbuser_pass = "55tuan";
//专卖店库
$store_host = "10.8.210.240:3306";
$store_name = "stores";
$store_user = "deployment";
$store_pass = "123456";
$storerr_host = $store_host;
$storerr_name = $store_name;
$storerr_user = $store_user;
$storerr_pass = $store_pass;
//拆分的用户中心新库读取从库
$dbuserr_host = $dbuser_host;
$dbuserr_name = $dbuser_name;
$dbuserr_user = $dbuser_user;
$dbuserr_pass = $dbuser_pass;
//用户中心拆库读取完成
$dbsess_host = $db_host;
$dbsess_name = $db_name;
$dbsess_user = $db_user;
$dbsess_pass = $db_pass;
//salve 2
$dbrr_host = $db_host;
$dbrr_name = $db_name;
$dbrr_user = $db_user;
$dbrr_pass = $db_pass;
$dbrr1_host = $db_host;
$dbrr1_name = $db_name;
$dbrr1_user = $db_user;
$dbrr1_pass = $db_pass;
$cwdb_host = $db_host;
$cwdb_name = $db_name;
$cwdb_user = $db_user;
$cwdb_pass = $db_pass;
// table prefix
$prefix = "jeehe_";
$timezone = "Asia/Chongqing";
$cookie_path = "/";
$cookie_domain = ".wowotuan.com";
$session = "86400";
define('EC_CHARSET','gbk');
define('ADMIN_PATH','adminjeehe');
define('AUTH_KEY', 'this is a key');
define('OLD_AUTH_KEY', '');
define('PAY_ADMIN_NOTIFY_URL', 'http://10.8.210.3/adminNotify.do');
//支付中心异步退款接口
define('ASYN_REFUND_API', 'http://10.8.210.208/refundSubmit.do');
//支付中心同步退款接口
//define('SYN_REFUND_API', 'http://10.8.210.7/synRefund.do');
//联合登录服务器域名和路径
define('UNION_LOGIN_SERVER','test53.wowotuan.com');
define('UNION_LOGIN_PATH','/index.php?r=site/loginapi');
define('UNION_LOGIN_PORT','8080');
//联合登录写cookie的域名
define('UNION_LOGIN_COOKIE_DOMAIN','.wowotuan.com');
//5+3访问域名
define('UNION_LOGIN_SERVER_HTTP','http://admin.55tuan.com');
// session保存的方式file|memcache|memcached
define('SESSIONHANDLER', 'memcached');
// session保存到memcache时,memcache地址
define('SESSIONMEMCACHE', 'mem24.55tuan.me:40000');
//订单中心hessian接口地址
//订单查询相关
define('HESSIAN_ORDER_QUERY','http://10.8.210.207:8086/remoting/orderQuery');
//状态修改相关
define('HESSIAN_ORDER_STATUS_UPDATE','http://10.8.210.207:8086/remoting/orderQuery');
//订单中心订单更新接口
define('ORDER_UPDATE_API', 'http://10.8.210.207:8086/remoting/orderStatusUpdate');
//订单中心券状态更新接口
define('TICKET_UPDATE_API', 'http://10.8.210.207:8086/remoting/ticketUpdate');
//订单信息修改相关
define('HESSIAN_ORDER_UPDATE','http://10.8.210.207:8086/remoting/orderUpdate');
//券查询相关
define('HESSIAN_TICKET_QUERY','http://10.8.210.207:8086/remoting/ticketQuery');
//券更新相关
define('HESSIAN_TICKET_UPDATE','http://10.8.210.207:8086/remoting/ticketUpdate');
//商品库存更新
define('HESSIAN_GOODS_STORAGE_UPDATE','http://goodscenter53.55tuan.me:3456/hession/notifyService');
define('ModifySupplierPwd', 'http://10.8.210.193:916/Service.asmx/ModifyMerchantPassword');
//更新cdn接口用户名
define('HTML_USER_NAME','55tuan.com');
//更新cdn接口用户密码
define('HTML_USER_PASSWORD','fastweb_55tuan');
//更新cdn接口用户密钥
define('HTML_USER_KEY','fastweb');
//更新cdn接口域名
define('HTML_CDN_HOST','cs.fastweb.com.cn');
//更新cdn接口端口
define('HTML_CDN_PORT',80);
//更新cdn接口程序
define('HTML_CDN_URL','/interface/push_portal.php');
define ('FTP_URL','http://shops.55tuan.com');
//define ('FTP_DIR','172.16.50.75');
define ('FTP_DIR','116.213.178.15');
define ('FTP_USER','vsftp');
define ('FTP_PASSWORD','5czcmjE(vLk2');
define ('FTP_PORT',21);
define('LOGIN_IF', UNION_LOGIN_SERVER_HTTP);
define('STORES_MANAGE_HOST', 'http://newbee.wowotuan.com:8080');
?>

漏洞证明:

<?php
/*$db_host = "127.0.0.1:3306";
$db_name = "tuan2";
$db_user = "root";
$db_pass = "";*/
$db_host = "10.8.210.240:3306";
$db_user = "deployment";
$db_pass = "123456";
$db_name = "55tuan";
//新加分库(用户中心)连接代码
$dbuser_host = "10.8.210.240:3306";
$dbuser_name = "deployment";
$dbuser_user = "123456";
$dbuser_pass = "55tuan";
//专卖店库
$store_host = "10.8.210.240:3306";
$store_name = "stores";
$store_user = "deployment";
$store_pass = "123456";
$storerr_host = $store_host;
$storerr_name = $store_name;
$storerr_user = $store_user;
$storerr_pass = $store_pass;
//拆分的用户中心新库读取从库
$dbuserr_host = $dbuser_host;
$dbuserr_name = $dbuser_name;
$dbuserr_user = $dbuser_user;
$dbuserr_pass = $dbuser_pass;
//用户中心拆库读取完成
$dbsess_host = $db_host;
$dbsess_name = $db_name;
$dbsess_user = $db_user;
$dbsess_pass = $db_pass;
//salve 2
$dbrr_host = $db_host;
$dbrr_name = $db_name;
$dbrr_user = $db_user;
$dbrr_pass = $db_pass;
$dbrr1_host = $db_host;
$dbrr1_name = $db_name;
$dbrr1_user = $db_user;
$dbrr1_pass = $db_pass;
$cwdb_host = $db_host;
$cwdb_name = $db_name;
$cwdb_user = $db_user;
$cwdb_pass = $db_pass;
// table prefix
$prefix = "jeehe_";
$timezone = "Asia/Chongqing";
$cookie_path = "/";
$cookie_domain = ".wowotuan.com";
$session = "86400";
define('EC_CHARSET','gbk');
define('ADMIN_PATH','adminjeehe');
define('AUTH_KEY', 'this is a key');
define('OLD_AUTH_KEY', '');
define('PAY_ADMIN_NOTIFY_URL', 'http://10.8.210.3/adminNotify.do');
//支付中心异步退款接口
define('ASYN_REFUND_API', 'http://10.8.210.208/refundSubmit.do');
//支付中心同步退款接口
//define('SYN_REFUND_API', 'http://10.8.210.7/synRefund.do');
//联合登录服务器域名和路径
define('UNION_LOGIN_SERVER','test53.wowotuan.com');
define('UNION_LOGIN_PATH','/index.php?r=site/loginapi');
define('UNION_LOGIN_PORT','8080');
//联合登录写cookie的域名
define('UNION_LOGIN_COOKIE_DOMAIN','.wowotuan.com');
//5+3访问域名
define('UNION_LOGIN_SERVER_HTTP','http://admin.55tuan.com');
// session保存的方式file|memcache|memcached
define('SESSIONHANDLER', 'memcached');
// session保存到memcache时,memcache地址
define('SESSIONMEMCACHE', 'mem24.55tuan.me:40000');
//订单中心hessian接口地址
//订单查询相关
define('HESSIAN_ORDER_QUERY','http://10.8.210.207:8086/remoting/orderQuery');
//状态修改相关
define('HESSIAN_ORDER_STATUS_UPDATE','http://10.8.210.207:8086/remoting/orderQuery');
//订单中心订单更新接口
define('ORDER_UPDATE_API', 'http://10.8.210.207:8086/remoting/orderStatusUpdate');
//订单中心券状态更新接口
define('TICKET_UPDATE_API', 'http://10.8.210.207:8086/remoting/ticketUpdate');
//订单信息修改相关
define('HESSIAN_ORDER_UPDATE','http://10.8.210.207:8086/remoting/orderUpdate');
//券查询相关
define('HESSIAN_TICKET_QUERY','http://10.8.210.207:8086/remoting/ticketQuery');
//券更新相关
define('HESSIAN_TICKET_UPDATE','http://10.8.210.207:8086/remoting/ticketUpdate');
//商品库存更新
define('HESSIAN_GOODS_STORAGE_UPDATE','http://goodscenter53.55tuan.me:3456/hession/notifyService');
define('ModifySupplierPwd', 'http://10.8.210.193:916/Service.asmx/ModifyMerchantPassword');
//更新cdn接口用户名
define('HTML_USER_NAME','55tuan.com');
//更新cdn接口用户密码
define('HTML_USER_PASSWORD','fastweb_55tuan');
//更新cdn接口用户密钥
define('HTML_USER_KEY','fastweb');
//更新cdn接口域名
define('HTML_CDN_HOST','cs.fastweb.com.cn');
//更新cdn接口端口
define('HTML_CDN_PORT',80);
//更新cdn接口程序
define('HTML_CDN_URL','/interface/push_portal.php');
define ('FTP_URL','http://shops.55tuan.com');
//define ('FTP_DIR','172.16.50.75');
define ('FTP_DIR','116.213.178.15');
define ('FTP_USER','vsftp');
define ('FTP_PASSWORD','5czcmjE(vLk2');
define ('FTP_PORT',21);
define('LOGIN_IF', UNION_LOGIN_SERVER_HTTP);
define('STORES_MANAGE_HOST', 'http://newbee.wowotuan.com:8080');
?>

修复方案:

你懂的。

版权声明:转载请注明来源 大王叫我去巡山@乌云


漏洞回应

厂商回应:

危害等级:低

漏洞Rank:5

确认时间:2015-04-09 11:46

厂商回复:

非生产系统历史遗留问题。感谢白帽子帮我们发现问题~

最新状态:

2015-04-11:长期不用的测试机确实容易成为管理死角,已清理。