当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-090347

漏洞标题:MES每实内部敏感信息泄露

相关厂商:MES每实

漏洞作者: orange

提交时间:2015-01-07 12:18

修复时间:2015-02-21 12:20

公开时间:2015-02-21 12:20

漏洞类型:内部绝密信息泄漏

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-01-07: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-02-21: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

MES每实内部敏感信息泄露,危及21cake

详细说明:

0x00 关键字

github,llllllllllllllllllllllll


0x01 过程
由于昨天提交了一个21cake的漏洞,出于习惯就上了一下github,搜索关键字 “21cake”

21cake.png


code那里好像有东西

2015-01-06 16:59:33屏幕截图.png


嗯?! (●′ω`●) svn,顺势看了下去

2015-01-06 17:06:46屏幕截图.png


貌似是短信接口,登了一下发现账户被禁用

2015-01-06 17:09:33屏幕截图.png


继续往下翻

2015-01-06 17:19:14屏幕截图.png


2015-01-06 17:23:02屏幕截图.png


2015-01-06 17:26:49屏幕截图.png


<?php
2	/**
3	 * Cake Detail
4	 * @copyright Copyright (c) 2012, 21cake food co.ltd
5	 * @author 21Cake Dev Team

5	 * @author 21Cake Dev Team
6	 */
7	
8	require(dirname(__FILE__) . '/includes/init.php');
9	$_REQUEST['act'] = empty($_REQUEST['act']) ? 'list' : trim($_REQUEST['act']);


直接进入作者的github主页

https://github.com/llllllllllllllllllllllll?tab=repositories


2015-01-06 17:37:09屏幕截图.png


2015-01-06 17:39:08屏幕截图.png


2015-01-06 17:39:14屏幕截图.png


粗略看了下,源码属于www.mescake.com,加上之前看到@author 21Cake Dev Team于是就联系了一下21cake的工作人员,询问mes与21cake的联系,得知mes是他们在北京的团队

m_alladmin    m-cmsold  m_db_old       m_paltformadmin  m_webadmin
m_call        m_crm     m_html_static  m_security       mweb_main
m_callsearch  m_db      mordercms      mstatic_main     mweb_touch


信息量略大,就用github自带的检索功能,搜索 pass, pwd ,admin,mes等关键字

https://github.com/llllllllllllllllllllllll/mweb_main/search?utf8=%E2%9C%93&q=pass


$db_name   = "shop";
7	
8	// database username
9	$db_user   = "yucheng";
10	
11	// database password
12	$db_pass   = "yucheng";
13	
14	// table prefix


2015-01-06 17:51:16屏幕截图.png


https://github.com/llllllllllllllllllllllll/mordercms/search?utf8=%E2%9C%93&q=pass


5	$my_db_name_write   = "mescake";
6	$my_db_user_write   = "root";
7	$my_db_pass_write   = "";
8	
9	
10	//读操作服务器配置
11	$my_db_host_read   = "210.51.166.149";

11	$my_db_host_read   = "210.51.166.149";
12	$my_db_name_read   = "mescake";
13	$my_db_user_read   = "root";
14	$my_db_pass_read   = "";


https://github.com/llllllllllllllllllllllll/m_crm/search?p=2&q=admin&type=Code&utf8=%E2%9C%93


1	-- phpMyAdmin SQL Dump
2	-- version 4.0.10
3	-- http://www.phpmyadmin.net
4	--
5	-- 主机: localhost
6	-- 生成日期: 2014-04-25 09:43:43

553	INSERT INTO `userinfo` (`id`, `userid`, `userpwd`, `username`, `xingb`, `usertel`, `usermail`, `addtime`, `modytime`, `departmentid`, `parentid`, `departmentname`, `fuze`) VALUES
554	(00000000001, 'admin', 'admin', '管理员', '女', '1890115550', '', '', '', 0, -1, 'admin', '1');


2015-01-06 18:20:28屏幕截图.png


https://github.com/llllllllllllllllllllllll/m_db/search?utf8=%E2%9C%93&q=admin


create table mes_admin(
2	 id int(4) not null primary key auto_increment,
3	 username char(20) not null,

8	INSERT INTO mes_admin (username,password,type) values ('mescakewebadmin','0B6763665B8AB1786EA78780E590ABFB',1);


https://github.com/llllllllllllllllllllllll/m_paltformadmin/search?utf8=%E2%9C%93&q=admin


create table platform_admin_user(
2	 id int(5) not null primary key auto_increment,
3	 realname char(20) not null,

6	 password varchar(256) not null,
7	 extension varchar(256)
8	);
9	
10	insert into platform_admin_user (realname,email,type,password) values ('renyuan','renyuan','0','123456');


https://github.com/llllllllllllllllllllllll/m_paltformadmin/blob/5b74ba982b859c2128894cadf8a3f93cddbadb1c/config.json


[{
  "name":"new_admin",
  "chnName":"新版商品管理平台",
  "url":"http://www.mescake.com/mescakewebadmin/index.php",
  "icon":"iconfont-edit.png"
},{
  "name":"old_admin",
  "chnName":"旧版商品管理平台",
  "url":"http://mes.admin.n.mescake.com/newcake/admin/privilege.php?act=login",
  "icon":"iconfont-edit.png"
},{
  "name":"order_search",
  "chnName":"订单追踪系统(打单,配送)",
  "url":"http://mes.admin.n.mescake.com/ordercms/privilege.php?act=login",
  "icon":"iconfont-tijiaodingdan.png"
},{
  "name":"cash_card",
  "chnName":"礼金卡生成",
  "url":"http://mes.admin.n.mescake.com/czk2/privilege.php?act=login",
  "icon":"iconfont-huiyuanqia.png"
},{
  "name":"email",
  "chnName":"邮件系统",
  "url":"http://ym.163.com/",
  "icon":"iconfont-youjian.png"
},{
  "name":"call",
  "chnName":"客服系统",
  "url":"http://mescall.n.mescake.com/order_all.php?agentuid=1000",
  "icon":"iconfont-edit.png"
},{
  "name":"bug",
  "chnName":"BUG管理系统",
  "url":"http://easybug.net/Member/Login?url=http%3a%2f%2feasybug.net%2fProject%2fProjectInfo%2f10557",
  "icon":"iconfont-bug.png"
},{
  "name":"wiki",
  "chnName":"wiki系统",
  "url":"http://wiki.n.mescake.com",
  "icon":"iconfont-bug.png"
},{
  "name":"sms",
  "chnName":"短信平台",
  "url":"http://sdk.kuai-xin.com:8888/logins.html",
  "icon":"iconfont-faduanxin.png"
},{
  "name":"crm",
  "chnName":"客户关系管理系统",
  "url":"http://crm.n.mescake.com:8081/",
  "icon":"iconfont-crm.png"
}]


其中客服系统可以直接访问

http://mescall.n.mescake.com/order_all.php?agentuid=1


2015-01-06 18:29:24屏幕截图.png


下面的好像涉及到加密算法

https://github.com/llllllllllllllllllllllll/m_security


就贴这些吧

漏洞证明:

如上

修复方案:

删除吧, 提高安全意识

版权声明:转载请注明来源 orange@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝