
Vulnerability summary

Defect ID: wooyun-2015-090347

Title: MES每实 internal sensitive information leak

Vendor: MES每实

Author: orange

Submitted: 2015-01-07 12:18

Fix time: 2015-02-21 12:20

Disclosure time: 2015-02-21 12:20

Type: internal confidential information leak

Severity: high

Self-assessed rank: 20

Status: vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org. For questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-01-07: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2015-02-21: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

MES每实 internal sensitive information leak, which also endangers 21cake

Details:

0x00 Keywords

github, llllllllllllllllllllllll


0x01 Process
Since I had submitted a 21cake vulnerability the day before, out of habit I went to GitHub and searched for the keyword "21cake"

[Screenshot: 21cake.png]


There seems to be something under "Code"

[Screenshot: 2015-01-06 16:59:33]


Hm?! (●′ω`●) svn, so I followed it

[Screenshot: 2015-01-06 17:06:46]


Looks like an SMS gateway; I tried logging in and found the account was disabled

[Screenshot: 2015-01-06 17:09:33]


Kept scrolling down

[Screenshot: 2015-01-06 17:19:14]


[Screenshot: 2015-01-06 17:23:02]


[Screenshot: 2015-01-06 17:26:49]


<?php
/**
 * Cake Detail
 * @copyright Copyright (c) 2012, 21cake food co.ltd
 * @author 21Cake Dev Team
 */

require(dirname(__FILE__) . '/includes/init.php');
$_REQUEST['act'] = empty($_REQUEST['act']) ? 'list' : trim($_REQUEST['act']);


Went straight to the author's GitHub profile

https://github.com/llllllllllllllllllllllll?tab=repositories


[Screenshot: 2015-01-06 17:37:09]


[Screenshot: 2015-01-06 17:39:08]


[Screenshot: 2015-01-06 17:39:14]


At a rough glance, the source belongs to www.mescake.com. Together with the "@author 21Cake Dev Team" seen earlier, I contacted 21cake staff to ask about the relationship between mes and 21cake, and learned that mes is their team in Beijing.

m_alladmin    m-cmsold  m_db_old       m_paltformadmin  m_webadmin
m_call m_crm m_html_static m_security mweb_main
m_callsearch m_db mordercms mstatic_main mweb_touch


That is a lot of material, so I used GitHub's built-in search to look for keywords such as pass, pwd, admin and mes

https://github.com/llllllllllllllllllllllll/mweb_main/search?utf8=%E2%9C%93&q=pass


$db_name   = "shop";

// database username
$db_user = "yucheng";

// database password
$db_pass = "yucheng";

// table prefix


[Screenshot: 2015-01-06 17:51:16]


https://github.com/llllllllllllllllllllllll/mordercms/search?utf8=%E2%9C%93&q=pass


$my_db_name_write   = "mescake";
$my_db_user_write = "root";
$my_db_pass_write = "";


// read-server configuration
$my_db_host_read = "210.51.166.149";
$my_db_name_read = "mescake";
$my_db_user_read = "root";
$my_db_pass_read = "";


https://github.com/llllllllllllllllllllllll/m_crm/search?p=2&q=admin&type=Code&utf8=%E2%9C%93


-- phpMyAdmin SQL Dump
-- version 4.0.10
-- http://www.phpmyadmin.net
--
-- Host: localhost
-- Generation time: 2014-04-25 09:43:43

INSERT INTO `userinfo` (`id`, `userid`, `userpwd`, `username`, `xingb`, `usertel`, `usermail`, `addtime`, `modytime`, `departmentid`, `parentid`, `departmentname`, `fuze`) VALUES
(00000000001, 'admin', 'admin', '管理员', '女', '1890115550', '', '', '', 0, -1, 'admin', '1');


[Screenshot: 2015-01-06 18:20:28]


https://github.com/llllllllllllllllllllllll/m_db/search?utf8=%E2%9C%93&q=admin


create table mes_admin(
id int(4) not null primary key auto_increment,
username char(20) not null,

INSERT INTO mes_admin (username,password,type) values ('mescakewebadmin','0B6763665B8AB1786EA78780E590ABFB',1);


https://github.com/llllllllllllllllllllllll/m_paltformadmin/search?utf8=%E2%9C%93&q=admin


create table platform_admin_user(
id int(5) not null primary key auto_increment,
realname char(20) not null,

password varchar(256) not null,
extension varchar(256)
);

insert into platform_admin_user (realname,email,type,password) values ('renyuan','renyuan','0','123456');


https://github.com/llllllllllllllllllllllll/m_paltformadmin/blob/5b74ba982b859c2128894cadf8a3f93cddbadb1c/config.json


[{
"name":"new_admin",
"chnName":"新版商品管理平台",
"url":"http://www.mescake.com/mescakewebadmin/index.php",
"icon":"iconfont-edit.png"
},{
"name":"old_admin",
"chnName":"旧版商品管理平台",
"url":"http://mes.admin.n.mescake.com/newcake/admin/privilege.php?act=login",
"icon":"iconfont-edit.png"
},{
"name":"order_search",
"chnName":"订单追踪系统(打单,配送)",
"url":"http://mes.admin.n.mescake.com/ordercms/privilege.php?act=login",
"icon":"iconfont-tijiaodingdan.png"
},{
"name":"cash_card",
"chnName":"礼金卡生成",
"url":"http://mes.admin.n.mescake.com/czk2/privilege.php?act=login",
"icon":"iconfont-huiyuanqia.png"
},{
"name":"email",
"chnName":"邮件系统",
"url":"http://ym.163.com/",
"icon":"iconfont-youjian.png"
},{
"name":"call",
"chnName":"客服系统",
"url":"http://mescall.n.mescake.com/order_all.php?agentuid=1000",
"icon":"iconfont-edit.png"
},{
"name":"bug",
"chnName":"BUG管理系统",
"url":"http://easybug.net/Member/Login?url=http%3a%2f%2feasybug.net%2fProject%2fProjectInfo%2f10557",
"icon":"iconfont-bug.png"
},{
"name":"wiki",
"chnName":"wiki系统",
"url":"http://wiki.n.mescake.com",
"icon":"iconfont-bug.png"
},{
"name":"sms",
"chnName":"短信平台",
"url":"http://sdk.kuai-xin.com:8888/logins.html",
"icon":"iconfont-faduanxin.png"
},{
"name":"crm",
"chnName":"客户关系管理系统",
"url":"http://crm.n.mescake.com:8081/",
"icon":"iconfont-crm.png"
}]


Of these, the customer-service system can be accessed directly

http://mescall.n.mescake.com/order_all.php?agentuid=1


[Screenshot: 2015-01-06 18:29:24]


The following one seems to involve the encryption algorithm

https://github.com/llllllllllllllllllllllll/m_security


I'll stop here

Proof of vulnerability:

As above

Fix recommendation:

Delete it, and raise security awareness
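A check a defender could run in a pre-commit hook to catch the kinds of files this report found (a PHP DB config with a hardcoded or empty root password, a phpMyAdmin dump that inserts admin rows) before they reach a public repository. This is an added example, not code from the report or from MES/21cake; the file contents, rule names and every value in them are constructed for illustration.

```python
import re
# Constructed sample files modelled on the report's finds (a PHP DB config and a
# phpMyAdmin dump with admin rows); every value is made up, the IP is an RFC 5737 address.
SAMPLE_FILES = {
    "includes/config.php": (
        '$db_name = "shop";\n'
        '$db_pass = "yucheng";\n'
        '$my_db_user_read = "root";\n'
        '$my_db_pass_read = "";\n'
        '$my_db_host_read = "203.0.113.10";\n'
    ),
    "sql/userinfo.sql": (
        "-- phpMyAdmin SQL Dump\n"
        "INSERT INTO `userinfo` (`id`, `userid`, `userpwd`) VALUES\n"
        "(1, 'admin', 'admin');\n"
        "insert into platform_admin_user (realname,email,type,password) "
        "values ('renyuan','renyuan','0','123456');\n"
    ),
}

# (finding id, regex); the first rule that matches a line wins.
RULES = [
    ("php-db-password", re.compile(r'\$\w*(?:pass|pwd)\w*\s*=\s*"([^"]*)"', re.I)),
    ("php-db-user-root", re.compile(r'\$\w*user\w*\s*=\s*"root"', re.I)),
    ("sql-user-table-insert", re.compile(r"insert\s+into\s+`?\w*(?:admin|user)\w*`?\s*\(", re.I)),
    ("sql-dump-header", re.compile(r"^--\s*phpMyAdmin SQL Dump", re.I)),
]

def scan_text(path, text):
    """Return (path, line_no, finding_id) for every line that trips a rule."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for finding_id, rx in RULES:
            m = rx.search(line)
            if m:
                # A DB account with an empty password gets its own id.
                if finding_id == "php-db-password" and m.group(1) == "":
                    finding_id = "php-empty-db-password"
                findings.append((path, line_no, finding_id))
                break
    return findings

def scan_files(files):
    """Scan a {path: contents} mapping, e.g. the files staged for a commit."""
    return [f for path, text in files.items() for f in scan_text(path, text)]

if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    print("\n".join(f"{p}:{n}: {fid}" for p, n, fid in results))
    raise SystemExit(1 if results else 0)  # non-zero exit blocks the commit in a hook
```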

Copyright notice: please credit the source when reposting: orange@WooYun


Vulnerability response

Vendor response:

Vendor could not be contacted, or vendor actively refused