Vulnerability summary

Defect ID: wooyun-2016-0173331

Title: Improper configuration of the Lakala (拉卡拉) crowdfunding platform leaks information and threatens the intranet

Vendor: 拉卡拉网络技术有限公司 (Lakala Network Technology Co., Ltd.)

Author: 路人甲

Submitted: 2016-01-28 14:13

Fixed: 2016-03-14 15:10

Published: 2016-03-14 15:10

Type: Improper system/service operations configuration

Severity: High

Self-assessed Rank: 10

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2016-01-28: Details sent to the vendor; awaiting vendor response
2016-02-01: Vendor confirmed; details disclosed to the vendor only
2016-02-11: Details disclosed to core white hats and domain experts
2016-02-21: Details disclosed to regular white hats
2016-03-02: Details disclosed to intern white hats
2016-03-14: Details disclosed to the public

Brief description:

As the title says.

Detailed description:

Proof of vulnerability:

Backup source code download address:
http://zc.lakala.com/default.zip
Leaked SMS interface configuration:

<?php
return array(
    /* SMS platform configuration */
    'KAOLA' => array(
        'SMS_API_KEY' => 'sadreaman',
        'SMS_SIGN' => 'yyb123456',
    )
);


The configuration is used here, in the admin template:

<div class="bg padding ">短信平台配置</div>
<div class="height-large padding border-bottom x12">
    <span class="text-gray x2 padding height">短信平台</span>
    <span class="x5" >
        <a href="http://www.smsbao.com/reg?r=5001" target="_blank">短信宝增值平台</a>
        <span class="text-gray padding-left"></span>
    </span>
    <span class="x1" >
        <button class="config button border-sub">配置</button>
    </span>
</div>
<div class="height-large padding border-bottom x12">
    <span class="text-gray x2 padding height">短信接口帐号</span>
    <span class="x5" >
        {$Think.config.KAOLA.SMS_API_KEY}
        <span class="text-gray padding-left"></span>
    </span>
</div>


Database configuration file:

<?php
return array (
    'DB_TYPE' => 'mysql',
    'DB_HOST' => 'localhost',
    'DB_NAME' => 'lakala_zc',
    'DB_USER' => 'root',
    'DB_PWD' => '',
    'tiyan' => '1',
    'DB_PREFIX' => 'kl_',
    'DB_PORT' => '3306',
);
?>


The database root account has an empty password.
Intranet:

$config = array(
    // 'option' => 'value'
    'URL_MODEL' => 3, // 2 removes index.php from URLs
    'DB_FIELDTYPE_CHECK' => true,
    'TMPL_STRIP_SPACE' => true,
    'OUTPUT_ENCODE' => true, // compressed page output
    'MODULE_ALLOW_LIST' => array('Home','User','Admin','Install'),
    'DEFAULT_MODULE' => 'Home', // default module
    // encryption mix value
    'AUTH_CODE' => 'KAOLA',
    // database configuration

    /* 'SESSION_OPTIONS' => array(
        'type' => 'db', // store sessions in the database
        'expire' => 604800, // session lifetime; if unset, the php.ini default applies
    ), */
    'SESSION_TABLE' => 'kl_session', // must be set exactly like this: without the prefix the table is not found
    'TAGLIB_BUILD_IN' => 'cx,TagLib\Kl', // Lakala tag library
    'TAGLIB_PRE_LOAD' => 'TagLib\Kl', // Lakala namespace
    'URL' => 'http://10.5.31.13:9060/adaptor/convert.do', // Lakala URL
);


This shows that the server has a path into the intranet:
http://10.5.31.13:9060/adaptor/convert.do

Site configuration file:

<?php
return array (
    'sitename' => '拉卡拉众筹系统',
    'domain' => 'http://www.zc.lakala.com',
    'logo' => '/uploads/3/20151127/klcms_1448610573678.png',
    'title' => '拉卡拉众筹系统',
    'keywords' => '拉卡拉众筹管理后台',
    'desc' => '拉卡拉众筹管理后台',
    'huancun' => '3600',
    'upload_exts' => '',
    'rootPath' => '',
    'URL_MODEL' => '3',
);
?>
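As an added defender's check (not part of the original report or of the site's own code), the following Python script parses ThinkPHP-style `return array(...)` configuration files like the SMS, database and application configs quoted above and flags the weaknesses this report shows: an empty database password, a database user of root, hardcoded API keys and signing secrets, and URLs that point at private-range addresses. `parse_php_config`, `audit_config` and all sample values are constructed placeholders, not the real leaked secrets.

```python
import re
import ipaddress
from urllib.parse import urlparse

# Hypothetical audit helper: flat 'KEY' => 'value' pairs of a ThinkPHP-style PHP config array.
PAIR_RE = re.compile(r"'([A-Za-z_][A-Za-z0-9_]*)'\s*=>\s*'([^']*)'")
# Key names that usually hold credentials or signing material.
SECRET_KEY_RE = re.compile(r"KEY|PWD|PASS|SIGN|SECRET|AUTH_CODE", re.I)


def parse_php_config(text):
    """Return the quoted string key/value pairs found in a PHP `return array(...)` file."""
    return dict(PAIR_RE.findall(text))


def audit_config(text):
    """Return (finding, key) tuples for the misconfigurations shown in this report."""
    findings = []
    for key, value in parse_php_config(text).items():
        if key == "DB_USER" and value == "root":
            findings.append(("DB_RUNS_AS_ROOT", key))
        if key == "DB_PWD" and value == "":
            findings.append(("EMPTY_DB_PASSWORD", key))
        elif SECRET_KEY_RE.search(key) and value:
            findings.append(("HARDCODED_SECRET", key))
        if value.startswith(("http://", "https://")):
            host = urlparse(value).hostname or ""
            try:
                if ipaddress.ip_address(host).is_private:
                    findings.append(("INTERNAL_ENDPOINT", key))
            except ValueError:  # hostname rather than an IP literal
                pass
    return findings


# Constructed samples modelled on the leaked files; the values are placeholders.
SAMPLE_DB_CONFIG = """<?php return array (
  'DB_TYPE' => 'mysql', 'DB_HOST' => 'localhost', 'DB_NAME' => 'example_zc',
  'DB_USER' => 'root', 'DB_PWD' => '', 'DB_PREFIX' => 'kl_', 'DB_PORT' => '3306',
);?>"""

SAMPLE_APP_CONFIG = """<?php return array(
  'KAOLA' => array(
    'SMS_API_KEY' => 'EXAMPLE_API_KEY',
    'SMS_SIGN' => 'EXAMPLE_SIGN',
  ),
  'AUTH_CODE' => 'EXAMPLE_CODE',
  'URL' => 'http://10.0.0.5:9060/adaptor/convert.do',
);"""
```

Run `audit_config` over every `*.php` under the web root's config directories (and over any archive found there) as a pre-deployment check; a non-empty result should block the deploy.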


Intranet addresses and investor information appear in the application's trace log:


Log path: Runtime\Logs\Admin\15_12_03.log

Remediation:

Copyright notice: when reposting, please credit 路人甲@乌云


Vulnerability response

Vendor response:

Severity: Low

Vulnerability Rank: 1

Confirmed: 2016-02-01 11:31

Vendor reply:

Caused by a misconfiguration; it has been handled, thank you.

Latest status:

None yet