2014-12-19: 细节已通知厂商并且等待厂商处理中 2014-12-24: 厂商已经主动忽略漏洞,细节向公众公开
...
钱方互动哈巴https://github.com/jinstrive/hack_flavor/blob/cc9310b651e1eb0bf1ed17c1773fec2751ad841a/server/conf/settings.py
#-*- coding:utf-8 -*-import osfrom qfcommon.base import loggerlogger.install()SITE = 'china'SITE = 'inter'class const: MYSQL_USER = "qf" MYSQL_PASS = "123456" MYSQL_HOST = "127.0.0.1" MYSQL_PORT = "3306"class redis_conf: host = '172.100.101.150' port = 6388 db = 1import loggingDATA_NAME = "test_qf_trade"WX_EMAIL = "qmmzh@qfpay.com"WX_PW = "qmm2013"YEEPAY_PUBLIC_KEY = '/home/zzzz/zhonglin/gitlib/weidian/conf/yeepay/rsa_public_key.pem'YEEPAY_PRIVATE_KEY ='/home/zzzz/zhonglin/gitlib/weidian/conf/yeepay/pkcs8_rsa_private_key.pem'SUBSCRIBE_PIC = ""#openapi调用keyQFPAY_OPENAPI_KEY = "qf_api_key"#范围DIS = 3000#openapi地址QFPAY_OPENAPI_LOACTION_URL = "http://1.openapi2.qfpay.com/merchant/v1/search?key=%s&lng=%s&lat=%s&dis=%s&mcc=%s&pagesize=%s&page=%s"QFPAY_OPENAPI_CARD_URL = "http://1.openapi2.qfpay.com/membercard/v1/member/shops?key=%s&mobile=%s&limit=%s&offset=%s"QFPAY_OPENAPI_RECORD_URL = "http://1.openapi2.qfpay.com/trade/v1/customerdeal?key=%s&mobile=%s&stat=%s&month=%s"QFPAY_SMS_URL = "http://1.openapi2.qfpay.com/util/v1/sendsms"BANNER_PIC = "%s/static/banner/%s.png"MONTH_PIC = "%s/static/icon/m%s.png"MCC_PIC = "%s/static/icon/l%s.png"BIND_PIC = "%s/static/icon/bind.png"GUA_PIC = "%s/static/icon/gua.png"COUPON_PIC = "%s/static/icon/coupon.png"FIND_LOCATION_PIC = "%s/static/location.jpg"#"http://www.qfpay.com/wp-content/uploads/2013/06/2.0C.png"MERCHANT_PIC_URL = "http://gezipuzi.com/img/%s/shop_midd.jpg"MERCHANT_PIC_URL_ = "%s/static/shop/%s.jpg"MAX_PAGE_LEN = 10#PAGE_RETURN_HOME = "http://0.qfuser.duapp.com" #web.ctx.homePAGE_RETURN_HOME = "http://dev.qfpay.net"#商家对应的MCCNAIL_MCC= "3007"CLOTH_MCC = "1"FOOD_MCC = "13"BEAUTY_MCC = "3001"TOOL_SERVER = {'ip': '192.168.10.4', 'port': 4401, 'timeout': 2000}QFUSER_SERVER = {'ip': '192.168.10.11', 'port': 4900, 'timeout': 4000}SESSION_SERVER = {'ip': '192.168.30.4', 'port':4700, 'timeout':4000}#cache失效时间SESSION_TIMEOUT = 600#自动关闭订单时间 单位 分钟ORDER_SYS_AUTO_CLOSED_INTERVAL = 30textTpl = """<xml> <ToUserName><![CDATA[%s]]></ToUserName> <FromUserName><![CDATA[%s]]></FromUserName> <CreateTime>%s</CreateTime> <MsgType><![CDATA[%s]]></MsgType> <Content><![CDATA[%s]]></Content> <FuncFlag>0</FuncFlag> </xml>"""imgTpl = """<xml> <ToUserName><![CDATA[%s]]></ToUserName> <FromUserName><![CDATA[%s]]></FromUserName> <CreateTime>%s</CreateTime> <MsgType><![CDATA[%s]]></MsgType> <ArticleCount>2</ArticleCount> <Articles> </Articles> </xml>"""imgTextTpl = """<xml> <ToUserName><![CDATA[%s]]></ToUserName> <FromUserName><![CDATA[%s]]></FromUserName> <CreateTime>%s</CreateTime> <MsgType><![CDATA[%s]]></MsgType> <ArticleCount>%s</ArticleCount> <Articles> %s </Articles> </xml>"""itemTpl = """<item> <Title><![CDATA[%s]]></Title> <Description><![CDATA[%s]]></Description> <PicUrl><![CDATA[%s]]></PicUrl> <Url><![CDATA[%s]]></Url> </item>"""#优惠列表couponList =[ ["麦当劳","http://m.qfpay.com/qpos/coupon/","http://m.qfpay.com/wp-content/uploads/2013/07/mlogo.jpg"], ["东方既白","http://m.qfpay.com/coupon_d/","http://m.qfpay.com/wp-content/uploads/2013/09/dongfanglogo.png"], ["汉堡王","http://m.qfpay.com/coupon_b/","http://m.qfpay.com/wp-content/uploads/2013/09/burgerkinglogo.jpg"], ["呷浦呷浦","http://m.qfpay.com/coupon_s/","http://m.qfpay.com/wp-content/uploads/2013/09/shabulogo.jpg"], ["好伦哥","http://m.qfpay.com/coupon_o/","http://m.qfpay.com/wp-content/uploads/2013/09/origus.jpg"], ["豪客来","http://m.qfpay.com/coupon_h/","http://m.qfpay.com/wp-content/uploads/2013/09/houcallerlogo.jpg"],]APP_ROOT_PATH = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))GRAY_VERSION = 0log_conf = { 'version': 1, 'disable_existing_loggers': True, 'formatters': { 'myformat': { 'format': '%(asctime)s %(process)d,%(threadName)s %(filename)s:%(lineno)d [%(levelname)s] %(message)s' } }, 'handlers': { 'console': { 'class': 'logging.ScreenHandler', 'formatter': 'myformat', 'level': 'DEBUG', 'stream': 'ext://sys.stdout' }, 'info_file': { 'class': 'logging.handlers.RotatingFileHandler', 'formatter': 'myformat', 'level': 'DEBUG', 'filename': '%s/log/%s.membercard_wx.info.log'% (APP_ROOT_PATH, GRAY_VERSION) }, 'error_file': { 'class': 'logging.handlers.RotatingFileHandler', 'formatter': 'myformat', 'level': 'ERROR', 'filename': '%s/log/%s.membercard_wx.error.log'% (APP_ROOT_PATH, GRAY_VERSION) } }, 'loggers': { 'openapi2': { 'level': 'INFO', 'handlers': ['info_file'] } }}logger.logging.config.dictConfig(log_conf)log = logger.logging.getLogger('openapi2')# 钱喵喵WX_URL= 'http://wx.qfpay.com'WX_DOMAIN = 'wx.qfpay.com'WX_MP_USERNAME = 'qmmzh@qfpay.com'WX_MP_PASSWORD = 'qmm2013'WX_APP_ID = 'wx214b9b77b6501add'WX_APP_SECRET = '1c18008a1c98fc471ba1699e35e26de6'#STATIC_URL = 'http://wxstatic.u.qiniudn.com'STATIC_URL = '/static'
ok
···
危害等级:无影响厂商忽略
忽略时间:2014-12-24 18:58
暂无
偷偷修复了