当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0134081

漏洞标题:IDC服务商安全之睿江科技邮箱密码泄漏以及多个系统源码泄漏(可连接数据库)

相关厂商:efly.cc

漏洞作者: prolog

提交时间:2015-08-15 17:03

修复时间:2015-09-30 00:12

公开时间:2015-09-30 00:12

漏洞类型:重要敏感信息泄露

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-08-15: 细节已通知厂商并且等待厂商处理中
2015-08-16: 厂商已经确认,细节仅向厂商公开
2015-08-26: 细节向核心白帽子及相关领域专家公开
2015-09-05: 细节向普通白帽子公开
2015-09-15: 细节向实习白帽子公开
2015-09-30: 细节向公众公开

简要描述:

广东睿江科技有限公司成立于2007年,总部位于广东省佛山市,是中国领先的互联网基础服务提供商,致力于为全球的金融、电子商务、移动互联网、网络游戏、门户网站等企业提供最专业的互联网数据中心(IDC)、内容加速服务(CDN)、云计算(私有云解决方案及公有云云平台)及行业应用的整体解决方案。是一家在业务领域专注和专业的云计算数据中心运营商。

详细说明:

1.邮箱密码泄露可登陆
https://github.com/k518/ddd/blob/270d789b4f7fde0025adea88abcccbdb3cd5103b/monitor/test.py
mail = SendEmail('smtp.efly.cc', 'eflydns@efly.cc', 'eflydns123')
http://mail.efly.cc/src/login.php

mail_814.PNG


2.数据库密码员工用户名,qq邮箱泄露
https://github.com/k518/ddd/blob/270d789b4f7fde0025adea88abcccbdb3cd5103b/monitor/proxy_test.py
db = MySQLdb.connect("localhost","root","rjkj@rjkj","dns_device_monitor")
mailto_list = ['huangyb@efly.cc']
#mailto_list = ['dns_monitor@efly.cc']
#mailto_list = ['dns_monitor@efly.cc','110569339@qq.com','280057670@qq.com','13760974339@139.com','kunhho@qq.com','823969275@qq.com','56185089@qq.com','261572183@qq.com','349657492@qq.com']
#mailto_list = ['huangyb@efly.cc','maij@efly.cc','shiw@efly.cc','likx@efly.cc','chenjh@efly.cc','zengxl@efly.cc']
mail = SendEmail('smtp.efly.cc', 'eflydns@efly.cc', 'eflydns123')
3.员工邮箱密码泄露
https://github.com/k518/ddd/blob/270d789b4f7fde0025adea88abcccbdb3cd5103b/monitor/mail_day.py
mail = SendEmail('smtp.163.com', 'chinabobby@163.com', 'xinyi520')

ashash.PNG


4.数据库密码泄露
https://github.com/k518/ddd/blob/270d789b4f7fde0025adea88abcccbdb3cd5103b/mgr/dbback.sh
mysqldump -h121.201.12.58 -uroot -prjkj@rjkj --opt -RB dnspro_core |gzip -9 > /media/wdata/linuxshare/db_backup/dnspro_core58-`date +%Y-%m-%d_%H%M%S`.sql.gz
mysqldump -h121.201.12.68 -uroot -prjkj@rjkj --opt -RB dnspro_core |gzip -9 > /media/wdata/linuxshare/db_backup/dnspro_core68-`date +%Y-%m-%d_%H%M%S`.sql.gz
https://github.com/k518/ddd/blob/270d789b4f7fde0025adea88abcccbdb3cd5103b/mgr/mgr_conf.py
g_db_ip= 'localhost' #经测试ip是121.201.12.68可连接
g_db_user= 'root'
g_db_passwd = 'rjkj@rjkj'
g_db_db = 'dnspro_core'
g_zkClis = '121.201.12.58:2181,121.201.12.60:2181,121.201.12.68:2181'

dns_818.PNG


5.文档泄露
https://github.com/k518/ddd/tree/270d789b4f7fde0025adea88abcccbdb3cd5103b/doc
6.数据库脚本泄露管理员用户名密码
https://github.com/k518/ddd/blob/270d789b4f7fde0025adea88abcccbdb3cd5103b/dnsbroker/dnspro.sql
insert into `admin`(`id`,`user`,`pwd`,`desc`) values (1,'admin','rjkj@rjkj','');
insert into `server_list`(`id`,`sid`,`ip`,`type`,`subtype`,`status`,`desc`) values (1,'dns_broker_primary','121.201.12.60','dns_broker','primary','true','dns broker 中山BGP'),(2,'db_broker_primary','121.201.12.60','db_broker','primary','true','db broker 中山BGP'),(3,'task_mgr_primary','121.201.12.60','task_mgr','primary','true','task mgr 中山BGP'),(4,'db_primary','121.201.12.60','db','primary','true','主DB 中山BGP'),(5,'db_secondary','121.201.12.60','db','secondary','true','从DB 中山BGP'),(6,'node_mgr_primary_zs_bgp','121.201.12.57','node_mgr','primary','true','node_mgr 中山BGP'),(7,'node_proxy_primary_zs_bgp','121.201.12.56','node_proxy','primary','true','node_proxy 中山BGP'),(8,'node_core_primary_zs_bgp','121.201.12.57','node_core','primary','true','node_core 中山BGP'),(9,'node_mgr_primary_zs_bgp_bak','121.201.12.67','node_mgr','secondary','true','从node_mgr 中山BGP');
DBS_MAIN => array('ip' => 'localhost', 'port' => 3306, 'user' => 'root', 'passwd' => 'rjkj@rjkj' )
7 各个系统源码泄漏,里面大多含有数据库密码,管理员密码,经测试不能连接。。
https://github.com/k518/xxx/
https://github.com/k518/xxx/blob/master/eventCenter/syslogic/mysql.php
$rs=mysql_connect('api.efly.cc','root','rjkj@rjkj');
mysql_query('set names utf8');
mysql_select_db('eventCenter');
https://github.com/k518/xxx/blob/master/productCenter/syslogic/mysql.php
$rs=mysql_connect('api.efly.cc','root','rjkj@rjkj');
mysql_query('set names utf8');
mysql_select_db('productCenter');
https://github.com/k518/xxx/blob/master/gift.efly.cc/webroot/gift/db.class.php
function DB($host='ibss.efly.cc', $username='root', $password='rjkj@2009#8', $dbname='gift'){

https://github.com/k518/xxx/blob/master/web/web%E8%AE%BE%E8%AE%A1/ibss_user/Home/Conf/config.php
'DB_TYPE' => 'mysql',
'DB_HOST' => '121.9.13.254',
'DB_NAME' => 'platform',
'DB_USER' => 'root',
'DB_PWD' => 'rjkj@2009#8',
'DB_PORT' => '3306',
'DB_PREFIX' => '', //数据库表前缀
'INTERFACE_URL' => 'http://api.efly.cc',
'OPERATION_VM' => 'http://119.145.147.88:8080'

https://github.com/k518/xxx/blob/master/xen/ecloud_admin.sql
INSERT INTO `Pool` (`ID`, `GroupID`, `PoolCode`, `Data`, `State`, `NetVlanBegin`, `NetVlanEnd`, `PrivateIPBegin`, `PrivateIPEnd`, `PrivateMask`, `PrivateGateway`) VALUES
(7, 5, 'HJ-G001-P001', '{"master":"10.11.253.45","user":"root","pass":"Rjkj@efly#123","vnc_proxy_host":"121.201.55.35","vnc_proxy_port":"9000","uuid":"605c0b0b-d8d4-44a5-bba4-f82b4194186b"}', 'enabled', '2', '201', '10.11.0.2', '10.11.0.254', 24, '10.11.0.1'),
(9, 5, 'test1`22332', '111sssss', 'enabled', '99', '88', '77', '66', 55, '4444');
https://github.com/k518/xxx/blob/master/xen/uwsgi/create_temp_vm.py
master_url = "http://%s/"%('10.11.253.43')
session = XenAPI.Session(master_url)
session.xenapi.login_with_password('root', 'Rjkj@efly#123')
https://github.com/k518/xxx/blob/master/xen/mgr-script/collect2.py
master = '10.11.253.43'
slaves = ['10.11.253.44', '10.11.253.45']
user='root'
passwd='Rjkj@efly#123'
https://github.com/k518/xxx/blob/master/xen/uwsgi/create_vlan.py
session = XenAPI.Session('http://121.201.60.66:8000')
session.xenapi.login_with_password('root', 'Rjkj@free7248#8')

漏洞证明:

rt

修复方案:

rt

版权声明:转载请注明来源 prolog@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:17

确认时间:2015-08-16 00:11

厂商回复:

谢谢黑客作者的辛苦劳动,目前我们的技术人员已经在紧急排查中。

最新状态:

暂无


漏洞评价:

评论