2015-08-03: 细节已通知厂商并且等待厂商处理中 2015-08-04: 厂商已经确认,细节仅向厂商公开 2015-08-14: 细节向核心白帽子及相关领域专家公开 2015-08-24: 细节向普通白帽子公开 2015-09-03: 细节向实习白帽子公开 2015-09-18: 细节向公众公开
大智慧某站svn信息泄露导致大量内网数据库配置泄露
大智慧某站 svn 信息泄露导致大量内网数据库配置泄露：站点根目录下的 .svn 目录可被直接访问，借此可读取任意目录及任意 cgi 源代码，进而导致内部多个系统的数据库配置信息泄露！
class DBConnInfo{ static $URL = "10.15.144.182:11123"; //数据库地址 static $UserName = ""; //登录名 static $Password = ""; //登录密码 static $DbName = "jtlcs"; //数据库
//discuz地址 static $DISCUZ_URL = "http://10.15.44.72/discuz/forum.php?mod=guide&view=newthread&mobile=2"; //discuz加密key(用于和家庭理财师或discode通信时加密) static $DISCUZ_ENCRYPTION_KEY = "homefinancial";
//websocket配置 static $WS_SERVER = 'wss://fe.gw.com.cn/dataproxy'; //static $WS_SERVER = 'ws://10.15.107.214:20718/dataproxy'; //static $WS_SERVER = 'ws://10.15.107.138:20718/dataproxy'; //金牌投顾理财师接口地址 static $JPTG_LCS_SERVER = 'http://10.15.108.155:8891'; //static $JPTG_LCS_SERVER = 'http://xctg.gw.com.cn'; //金牌投顾自选股接口地址 static $JPTG_ZXG_SERVER = 'http://10.15.108.155:8893';
//账号中心-webservice api static $USERCENTER_NEW_URL = 'http://10.15.108.114:9001/AccService/AccServlet.do?'; //帐号中心-webservice appId userget接口需要 static $USERCENTER_APP_ID =5; //wap登录注册跳转地址 上线前需要提供域名给对方授权 static $USERCENTER_URL= 'http://10.15.108.114:9001/UserCenter/page/account/'; //wap登录注册需要的source static $USERCENTER_SOURCE = 41; //TOKEN 验证API static $TOKEN_SERVER = array('10.15.107.167'); //湘才开户 static $XCKH_URL = 'http://10.15.108.151/xckhhd/wap/'; //家庭理财师日志输出路径 static $LOG_PATH = 'd:/logs/'; static $LOG_SERVER_URL = 'http://10.15.44.126:800/writeLog'; //crm 开户接口 资金重置 static $CLOUND_API = 'http://10.15.88.57/bank/'; //家庭理财师提供给李宁接口设定的密钥 static $API_KEY = 'jk;.fd/dfd@^d'; // 李宁接口 static $USER_RANK_URL='http://10.15.108.154:9080/seca/api/familyfin'; //static $USER_RANK_URL='http://10.10.1.37:9080/seca/api/familyfin'; //online
8dir50535https://svn.gw.com.cn:10000/svn/Platform/homefinancial/trunk/homefinancialhttps://svn.gw.com.cn:10000/svn/Platform2015-03-06T06:58:02.701200Z50532xiangshenhas-propssvn:special svn:externals svn:needs-lock852d2bc5-fa74-a04a-b0b0-a93b6df14016.htaccessfile2014-12-17T06:56:15.000000Z11c369ee2be2d63b4753ec6a615827922014-12-02T01:34:58.144000Z47924chenxueshuangbuild.propertiesfile2014-12-17T06:56:15.000000Ze9fe8151b00bd2456facc96f0219833a2014-12-16T09:29:57.524400Z48572xiangshencrondirdatadirdooframeworkdirglobaldirguesszddirindex.phpfile2015-01-06T05:46:14.000000Z13d6203030369c647097e99220db4bb52015-01-06T02:02:48.288400Z49015lihaiweiprotecteddir
可读源代码（.svn/text-base/ 下的 *.svn-base 文件是工作副本的原始内容，Web 服务器未禁止访问 .svn 目录时可直接下载，PHP 源码因此以明文形式暴露）：http://jiacai.gw.com.cn/protected/config/.svn/text-base/system.conf.php.svn-base
<?php
/**
 * Runtime configuration for the "home financial advisor" (家庭理财师) site:
 * service endpoints, cache/redis nodes, and business tuning values.
 *
 * NOTE(review): every value below is a literal committed to version control,
 * and the report this listing comes from shows the file being served from a
 * web-readable .svn/text-base copy. The shared secrets ($API_KEY,
 * $DISCUZ_ENCRYPTION_KEY) and the database connection details should be
 * loaded from outside the source tree (environment / unversioned include)
 * and rotated; the values here must be assumed compromised.
 */
class SystemConfig
{
    // ---- static resources ---------------------------------------------
    /** Host serving image / javascript / css / flv files. Empty = same host. */
    public static $RESOURCE_HOST = '';

    // ---- cache nodes --------------------------------------------------
    /** memcache nodes as (host, port, persistent, weight) tuples. */
    public static $MEMCACHE_SERVER = array(
        array('10.15.108.155', '21220', true, 40),
    );
    /** Redis used for the advisor cache, read/write queue. */
    public static $REDIS_SERVER = array('10.15.108.151:6380');
    /** Redis read for ranking-date data; shared with the secondary calculation. */
    public static $REDIS_SERVER_RANK = array('10.15.108.151:6380');
    /** Key of the advisor message queue in redis. */
    public static $REDIS_QUEUE_KEY = 'jtlcs_msg_queue';

    // ---- experience points / funds -----------------------------------
    /** Experience-point upgrade rule. */
    public static $JYZ_UPGRADE_CONFIG = 1000;
    /** Experience granted per trade: 's' = per grant, 'limit' = cap per level. */
    public static $TRADE_SEND_JYZ = array('s' => 50, 'limit' => 500);
    /** Initial funds, indexed 0..9. */
    public static $FUNDS_INIT = array(
        0 => 50000,
        1 => 200000,
        2 => 500000,
        3 => 1000000,
        4 => 1000000,
        5 => 1000000,
        6 => 1000000,
        7 => 1000000,
        8 => 1000000,
        9 => 1000000,
    );
    /** Experience granted once per day for logging in. */
    public static $LOGIN_SEND_JYZ = 10;

    // ---- account center -----------------------------------------------
    /** Account-center webservice API. */
    public static $USERCENTER_NEW_URL = 'http://10.15.108.114:9001/AccService/AccServlet.do?';
    /** Account-center webservice appId, required by the userget interface. */
    public static $USERCENTER_APP_ID = 5;
    /** WAP login/register redirect; the domain must be authorised by the other side before go-live. */
    public static $USERCENTER_URL = 'http://10.15.108.114:9001/UserCenter/page/account/';
    /** 'source' value required by WAP login/register. */
    public static $USERCENTER_SOURCE = 41;
    /** Token verification API hosts. */
    public static $TOKEN_SERVER = array('10.15.107.167');
    /** Xiangcai account-opening entry. */
    public static $XCKH_URL = 'http://10.15.108.151/xckhhd/wap/';

    // ---- logging / CRM ------------------------------------------------
    /** Local log output path. */
    public static $LOG_PATH = 'd:/logs/';
    public static $LOG_SERVER_URL = 'http://10.15.44.126:800/writeLog';
    /** CRM account-opening interface, funds reset. */
    public static $CLOUND_API = 'http://10.15.88.57/bank/';
    /**
     * Shared key agreed for the interface exposed to Li Ning (李宁).
     * NOTE(review): plaintext shared secret in source — rotate and externalise.
     */
    public static $API_KEY = 'jk;.fd/dfd@^d';
    /** Li Ning interface. */
    public static $USER_RANK_URL = 'http://10.15.108.154:9080/seca/api/familyfin';
    // Alternative ("online") endpoint kept by the original author:
    // public static $USER_RANK_URL = 'http://10.10.1.37:9080/seca/api/familyfin';

    // ---- session / trading --------------------------------------------
    /** Token lifetime in seconds (6h); the login cookie keeps the token for the same 6h. */
    public static $TOKEN_TIMEOUT = 21600;
    /** Trading counter socket address. */
    public static $COUNTER_SOCKET = "10.15.107.15:16990";
    /** Trading counter activity id. */
    public static $COUNTER_HUODONG_ID = "FAFP";

    // ---- market quotes ------------------------------------------------
    /** Quote servers: host = hostname or IP, port, weight. More may be added. */
    public static $HQ_SERVER = array(
        array('host' => '122.228.80.109', 'port' => '12345', 'weight' => 10),
        array('host' => '122.228.80.112', 'port' => '12345', 'weight' => 20),
        array('host' => '122.228.80.116', 'port' => '12345', 'weight' => 30),
        array('host' => '122.228.80.124', 'port' => '12345', 'weight' => 40),
    );
    /** Default cache time for phpsocket quotes (seconds). */
    public static $HQ_EXPIRES = 60;
    /** Default websocket timeout (seconds). */
    public static $WS_TIMEOUT = 3;
    /** Websocket endpoint. */
    public static $WS_SERVER = 'wss://fe.gw.com.cn/dataproxy';
    // Internal alternatives kept by the original author:
    // public static $WS_SERVER = 'ws://10.15.107.214:20718/dataproxy';
    // public static $WS_SERVER = 'ws://10.15.107.138:20718/dataproxy';
    /** Gold Advisor (金牌投顾) advisor interface. */
    public static $JPTG_LCS_SERVER = 'http://10.15.108.155:8891';
    // public static $JPTG_LCS_SERVER = 'http://xctg.gw.com.cn';
    /** Gold Advisor watchlist (自选股) interface. */
    public static $JPTG_ZXG_SERVER = 'http://10.15.108.155:8893';

    // ---- discuz / community -------------------------------------------
    /** Redirect-to-discuz login URL. */
    public static $LOGIN_TO_DISCUZ_URL = 'http://10.15.44.72/uchack/login.php';
    /** Discuz avatar / nickname sync endpoint. */
    public static $SYNC_AVATAR_NICKNAME_URL = 'http://10.15.44.72/uchack/syncavatarnickname.php';
    /** Discuz entry URL. */
    public static $DISCUZ_URL = "http://10.15.44.72/discuz/forum.php?mod=guide&view=newthread&mobile=2";
    /**
     * Key used to encrypt traffic between discuz and the advisor / discode.
     * NOTE(review): hard-coded, low-entropy secret — rotate and externalise.
     */
    public static $DISCUZ_ENCRYPTION_KEY = "homefinancial";
    /** Micro-community URL. */
    public static $WSQ_URL = "http://wsq.qq.com/reflow/263998497";
    /** Image CDN host. */
    public static $IMP_HOST = "http://static.ads.gw.com.cn/cdn";
    /** Redis central control node used to sync the WeChat access_token. */
    public static $REDIS_WX_TOKEN = array('10.10.3.20:6379');
}

/**
 * MongoDB connection info.
 *
 * NOTE(review): user name and password are empty here; whether the server
 * enforces authentication cannot be told from this file — verify, since the
 * address is now public.
 */
class DBConnInfo
{
    /** Database host:port. */
    public static $URL = "10.15.144.182:11123";
    /** Login name. */
    public static $UserName = "";
    /** Login password. */
    public static $Password = "";
    /** Database name. */
    public static $DbName = "jtlcs";
}

/**
 * Feature flags and site version.
 */
class FunctionConfig
{
    /** HTTPS switch; how callers consume it is not visible in this file. */
    public static $IS_HTTPS = false;
    /** Site version number. */
    public static $VERSION = '1.00034';
}
关闭
危害等级:中
漏洞Rank:10
确认时间:2015-08-04 08:50
已通知运维负责人处理
暂无