WooYun (WooYun.org) historical vulnerability archive: http://wy.zone.ci/
WooYun Drops articles, online reader: http://drop.zone.ci/
2015-11-24: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly.
2016-01-11: The vendor has chosen to ignore the vulnerability; details disclosed to the public.
First, the database configuration file is exposed in a public repository: https://github.com/hwf452/efb/blob/master/efb/resources/jdbc.properties
#[192.168.8.3]
jdbc.url=jdbc:mysql://192.168.8.3:3306/EFB
#[121.40.183.68 - 10.168.63.223]
#jdbc.url=jdbc:mysql://121.40.183.68:3306/efb-1-3
#jdbc.url=jdbc:mysql://rdsr3u3ammzjyau.mysql.rds.aliyuncs.com/efb-1-3 invalid
#[121.40.200.101 - 10.168.80.17]
#jdbc.url=jdbc:mysql://rdsy6vzb2y6vzb2.mysql.rds.aliyuncs.com/efb-1-1-4
jdbc.username=efb
jdbc.password=edao2014EDAO
Two of the listed servers can be connected to.
The most recent SMS verification-code records. I searched for a long time but could not find the user table; no idea where it is. Some configuration files are pasted below.
<?xml version="1.0" encoding="utf-8"?>
<config>
  <sendSmsParam>
    <yunTongXun>
      <smsServiceUrl>sandboxapp.cloopen.com</smsServiceUrl>
      <smsServicePort>8883</smsServicePort>
      <accountSid>aaf98f89488d0aad0148b15dd9da10f7</accountSid>
      <authToken>9e670cc2aede48c8a712e538877d1047</authToken>
      <appId>8a48b551488d07a80148ba0c033b1469</appId>
      <templateId>5043</templateId>
      <registerSuccessTemplateId>7710</registerSuccessTemplateId>
      <registerSuccessDownloadLink>http://www.jyb360.com/</registerSuccessDownloadLink>
      <registerSuccessDownloadQrcode>http://web.jyb360.com/web/images/qrcode.png</registerSuccessDownloadQrcode>
    </yunTongXun>
    <juhe>
      <smsServiceUrl>http://v.juhe.cn/sms/send</smsServiceUrl>
      <appKey>302efec9b344ae81a7e2a78d6b7d890a</appKey>
      <paramPattern>#?#=*</paramPattern>
    </juhe>
  </sendSmsParam>
  <financialParam>
    <annualInterestRate>0.0035</annualInterestRate>
  </financialParam>
  <fundTradeParam>
    <lionfund>
      <requestApplyUrl>http://210.21.212.7:8080/febop/requestApply.go</requestApplyUrl>
      <!-- <requestApplyUrl>https://trade.lionfund.com.cn/febop/requestApply.go</requestApplyUrl> -->
      <edaoInstitutionId>YD01</edaoInstitutionId>
      <edaoCertificationId>YD0101</edaoCertificationId>
      <edaoPrivateKeyPath>yidao_private_key_101.pem</edaoPrivateKeyPath>
      <lionfundPublicKeyPath>lionfund_public_key_101.pem</lionfundPublicKeyPath>
      <ftpUrl>210.21.212.7</ftpUrl>
      <ftpUserName>yd</ftpUserName>
      <ftpPassWord>1q2w3e</ftpPassWord>
      <ftpProt>21</ftpProt>
      <ftpPath>E:/Projects/FTP/</ftpPath>
      <sftpUrl>121.34.253.167</sftpUrl>
      <sftpUserName>yd</sftpUserName>
      <sftpPassWord>271614</sftpPassWord>
      <sftpProt>22</sftpProt>
      <sftpPath>E:/Projects/FTP/</sftpPath>
    </lionfund>
  </fundTradeParam>
  <aliyunOSSParam>
    <endpoint>http://oss.aliyuncs.com</endpoint>
    <accessKeyId>I5pYapkHvS4Sz0JI</accessKeyId>
    <accessKeySecret>tPOsmNYMDX8Vb7H83FJShQquXdr9eq</accessKeySecret>
    <resExpiration>3600000</resExpiration>
    <bucketNameSystemRes>efb-system-res-101</bucketNameSystemRes>
    <bucketNameCommonRes>efb-common-res-101</bucketNameCommonRes>
    <bucketNameEnterpriseRes>efb-enterprise-res-101</bucketNameEnterpriseRes>
    <bucketNameTempRes>efb-temp-res-101</bucketNameTempRes>
    <ossHttpUrl>http://${bucketName}.oss-cn-hangzhou.aliyuncs.com</ossHttpUrl>
  </aliyunOSSParam>
  <pushMessageParam>
    <apns>
      <apnsHost>gateway.sandbox.push.apple.com</apnsHost>
      <apnsPort>2195</apnsPort>
      <certificate>efb_apns_dev_java_key.p12</certificate>
      <certificatePassword>yidao</certificatePassword>
    </apns>
    <android>
      <getui>
        <jyb>
          <appId>wRWdEFahtq8UdHswebaFg1</appId>
          <appKey>lZCPdNFdE16aIxKbZS1ndA</appKey>
          <masterSercret>NBY5fiugDW8zBDkTv919S2</masterSercret>
          <appSecret>2EKHgvc4D17nSJSaDArOZ6</appSecret>
          <host>http://sdk.open.api.igexin.com/apiex.htm</host>
        </jyb>
      </getui>
    </android>
  </pushMessageParam>
  <globalRes>
    <clientUpdateDataFilePath>E:/EFB/Sources/trunch/efb/resources/efb.db</clientUpdateDataFilePath>
  </globalRes>
</config>
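The root cause in this report is credentials committed to a public repository in plain configuration files: a .properties file with a live database password, and an XML file carrying SMS, FTP/SFTP, object-storage and push-notification secrets. The simplest control on the defender's side is a pre-commit or CI check that scans exactly these two formats for sensitive keys whose values are not placeholders. The following is an added example written for this page, not code from the report or from the repository it describes; the key-name list, the placeholder patterns and both sample files are constructed for illustration and deliberately do not reuse any value from the leaked files.

```python
import re
import xml.etree.ElementTree as ET

# Key names that usually carry a credential (constructed starting list, not exhaustive).
SENSITIVE_KEY = re.compile(
    r"(password|passwd|pwd|secret|token|accesskey|apikey|appkey|authtoken|accountsid)",
    re.IGNORECASE,
)

# Values that are placeholders rather than live credentials: ${VAR} references,
# <angle-bracket> templates, obvious dummies, or an empty value.
PLACEHOLDER = re.compile(r"^(\$\{[^}]*\}|<[^>]*>|changeme|todo|xxx+|\*+|)$", re.IGNORECASE)


def scan_properties(text):
    """Return (key, value) pairs from a .properties file whose key looks sensitive
    and whose value is not a placeholder. Commented lines ('#' or '!') are skipped,
    which is how the format itself treats them."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if SENSITIVE_KEY.search(key) and not PLACEHOLDER.match(value):
            findings.append((key, value))
    return findings


def scan_xml(text):
    """Return (element path, value) pairs for leaf elements whose tag name looks
    sensitive and whose text is not a placeholder."""
    findings = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        if len(elem) == 0:  # leaf element: its text is the configured value
            value = (elem.text or "").strip()
            if SENSITIVE_KEY.search(elem.tag) and not PLACEHOLDER.match(value):
                findings.append((here, value))
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(text), "")
    return findings


# Constructed sample inputs (assumed shapes, not the files from the report).
SAMPLE_PROPERTIES = """\
# constructed sample .properties file
jdbc.url=jdbc:mysql://db.internal.example:3306/app
#jdbc.password=OLD_COMMENTED_OUT_VALUE
jdbc.username=app
jdbc.password=Example-Pass-123
"""

SAMPLE_XML = """\
<config>
  <sms>
    <accountSid>0123456789abcdef</accountSid>
    <authToken>deadbeefdeadbeef</authToken>
  </sms>
  <oss>
    <accessKeyId>EXAMPLEKEYID</accessKeyId>
    <accessKeySecret>${OSS_SECRET}</accessKeySecret>
    <ossHttpUrl>http://${bucketName}.example</ossHttpUrl>
  </oss>
</config>
"""


def scan_text(name, text):
    """Dispatch on file extension; returns a list of findings for one file."""
    if name.endswith(".properties"):
        return scan_properties(text)
    if name.endswith(".xml"):
        return scan_xml(text)
    return []


if __name__ == "__main__":
    for name, text in (("jdbc.properties", SAMPLE_PROPERTIES), ("config.xml", SAMPLE_XML)):
        for where, value in scan_text(name, text):
            print(f"{name}: {where} = {value!r}  <-- looks like a committed secret")
```

In the constructed XML sample the `${OSS_SECRET}` reference is accepted as a placeholder while the literal SID, token and access-key id are flagged, which is the distinction a commit hook needs: the fix for a file like the one above is to move every flagged value into environment variables or a secrets manager and leave only references in the repository, and to rotate any credential that has already been pushed, since history keeps it even after the file is edited.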
Some SQL data.
That's enough; I'll stop digging here.
Unable to reach the vendor, or the vendor actively declined the report.
Vulnerability Rank: 15 (WooYun rating)