Arbitrary file download vulnerability on the Renrenle (人人乐) Group official website leaks product information

  The vulnerability allows arbitrary file download by modifying the file path parameter. The system runs Linux, and the shadow file can be downloaded directly.
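  Added here as a defender-side example, not part of the original report: a small detector that runs over constructed access-log lines in combined log format and flags download requests whose file-name parameter is absolute, traverses upwards, or names a sensitive file. The /download.do endpoint and the parameter name filename are assumptions, and every log line is constructed.

```python
import re
import urllib.parse

# Constructed sample lines in combined log format; the /download.do endpoint
# and the "filename" parameter are assumptions, not values from the report.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Jul/2014:10:01:02 +0800] "GET /download.do?filename=catalog.xls HTTP/1.1" 200 5120
10.0.0.9 - - [20/Jul/2014:10:01:09 +0800] "GET /download.do?filename=../../../../etc/shadow HTTP/1.1" 200 1186
10.0.0.9 - - [20/Jul/2014:10:01:15 +0800] "GET /download.do?filename=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 2020
10.0.0.9 - - [20/Jul/2014:10:01:31 +0800] "GET /download.do?filename=/opt/jboss/server/default/deploy/scm.war/WEB-INF/classes/exportConfig.xml HTTP/1.1" 200 9011
10.0.0.9 - - [20/Jul/2014:10:01:40 +0800] "GET /download.do?filename=WEB-INF/web.xml HTTP/1.1" 200 1402
10.0.0.7 - - [20/Jul/2014:10:02:00 +0800] "GET /index.jsp HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d+)'
)
# Substrings that never belong in a legitimate export file name.
SENSITIVE_NAMES = ("/etc/shadow", "/etc/passwd", "web-inf/", "exportconfig.xml")


def classify(value):
    """Return why a file-name parameter looks like an arbitrary-file read, or None."""
    # parse_qs already decoded once; decode again to catch double encoding.
    v = urllib.parse.unquote(value).replace("\\", "/")
    if v.startswith("/"):
        return "absolute path"
    if any(seg == ".." for seg in v.split("/")):
        return "directory traversal"
    if any(name in v.lower() for name in SENSITIVE_NAMES):
        return "sensitive file name"
    return None


def find_suspicious_downloads(log_text, param="filename"):
    """Return (ip, status, value, reason) for each flagged request; a 200 status
    means the server actually served the file, which turns an attempt into an incident."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urllib.parse.urlsplit(m.group("url")).query
        for value in urllib.parse.parse_qs(query, keep_blank_values=True).get(param, []):
            reason = classify(value)
            if reason:
                hits.append((m.group("ip"), m.group("status"), value, reason))
    return hits
```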


  The shadow file can be read directly, so the web service is running with fairly high privileges. Reading the source files led to the following configuration file paths:

  /opt/jboss/server/default/deploy/ws.war/WEB-INF/web.xml
  /opt/jboss/server/default/deploy/ws.war/WEB-INF/conf/app-context.xml
  /opt/jboss/server/default/deploy/ws.war/WEB-INF/sql.tld
  /opt/jboss/server/default/deploy/mpwx.war/WEB-INF/web.xml
  /opt/jboss/server/default/deploy/testws.war/WEB-INF/classes/conf/MallWSConfig.xml
  /home/ftp1007/exportConfig.xml
  /opt/jboss/server/default/deploy/scm.war/WEB-INF/struts-config.xml

  Reading these configuration files yields the FTP user names and passwords that the group's online stores use to upload product information. FTP connection details for this server:

  127.0.0.1

  21

  ftp1003

  ac1003ln

  /download


  The configuration file contains a large number of FTP login entries. Different accounts correspond to different stores, and logging in with them gives access to a large amount of sales information. The configuration file in question is /opt/jboss/server/default/deploy/scm.war/WEB-INF/classes/exportConfig.xml.


  This exposes the product data and sales data of every store under the group.


  Fix

  Filter the requested file path at the application logic level.
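  As an added example of such filtering, not code from the report or from the affected application, the hypothetical resolve_download() below shows the check a download endpoint on a JBoss/Linux deployment like this one needs: decode the client-supplied name, refuse NUL bytes and absolute paths, canonicalise the result with symlinks resolved, and serve only if it still lies under the export directory. vulnerable_resolve() reproduces the unchecked join that lets "../" reach /etc/shadow, and demo() builds a throwaway directory (constructed, with a constructed sample file) and exercises both.

```python
import os
import tempfile
import urllib.parse


class DownloadRejected(Exception):
    """Raised when a requested download path must not be served."""


def vulnerable_resolve(base_dir, requested):
    # The pattern behind this report: the client-supplied name is joined onto
    # the export directory with no containment check, so "../" walks out of it.
    return os.path.normpath(os.path.join(base_dir, requested))


def resolve_download(base_dir, requested):
    """Hardened replacement: return a canonical path inside base_dir or raise."""
    # Decode twice so a double-encoded "%252e%252e" cannot slip past the checks.
    name = urllib.parse.unquote(urllib.parse.unquote(requested))
    if "\x00" in name:
        raise DownloadRejected("NUL byte in path")
    # An absolute component makes os.path.join discard base_dir altogether.
    if os.path.isabs(name):
        raise DownloadRejected("absolute path not allowed")
    root = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(root, name))
    # Containment is checked on canonical paths, after ".." and symlinks are
    # resolved, which is the only place the check is reliable.
    if os.path.commonpath([root, target]) != root:
        raise DownloadRejected("path escapes download directory")
    if not os.path.isfile(target):
        raise DownloadRejected("no such file")
    return target


def demo():
    """Create a throwaway export directory and exercise both resolvers."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        with open(os.path.join(base, "catalog.txt"), "w") as fh:
            fh.write("constructed sample export\n")
        results["vulnerable"] = vulnerable_resolve(base, "../" * 8 + "etc/shadow")
        results["ok"] = os.path.basename(resolve_download(base, "catalog.txt"))
        for probe in ("../" * 8 + "etc/shadow", "/etc/shadow",
                      "%2e%2e/%2e%2e/%2e%2e/etc/shadow", "catalog.txt%00.jpg"):
            try:
                resolve_download(base, probe)
                results[probe] = "allowed"
            except DownloadRejected as exc:
                results[probe] = str(exc)
    return results
```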
