顺丰优选某站源码泄露|银行证书|与支付平台的公钥私钥|CDN、QQ、WEIXIN接口KEY泄露 | wooyun-2016-0191974

漏洞概要关注数(24) 关注此漏洞

缺陷编号：

wooyun-2016-0191974

漏洞标题：

顺丰优选某站源码泄露|银行证书|与支付平台的公钥私钥|CDN、QQ、WEIXIN接口KEY泄露

漏洞详情

披露状态：

2016-04-03：细节已通知厂商并且等待厂商处理中
2016-04-05：厂商已经确认，细节仅向厂商公开
2016-04-15：细节向核心白帽子及相关领域专家公开
2016-04-25：细节向普通白帽子公开
2016-05-05：细节向实习白帽子公开
2016-05-20：细节向公众公开

简要描述：

内容吓尿我。

详细说明：

59.151.22.134

禁止访问了，可http://59.151.22.134/.svn/entries没设权限

http://59.151.22.134/i.php
Variable	Value
_SERVER["USER"]	nginx
_SERVER["HOME"]	/home/nginx
_SERVER["FCGI_ROLE"]	RESPONDER
_SERVER["SCRIPT_FILENAME"]	/home/www/api2/i.php
_SERVER["QUERY_STRING"]	no value
_SERVER["REQUEST_METHOD"]	GET
_SERVER["CONTENT_TYPE"]	no value
_SERVER["CONTENT_LENGTH"]	no value
_SERVER["SCRIPT_NAME"]	/i.php
_SERVER["REQUEST_URI"]	/i.php
_SERVER["DOCUMENT_URI"]	/i.php
_SERVER["DOCUMENT_ROOT"]	/home/www/api2
_SERVER["SERVER_PROTOCOL"]	HTTP/1.1
_SERVER["GATEWAY_INTERFACE"]	CGI/1.1
_SERVER["SERVER_SOFTWARE"]	nginx/1.0.0
_SERVER["REMOTE_ADDR"]	175.152.1.241
_SERVER["REMOTE_PORT"]	1122
_SERVER["SERVER_ADDR"]	10.102.36.171
_SERVER["SERVER_PORT"]	80
_SERVER["SERVER_NAME"]	api2.t.com
_SERVER["WWW_URL"]	http://www.t.com
_SERVER["HOME_URL"]	http://home.t.com
_SERVER["PASSPORT_URL"]	http://passport.t.com
_SERVER["CAS_URL"]	https://10.102.34.116:8443
_SERVER["I_URL"]	http://i.t.com
_SERVER["P_URL"]	http://p.t.com
_SERVER["IMG01_URL"]	http://img.t.com
_SERVER["P01_URL"]	http://p01.t.com
_SERVER["P02_URL"]	http://p02.t.com
_SERVER["P03_URL"]	http://p03.t.com
_SERVER["ANDROID_URL"]	http://android.t.com
_SERVER["IMG_URL"]	http://img01.t.com
_SERVER["CORP_URL"]	http://corp.t.com
_SERVER["WULIU_URL"]	http://wuliu.t.com
_SERVER["JSMS_URL"]	http://ms.t.com:8880
_SERVER["MC_URL"]	mc.t.com
_SERVER["MC1_URL"]	mc1.t.com
_SERVER["DBM_URL"]	IDC-T-sfbest
_SERVER["DBS_URL"]	dbs.t.com
_SERVER["DBS_URL_CART"]	dbs.t.com
_SERVER["API_URL"]	api.t.com
_SERVER["API2_URL"]	59.151.22.134
_SERVER["PIC_URL"]	http://pic.t.com
_SERVER["DEBUG"]	1
_SERVER["SERVER_DOMAIN"]	t.com
_SERVER["SEARCH_URL"]	http://search.t.com
_SERVER["SEARCH_ADDR_URL"]	http://searchaddr.t.com
_SERVER["LOG_SERVER"]	10.102.36.171:8081
_SERVER["LOG_VIEW_SERVER"]	10.102.36.171:8080
_SERVER["GWEBORDER_HOST"]	orderdb.t.com
_SERVER["GWEBORDER_NAME"]	sf_weborder_all
_SERVER["GWEBORDER_PWD"]	s28CbxSHrh9d
_SERVER["SEARCH1_URL"]	search1.t.com
_SERVER["GWMS_URL"]	10.0.44.92
_SERVER["GWMS_DBNAME"]	oms-platform
_SERVER["GWMS_NAME"]	oms
_SERVER["GWMS_PWD"]	SF!@_oms
_SERVER["WMSCOMPANY"]	58773096-8
_SERVER["MODU_RELIABLEIPS"]	127.0.0.1|10.102.105.*|10.103.14.*|10.102.106.*|10.102.102.*|10.103.3.*|10.103.16.*|10.103.11.*|10.103.9.*|10.102.36.173
_SERVER["API_RELIABLEIPS"]	127.0.0.1|10.90.100.37|10.90.100.3|10.90.100.12|10.0.38.41|10.103.20.42|10.103.16.*|10.103.11.*|10.103.11.32|10.103.9.178
_SERVER["GCACHE_NAME"]	sf_best_soa
_SERVER["GCACHE_PWD"]	MXgpOIDZfTuw
_SERVER["GCACHEM_URL"]	10.102.36.130
_SERVER["GCACHES_URL"]	10.102.36.130
_SERVER["SFV_URL"]	http://sfvweb.sf-express.com/index.php?app=yxservicesoap&action=require_action
_SERVER["REDIRECT_STATUS"]	200
_SERVER["MAIL_HOST"]	mail.sfbest.cn
_SERVER["MAIL_PORT"]	25
_SERVER["MAIL_USERNAME"]	customer@sfbest.cn
_SERVER["MAIL_PASSWORD"]	bJsF!WLB888
_SERVER["SF_HR_URL"]	http://10.103.16.18
_SERVER["CHK_KEY"]	sfsfslkjlsdjfkslfjf
_SERVER["BIRE_DBM_URL"]	10.103.16.199
_SERVER["BIRE_NAME"]	sfr_php_rmf
_SERVER["BIRE_PWD"]	sf-express.com
_SERVER["CRMAPI_SIGN"]	123456
_SERVER["P_IMG"]	001.timg.cn|002.timg.cn|003.timg.cn|004.timg.cn|005.timg.cn|006.timg.cn|007.timg.cn|008.timg.cn|009.timg.cn|010.timg.cn|011.timg.cn|012.timg.cn|013.timg.cn|014.timg.cn|015.timg.cn|016.timg.cn|017.timg.cn|018.timg.cn|019.timg.cn|020.timg.cn
_SERVER["P02_IMG"]	201.timg.cn|202.timg.cn|203.timg.cn|204.timg.cn|205.timg.cn|206.timg.cn|207.timg.cn|208.timg.cn|209.timg.cn|210.timg.cn
_SERVER["P01_IMG"]	101.timg.cn|102.timg.cn|103.timg.cn|104.timg.cn|105.timg.cn
_SERVER["P03_IMG"]	301.timg.cn
_SERVER["SEO_MONGO_URL"]	10.103.16.89
_SERVER["SEO_MONGO_USER"]	pseo
_SERVER["SEO_MONGO_PWD"]	2w4r6y8i0p
_SERVER["SEO_MONGO_PORT"]	27017
_SERVER["GCOLLECT_DBM_URL"]	IDC-T-sfbest
_SERVER["GCOLLECT_DBS_URL"]	dbs.t.com
_SERVER["GCOLLECT_NAME"]	sf_best_all
_SERVER["GCOLLECT_PWD"]	gUpohxX9Gx67
_SERVER["MONGODB_USER"]	sf_jsms
_SERVER["MONGODB_PWD"]	M.Jsms#2012
_SERVER["MONGODB_HOST"]	10.102.36.137
_SERVER["MASTER_SLAVE_SWITCH"]	true
_SERVER["CACHE_SERVERS"]	10.102.36.152:11211,10.102.36.152:11212
_SERVER["GUSER_NAME"]	sf_best_all
_SERVER["GUSER_PWD"]	gUpohxX9Gx67
_SERVER["GWEB_NAME"]	sf_best_all
_SERVER["GWEB_PWD"]	gUpohxX9Gx67
_SERVER["GSHOP_NAME"]	sf_best_all
_SERVER["GSHOP_PWD"]	gUpohxX9Gx67
_SERVER["GLOG_NAME"]	sf_best_all
_SERVER["GLOG_PWD"]	gUpohxX9Gx67
_SERVER["GQUEUE_NAME"]	sf_best_all
_SERVER["GQUEUE_PWD"]	gUpohxX9Gx67
_SERVER["GSFV_NAME"]	sf_best_all
_SERVER["GSFV_PWD"]	gUpohxX9Gx67
_SERVER["GREPORT_NAME"]	sf_best_all
_SERVER["GREPORT_PWD"]	gUpohxX9Gx67
_SERVER["GLOGIS_NAME"]	sf_best_all
_SERVER["GLOGIS_PWD"]	gUpohxX9Gx67
_SERVER["ADDR_NAME"]	sf_best_all
_SERVER["ADDR_PWD"]	gUpohxX9Gx67
_SERVER["GTMALL_NAME"]	sf_best_all
_SERVER["GTMALL_PWD"]	gUpohxX9Gx67
_SERVER["AJAX_PRICE_LOCAL"]	1
_SERVER["DBS_URL_02"]	dbs.t.com
_SERVER["CART_URL"]	http://cart.t.com
_SERVER["GCART_HOST"]	IDC-T-sfbest
_SERVER["GCART_NAME"]	sf_best_all
_SERVER["GCART_PWD"]	gUpohxX9Gx67
_SERVER["BI_NAME"]	sf_best_all
_SERVER["BI_PWD"]	gUpohxX9Gx67
_SERVER["BI_DBM_URL"]	IDC-T-sfbest
_SERVER["BI_DBS_URL"]	dbs.t.com
_SERVER["GMAPP_NAME"]	sf_best_all
_SERVER["GMAPP_PWD"]	gUpohxX9Gx67
_SERVER["JD_DBM_URL"]	IDC-T-sfbest
_SERVER["JD_DBS_URL"]	IDC-T-sfbest
_SERVER["GJD_NAME"]	sf_best_all
_SERVER["GJD_PWD"]	gUpohxX9Gx67
_SERVER["GDC_DBM_URL"]	IDC-T-sfbest
_SERVER["GDC_DBS_URL"]	dbs.t.com
_SERVER["GDC_NAME"]	sf_best_all
_SERVER["GDC_PWD"]	gUpohxX9Gx67
_SERVER["WWW_FILECACHE_OPEN"]	false
_SERVER["WWW_FILECACHE_TIME"]	160
_SERVER["CART_FILECACHE_OPEN"]	false
_SERVER["CART_FILECACHE_TIME"]	160
_SERVER["Recommend_SERVICE_URL"]	http://10.102.36.175:8081
_SERVER["SHUNFEN_SERVICE_URL"]	http://10.102.34.113:8080
_SERVER["USERS_LOG_DBM_URL"]	IDC-T-sfbest
_SERVER["USERS_LOG_DBS_URL_02"]	dbs.t.com
_SERVER["GUSERS_LOG_NAME"]	sf_best_all
_SERVER["GUSERS_LOG_PWD"]	gUpohxX9Gx67
_SERVER["CERT_DIR"]	/sfbest/code/key
_SERVER["GACTIVE_DBM_URL"]	IDC-T-sfbest
_SERVER["GACTIVE_DBS_URL"]	dbs.t.com
_SERVER["GACTIVE_NAME"]	sf_best_all
_SERVER["GACTIVE_PWD"]	gUpohxX9Gx67
_SERVER["GFD_DBM_URL"]	IDC-T-sfbest
_SERVER["GFD_DBS_URL"]	dbs.t.com
_SERVER["GFD_NAME"]	sf_best_all
_SERVER["GFD_PWD"]	gUpohxX9Gx67
_SERVER["DOMAIN"]	T
_SERVER["PINFO_GSHOP_NAME"]	sfr_pinfo_gshop
_SERVER["PINFO_GSHOP_PWD"]	ItKTW]&@RA
_SERVER["銆€M_URL"]	http://m.sfbest.com
_SERVER["PL_MERCHANT_DB_MURL"]	IDC-T-sfbest
_SERVER["PL_MERCHANT_DB_SURL"]	IDC-T-sfbest
_SERVER["PL_MERCHANT_NAME"]	sf_best_all
_SERVER["PL_MERCHANT_PWD"]	gUpohxX9Gx67
_SERVER["PL_CONTRACT_DB_MURL"]	IDC-T-sfbest
_SERVER["PL_CONTRACT_DB_SURL"]	IDC-T-sfbest
_SERVER["PL_CONTRACT_NAME"]	sf_best_all
_SERVER["PL_CONTRACT_PWD"]	gUpohxX9Gx67
_SERVER["FD_DOMAIN"]	http://fd.t.com/
_SERVER["PL_ORDER_DB_MURL"]	IDC-T-sfbest
_SERVER["PL_ORDER_DB_SURL"]	IDC-T-sfbest
_SERVER["PL_ORDER_NAME"]	sf_best_all
_SERVER["PL_ORDER_PWD"]	gUpohxX9Gx67
_SERVER["WEBLOG_NAME"]	sf_best_all
_SERVER["WEBLOG_PWD"]	gUpohxX9Gx67
_SERVER["QUALIFICATION_URL"]	qualification.t.com
_SERVER["VENDOR_DBM_URL"]	IDC-T-sfbest
_SERVER["VENDOR_DBS_URL"]	dbs.t.com
_SERVER["VENDOR_NAME"]	sf_best_all
_SERVER["VENDOR_PWD"]	gUpohxX9Gx67
_SERVER["SHOWAT1111"]	no
_SERVER["SAP_GDC_DBM_URL"]	IDC-T-sfbest
_SERVER["SAP_GDC_DBS_URL"]	dbs.t.com
_SERVER["SAP_GDC_NAME"]	sf_best_all
_SERVER["SAP_GDC_PWD"]	gUpohxX9Gx67
_SERVER["SAP_DBM_URL"]	IDC-T-sfbest
_SERVER["SAP_DBS_URL"]	dbs.t.com
_SERVER["SAP_GUSER_NAME"]	sf_best_all
_SERVER["SAP_GUSER_PWD"]	gUpohxX9Gx67
_SERVER["GFS_DBM_URL"]	IDC-T-sfbest
_SERVER["GFS_DBS_URL"]	dbs.t.com
_SERVER["GFS_NAME"]	sf_best_all
_SERVER["GFS_PWD"]	gUpohxX9Gx67
_SERVER["GORDERLOG_DBM_URL"]	IDC-T-sfbest
_SERVER["GORDERLOG_DBS_URL"]	dbs.t.com
_SERVER["GORDERLOG_NAME"]	sf_best_all
_SERVER["GORDERLOG_PWD"]	gUpohxX9Gx67
_SERVER["STOCK_SERVICE_URL"]	http://stockservice.t.com
_SERVER["ACTIVITY_SERVICE_URL"]	http://activityservice.t.com
_SERVER["ORDER_SERVICE_URL"]	http://orderapi.t.com:8080
_SERVER["DELIVERY_SERVICE_URL"]	http://10.102.36.151:8080
_SERVER["PRODUCT_CHANNEL_URL"]	http://10.102.36.151:8088
_SERVER["ERCHANT_DBM_URL"]	dbm.t.com
_SERVER["MERCHANT_DBS_URL"]	dbs.t.com
_SERVER["MERCHANT_NAME"]	sf_best_all
_SERVER["MERCHANT_PWD"]	gUpohxX9Gx67
_SERVER["STORE_DBM_URL"]	dbm.t.com
_SERVER["STORE_DBS_URL"]	dbs.t.com
_SERVER["STORE_NAME"]	sf_best_all
_SERVER["STORE_PWD"]	gUpohxX9Gx67
_SERVER["GSALE_DBM_URL"]	dbm.t.com
_SERVER["GSALE_DBS_URL"]	dbs.t.com
_SERVER["GSALE_NAME"]	sf_best_all
_SERVER["GSALE_PWD"]	gUpohxX9Gx67
_SERVER["CAS_LOGIN"]	1
_SERVER["GMAPP_DBM_URL"]	IDC-T-sfbest
_SERVER["GMAPP_DBS_URL"]	IDC-T-sfbest
_SERVER["GROUP_BUY_SERVICE_URL"]	http://10.102.36.151:8058
_SERVER["CHANNEL_SERVICE_URL"]	http://10.103.16.104:8010
_SERVER["CANCEL_ORDER_STORE_SERVICE_URL"]	http://10.102.36.183:8080
_SERVER["HTTP_HOST"]	59.151.22.134
_SERVER["HTTP_USER_AGENT"]	Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
_SERVER["HTTP_ACCEPT"]	text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
_SERVER["HTTP_ACCEPT_LANGUAGE"]	zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
_SERVER["HTTP_ACCEPT_ENCODING"]	gzip, deflate
_SERVER["HTTP_CONNECTION"]	keep-alive
_SERVER["PHP_SELF"]	/i.php
_SERVER["REQUEST_TIME"]	1459611175

phpinfo泄露大量敏感信息！

//↓↓↓↓↓↓↓↓↓↓请在这里配置您的基本信息↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓
//合作身份者id，以2088开头的16位纯数字
$aliapy_config['partner']      = '2088011868358875';
//安全检验码，以数字和字母组成的32位字符
$aliapy_config['key']          = 'o49vf4jxuwmfymox0y5gtlz8xun1klgt';
//签约支付宝账号或卖家支付宝帐户
//$aliapy_config['seller_email'] = 'bjsfdzswcwb@sf-express.com';
$aliapy_config['seller_email'] = 'bjsfdzswcwb1@sf-express.com';
//↑↑↑↑↑↑↑↑↑↑请在这里配置您的基本信息↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑

其他看截图了。