Vulnerability summary
Defect ID: wooyun-2015-0119784
Title: Information disclosure in the mail system of a regional enrollment and examination information site leads to a chain of security problems
Vendor: 内蒙古招生考试信息网 (Inner Mongolia Enrollment and Examination Information Network)
Author: xi4ohz
Submitted: 2015-06-12 11:15
Fixed: 2015-07-31 11:02
Disclosed: 2015-07-31 11:02
Vulnerability type: leak of internal confidential information
Severity: High
Self-assessed rank: 20
Status: handed over to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling
Source: http://www.wooyun.org; for questions or help, contact [email protected]
Tags: none
Vulnerability details
Disclosure status:
2015-06-12: details sent to the vendor, awaiting vendor handling
2015-06-16: vendor confirmed; details visible to the vendor only
2015-06-26: details disclosed to core white hats and domain experts
2015-07-06: details disclosed to regular white hats
2015-07-16: details disclosed to intern white hats
2015-07-31: details disclosed to the public
Brief description:
Information disclosure in the mail system of a regional enrollment and examination information site leads to a chain of security problems.
Detailed description:
内蒙古招生考试信息网 at http://116.113.33.130:8080 runs an old version of TurboMail.
The admin backend accepts a login as sec_bm or sec_sj with an empty password (the sec_bm password has since been changed to sec_bm).
Proof:
Using the file-read vulnerability, the administrator's password was read out. It is stored as base64, which is an encoding rather than real encryption, so it was trivially decoded and used to enter the admin backend.
Listing of all users (the raw JSON user list returned by the server is omitted here):
Obtained the admin user's password.
Found that the admin mailbox is the one registered for the WeChat public platform account.
Logged into the WeChat platform with the admin password (do not reuse the same administrative password).
At this point both the mail system and the WeChat public account are compromised (a guess: the mail system's admin password is a shared password used elsewhere; because the timing was sensitive, I did not dig any deeper).
Note: some users' initial password is 123456, and those accounts have already been used by others to send spam.
Fix:
Upgrade the mail system.
Change the users' weak passwords.
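A defender-side audit, added here as an example (it is not part of the original report and not TurboMail's own code): it flags the nameless built-in accounts in a user list of the JSON shape quoted above, and classifies stored credentials that are blank or merely base64-encoded, the two weaknesses that gave away the sec_bm/sec_sj logins and the admin password. The user list below is constructed in that same shape, and the `account=credential` store format is a hypothetical stand-in, not TurboMail's real storage format.

```python
import base64
import json

# Constructed sample in the shape of the TurboMail user-list response quoted in the
# report (ret_code plus a users array of useraccount/firstname); names are made up.
SAMPLE_USER_LIST = json.dumps({"ret_code": 0, "users": [
    {"useraccount": "admin@example.test", "firstname": "admin"},
    {"useraccount": "zhangsan@example.test", "firstname": "Zhang San"},
    {"useraccount": "sec_bm@root", "firstname": ""},
    {"useraccount": "sec_sj@root", "firstname": ""},
]})

# Hypothetical "account=stored_credential" lines, all values constructed: a base64
# plaintext, a hash-shaped placeholder, and a blank password.
SAMPLE_CREDENTIAL_STORE = "\n".join([
    "admin=QWRtaW5QYXNzMjAxNQ==",
    "zhangsan=$2b$12$" + "x" * 53,
    "sec_bm=",
])

def find_unnamed_system_accounts(user_list_json: str) -> list[str]:
    """Built-in logins in the server-internal 'root' domain with no display name.
    The report shows two such accounts accepting an empty password; each should be
    disabled or given a unique strong password."""
    data = json.loads(user_list_json)
    if data.get("ret_code") != 0:
        raise ValueError(f"unexpected ret_code {data.get('ret_code')!r}")
    return sorted(u["useraccount"] for u in data["users"]
                  if u["useraccount"].endswith("@root") and not u.get("firstname"))

def classify_stored_credential(value: str) -> str:
    """'empty': blank password; 'base64': reversible encoding of printable text,
    i.e. plaintext in disguise; 'opaque': anything else (a real hash, or unknown)."""
    if value == "":
        return "empty"
    try:
        decoded = base64.b64decode(value, validate=True).decode("ascii")
    except ValueError:  # wrong alphabet/padding or non-ASCII bytes: not base64 text
        return "opaque"
    return "base64" if decoded.isprintable() else "opaque"

def audit_credential_store(text: str) -> dict[str, str]:
    """Map each account whose stored credential needs fixing to the finding kind."""
    findings = {}
    for line in text.splitlines():
        account, sep, stored = line.partition("=")
        if sep and (kind := classify_stored_credential(stored.strip())) != "opaque":
            findings[account.strip()] = kind
    return findings
```

An 'opaque' result only means the value is not blank and not base64 text; confirm separately that the product actually stores a salted hash rather than some other reversible form.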
Copyright notice: please credit xi4ohz@WooYun when reposting.
Vulnerability response
Vendor response:
Severity: Medium
Vulnerability rank: 10
Confirmed: 2015-06-16 11:01
Vendor reply:
CNVD confirmed and reproduced the described situation; it has been forwarded to CNCERT for notification, which will coordinate handling with the managing unit.
Latest status:
None yet