当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0159988

漏洞标题:国联证券某站存在大量弱口令(涉及邮箱/职位/电话/内部文件等)

相关厂商:国联证券

漏洞作者: 心云

提交时间:2015-12-10 15:31

修复时间:2016-01-23 15:16

公开时间:2016-01-23 15:16

漏洞类型:设计缺陷/逻辑错误

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-10: 细节已通知厂商并且等待厂商处理中
2015-12-10: 厂商已经确认,细节仅向厂商公开
2015-12-20: 细节向核心白帽子及相关领域专家公开
2015-12-30: 细节向普通白帽子公开
2016-01-09: 细节向实习白帽子公开
2016-01-23: 细节向公众公开

简要描述:

一大把弱口令。。。

详细说明:

这么多弱口令 也花了挺多时间 求上个首页 T_T
问题出在你们的oa系统
漏洞地址:

http://newoa.glsc.com.cn:8082/


但是
审核大大您看清楚了
我提交的这个跟

 WooYun: 国联证券某安全隐患导致可登陆多个系统(员工手机邮箱/内部文档/可找回密码/任意文件上传)

不是同一个漏洞 他提交的弱口令是 123456
而我找到了他们其他的弱口令
我先用密码 a123456爆出一个用户,然后利用该用户导出他们的通讯录
以下是通讯录+top500,后面爆破要用(可能有重复,这些都是邮箱名): 

jiangzq
chenkl
zhuq
hengyq
caoxt
yiq
xuzb
wujj
wangw
zhoucm
wusheng
xuw
zhangjf
wanggj
zhangfan
zhaowy
wangts
mohy
zhangyi
tangyun
zhangliang
renp
huanghao
fengkj
houhb
chenj
jiangz
shenyn
lint
gongw
renzx
zhengh
jiajh
tengyl
lihj
liangn
yangl
hualh
xuyin
zhangjy
zousf
renl
zhujh
wangwd
shutt
tangwy
zhangky
qiaoq
wangxb
sheng
rongky
zhuwj
zhangzy
xiemh
xixj
yangky
zhengmz
huyb
wanglh
xumz
shant
chensm
lixiangbj
wangyan
zhangming
liz
guoyx
wanglanyan
binh
pengyh
yangro
zongqq
jiangl
liubc
hujx
zhangchao
jizh
zhaoliang
dongy
meix
yingxw
zhangzz
wuxy
houjy
lizb
huangjy
lihaitao
jiangt
yanth
liuli
huoyq
zxy
xiaojj
liqin
yangchao
wanl
zhaom
chench
wus
zhangyj
shyl
chxj
chensy
huangjb
wuchj
zhangxiaow
liyy
lujilei
zhangby
xuej
hongl
liqt
weny
weiyl
huaxw
caik
sunzh
maqx
xusl
wangcong
chenwang
dengb
peiy
kuangh
liuc
xiangqk
wuxil
wy
yerq
liusp
zhangqiang
huangyy
yangjun
jiangzz
heyl
shaql
zhaozl
huxl
wchao
huiy
fanght
jil
gengy
yutq
fanyy
xuyi
jingli
shenjie
mazj
sunrong
mas
shil
lqq
wusb
zq
panw
huangym
chenlg
liutt
caozh
wangying
lizw
huangld
zhuchunyan
xujun
binlu
fangy
houj
zhangdan
zhujingyue
qih
wujb
yangping
jism
wj
chenkq
hy
jiangx
zhangn
baiyj
lizq
huad
zhuhz
wangyj
fangtm
lizhen
xuyihong
wangqx
chenkp
shijz
gaoj
zhd
wll
xun
guyy
zhaoliu
wangsuya
ruijz
wangjh
zhaojj
sizj
gefei
wangyh
zenghp
cuiys
ljing
qil
kej
jiangxx
sungz
zhangcg
zhoup
wangchunxiang
yangxq
fanjw
zhaosg
leilq
yinyw
guomh
yangxueq
pancl
wangyifan
chc
taojz
wangzh
wangbing
zhongwy
guxp
tianl
mabd
luq
zhuxiaoy
qianjj
zhulw
shenlj
xuanz
zhaokai
yuj
gujing
feixl
yesm
lijia
shiyq
zhangjie
xuch
zhangcr
zhangzg
wanyh
hual
zhangww
yangqy
jiw
qinj
zhoujiej
zhangym
fengwj
pib
huanglj
fuq
wangxm
tengmc
LuoXin
caoxb
lj
zhanghao
wanss
wanglj
Wangbei
yaohy
guomt
qinyh
wangj
dongye
liyaoying
zhangch
xuems
zqian
zhangxc
dongmw
wangzhenyx
qianpch
qianzhm
caosi
leijh
yinzw
xufl
luxm
liqq
luwy
heq
lux
zhup
qiand
chengxm
liuhx
fanhj
yuanhj
gej
chenjj
huafm
sunyz
shixz
yangjj
caorq
zhongq
jianghb
shenyu
weisp
liulei
cuimm
xiat
chensx
jiangjr
xueh
zhouln
jiangk
chenll
sunyh
lianghf
gaozy
chentl
wangtao
daizhen
wangly
zhouh
hud
wangxc
xus
chenbc
gumm
luxd
liangz
yaow
liuyang
yangjinw
yangxiaom
fangwt
tianhr
lvzl
renf
chengy
xuejj
zhour
zhaox
baozy
zouts
zhangxm
lub
chenq
youw
sunym
lih
zouj
liuda
shenzy
wangjie
zhough
qinxt
huangsd
jiangjj
wangq
zhangjh
chenkf
yinxq
weicj
huil
zhoujm
guib
gud
liyanz
jixl
hanxiaox
gexl
zhouyun
xuxw
wuxifang
chenhl
wangww
shenww
wangjuan
guoly
jiangsh
cxf
yib
ouxp
zhoujj
gaoyuan
gengw
mengqt
renwd
lusq
zhouyw
shenyj
wut
luok
zhangxiaom
chenlin
zhujx
ligj
panyj
zongmf
xuy
zhoul
houwr
zhoucan
yanqy
heyi
wanglei
fanx
hanx
zhuxm
qj
liangjy
zhoujg
shiwd
wangsy
luod
gengc
liy
jiangxl
wuj
tongwj
liht
xuhy
lujw
jiangmin
zongyuan
fangxj
yinsr
lixy
xujiao
wukj
wangqian
weit
liudp
liumz
wuxf
zhouwx
sujh
xiejy
houyt
jianggq
zhangkh
tianzx
yanghp
yulan
yuanna
dingyj
zhouyao
panzs
zhangj
dingjm
wuly
zhoujie
fengsh
zhub
cuiy
zhoujing
qianxl
wangshuyi
zhoulian
huangsr
chenyunsu
xujie
zhuzn
shenc
huanghy
xujian
shanxd
zhangm
zhuxl
wupp
sunxy
shenyy
liuy
tangzx
guomy
zhangjin
zhangy
zhangyy
panwg
chujg
zhujj
yuanl
wuxq
dongyj
lixi
yangyp
lumin
chenpu
shenlin
Douhy
mayy
zhangyunyx
daijh
luy
hanxt
zhangjunl
huaw
duoyq
lidr
xfwu
zhouwen
liuj
zongyi
zhuxy
chenw
lugp
lujn
gul
YueJJ
guoyan
zhaoy
gongcy
zhangh
mayin
yangjie
lujunwei
chenz
chenwh
xum
yangjieqiong
chenysn
xuhuan
xuym
songhongt
chenjia
mabo
zhangwh
wangning
hanll
zhouj
huangn
sunq
chenwz
yanxy
wangs
puhh
yangj
liuxj
zhangk
xitt
jiangjm
zhuli
gujie
qinfy
qinsd
mohj
quey
chenx
zhangmf
chenxyn
duhm
LiangYL
dingyf
chena
wuyb
sur
luwj
qin
zengxq
liuw
huizhang
huangzc
sunlian
shenrl
wangyif
huliang
shensh
wangch
zhuwd
yub
hebb
wangf
shenhf
zhuxyn
liud
miaomf
liw
hel
gaol
yaol
lufeng
niy
chuxy
wangzy
xuhh
liyun
Liumh
zhoumn
wangm
zhengk
gaoym
zhuyl
lihua
jial
lils
jiangqt
yuanhd
huj
chenxf
sunmx
xux
zhouf
zhangyu
wangcd
jiangyz
duj
shiyj
huyingl
guxd
lius
zhouc
liujy
youdj
xuxu
guling
lijj
liuhong
liupf
shaoyl
tongbz
fengk
xiaw
wangjw
yubin
guzm
yuxy
xuj
weih
renzd
qianj
wangn
liuchang
chenma
hangwp
shenbb
may
yanhm
mis
duwy
zhuyay
wangsb
lix
yif
luww
mann
leiq
pengyb
liangj
lichenjie
yangcongjie
lvq
huangyl
yindc
nijun
wanzz
lengj
zhaol
xiaxb
qinq
luox
huamj
wujh
suxk
jiangm
zhangw
zhuangdl
guoy
zhoukl
huayj
zhuqy
sunw
qianjie
yangx
lujian
shijk
huagl
chenh
xuezy
suw
huazz
wumy
yud
yul
qiangxb
zhangf
daiy
jiangxn
huax
zhaozy
likan
panhl
wanglc
qinz
jianglei
xuecl
xupl
lumj
guojun
gaok
yangy
chengj
zhangdm
huangq
zhoud
yangk
xuzq
nil
huangh
jinxq
pengym
huangzh
caowy
chenxy
limf
huanghm
zhout
jiangb
guyl
wangc
taomy
yangyj
chentt
jixw
xuxx
niyd
yinz
liyue
taowx
sunx
hanxn
zhoum
zhangz
zhult
lizh
changcl
lic
suy
shenhx
gaojl
wangyr
wangsj
sunyan
wucy
peiw
lxy
panhui
zzy
yangyl
guoyb
ycc
xiayf
gujt
xuke
czh
xb
wangjd
qim
tangxq
caiyl
liufh
suh
sunzht
xingyt
fenglu
changh
wqx
heping
muqq
xiaojp
zhangyang
baoyq
wangao
zhongbl
zyc
dingp
lijuan
tangyan
zhkun
zouch
shiy
fus
bihf
wangli
zj
wangdl
panx
quanjx
xhk
chenyj
wangcq
liucd
zhangqy
dingzc
duzq
yuantz
lqin
gongzh
zhangwen
taoms
shenwy
yaof
yaojl
zhangying
suncl
nizh
yliu
tangry
denghm
qiandw
denggf
yanl
yangkai
yxu
zhanghy
zhangyb
xushl
zhubc
peizy
jiangxi
guoyuan
zhuy
qiums
mayx
wuyuj
liujh
cwang
zhouzhp
niqy
houxq
shihy
jinz
huangjc
qiur
liuhuan
yuanz
liliu
zongyun
zhangjianw
zhulc
liujiangyu
dingyl
fujy
juewang
daim
chenk
zhoulinan
lichun
fengyc
tangt
mad
huada
guix
zhangxj
tangxt
jiangq
baoyf
zhangyanl
shaoy
zhangyf
liulang
fengmj
xinglt
zhutt
nanzhang
yinlj
kaichen
limd
luyy
duk
liuwf
gaoyx
liaos
caoyang
yulei
dongwn
fanyz
zhaisn
zhangnan
xfeng
majie
zhangyq
qiny
wangxinyi
zhouqin
huafc
fuxy
xusy
zhangheyi
huangjun
guocy
yey
wxj
syy
luow
chenxuey
yangzl
jiangyim
wusc
liuyuc
guor
fanyx
xucmx
bwang
susf
wujie
liudefa
dongll
shencheng
zhangdy
zhangyx
zouwd
yandd
chengjun
qianlei
wd
yuanlj
chuj
yaos
fangw
zhangyuw
lihan
fuyj
dongyl
wangg
qiandb
zhyh
zx
yusm
zengss
liyahui
chenyu
ll
liqiong
renzhix
huangll
hub
gongxuey
wuxianqin
wug
yaoql
zhangrui
maojq
chenming
helk
zhy
lir
zhujw
wangyn
zhangxin
yyue
sunz
zhull
wxl
zhanghes
baocc
lvxq
chenqw
chenjr
liusr
xiawq
weizy
qianfz
zhangfw
lvty
jiaxc
caiyf
shaolin
zhaoyi
zhangzhiyong
chensimeng
xychen
jiaoxp
genghr
lur
yuyc
cuiwj
yyp
wangsl
chenxu
wyan
zhj
weixt
wuc
gelq
zhangb
wuxm
yangrq
xuzh
songtb
shixinlin
gelis
chenjiaz
guquan
chenzz
chenzy
shaoxq
wujiay
zhongyf
liulian
luomh
lilei
lyj
molj
wanghuan
zhangxuan
pzh
xy
zhmy
meih
wangliy
lukw
xuyj
yanghan
zhjw
linfy
nigy
luoyu
zhly
zhxy
zhym
zhzy
xuxiaom
mazf
sunh
liry
fanglj
shentc
zengl
yyhuang
yangxiy
caoy
wangmy
wangye
zhouxiang
zhanghg
sunbin
yumk
dingliang
zhouds
xupx
xutz
zhangql
liuzq
lizi
suhp
zhuj
wjian
jl
lyl
jiangxy
chult
dingjun
luxl
leimy
daiyk
leyj
fuyt
guoyf
qiank
zhaoxiao
zhaojiong
xiaofei
fanzhang
xiexl
lijw
liaoyf
shenzg
lixinr
lilin
wangliang
luozz
wyj
xumh
zl
liub
huajie
humj
huarr
luqx
wl
yanxc
fjy
chenmeng
konglt
caox
zhanglx
yudong
qiwang
lizhx
wuxian
chenzp
yuziyue
guanf
xiefang
caol
xjie
gongp
wangyx
zhuz
sunyumei
tengwy
chenlj
huawl
wuwq
yuhr
chenhy
lixuan
lijunlyg
pun
liliang
panbb
xubw
xumin
wangmm
zhengyc
wanghui
wangquan
fenghj
xuyp
jiangdh
tangj
wangwq
zhouqing
yaozy
liuxiaom
wangyy
cuiws
zhanghui
chenhonglx
chend
chengrj
lijing
zhuw
huangj
cuik
lin
gucq
zhangjingha
yulp
huyangl
liyj
weixiang
zhouyu
chenhua
shaol
yanghua
sunmingxiang
xuc
kongw
zhaj
guanym
lixz
liugj
qindm
gaoyi
yuxiao
zhonghf
lucx
tangxinfu
lchao
whao
yuancq
taoww
caowb
xurx
caiyz
yaogm
yujl
yinyun
muy
youp
liuxi
liut
chenww
zengyj
zhangli
qianry
wangjing
lumingh
yangq
xiawf
sheny
xuejt
linjj
sunhd
helh
wlj
yuyi
cuijx
xiasy
duxy
niwj
chenxu1
wangchao1
zhaoxw
jiangmk
jiay
mengy
yinf
songbo
lus
yanjw
liufy
wuting
yangyu
kongxm
mengjx
huangzx
nicd
zhangyuwei
chusy
wum
yaozy
yinzw
leijh
pengyb
jiangzq
lizq
xufl
huizhang
chenxu
linfy
liw
xueh
jiangxn
liqq
lvzl
yangx
liz
cuiy
pun
jiangjr
zhoum
zhangwei
wangwei
wangfang
liwei
lina
zhangmin
lijing
wangjing
liuwei
wangxiuying
zhangli
lixiuying
wangli
zhangjing
zhangxiuying
liqiang
wangmin
limin
wanglei
liuyang
wangyan
wangyong
lijun
zhangyong
lijie
zhangjie
zhanglei
wangqiang
lijuan
wangjun
zhangyan
zhangtao
wangtao
liyan
wangchao
liming
liyong
wangjuan
liujie
liumin
lixia
lili
zhangjun
wangjie
zhangqiang
wangxiulan
wanggang
wangping
liufang
zhangyan
liuyan
liujun
liping
wanghui
wangyan
chenjing
liuyong
liling
liguiying
wangdan
ligang
lidan
liping
wangpeng
liutao
chenwei
zhanghua
liujing
litao
wangguiying
zhangxiulan
lihong
lichao
liuli
zhangguiying
wangyulan
liyan
zhangpeng
lixiulan
zhangchao
wangling
zhangling
lihua
wangfei
zhangyulan
wangguilan
wangying
liuqiang
chenxiuying
liying
lihui
limei
chenyong
wangxin
lifang
zhangguilan
libo
yangyong
wangxia
liguilan
wangbin
lipeng
zhangping
zhangli
zhanghui
zhangyu
liujuan
libin
wanghao
chenjie
wangkai
chenli
chenmin
wangxiuzhen
liyulan
liuxiuying
wangping
wangping
zhangbo
liuguiying
yangxiuying
zhangying
yangli
zhangjian
lijun4
lili
wangbo
zhanghong
liudan
lixin
wangli
yangjing
liuchao
zhangjuan
yangfan
liuyan
liuying
lixue
lixiuzhen
zhangxin
wangjian
liuyulan
liuhui
liubo
zhanghao
zhangming
chenyan
zhangxia
chenyan
yangjie
wangshuai
lihui
wangxue
yangjun
zhangxu
liugang
wanghua
yangmin
wangning
lining
wangjun
liuguilan
liubin
zhangping
wangting
chentao
wangyumei
wangna
zhangbin
chenlong
lilin
wangyuzhen
zhangfengying
wanghong
lifengying
yangyang
liting
zhangjun
wanglin
chenying
chenjun
liuxia
chenhao
zhangkai
wangjing
chenfang
zhangting
yangtao
yangbo
chenhong
liuhuan
wangyuying
chenjuan
chengang
wanghui
zhangying
zhanglin
zhangna
zhangyumei
wangfengying
zhangyuying
lihongmei
liujia
liulei
zhangqian
liupeng
wangxu
zhangxue
liyang
zhangxiuzhen
wangmei
wangjianhua
liyumei
wangying
liuping
yangmei
lifei
wangliang
lilei
lijianhua
wangyu
chenling
zhangjianhua
liuxin
wangqian
zhangshuai
lijian
chenlin
liyang
chenqiang
zhaojing
wangcheng
zhangyuzhen
chenchao
chenliang
liuna
wangqin
zhanglanying
zhanghui
liuchang
liqian
yangyan
zhangliang
zhangjian
liyun
zhangqin
wanglanying
liyuzhen
liuping
chenguiying
liuying
yangchao
zhangmei
chenping
wangjian
liuhong
zhaowei
zhangyun
zhangning
yanglin
zhangjie
gaofeng
wangjianguo
yangyang
chenhua
yanghua
wangjianjun
yangliu
liuyang
wangshuzhen
yangfang
lichunmei
liujun
wanghaiyan
liuling
chenchen
wanghuan
lidongmei
zhanglong
chenbo
chenlei
wangyun
wangfeng
wangxiurong
wangrui
liqin
liguizhen
chenpeng
wangying
liufei
wangxiuyun
chenming
wangguirong
lihao
wangzhiqiang
zhangdan
lifeng
zhanghongmei
liufengying
liyuying
wangxiumei
lijia
wanglijuan
chenhui
zhangtingting
zhangfang
wangtingting
wangyuhua
zhangjianguo
lilanying
wangguizhen
lixiumei
chenyulan
chenxia
liukai
zhangyuhua
liuyumei
liuhua
libing
zhanglei
wangdong
lijianjun
liuyuzhen
wanglin
lijianguo
liying
yangwei
liguirong
wanglong
liuting
chenxiulan
zhangjianjun
lixiurong
liuming
zhoumin
zhangxiumei
lixuemei
huangwei
zhanghaiyan
wangshulan
lizhiqiang
yanglei
lijing
litingting
zhangxiurong
liujianhua
wanglili
zhaomin
chenyun
lihaiyan
zhangguirong
zhangjing
liuli
likai
zhangyu
zhangfeng
liuxiulan
zhangzhiqiang
lilong
lixiuyun
lixiufang
lishuai
lixin
liuyun
zhanglili
lijie
zhangxiuyun
wangshuying
wangchunmei
wanghongmei
chenbin
liyuhua
liguifang
zhangying
chenfei
wangbo
liuhao
huangxiuying
liuyuying
lishuzhen
huangyong
zhouwei
wangxiufang
wanglihua
wangdandan
libin
wangguixiang
wangkun
liuhui
lixiang
zhangrui
zhangguizhen
wangshuhua
liushuai
zhangfei
zhangxiufang
wangyang
chenjie
zhangguifang
zhanglijuan
wangrong
wuxiuying
yangming
liguixiang
mali
liuqian
yangxiulan
yangling
wangxiuhua
yangping
wangbin
liliang
lirong
liguizhi
lilin
liyan
lijian
wangbing
wangguifang
wangming
chenmei
zhangchunmei
liyang
wangyan
wangdongmei
liufeng
lixiuhua
lidandan
yangxue
liuyuhua
maxiuying
zhanglihua
zhangshuzhen
lixiaohong
zhangbo
wangxin
wangguizhi
zhaoli
zhangxiuhua
zhanglin
huangmin
yangjuan
wangjinfeng
zhoujie
wanglei
chenjianhua
liumei
yangguiying
lishuying
chenyuying
yangxiuzhen
sunxiuying
zhaojun
zhaoyong
liubing
yangbin
liwen
chenlin
chenping
sunwei
zhangli
chenjun
zhangnan
liuguizhen
liuyu
liujianjun
zhangshuying
lihongxia
zhaoxiuying
libo
wangli
zhangrong
zhangfan
wangjianping
zhangguizhi
zhangyu
zhouyong
zhangkun
xuwei
wangguihua
liuqin
zhoujing
xumin
liutingting
xujing
yanghong
wanglu
zhangshulan
zhangwen
yangyan
chenguilan
zhouli
lishuhua
chenxin
machao
liujianguo
liguihua
wangfenglan
lishulan
chenxiuzhen


接下来就开始爆破:
0X01 密码为12345678

密码为12345678的有1个.png


wj 12345678


0X02 密码为glsc8888

密码为glsc8888的有1个.png


fangtm  glsc8888


0X03 密码为123456

密码为123456的9个.png


91	huoyq	302	false	false	544	
149	mazj	302	false	false	544	
312	chensx	302	false	false	544	
445	yanghp	302	false	false	544	
529	zhangwh	302	false	false	544	
601	chenxf	302	false	false	544	
623	fengk	302	false	false	544	
626	yubin	302	false	false	544	
953	sunz	302	false	false	544	
1120	fenghj	302	false	false	544


0X04 密码为a123456

密码为a123456的有4个.png


wangjie a123456
zhoujj a123456
lumin a123456


0X05 密码为888888

密码为888888的有个.png


39	xuyin	302	false	false	544	
80	meix	302	false	false	544	
181	lizq	302	false	false	544	
189	chenkp	302	false	false	544	
255	zhangym	302	false	false	544	
277	zqian	302	false	false	544	
330	gumm	302	false	false	544	
464	xujie	302	false	false	544	
471	zhuxl	302	false	false	544	
503	zhouwen	302	false	false	544	
602	sunmx	302	false	false	544	
641	duwy	302	false	false	544	
680	xuezy	302	false	false	544	
722	taomy	302	false	false	544	
952	yyue	302	false	false	544	
1061	qiank	302	false	false	544	
1125	zhouqing	302	false	false	544	
1139	gucq	302	false	false	544	
1142	huyangl	302	false	false	544	
1220	lizq	302	false	false	544	
265	zhanghao	302	false	false	556


0X06 密码为666666

密码为666666的有3个.png


974	jiaoxp	302	false	false	544	
998	shaoxq	302	false	false	544	
1123	tangj	302	false	false	544


0X07 密码为111111

密码为111111的有2个.png


213	wangchunxiang	302	false	false	544	
1150	xuc	302	false	false	544


以下是登录后的截图:

wangjie登录成功.png


可直接登录邮箱:

wangjie邮箱.png


通讯录:

姓名-电话-邮箱.png


财务部-姓名-电话-邮箱.png


内部通知:

内部文件.png


漏洞证明:

证明:

财务部-姓名-电话-邮箱.png


huoyq-123456.png

修复方案:

1、希望你们能大整改 杜绝弱口令
2、登录处加验证码 提高安全性

版权声明:转载请注明来源 心云@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-12-10 15:58

厂商回复:

感谢发现

最新状态:

暂无