WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles online -------- http://drop.zone.ci/
2016-01-01: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed to the public.
2016-02-12: The vendor has actively ignored the vulnerability; details disclosed to the public.
Shanghai Haibo Investment Co., Ltd. (上海海博投资有限公司) is a wholly owned second-tier subsidiary of Bright Food (Group) Co., Ltd. (光明食品集团有限公司). It owns three main lines of business: "Haibo Taxi" (海博出租汽车), "Hong Kong Wan'an Foods" (香港万安食品) and "Silede stainless steel products" (思乐得不锈钢制品).
Brute-forcing the OA system of Shanghai Haibo Investment Co., Ltd. with Burp Suite:
http://oa.haiboinvest.com/Login.aspx
Captured request:
POST /login.aspx HTTP/1.1
Host: oa.haiboinvest.com
Content-Length: 379
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://oa.haiboinvest.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://oa.haiboinvest.com/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: HBOA_User=UserID=chenyan&UserIdentity=bcfaa25a-e006-4e85-a3b8-dcf8afe9164c; __guid=118750871.1637023060371456000.1451331591016.4336; ASP.NET_SessionId=eokhtz45zwf43o45usq54iaq; count=2

__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUKLTU3NTUyOTMxNg9kFgICAw9kFgICAQ8PFgIeBFRleHRlZGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFCkJ0bkNvbmZpcm3hitYCZx2MOAMVCzpoAmxoKDSkhg%3D%3D&__VIEWSTATEGENERATOR=C2EE9ABB&__EVENTVALIDATION=%2FwEWBAKp7uwBAvyCl4wHAtLF4JEPAs2t7%2BYLS5SWDg6G2uXrGBudIBTgRxPPED4%3D&User=zhangwei&Password=123456&BtnConfirm.x=47&BtnConfirm.y=18
Start brute-forcing:
A single account with a weak password can lead to the leak of tens of thousands of ID-card and driver's-licence records (24154+33286+55+318+5324+22743=85880). Fix the vulnerability quickly to prevent abuse by criminals.
Change the password.
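From the defender's side, an added example (not part of this report or the vendor's code) of spotting the login brute-force pattern described above in web-server logs: it counts failed POSTs to /login.aspx per client IP inside a sliding window and flags a later successful login from a flagged IP as a likely weak-password hit. The log line format, the sample traffic and the convention that a failed login re-renders the form with HTTP 200 while a success redirects with HTTP 302 are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed for this example):
# "<ISO timestamp> <client IP> <method> <path> <status>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # not a request line we understand
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["status"] = int(ev["status"])
    return ev

def detect_bruteforce(log_text, threshold=10, window=timedelta(minutes=5)):
    """Flag every client IP with `threshold` or more failed POSTs to /login.aspx
    inside `window`. Assumption: failure re-renders the form (HTTP 200), success
    redirects (HTTP 302), so a 302 after a flagged burst is a likely weak-password hit."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    findings = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev["method"] != "POST" or ev["path"].lower() != "/login.aspx":
            continue
        q = recent[ev["ip"]]
        while q and ev["ts"] - q[0] > window:  # expire failures older than the window
            q.popleft()
        if ev["status"] == 200:
            q.append(ev["ts"])
            if len(q) >= threshold:
                f = findings.setdefault(ev["ip"], {"max_failures_in_window": 0, "success_after_burst": False})
                f["max_failures_in_window"] = max(f["max_failures_in_window"], len(q))
        elif ev["status"] == 302 and ev["ip"] in findings:
            findings[ev["ip"]]["success_after_burst"] = True
    return findings

def build_sample_log():
    """Constructed sample traffic: 203.0.113.5 sends 12 wrong passwords in 12 seconds
    and then gets a redirect; 198.51.100.7 mistypes once and then logs in normally."""
    t0 = datetime(2016, 1, 1, 10, 0, 0)
    at = lambda s: (t0 + timedelta(seconds=s)).isoformat()
    lines = [f"{at(i)} 203.0.113.5 POST /login.aspx 200" for i in range(12)]
    lines.append(f"{at(12)} 203.0.113.5 POST /login.aspx 302")
    lines.append(f"{at(14)} 198.51.100.7 POST /login.aspx 200")
    lines.append(f"{at(20)} 198.51.100.7 POST /login.aspx 302")
    lines.append(f"{at(30)} 198.51.100.7 GET /Default.aspx 200")
    return "\n".join(lines)
```

Calling detect_bruteforce(build_sample_log()) reports only 203.0.113.5, with 12 failures in the window and a success after the burst; the same signal is what a lockout or rate limit on the login form should trigger on.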
Vendor could not be contacted, or vendor actively refused.