当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0135274

漏洞标题:国内著名金融服务公司OA系统及邮箱泄露

相关厂商:cardpay-sh.com

漏洞作者: 天天向上

提交时间:2015-08-19 15:05

修复时间:2015-10-03 15:06

公开时间:2015-10-03 15:06

漏洞类型:基础设施弱口令

危害等级:中

自评Rank:10

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-08-19: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-10-03: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

乾康(上海)金融信息服务有限公司是一家专注于金融领域专业管理咨询以及运营实施的服务机构。公司的主营业务是为银行等金融机构提供微小贷款和信用卡业务的咨询及运营、人力资源管理、新产品创新等咨询服务以及协助实现银行互联网金融平台建设----金融OTO商业模式服务平台。

详细说明:

泄露地址 https://github.com/JohnCny/oa/tree/1b6578d650546b489fd73d5afa577f4dbe9bb123
OA地址 oa.cardpay-sh.com

INSERT INTO `oa_user` VALUES ('1', 'admin', 'ad1b4af4e801d0bdb79ec20ca6a57cff', '管理员', '1', '1', '1', '1', '1', null, '1', null), ('2', 'qk_leihy', 'd553d148479a268914cecb77b2b88e6a', '雷海燕', '0', '-', '3', '1', '1', '2014-01-15 21:12:25', '1', '2014-01-15 21:12:25'), ('3', 'qk_tanxy', '96e79218965eb72c92a549dd5a330112', '檀晓阳', '1', '-', '5', '1', '1', '2014-01-15 21:13:22', '1', '2014-01-20 15:19:31'), ('4', 'qk_chenkai', '96e79218965eb72c92a549dd5a330112', '陈凯', '1', '-', '2', '1', '1', '2014-01-15 21:14:14', '1', '2014-01-15 21:14:14'), ('5', 'qk_fuxd', '96e79218965eb72c92a549dd5a330112', '傅晓东', '1', '-', '2', '1', '1', '2014-01-15 21:16:03', '1', '2014-01-15 21:16:03'), ('6', 'qk_gexiang', '46f227e9cf17e2e1e88b14e679047bd9', '葛祥', '1', '-', '3', '1', '1', '2014-01-15 21:17:13', '1', '2014-01-17 15:35:24'), ('7', 'qk_gulq', '96e79218965eb72c92a549dd5a330112', '顾刘庆', '1', '-', '3', '1', '1', '2014-01-15 21:19:01', '1', '2014-01-15 21:19:01'), ('8', 'qk_jijie', '96e79218965eb72c92a549dd5a330112', '嵇杰', '1', '', '3', '1', '1', '2014-01-15 21:19:39', '1', '2014-01-17 15:35:39'), ('9', 'qk_jili', '96e79218965eb72c92a549dd5a330112', '吉力', '1', '-', '2', '1', '1', '2014-01-15 21:20:41', '1', '2014-01-21 10:40:35'), ('10', 'qk_jianghs', '61d018e349f109f66e96594f068085c1', '蒋瀚湜', '1', '-', '3', '1', '1', '2014-01-15 21:21:48', '1', '2014-01-17 15:36:00'), ('11', 'qk_lily', '96e79218965eb72c92a549dd5a330112', '李丽', '0', '-', '2', '1', '1', '2014-01-15 21:22:30', '1', '2014-01-21 10:41:13'), ('12', 'qk_liyz', '80a2d6176c101ab903928a35810175a1', '李依重', '1', '-', '2', '1', '1', '2014-01-15 21:23:10', '1', '2014-01-15 21:23:10'), ('13', 'qk_liuchao', '96e79218965eb72c92a549dd5a330112', '刘超', '1', '-', '3', '1', '1', '2014-01-15 21:23:51', '1', '2014-01-17 15:36:18'), ('14', 'qk_liuwx', '96e79218965eb72c92a549dd5a330112', '刘文新', '1', '-', '3', '1', '1', '2014-01-15 21:24:19', '1', '2014-01-15 21:24:19'), ('15', 'qk_liuxj', '96e79218965eb72c92a549dd5a330112', '刘学军', '1', '-', '2', '1', '1', '2014-01-15 21:24:49', '1', '2014-01-20 15:20:55'), ('16', 'qk_mayh', '96e79218965eb72c92a549dd5a330112', '马颖涵', '0', '-', '2', '1', '1', '2014-01-15 21:25:58', '1', '2014-01-15 21:25:58'), ('17', 'qk_panyh', 'c8837b23ff8aaa8a2dde915473ce0991', '潘跃华', '1', '-', '3', '1', '1', '2014-01-15 21:26:41', '1', '2014-01-17 15:36:38'), ('18', 'qk_tanwh', '96e79218965eb72c92a549dd5a330112', '谭文华', '1', '-', '3', '1', '1', '2014-01-15 21:27:38', '1', '2014-01-17 15:36:50'), ('19', 'qk_wanglj', '670b14728ad9902aecba32e22fa4f6bd', '王丽君', '0', '-', '3', '1', '1', '2014-01-15 21:28:27', '1', '2014-01-15 21:28:27'), ('20', 'qk_wanglu', '96e79218965eb72c92a549dd5a330112', '王路', '1', '-', '2', '1', '1', '2014-01-15 21:29:02', '1', '2014-01-21 10:41:32'), ('21', 'qk_wangxu', '96e79218965eb72c92a549dd5a330112', '王旭', '0', '-', '3', '1', '1', '2014-01-15 21:29:57', '1', '2014-01-17 15:37:04'), ('22', 'qk_zhangjw', '96e79218965eb72c92a549dd5a330112', '张金巍', '1', '-', '3', '1', '1', '2014-01-15 21:30:37', '1', '2014-01-17 15:37:21'), ('23', 'qk_zhangxi', '4010df838807f17c69c01a78a4d769e8', '张熙', '1', '-', '5', '1', '1', '2014-01-15 21:31:21', '1', '2014-01-15 21:34:49'), ('24', 'qk_zhaojy', '96e79218965eb72c92a549dd5a330112', '赵军扬', '1', '-', '2', '1', '1', '2014-01-15 21:31:55', '1', '2014-01-21 10:41:54'), ('25', 'qk_zhoubin', '96e79218965eb72c92a549dd5a330112', '周滨', '1', '-', '2', '1', '1', '2014-01-15 21:32:31', '1', '2014-01-15 21:32:31'), ('27', 'qk_chendan', '96e79218965eb72c92a549dd5a330112', '陈丹', '1', '-', '5', '1', '1', '2014-01-15 21:35:18', '1', '2014-01-15 21:35:18'), ('28', 'qk_caorx', '96e79218965eb72c92a549dd5a330112', '曹如玺', '1', '-', '5', '1', '1', '2014-01-15 21:35:58', '1', '2014-01-15 21:35:58'), ('29', 'qk_weizl', '96e79218965eb72c92a549dd5a330112', '魏子龙', '1', '-', '5', '1', '1', '2014-01-15 21:36:26', '1', '2014-01-15 21:36:26'), ('30', 'qk_wangzl', '96e79218965eb72c92a549dd5a330112', '王质琳', '0', '-', '5', '1', '1', '2014-01-15 21:36:58', '1', '2014-01-15 21:37:48'), ('31', 'qk_xufei', '96e79218965eb72c92a549dd5a330112', '徐飞', '0', '-', '5', '1', '1', '2014-01-15 21:37:29', '1', '2014-01-15 21:37:29'), ('32', 'qk_chenzp', '96e79218965eb72c92a549dd5a330112', '程志鹏', '1', '-', '5', '1', '1', '2014-01-15 21:38:17', '1', '2014-01-15 21:38:17'), ('33', 'qk_shenyf', '96e79218965eb72c92a549dd5a330112', '沈一枫', '1', '-', '3', '1', '1', '2014-01-15 21:38:50', '1', '2014-01-17 15:37:58'), ('34', 'qk_luxiao', '96e79218965eb72c92a549dd5a330112', '卢霄', '1', '-', '2', '1', '1', '2014-01-15 21:39:28', '1', '2014-01-15 21:39:28'), ('35', 'qk_xionglei', '96e79218965eb72c92a549dd5a330112', '熊雷', '1', '-', '2', '1', '1', '2014-01-15 21:39:50', '1', '2014-01-21 10:42:30'), ('36', 'qk_cw', 'd553d148479a268914cecb77b2b88e6a', '财务', '1', '', '2', '1', '1', '2014-01-23 11:49:01', '1', '2014-01-23 11:49:01'), ('37', 'qk_houqin', '96e79218965eb72c92a549dd5a330112', '公司费用报销', '1', '', '2', '1', '1', '2014-02-08 11:13:48', '1', '2014-02-08 11:13:48');
COMMIT


邮箱泄露

_DBUSER = "root"  # 数据库用户名
_DBPASS = "root" # 数据库用户名密码
_DBHOST = "localhost" # 服务器
_DBPORT = '3306' #服务器端口
_DBNAME = "new_oa" # 数据库名称
PER_PAGE = 10 # 每页数量
UPLOAD_FOLDER_REL = '/static/upload' #上传目录(相对路径)
UPLOAD_FOLDER_ABS = os.path.join(_HERE,'static/upload') #上传目录(绝对路径)
# EMAIL_SERVER = "http://192.168.0.105:8888"
EMAIL_SERVER = "http://oa.cardpay-sh.com"
EMAIL_SEND = "qkjr_no_reply@163.com"
Approval_type_ORG = 1#部门
Approval_type_PRJ = 2#项目
Approval_type_CAIWU = 3#财务
class Config(object):
SECRET_KEY = '\xb5\xc8\xfb\x18\xba\xc7*\x03\xbe\x91{\xfd\xe0L\x9f\xe3\\\xb3\xb1P\xac\xab\x061'
DEBUG = False
TESTING = False
SQLALCHEMY_DATABASE_URI = 'sqlite:///%s' % _DB_SQLITE_PATH
BABEL_DEFAULT_TIMEZONE = 'Asia/Chongqing'
# 当前用的数据库配置 重写"SQLALCHEMY_DATABASE_URI"为mysql
class ProConfig(Config):
# 微贷系统数据库配置
SQLALCHEMY_DATABASE_URI = 'mysql://%s:%s@%s:%s/%s' % (_DBUSER, _DBPASS, _DBHOST, _DBPORT, _DBNAME)
#SQLALCHEMY_DATABASE_URI = 'ibm_db_sa://%s:%s@%s:%s/%s' % (_DBUSER, _DBPASS, _DBHOST, _DBPORT, _DBNAME)
DEBUG = True
app.config.update(dict(
DEBUG = True,
MAIL_SERVER = 'smtp.163.com',
MAIL_PORT = 25,
MAIL_USE_SSL = False,
MAIL_USE_TSL = False,
MAIL_USERNAME = "qkjr_no_reply@163.com",
MAIL_PASSWORD = "qkjradmin45"))

漏洞证明:

2.jpg

1.jpg


修复方案:

加强安全意识

版权声明:转载请注明来源 天天向上@乌云


漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞Rank:8 (WooYun评价)