当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0137165

漏洞标题:奥凯航空某系统用户信息泄漏

相关厂商:奥凯航空有限公司

漏洞作者: redare

提交时间:2015-08-28 09:46

修复时间:2015-10-12 09:48

公开时间:2015-10-12 09:48

漏洞类型:敏感信息泄露

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-08-28: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-10-12: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

路人没法使用搜索很蛋疼啊,为了变成实习白帽子,我也是拼了!
奥凯航空有限公司是经中国民用航空总局批准,中国内地第一家开飞的民营航空企业。奥凯航空总部设在北京,以天津滨海国际机场、长沙黄花国际机场为主运营基地,目前,奥凯航空拥有28架飞机(13架B737系列客机、1架B737系列货机、13架新舟60飞机、1架B737-900ER客机),执飞100多条国内外航线。
经过10年的创新发展,奥凯航空已发展成为总资产超过40亿元、年营业收入30亿元以上的中型企业。服务范围包括干线运营、支线运营、飞机维修、航空业务培训等多种业务,并被评选为北京市重点总部企业。

详细说明:

奥凯航空办公系统登录日志泄露,http://oa.okair.net/seeyon/logs/login.log无法获取,方法是再加一个目录符http://oa.okair.net/seeyon//logs/login.log:

1.jpg

日志泄露了大量用户名,看了下截止提交漏洞时共1153个用户,使用123456爆破看看有多少弱口令:

2.jpg

一共313个,啧啧,这么多弱口令如果泄露出去危害可想而知!

漏洞证明:

随便登陆个看一下,涉及敏感信息就乱翻了

3.jpg

修复方案:

好人做到底,把弱口令用户整理出来去修改吧,另外此处仅测试了123456,其余弱口令请自行测试。求高rank脱离路人!

Payload
liujianxin
piaochengxue
laishuhai
tsnguitai
tsnguitai
zhoujian
zhoujian
jipiaoyudingxi
zhangwenlei
zhaizhaoqi
zhaoqingpu
chenyidan
zhangchun
pangdongliang
wangyang2
dongxuefeng
liuzhongfu
xiaoxue
yinxianhong
baidanni
limingjie
zhangjunsuo
gengxiangzhang
zhangfengjiao
zhangqiyan
lirongrong
liuxu1
guoyu
liuweidong
chenxiangju
hanxu3
penglina
zhoujian
tiandeyu
baoyuzhu
xuzhengwei
liuchenfang
huanghedong
qianguoliang
luzheng
daiweizhao
zhangkun2
yangting
dongzengning
zhujing
huangchongcheng
chensi
lidan3
zhouqichao
jipiaoyudingxi
dongzhen
yanxiao
dongzhen
zhouqichao
shenli2
wangpengxiang
dongzhen
jiangqiujing
chenxiangju
zhoujian
hanjianzhu
jiashengjun
liumeixia
daiwenbin
wucong
wucong
wangbin
wucong
wucong
youjia
jiaolong
chutiancang
wangbin
menglinlin
liyanping
liuzixuan
zhangchao
chenjun
xujingyun
gubinbin
jiashengjun
chenou
huichen
jipiaoyudingxi
chenxiangju
zhoujian
yangchunmei
chenzhiyi
liweiyi
hanxu3
scsys
zhangxupeng
wuwei2
jiangtao
yangwei
csxguitai
mengdexu
xiebing
xiaoling
wanglamei
zhangxin3
chenxiangju
zhoujian
yejing
zhangying2
qidongming
sunwei2
zhoujian
zhaomengying
chenbei
chenxiangju
liuchang
longquan
chenxiangju
sunjihao
sunhao
liuzhongfu
liyuanhong
jipiaoyudingxi
chenxiangju
liujianxin
jiashengjun
liuhuifang
chenweiqing
zhangchao
zhangbowen
lirongrong
ligang
chenxiangju
lixin2
baimingtao
zhouqichao
lizhaoping
chenxiangju
guxueying
chenxiangju
muyonghong
chenxiangju
zhangjunsuo
lidan3
guomeili
guomeili
caojunying
yejing
baoyuzhu
tsnguitai
zhoujian
chenxiangju
wangzengbo
yangyanhui
zhangbin2
zengcheng
tsnguitai
zhangbin2
xufangfei
daidi
sunjianmin
jiazhen
longxuanguo
longxuanguo
wangpengxiang
zhangbin2
baishuang
zhoujian
jiaoxiuxian
hejinquan
lijian
lijian
wucong
chenxiangju
jipiaoyudingxi
huanghedong
wangbeidi
sunwei2
madongtao
lizhigang
madongtao
zhaoyichun
cuimengyao
chixu
wangshu
zhoujian
lizhaoping
fengqingqing
chenxiangju
wangyuanyuan
zhoujian
lidan3
zhoujian
zengcheng
houyuxuan
zhangjunsuo
chenxiangju
zhoujian
jipiaoyudingxi
chenxiangju
zhangzhe
longxuanguo
zhoujian
liaoxin
zhoujian
liumeixia
longxuanguo
wangbin
menglinlin
honghelong
zhangying2
wangmeng
zhangying2
chenzhiyi
sunjianmin
zhoujian
liujianxin
limingjie
chenweiqing
liuzhongfu
yanxinda
zhoujian
menglinlin
lixun
chenxiangju
dingpeilong
chenxiangju
gaozerui
liaoxin
qianguoliang
panxiaofang
xujingyun
huangchongcheng
zhoujian
baishuang
wutuxing
menglinlin
liaoxin
wutuxing
madongtao
zhaosongdong
liyang5
chenxiangju
zhaosongdong
zhoujian
tongyang
chenxiangju
linmengmeng
scsys
lichao2
zhoujian
gaozerui
chenjun
tangwei
hanjiang
lijian
chenxiangju
zhoujian
zhangxupeng
chenweiqing
baidanni
wutuxing
chenxiangju
zhangdayu
chenxiangju
zhoujian
chenxiangju
qiwenjuan
hanzhixin
lixisong
linhao
zhangchao
niurui
xuchanglong
liuchang
chenxiangju
liuhuifang
wangyuanyuan
lizhigang
dongxin
geyun
chenxiangju
xujingyun
xiaoxue
zengcheng
zhoujian
lina
zhaosongdong
wangzengbo
panxiaofang
wangzengbo
jiazhen
wangzengbo
yinxianhong
dongzhen
gengxiangzhang
wangxinyu
xiaoxue
liangbaohai
zhangying2
zhangying2
lina
wangshu
zhaosongdong
jiangtao
lilingyu
zhangxingda
wangshu
zhaoyichun
menglinlin
zhaosongdong
zhaosongdong
zhaosongdong
zhaosongdong
zhoujian
chenxiangju
zhouqichao

版权声明:转载请注明来源 redare@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞评价:

评论