当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0144609

漏洞标题:航空安全之均瑶集团旗下某航空公司漏洞打包提交(泄漏内部通讯录\大量内部敏感信息\进入多个内部敏感系统)

相关厂商:juneyaoair.com

漏洞作者: harbour_bin

提交时间:2015-10-03 11:26

修复时间:2015-11-21 13:34

公开时间:2015-11-21 13:34

漏洞类型:敏感信息泄露

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-10-03: 细节已通知厂商并且等待厂商处理中
2015-10-07: 厂商已经确认,细节仅向厂商公开
2015-10-17: 细节向核心白帽子及相关领域专家公开
2015-10-27: 细节向普通白帽子公开
2015-11-06: 细节向实习白帽子公开
2015-11-21: 细节向公众公开

简要描述:

RT
PS:花了很长时间,发个礼物呗!

详细说明:

从以前的渗透情况可知, 9元航空和吉祥航空都是均瑶集团旗下的, 而它一直没人确认, 个人感觉危害比较大, 可以的话, 麻烦转交一下, 感谢!
1、渗透分析
WooYun: 航空安全值吉祥航空内网小漫游(账号体系控制不严/内部通讯录泄漏) , 我们获取9元航空的部分人员的邮箱号, 与此同时, 我们发现邮箱为163邮箱, 其密码的常用特点是字母、数字、特殊字符3选2. 构建一个用户名字典、密码字典, 爆破pop.
2、大量邮箱存在弱口令

[+] Login successful: xiebo@9air.com abc123
        [+] Mail: 77 emails
        [+] Size: 188124346 bytes
[+] Login successful: yuxiudao@9air.com abc123
        [+] Mail: 160 emails
        [+] Size: 239599894 bytes
[+] Login successful: maguangfeng@9air.com abc123456
        [+] Mail: 32 emails
        [+] Size: 4488587 bytes
[+] Login successful: huanghe@9air.com 9air123
        [+] Mail: 207 emails
        [+] Size: 733787376 bytes


翻看邮箱, 发现企业邮箱通讯录和默认邮箱账号

QQ截图20150930163725.jpg


3、根据企业邮箱账号和默认邮箱账号9air.com进一步爆破

[+] Login successful: lizi@9air.com 9air.com
        [+] Mail: 7531 emails
        [+] Size: 176717828 bytes
[+] Login successful: xiongshaoshen@9air.com 9air.com
        [+] Mail: 798 emails
        [+] Size: 1201525373 bytes
[+] Login successful: zhouhuanan@9air.com 9air.com
        [+] Mail: 132 emails
        [+] Size: 265981162 bytes
[+] Login successful: 4001595999@9air.com 9air.com
        [+] Mail: 15 emails
        [+] Size: 874841 bytes
[+] Login successful: noc@9air.com 9air.com
        [+] Mail: 18 emails
        [+] Size: 1277714 bytes
[+] Login successful: luchuan@9air.com 9air.com
        [+] Mail: 463 emails
        [+] Size: 229775322 bytes
[+] Login successful: kefu@9air.com 9air.com
        [+] Mail: 471 emails
        [+] Size: 64557932 bytes
[+] Login successful: zhuzhaoqiang@9air.com 9air.com
        [+] Mail: 47 emails
        [+] Size: 43661143 bytes
[+] Login successful: zengqi@9air.com 9air.com
        [+] Mail: 38 emails
        [+] Size: 49132443 bytes
[+] Login successful: jira@9air.com 9air.com
        [+] Mail: 3 emails
        [+] Size: 20961 bytes
[+] Login successful: zhangzhihua@9air.com 9air.com
        [+] Mail: 157 emails
        [+] Size: 331412670 bytes
[+] Login successful: wangxiaopu@9air.com 9air.com
        [+] Mail: 33 emails
        [+] Size: 40064550 bytes
[+] Login successful: wangren@9air.com 9air.com
        [+] Mail: 153 emails
        [+] Size: 441027252 bytes
[+] Login successful: wangchenqu@9air.com 9air.com
        [+] Mail: 40 emails
        [+] Size: 41547555 bytes
[+] Login successful: sunlei@9air.com 9air.com
        [+] Mail: 34 emails
        [+] Size: 40778203 bytes
[+] Login successful: haohaixu@9air.com 9air.com
        [+] Mail: 38 emails
        [+] Size: 20938791 bytes
[+] Login successful: hanjinglong@9air.com 9air.com
        [+] Mail: 33 emails
        [+] Size: 40064557 bytes
[+] Login successful: chaiminji@9air.com 9air.com
        [+] Mail: 42 emails
        [+] Size: 50979826 bytes
[+] Login successful: caozhi@9air.com 9air.com
        [+] Mail: 636 emails
        [+] Size: 149931229 bytes
[+] Login successful: bixiangfei@9air.com 9air.com
        [+] Mail: 54 emails
        [+] Size: 82977717 bytes
[+] Login successful: liyuzhu@9air.com 9air.com
        [+] Mail: 22 emails
        [+] Size: 4489707 bytes
[+] Login successful: lvyong@9air.com 9air.com
        [+] Mail: 4 emails
        [+] Size: 763695 bytes
[+] Login successful: zhanglu@9air.com 9air.com
        [+] Mail: 4 emails
        [+] Size: 78373 bytes
[+] Login successful: zhangdajun@9air.com 9air.com
        [+] Mail: 1236 emails
        [+] Size: 4237431725 bytes
[+] Login successful: lianghanzhao@9air.com 9air.com
        [+] Mail: 3622 emails
        [+] Size: 4253055307 bytes
[+] Login successful: lixiaojian@9air.com 9air.com
        [+] Mail: 249 emails
        [+] Size: 694871405 bytes
[+] Login successful: zhangwenzhao@9air.com 9air.com
        [+] Mail: 279 emails
        [+] Size: 800910426 bytes
[+] Login successful: zhangwenting@9air.com 9air.com
        [+] Mail: 251 emails
        [+] Size: 696815028 bytes
[+] Login successful: wgzp@9air.com 9air.com
        [+] Mail: 558 emails
        [+] Size: 853391407 bytes
[+] Login successful: wgtm@9air.com 9air.com
        [+] Mail: 378 emails
        [+] Size: 989266599 bytes
[+] Login successful: wgqc@9air.com 9air.com
        [+] Mail: 304 emails
        [+] Size: 559520627 bytes
[+] Login successful: wgcd@9air.com 9air.com
        [+] Mail: 134 emails
        [+] Size: 462501565 bytes
[+] Login successful: outstation@9air.com 9air.com
        [+] Mail: 77 emails
        [+] Size: 300824836 bytes
[+] Login successful: hxzby@9air.com 9air.com
        [+] Mail: 327 emails
        [+] Size: 706473426 bytes
[+] Login successful: hxgjj@9air.com 9air.com
        [+] Mail: 175 emails
        [+] Size: 472742701 bytes
[+] Login successful: hc@9air.com 9air.com
        [+] Mail: 87 emails
        [+] Size: 302370101 bytes
[+] Login successful: et@9air.com 9air.com
        [+] Mail: 36 emails
        [+] Size: 78339109 bytes
[+] Login successful: engine@9air.com 9air.com
        [+] Mail: 201 emails
        [+] Size: 684885387 bytes
[+] Login successful: dingjianchejian@9air.com 9air.com
        [+] Mail: 261 emails
        [+] Size: 821981380 bytes
[+] Login successful: zhangzhuwei@9air.com 9air.com
        [+] Mail: 363 emails
        [+] Size: 623684541 bytes
[+] Login successful: diaodu@9air.com 9air.com
        [+] Mail: 3594 emails
        [+] Size: 901574058 bytes
[+] Login successful: aqzlc@9air.com 9air.com
        [+] Mail: 41 emails
        [+] Size: 25342215 bytes
[+] Login successful: lichengbin@9air.com 9air.com
        [+] Mail: 25 emails
        [+] Size: 60366763 bytes
[+] Login successful: zhouhuiru@9air.com 9air.com 管理员
        [+] Mail: 410 emails
        [+] Size: 284712377 bytes
[+] Login successful: zhaoyujie@9air.com 9air.com
        [+] Mail: 88 emails
        [+] Size: 31655178 bytes
[+] Login successful: zhangyuning@9air.com 9air.com
        [+] Mail: 29 emails
        [+] Size: 4286469 bytes
[+] Login successful: wutianqi@9air.com 9air.com
        [+] Mail: 24 emails
        [+] Size: 1791180 bytes
[+] Login successful: wuhuirong@9air.com 9air.com
        [+] Mail: 53 emails
        [+] Size: 7140306 bytes
[+] Login successful: wangxuezi@9air.com 9air.com
        [+] Mail: 6 emails
        [+] Size: 4695584 bytes
[+] Login successful: songwanwan@9air.com 9air.com
        [+] Mail: 24 emails
        [+] Size: 1786616 bytes
[+] Login successful: hezhongxin@9air.com 9air.com
        [+] Mail: 37 emails
        [+] Size: 8507485 bytes
[+] Login successful: fengsheng@9air.com 9air.com
        [+] Mail: 45 emails
        [+] Size: 8185301 bytes
[+] Login successful: zhaohaiyang@9air.com 9air.com
        [+] Mail: 10 emails
        [+] Size: 249146 bytes
[+] Login successful: baidu@9air.com 9air.com
        [+] Mail: 4 emails
        [+] Size: 29600 bytes
[+] Login successful: liangjieming@9air.com 9air.com
        [+] Mail: 4 emails
        [+] Size: 53948 bytes
[+] Login successful: hejian@9air.com 9air.com
        [+] Mail: 918 emails
        [+] Size: 619106007 bytes
[+] Login successful: jiazhenxiu@9air.com 9air.com
        [+] Mail: 43 emails
        [+] Size: 92876704 bytes
[+] Login successful: yangyusheng@9air.com 9air.com
        [+] Mail: 134 emails
        [+] Size: 285560311 bytes


证明内部敏感信息泄漏, 航空公司的工资真的高啊

敏感信息.jpg


敏感信息1.jpg


不继续列出来了
4、进入多个系统

http://oa.9air.com:8081 oa系统

默认账号:9air.com
多个账号是默认密码, 拿一个账号证明, 不深入了 证明:顾小光

oa.jpg


oa1.jpg

内部通讯录, 你们懂的, 第一个你们董事长

oa2.jpg


http://sms.9air.com/ sms系统

证明一下吧
默认密码:jyh9air.com (很多的都是默认密码, 不一一证明了, 自查一下呗)

sms.jpg

危害你们知道的, 我就不截图了

网上准备系统http://crew.9air.com/ 密码:888888


144	congwenlong	200	false	false	1174	
455	yangjian	200	false	false	1178	
508	huoxin	200	false	false	1178	
511	huangxiaoli	200	false	false	1178	
528	dingjun	200	false	false	1178	
539	lihailong	200	false	false	1178	
543	wenxudong	200	false	false	1178	
546	wangzhijun	200	false	false	1178	
550	hanqi	200	false	false	1178	
557	sunshina	200	false	false	1178	
559	liujingwen	200	false	false	1178	
578	zhaoyafang	200	false	false	1178	
580	weihanjun	200	false	false	1178	
588	hejian	200	false	false	1178	
119	wangren	200	false	false	1184	
133	liuguangping	200	false	false	1184	
157	zhengxiongfei	200	false	false	1184	
159	zhanglu	200	false	false	1184


crew1.jpg


crew2.jpg

通讯信息

crew3.jpg

还有的不截图了, 你们懂得

http://203.156.207.29:8080/mes/飞机维修管理系统


234	suohai	200	false	false	22717	
273	liyirui	200	false	false	15064	
366	wuweibiao	200	false	false	11833	
246	zhangguanghui	200	false	false	8024	
310	fuyongpeng	200	false	false	8021	
301	liuyifeng	200	false	false	8020	
243	zhouwen1	200	false	false	7568	
382	zhongshaofeng	200	false	false	7495	
317	zhangyingjie	200	false	false	7494	
327	zhangzongjie	200	false	false	7494	
349	huangguanwei	200	false	false	7494	
363	liangweidong	200	false	false	7494	
374	chentianming	200	false	false	7494	
375	zhangjianwen	200	false	false	7494	
330	guoyingquan	200	false	false	7493	
338	zhangyinzhu	200	false	false	7493	
341	lizhengbing	200	false	false	7493	
345	lishengcai	200	false	false	7492	
358	guoyaoming	200	false	false	7492	
372	kongyuhang	200	false	false	7492	
347	huaweilai	200	false	false	7491	
376	yanglifei	200	false	false	7491	
391	yinjieyan	200	false	false	7491	
359	zhonghui	200	false	false	7488	
377	qincong	200	false	false	7487	
379	zhanjie	200	false	false	7487	
386	luochen	200	false	false	7487	
331	hanbin	200	false	false	7486	
333	zhaole	200	false	false	7486	
378	liutao	200	false	false	7486	
387	jiqing	200	false	false	7486	
388	chenze	200	false	false	7486	
540	liubao	200	false	false	7486	
364	lihao	200	false	false	7485	
369	xutao	200	false	false	7485


mes1.jpg


mes2.jpg


东西很多, 仅证明, 不深入了吧!

漏洞证明:

已证明!
危害不够, 可补充, 谢谢!

修复方案:

你们更专业!

版权声明:转载请注明来源 harbour_bin@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:18

确认时间:2015-10-07 13:33

厂商回复:

漏洞已确认

最新状态:

暂无

漏洞评价:

评论

  1. 2015-10-07 17:03 | 找寻者 ( 路人 | Rank:2 漏洞数:1 | 学习啊)

    沙发 9:10收10WB,手续协商...进社区学习ing