2016-06-03: 细节已通知厂商并且等待厂商处理中 2016-06-03: 厂商已经确认,细节仅向厂商公开 2016-06-03: 厂商已经修复漏洞并主动公开,细节向公众公开
RT.
https://github.com/Vonwey/oa.com/blob/69e8e9a7ee0c5e60097dc568d00f9a92b41c4355/app/config/development/mail.yaml
从 mail.yaml 泄露的邮箱配置来看,厂商还是有一定安全意识的:试了其中几个邮箱账户,账号口令是有效的,幸好邮箱开启了动态密码(二次验证),没能进一步登录~
用户信息:
可直接篡改模板(诱导客户):
还有很多内容,就不一一列出了。下面 databases.php 中的这些数据库地址都尝试连接过,均无法连接,应该是做了访问(端口)限制;不过出于安全考虑,这些口令既已公开,仍应全部轮换处理。此外还泄露了一些源码。
https://github.com/Vonwey/oa.com/blob/69e8e9a7ee0c5e60097dc568d00f9a92b41c4355/app/config/production/databases.php
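<?php
/**
 * Production database connections for the Phalcon OA application.
 *
 * Returns one PDO/MySQL connection definition per key; the application picks a
 * connection by that key (e.g. 'db', 'dbFormaxJrq').
 *
 * SECURITY: an earlier revision of this file carried every password as a
 * plaintext literal and was published in a public GitHub repository. Those
 * passwords must be treated as compromised and rotated. Passwords are now
 * resolved from the environment at load time (see $secret below) so that no
 * secret lives in the repository. Hosts, database names, usernames and PDO
 * options are deliberately kept exactly as before, including the mixed
 * 'UTF8' / 'utf8' / 'latin1' init commands.
 *
 * NOTE(review): every connection except dbFuyi231 and dbFuyi232 authenticates
 * as MySQL `root`, and many hosts share one account. A dedicated
 * least-privilege account per database is preferable; changing usernames is a
 * deployment decision and is left as-is here.
 *
 * @see http://docs.phalconphp.com/zh/latest/reference/db.html
 * @see http://docs.phalconphp.com/zh/latest/api/Phalcon_Db_Adapter_Pdo_Mysql.html
 */

/**
 * Resolve the password for one connection from the environment.
 *
 * Looks up DB_PASSWORD_<CONN>, where <CONN> is the connection key upper-cased
 * (dbFormaxJrq -> DB_PASSWORD_DBFORMAXJRQ). Fails closed: an unset or empty
 * variable aborts loading of this config instead of silently falling back to
 * a literal, so a secret can never be committed to this file again.
 *
 * @param string $conn connection key as used in the returned array
 * @return string the password
 * @throws RuntimeException when the variable is missing or empty
 */
$secret = function ($conn) {
    $var = 'DB_PASSWORD_' . strtoupper($conn);
    $value = getenv($var);
    if ($value === false || $value === '') {
        throw new RuntimeException("Database password for connection '{$conn}' is not configured; export {$var}");
    }
    return $value;
};

return array(
    'db' => array(
        'adapter'  => 'Mysql',
        'host'     => 'localhost',
        'username' => 'root',
        'password' => $secret('db'),
        'dbname'   => 'formax_oa',
        'prefix'   => null,
        // @link http://www.php.net/manual/zh/pdo.setattribute.php
        'options'  => array(
            PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'UTF8';",
            PDO::ATTR_CASE               => PDO::CASE_LOWER,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,    // fetch rows as associative arrays by default
            PDO::ATTR_ORACLE_NULLS       => PDO::NULL_TO_STRING, // convert every NULL to a string
        ),
    ),
    'dbFormaxJrq' => array(
        'adapter'  => 'Mysql',
        'host'     => '127.0.0.1',
        'username' => 'root',
        'password' => $secret('dbFormaxJrq'),
        'dbname'   => 'formax_jrq',
        // @link http://www.php.net/manual/zh/pdo.setattribute.php
        'options'  => array(
            PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'UTF8'",
            PDO::ATTR_CASE               => PDO::CASE_LOWER,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,    // fetch rows as associative arrays by default
            PDO::ATTR_ORACLE_NULLS       => PDO::NULL_TO_STRING, // convert every NULL to a string
        ),
    ),
    'dbSCopy' => array(
        'adapter'  => 'Mysql',
        'host'     => '10.1.1.119',
        'username' => 'root',
        'password' => $secret('dbSCopy'),
        'dbname'   => 'scopy_info',
        'options'  => array(
            PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'latin1'",
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ),
    ),
    'dbCollect' => array(
        'adapter'  => 'Mysql',
        'host'     => 'T0207.eformax.com',
        'username' => 'root',
        'password' => $secret('dbCollect'),
        'dbname'   => 'collect_invest_db',
        'options'  => array(
            PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'latin1'",
            PDO::ATTR_CASE               => PDO::CASE_LOWER,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,    // fetch rows as associative arrays by default
            PDO::ATTR_ORACLE_NULLS       => PDO::NULL_TO_STRING, // convert every NULL to a string
        ),
    ),
    'dbUserPayInfo' => array(
        'adapter'  => 'Mysql',
        'host'     => 't0207.eformax.com',
        'username' => 'root',
        'password' => $secret('dbUserPayInfo'),
        'dbname'   => 'user_pay_info_db',
        'options'  => array(
            PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'UTF8'",
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ),
    ),
    'dbApp' => array(
        'adapter'  => 'Mysql',
        'host'     => '180.153.115.105',
        'username' => 'root',
        'password' => $secret('dbApp'),
        'dbname'   => 'app_db',
        'options'  => array(
            PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'latin1'",
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ),
    ),
    'dbForbag' => array(
        'adapter'  => 'Mysql',
        'host'     => '180.153.115.104',
        'username' => 'root',
        'password' => $secret('dbForbag'),
        'dbname'   => 'forbag',
        'options'  => array(
            PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'UTF8'",
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ),
    ),
    'dbStock' => array(
        'adapter'  => 'Mysql',
        'host'     => '180.153.115.104',
        'username' => 'root',
        'password' => $secret('dbStock'),
        'dbname'   => 'forbag_stock_allocation',
        'options'  => array(
            PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'UTF8'",
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ),
    ),
    'dbEmail' => array(
        'adapter'  => 'Mysql',
        'host'     => '180.153.115.104',
        'username' => 'root',
        'password' => $secret('dbEmail'),
        'dbname'   => 'forbag_email_list',
        'options'  => array(
            PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'UTF8'",
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ),
    ),
    'dbFuyi231' => array(
        'adapter'  => 'Mysql',
        'host'     => '10.1.1.231',
        'username' => 'jinshagu',
        'password' => $secret('dbFuyi231'),
        'dbname'   => 'report',
        'options'  => array(
            PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'utf8'",
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ),
    ),
    'dbFuyi232' => array(
        'adapter'  => 'Mysql',
        'host'     => '10.1.1.232',
        'username' => 'jinshagu',
        'password' => $secret('dbFuyi232'),
        'dbname'   => 'fuyi_tradeweb',
        'options'  => array(
            PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'utf8'",
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ),
    ),
    'dbFuyiShanghai' => array(
        'adapter'  => 'Mysql',
        'host'     => 'T0207.eformax.com',
        'username' => 'root',
        'password' => $secret('dbFuyiShanghai'),
        'dbname'   => 'fuyi_tradeweb',
        'options'  => array(
            PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'utf8'",
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ),
    ),
    'dbE4max' => array(
        'adapter'  => 'Mysql',
        'host'     => '10.1.1.119',
        'username' => 'root',
        'password' => $secret('dbE4max'),
        'dbname'   => 'e4max_user_info',
        // @link http://www.php.net/manual/zh/pdo.setattribute.php
        'options'  => array(
            PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'latin1'",
            PDO::ATTR_CASE               => PDO::CASE_LOWER,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC, // fetch rows as associative arrays by default
        ),
    ),
    'dbCredit' => array(
        'adapter'  => 'Mysql',
        'host'     => '10.1.1.119',
        'username' => 'root',
        'password' => $secret('dbCredit'),
        'dbname'   => 'credit',
        'options'  => array(
            PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'UTF8'",
            PDO::ATTR_CASE               => PDO::CASE_LOWER,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC, // fetch rows as associative arrays by default
        ),
    ),
    'dbCreditCloud' => array(
        'adapter'  => 'Mysql',
        'host'     => 'fmax.creditcloud.com',
        'port'     => 4040, // the only connection on a non-default port
        'username' => 'root',
        'password' => $secret('dbCreditCloud'),
        'dbname'   => 'Biz',
        'options'  => array(
            PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'UTF8'",
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC, // fetch rows as associative arrays by default
        ),
    ),
    'dbCmatch' => array(
        'adapter'  => 'Mysql',
        'host'     => 't0207.eformax.com',
        'username' => 'root',
        'password' => $secret('dbCmatch'),
        'dbname'   => 'credit_match_db',
        'options'  => array(
            PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'latin1'",
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ),
    ),
    'dbFormaxUser' => array(
        'adapter'  => 'Mysql',
        'host'     => '10.1.1.119',
        'username' => 'root',
        'password' => $secret('dbFormaxUser'),
        'dbname'   => 'formax_group_user_info_real',
        'options'  => array(
            PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'UTF8'",
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ),
    ),
    'dbJihelicai' => array(
        'adapter'  => 'Mysql',
        'host'     => 't0207.eformax.com',
        'username' => 'root',
        'password' => $secret('dbJihelicai'),
        'dbname'   => 'jihelicai',
        'options'  => array(
            PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'UTF8'",
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ),
    ),
    'dbEquity' => array(
        'adapter'  => 'Mysql',
        'host'     => 't0207.eformax.com',
        'username' => 'root',
        'password' => $secret('dbEquity'),
        'dbname'   => 'collect_statistic',
        'options'  => array(
            PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'UTF8'",
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ),
    ),
    'dbFund' => array(
        'adapter'  => 'Mysql',
        'host'     => '10.1.1.119',
        'username' => 'root',
        'password' => $secret('dbFund'),
        'dbname'   => 'formax_fund',
        'options'  => array(
            PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'UTF8'",
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ),
    ),
);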
1. 轮换所有已泄露的凭据:不仅是邮箱密码,上述 databases.php 中各数据库的口令(多台主机共用同一个 root 口令)也应全部更换;2. 删除 GitHub 上的敏感数据——注意仅在新提交中删除文件并不够,上文链接指向的提交(69e8e9a7…)仍可通过历史记录访问,需改写历史或下架仓库,并一律按凭据已泄露处理;3. 将数据库口令等敏感配置移出代码库(如通过环境变量或部署时注入),并加强员工安全意识。
危害等级:中
漏洞Rank:10
确认时间:2016-06-03 20:42
感谢洞主汇报该问题,本次确实泄露了一些信息,还好对外端口已做限制,个人邮件也使用动态验证,所以未造成进一步危害。最后再次感谢洞主对我司安全工作的支持,后续会有小礼物表示感谢。请提供一下联系方式
2016-06-03:1. 邮箱密码已修改,相关信息已删除;2. GitHub 相关数据也已删除。