当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0215516

漏洞标题:金融圈某处账户泄露涉及内部敏感数据

相关厂商:jrq.com

漏洞作者: 火云邪神

提交时间:2016-06-03 10:10

修复时间:2016-06-03 20:45

公开时间:2016-06-03 20:45

漏洞类型:系统/服务补丁不及时

危害等级:中

自评Rank:10

漏洞状态:厂商已经修复

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-06-03: 细节已通知厂商并且等待厂商处理中
2016-06-03: 厂商已经确认,细节仅向厂商公开
2016-06-03: 厂商已经修复漏洞并主动公开,细节向公众公开

简要描述:

RT.

详细说明:

https://github.com/Vonwey/oa.com/blob/69e8e9a7ee0c5e60097dc568d00f9a92b41c4355/app/config/development/mail.yaml

漏洞证明:

s.png


4.png


QQ图片20160602160559.png


看来还是有一定安全意识的,试了有几个邮箱账户是OK的,幸好有动态密码防御~

3.png


1.png


51.png


51.png


54.png


77.png


c1.png


c2.png


用户信息:

c3.png


c4.png


c5.png


可直接篡改模板(诱导客户):

c6.png


还有很多东西,就不列出了。
这些试了都不行,应该是做了限制,不过安全起见,这些还是处理下吧,还有一些源码。

https://github.com/Vonwey/oa.com/blob/69e8e9a7ee0c5e60097dc568d00f9a92b41c4355/app/config/production/databases.php


<?php
/**
* @see http://docs.phalconphp.com/zh/latest/reference/db.html
* @see http://docs.phalconphp.com/zh/latest/api/Phalcon_Db_Adapter_Pdo_Mysql.html
*/
return array(
'db' => array(
'adapter' => 'Mysql',
'host' => 'localhost',
'username' => 'root',
'password' => 'jsg-9898w',
'dbname' => 'formax_oa',
'prefix' => null,
// @link http://www.php.net/manual/zh/pdo.setattribute.php
'options' => array(
PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'UTF8';",
PDO::ATTR_CASE => PDO::CASE_LOWER,
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC, // 默认以数组方式提取数据
PDO::ATTR_ORACLE_NULLS => PDO::NULL_TO_STRING, // 所有 null 转换为 string
),
),
'dbFormaxJrq' => array(
'adapter' => 'Mysql',
'host' => '127.0.0.1',
'username' => 'root',
'password' => 'jsg-9898w',
'dbname' => 'formax_jrq',
// @link http://www.php.net/manual/zh/pdo.setattribute.php
'options' => array(
PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'UTF8'",
PDO::ATTR_CASE => PDO::CASE_LOWER,
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC, // 默认以数组方式提取数据
PDO::ATTR_ORACLE_NULLS => PDO::NULL_TO_STRING, // 所有 null 转换为 string
),
),
'dbSCopy' => array(
'adapter' => 'Mysql',
'host' => '10.1.1.119',
'username' => 'root',
'password' => 'jsg-9898w',
'dbname' => 'scopy_info',
'options' => array(
PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'latin1'",
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
),
),
'dbCollect' => array(
'adapter' => 'Mysql',
'host' => 'T0207.eformax.com',
'username' => 'root',
'password' => 'jsg-9898w',
'dbname' => 'collect_invest_db',
'options' => array(
PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'latin1'",
PDO::ATTR_CASE => PDO::CASE_LOWER,
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC, // 默认以数组方式提取数据
PDO::ATTR_ORACLE_NULLS => PDO::NULL_TO_STRING, // 所有 null 转换为 string
),
),
'dbUserPayInfo' => array(
'adapter' => 'Mysql',
'host' => 't0207.eformax.com',
'username' => 'root',
'password' => 'jsg-9898w',
'dbname' => 'user_pay_info_db',
'options' => array(
PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'UTF8'",
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
),
),
'dbApp' => array(
'adapter' => 'Mysql',
'host' => '180.153.115.105',
'username' => 'root',
'password' => 'jsg-9898w',
'dbname' => 'app_db',
'options' => array(
PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'latin1'",
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
),
),
'dbForbag' => array(
'adapter' => 'Mysql',
'host' => '180.153.115.104',
'username' => 'root',
'password' => 'jsg-9898w',
'dbname' => 'forbag',
'options' => array(
PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'UTF8'",
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
),
),
'dbStock' => array(
'adapter' => 'Mysql',
'host' => '180.153.115.104',
'username' => 'root',
'password' => 'jsg-9898w',
'dbname' => 'forbag_stock_allocation',
'options' => array(
PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'UTF8'",
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
),
),
'dbEmail' => array(
'adapter' => 'Mysql',
'host' => '180.153.115.104',
'username' => 'root',
'password' => 'jsg-9898w',
'dbname' => 'forbag_email_list',
'options' => array(
PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'UTF8'",
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
),
),
'dbFuyi231' => array(
'adapter' => 'Mysql',
'host' => '10.1.1.231',
'username' => 'jinshagu',
'password' => 'jinshaguWeb',
'dbname' => 'report',
'options' => array(
PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'utf8'",
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
),
),
'dbFuyi232' => array(
'adapter' => 'Mysql',
'host' => '10.1.1.232',
'username' => 'jinshagu',
'password' => 'jinshaguWeb',
'dbname' => 'fuyi_tradeweb',
'options' => array(
PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'utf8'",
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
),
),
'dbFuyiShanghai' => array(
'adapter' => 'Mysql',
'host' => 'T0207.eformax.com',
'username' => 'root',
'password' => 'jsg-9898w',
'dbname' => 'fuyi_tradeweb',
'options' => array(
PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'utf8'",
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
),
),
'dbE4max' => array(
'adapter' => 'Mysql',
'host' => '10.1.1.119',
'username' => 'root',
'password' => 'jsg-9898w',
'dbname' => 'e4max_user_info',
// @link http://www.php.net/manual/zh/pdo.setattribute.php
'options' => array(
PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'latin1'",
PDO::ATTR_CASE => PDO::CASE_LOWER,
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC, // 默认以数组方式提取数据
),
),
'dbCredit' => array(
'adapter' => 'Mysql',
'host' => '10.1.1.119',
'username' => 'root',
'password' => 'jsg-9898w',
'dbname' => 'credit',
'options' => array(
PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'UTF8'",
PDO::ATTR_CASE => PDO::CASE_LOWER,
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC, // 默认以数组方式提取数据
),
),
'dbCreditCloud' => array(
'adapter' => 'Mysql',
'host' => 'fmax.creditcloud.com',
'port' => 4040,
'username' => 'root',
'password' => 'fmax135@$^',
'dbname' => 'Biz',
'options' => array(
PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'UTF8'",
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC, // 默认以数组方式提取数据
),
),
'dbCmatch' => array(
'adapter' => 'Mysql',
'host' => 't0207.eformax.com',
'username' => 'root',
'password' => 'jsg-9898w',
'dbname' => 'credit_match_db',
'options' => array(
PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'latin1'",
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
),
),
'dbFormaxUser' => array(
'adapter' => 'Mysql',
'host' => '10.1.1.119',
'username' => 'root',
'password' => 'jsg-9898w',
'dbname' => 'formax_group_user_info_real',
'options' => array(
PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'UTF8'",
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
),
),
'dbJihelicai' => array(
'adapter' => 'Mysql',
'host' => 't0207.eformax.com',
'username' => 'root',
'password' => 'jsg-9898w',
'dbname' => 'jihelicai',
'options' => array(
PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'UTF8'",
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
),
),
'dbEquity' => array(
'adapter' => 'Mysql',
'host' => 't0207.eformax.com',
'username' => 'root',
'password' => 'jsg-9898w',
'dbname' => 'collect_statistic',
'options' => array(
PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'UTF8'",
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
),
),
'dbFund' => array(
'adapter' => 'Mysql',
'host' => '10.1.1.119',
'username' => 'root',
'password' => 'jsg-9898w',
'dbname' => 'formax_fund',
'options' => array(
PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'UTF8'",
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
),
),
);

修复方案:

1.修改邮箱密码
2.删除github敏感数据
3.加强员工安全意识。

版权声明:转载请注明来源 火云邪神@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2016-06-03 20:42

厂商回复:

感谢洞主汇报该问题,本次确实泄露了一些信息,还好对外端口已做限制,个人邮件也使用动态验证,所以未造成进一步危害。
最后再次感谢洞主对我司安全工作的支持,后续会有小礼物表示感谢。请提供一下联系方式

最新状态:

2016-06-03:1.邮箱密码已修改,相关信息已删除2.github 相关数据也已删除


漏洞评价:

评价