
国内著名金融服务公司OA系统及邮箱泄露

2015-10-03 16:35

泄露地址 https://github.com/JohnCny/oa/tree/1b6578d650546b489fd73d5afa577f4dbe9bb123



OA地址 oa.cardpay-sh.com



code 区域
-- Dump of the `oa_user` table as it sat in the leaked repository (one multi-row
-- INSERT followed by COMMIT). The statement names no columns; from the values
-- the layout looks like (id, login, password digest, display name, flags...,
-- created-at, creator id, updated-at) -- confirm against the real schema.
-- NOTE(review): the third value of every row is a bare 32-hex digest
-- (MD5-length) with no per-user salt, and the same digest recurs across most of
-- the accounts, which indicates a shared default password. Once this dump was
-- public every account here has to be treated as compromised: force a reset
-- for all users, and store passwords with a salted, slow hash (bcrypt/scrypt/
-- argon2) rather than an unsalted digest.
INSERT INTO `oa_user` VALUES ('1', 'admin', 'ad1b4af4e801d0bdb79ec20ca6a57cff', '管理员', '1', '1', '1', '1', '1', null, '1', null), ('2', 'qk_leihy', 'd553d148479a268914cecb77b2b88e6a', '雷海燕', '0', '-', '3', '1', '1', '2014-01-15 21:12:25', '1', '2014-01-15 21:12:25'), ('3', 'qk_tanxy', '96e79218965eb72c92a549dd5a330112', '檀晓阳', '1', '-', '5', '1', '1', '2014-01-15 21:13:22', '1', '2014-01-20 15:19:31'), ('4', 'qk_chenkai', '96e79218965eb72c92a549dd5a330112', '陈凯', '1', '-', '2', '1', '1', '2014-01-15 21:14:14', '1', '2014-01-15 21:14:14'), ('5', 'qk_fuxd', '96e79218965eb72c92a549dd5a330112', '傅晓东', '1', '-', '2', '1', '1', '2014-01-15 21:16:03', '1', '2014-01-15 21:16:03'), ('6', 'qk_gexiang', '46f227e9cf17e2e1e88b14e679047bd9', '葛祥', '1', '-', '3', '1', '1', '2014-01-15 21:17:13', '1', '2014-01-17 15:35:24'), ('7', 'qk_gulq', '96e79218965eb72c92a549dd5a330112', '顾刘庆', '1', '-', '3', '1', '1', '2014-01-15 21:19:01', '1', '2014-01-15 21:19:01'), ('8', 'qk_jijie', '96e79218965eb72c92a549dd5a330112', '嵇杰', '1', '', '3', '1', '1', '2014-01-15 21:19:39', '1', '2014-01-17 15:35:39'), ('9', 'qk_jili', '96e79218965eb72c92a549dd5a330112', '吉力', '1', '-', '2', '1', '1', '2014-01-15 21:20:41', '1', '2014-01-21 10:40:35'), ('10', 'qk_jianghs', '61d018e349f109f66e96594f068085c1', '蒋瀚湜', '1', '-', '3', '1', '1', '2014-01-15 21:21:48', '1', '2014-01-17 15:36:00'), ('11', 'qk_lily', '96e79218965eb72c92a549dd5a330112', '李丽', '0', '-', '2', '1', '1', '2014-01-15 21:22:30', '1', '2014-01-21 10:41:13'), ('12', 'qk_liyz', '80a2d6176c101ab903928a35810175a1', '李依重', '1', '-', '2', '1', '1', '2014-01-15 21:23:10', '1', '2014-01-15 21:23:10'), ('13', 'qk_liuchao', '96e79218965eb72c92a549dd5a330112', '刘超', '1', '-', '3', '1', '1', '2014-01-15 21:23:51', '1', '2014-01-17 15:36:18'), ('14', 'qk_liuwx', '96e79218965eb72c92a549dd5a330112', '刘文新', '1', '-', '3', '1', '1', '2014-01-15 21:24:19', '1', '2014-01-15 21:24:19'), ('15', 'qk_liuxj', '96e79218965eb72c92a549dd5a330112', '刘学军', '1', '-', 
'2', '1', '1', '2014-01-15 21:24:49', '1', '2014-01-20 15:20:55'), ('16', 'qk_mayh', '96e79218965eb72c92a549dd5a330112', '马颖涵', '0', '-', '2', '1', '1', '2014-01-15 21:25:58', '1', '2014-01-15 21:25:58'), ('17', 'qk_panyh', 'c8837b23ff8aaa8a2dde915473ce0991', '潘跃华', '1', '-', '3', '1', '1', '2014-01-15 21:26:41', '1', '2014-01-17 15:36:38'), ('18', 'qk_tanwh', '96e79218965eb72c92a549dd5a330112', '谭文华', '1', '-', '3', '1', '1', '2014-01-15 21:27:38', '1', '2014-01-17 15:36:50'), ('19', 'qk_wanglj', '670b14728ad9902aecba32e22fa4f6bd', '王丽君', '0', '-', '3', '1', '1', '2014-01-15 21:28:27', '1', '2014-01-15 21:28:27'), ('20', 'qk_wanglu', '96e79218965eb72c92a549dd5a330112', '王路', '1', '-', '2', '1', '1', '2014-01-15 21:29:02', '1', '2014-01-21 10:41:32'), ('21', 'qk_wangxu', '96e79218965eb72c92a549dd5a330112', '王旭', '0', '-', '3', '1', '1', '2014-01-15 21:29:57', '1', '2014-01-17 15:37:04'), ('22', 'qk_zhangjw', '96e79218965eb72c92a549dd5a330112', '张金巍', '1', '-', '3', '1', '1', '2014-01-15 21:30:37', '1', '2014-01-17 15:37:21'), ('23', 'qk_zhangxi', '4010df838807f17c69c01a78a4d769e8', '张熙', '1', '-', '5', '1', '1', '2014-01-15 21:31:21', '1', '2014-01-15 21:34:49'), ('24', 'qk_zhaojy', '96e79218965eb72c92a549dd5a330112', '赵军扬', '1', '-', '2', '1', '1', '2014-01-15 21:31:55', '1', '2014-01-21 10:41:54'), ('25', 'qk_zhoubin', '96e79218965eb72c92a549dd5a330112', '周滨', '1', '-', '2', '1', '1', '2014-01-15 21:32:31', '1', '2014-01-15 21:32:31'), ('27', 'qk_chendan', '96e79218965eb72c92a549dd5a330112', '陈丹', '1', '-', '5', '1', '1', '2014-01-15 21:35:18', '1', '2014-01-15 21:35:18'), ('28', 'qk_caorx', '96e79218965eb72c92a549dd5a330112', '曹如玺', '1', '-', '5', '1', '1', '2014-01-15 21:35:58', '1', '2014-01-15 21:35:58'), ('29', 'qk_weizl', '96e79218965eb72c92a549dd5a330112', '魏子龙', '1', '-', '5', '1', '1', '2014-01-15 21:36:26', '1', '2014-01-15 21:36:26'), ('30', 'qk_wangzl', '96e79218965eb72c92a549dd5a330112', '王质琳', '0', '-', '5', '1', '1', '2014-01-15 21:36:58', '1', 
'2014-01-15 21:37:48'), ('31', 'qk_xufei', '96e79218965eb72c92a549dd5a330112', '徐飞', '0', '-', '5', '1', '1', '2014-01-15 21:37:29', '1', '2014-01-15 21:37:29'), ('32', 'qk_chenzp', '96e79218965eb72c92a549dd5a330112', '程志鹏', '1', '-', '5', '1', '1', '2014-01-15 21:38:17', '1', '2014-01-15 21:38:17'), ('33', 'qk_shenyf', '96e79218965eb72c92a549dd5a330112', '沈一枫', '1', '-', '3', '1', '1', '2014-01-15 21:38:50', '1', '2014-01-17 15:37:58'), ('34', 'qk_luxiao', '96e79218965eb72c92a549dd5a330112', '卢霄', '1', '-', '2', '1', '1', '2014-01-15 21:39:28', '1', '2014-01-15 21:39:28'), ('35', 'qk_xionglei', '96e79218965eb72c92a549dd5a330112', '熊雷', '1', '-', '2', '1', '1', '2014-01-15 21:39:50', '1', '2014-01-21 10:42:30'), ('36', 'qk_cw', 'd553d148479a268914cecb77b2b88e6a', '财务', '1', '', '2', '1', '1', '2014-01-23 11:49:01', '1', '2014-01-23 11:49:01'), ('37', 'qk_houqin', '96e79218965eb72c92a549dd5a330112', '公司费用报销', '1', '', '2', '1', '1', '2014-02-08 11:13:48', '1', '2014-02-08 11:13:48');

COMMIT





邮箱泄露

code 区域
# --- Database connection settings (interpolated into the MySQL URI by ProConfig below) ---
# NOTE(review): these are live connection credentials committed to source
# control, which is exactly the leak this page reports. Load them from the
# environment or an untracked local settings file, and rotate the password.
_DBUSER = "root"  # database user
_DBPASS = "root"  # database password
_DBHOST = "localhost"  # database server host
_DBPORT = '3306'  # database server port; kept as a string because it is only ever formatted into the URI
_DBNAME = "new_oa"  # database name

PER_PAGE = 10  # rows per page

UPLOAD_FOLDER_REL = '/static/upload'  # upload directory (relative path)
# `os` and `_HERE` are presumably bound earlier in this file (not visible here).
UPLOAD_FOLDER_ABS = os.path.join(_HERE,'static/upload')  # upload directory (absolute path)

# Earlier value the author left commented out (looks like a local test host):
# EMAIL_SERVER = "http://192.168.0.105:8888"
EMAIL_SERVER = "http://oa.cardpay-sh.com"

# NOTE(review): the address appears to have been masked by the site that
# republished this file; the trailing space inside the literal is part of the
# value as committed -- confirm whether it is intended.
EMAIL_SEND = "[email protected] "

# Approval workflow types
Approval_type_ORG = 1  # department
Approval_type_PRJ = 2  # project
Approval_type_CAIWU = 3  # finance



class Config(object):
    """Base configuration class; ProConfig below overrides SQLALCHEMY_DATABASE_URI."""

    # NOTE(review): this is the session-signing secret and it is committed to
    # source control (the leak reported on this page). Treat it as compromised:
    # generate a new one and load it from outside the repository.
    SECRET_KEY = '\xb5\xc8\xfb\x18\xba\xc7*\x03\xbe\x91{\xfd\xe0L\x9f\xe3\\\xb3\xb1P\xac\xab\x061'
    DEBUG = False
    TESTING = False
    # `_DB_SQLITE_PATH` is presumably defined earlier in this file (not visible here).
    SQLALCHEMY_DATABASE_URI = 'sqlite:///%s' % _DB_SQLITE_PATH
    BABEL_DEFAULT_TIMEZONE = 'Asia/Chongqing'



# 当前用的数据库配置 重写"SQLALCHEMY_DATABASE_URI"为mysql

class ProConfig(Config):
    """Configuration currently in use: points SQLALCHEMY_DATABASE_URI at MySQL."""

    # Micro-loan system database configuration, built from the module-level
    # _DB* constants above (so the password ends up inside the URI string).
    SQLALCHEMY_DATABASE_URI = 'mysql://%s:%s@%s:%s/%s' % (_DBUSER, _DBPASS, _DBHOST, _DBPORT, _DBNAME)
    # DB2 driver variant the author kept commented out:
    #SQLALCHEMY_DATABASE_URI = 'ibm_db_sa://%s:%s@%s:%s/%s' % (_DBUSER, _DBPASS, _DBHOST, _DBPORT, _DBNAME)
    # NOTE(review): DEBUG is switched back on here although the base class
    # sets it False. If this is the deployed configuration (its name and the
    # comment above suggest so), the interactive debugger would be reachable
    # by users -- confirm, and keep DEBUG False for deployment.
    DEBUG = True

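# Mail settings pushed into the application config (`app` is created elsewhere
# in this file; the MAIL_* key names are the ones Flask-Mail reads).
# NOTE(review): a live mailbox password and a DEBUG=True override are
# committed here in source control -- the leak reported on this page. Rotate
# the credential and load it from the environment or an untracked file.
app.config.update(dict(
    DEBUG=True,
    MAIL_SERVER='smtp.163.com',
    MAIL_PORT=25,
    MAIL_USE_SSL=False,
    # Fixed from the misspelled MAIL_USE_TSL, a key nothing reads: under the
    # old name, setting it True would have silently done nothing. Note that
    # port 25 with neither SSL nor TLS sends the login in clear text.
    MAIL_USE_TLS=False,
    # The trailing space inside the username literal is kept as committed;
    # confirm whether it is intended (the address itself appears masked by
    # the site that republished this file).
    MAIL_USERNAME="[email protected] ",
    MAIL_PASSWORD="qkjradmin45"))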

漏洞证明:

2.jpg

1.jpg



修复方案:

加强安全意识

知识来源: www.wooyun.org/bugs/wooyun-2015-0135274
