
Design flaw in a group company's systems allows credential stuffing and brute force (admin backend reached)

2015-10-10 06:00

The OA and mail systems of 三主粮集团股份公司 (Sanzhuliang Group Co., Ltd.) have a design flaw: the login pages have no CAPTCHA check, so accounts can be brute-forced.


http://oa.zgszl.com.cn/login.aspx (Sanzhuliang OA collaborative office management platform)


[Figure: OA1.jpg]

[Figure: burp_OA.jpg]

[Figure: txl.jpg]

The login request was captured with Burp Suite, a top-500 list of common names (in pinyin) was loaded as the username payload with the fixed password 123456, and several weak-password accounts were recovered straight away (account names are simply the pinyin of employees' full names, which is why a generic name list hits). Logging in with any one of these accounts, the address book allows exporting the account names of every employee in the group. After cleaning up the exported list and feeding it back in for a second batch run, the OA system turned out to have as many as 205 weak-password accounts, listed below.


hubin
sunyu
guoxiaog
dingyi
fanhua
panjie
wuling
xuepei
yuping
wangye
guoyi
yuxin
liumeigui
wuwenjuan
weiyanbin
chenyan
houfeng
nijing
xiayan
tanglin
wangwenhui
chuqian
lantian
linglan
shenlan
zhangping
hutianxi
huyuxing
liugexin
xubichan
zhangyan
caiyudi
tundafu
gerujin
humeiyu
lishuyi
yelinna
baina
lujianfei
dingwenli
hujianhua
huaxinkun
lizhifang
liumeiyan
maguiying
wangzhiguang
xuyingjin
yanwenqin
yinmeizhi
yinxiaole
zhaoziqin
fuyaowei
heshunle
kangqiyu
lihaixia
liyuting
panyumei
yeyuping
yuweichi
dongjunwei
niuguirong
shenglimin
shijinghua
shijuanhua
wuqinli
caixinmei
fanlihong
gehaifang
gouchunhu
helianhui
huqinghua
huiliying
lanxiaodi
lishiping
pengkunyu
sunxianfu
wanganjun
xujianhua
yangliqun
yangyumei
yaoweifei
zhouyuhua
zoujihuan
bianzhixian
chenxiujuan
donglinjuan
fengyuejuan
hanxiaoping
lixiangping
mengfanping
zhanggenmei
zhangtianfa
baifufu
lihaina
bianwenkai
chenliping
fanghuaqin
liyongning
linxiaomei
linyuanjun
panxiaoyan
pengxiafen
songshuqin
dongyunhua
dongzechun
wangjihong
wudonghong
xujianfang
yingxueqin
yuzaisheng
zengmeizhu
zhangyulan
zhanglimin
zhulipoing
zhoujianying
zhouxiaoping
xiehuanzhong
chenweizhou
chenxiaoyan
dongjianlin
fangshiying
gechunxiang
tangwenjuan
wanghaiying
wanggending
xiejinliang
zhangxueqin
zhengchunye
zhengxueyan
jinli
zhoumeiqing
weibin
liangbin
chenfengjuan
chenxiaofeng
jiangzhijuan
luoguangping
terigele
xinghuicheng
zhangjinling
zhangxueling
zhaojinliang
zhoujinsheng
zhuxiangzhen
sunchunrui
huangyuanjing
zhaosuning
lianna
lujing
maozhiqing
zhaohai
chenbangsong
lidongsheng
hexuefeng
zhanghongguang
sunyuehou
tianciwen
niuzhigao
likun
ruoxin
luobin
sunzuobang
zhangzhi
wanglh
liuxiaojing
wangyingwei
luyumei
sunzhi
wuyiheng
houguanxi
wangyuanfa
zhangyang
liyuzhen
liyongqiang
baiyanming
liangtuya
zhanghongwei
wangzhanzhong
liulinglin
houwenjian
libingbing
wangwenyi
liuhuifang
yuanfengli
zhaolimei
wushaoshuai
panchaowen
liuyan
fanwanxiang
zhangbin
wuwenjin
zhaolonglong
liuwusheng
tianxuanrui
yaoyanmin
songqinghua
daijianmin
yaojingping
zhangwenjie
chenjingjun
zhouxiang
lishuming
liuyujing
tanghaidong



These include the account of the group's chairman, 孙治 (Sun Zhi, username sunzhi), a high-privilege account with system administration, bulk SMS and announcement publishing rights.
[Figure: OA.jpg]

[Figure: sunzhi.jpg]

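The spray pattern described above (one password, many usernames, one source, a handful of attempts per account) is easy to spot in authentication logs even when the login page itself has no controls, because a per-account lockout rule never fires on it while a per-source view lights up immediately. The following detection script is an added example, not part of the original report: the log line format and the sample entries are constructed for it (the OA product is not identified on the page, so its real log format is unknown), and the window and thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (an assumption, not the OA product's):
#   <ISO timestamp> src=<client ip> user=<login name> result=OK|FAIL
LOG_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")

# Constructed sample: a spray from 203.0.113.5 using one password across a
# name list (two accounts accept it), plus a normal user retyping a password.
SAMPLE_LOG = """\
2015-10-09T22:00:01 src=203.0.113.5 user=hubin result=FAIL
2015-10-09T22:00:02 src=203.0.113.5 user=sunyu result=FAIL
2015-10-09T22:00:02 src=203.0.113.5 user=guoxiaog result=FAIL
2015-10-09T22:00:03 src=203.0.113.5 user=dingyi result=OK
2015-10-09T22:00:03 src=203.0.113.5 user=fanhua result=FAIL
2015-10-09T22:00:04 src=203.0.113.5 user=panjie result=FAIL
2015-10-09T22:00:04 src=203.0.113.5 user=wuling result=FAIL
2015-10-09T22:00:05 src=203.0.113.5 user=xuepei result=FAIL
2015-10-09T22:00:05 src=203.0.113.5 user=yuping result=FAIL
2015-10-09T22:00:06 src=203.0.113.5 user=wangye result=FAIL
2015-10-09T22:00:06 src=203.0.113.5 user=guoyi result=FAIL
2015-10-09T22:00:07 src=203.0.113.5 user=sunzhi result=OK
2015-10-09T22:03:10 src=198.51.100.7 user=liangbin result=FAIL
2015-10-09T22:03:20 src=198.51.100.7 user=liangbin result=OK
"""


def parse(lines):
    """Turn raw log lines into (timestamp, src, user, success) tuples."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not an auth event; skip it
        ts, src, user, result = m.groups()
        events.append((datetime.fromisoformat(ts), src, user, result == "OK"))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=10, max_per_user=3):
    """Flag sources that, inside `window`, touched at least `min_users` distinct
    accounts with no more than `max_per_user` attempts each (the spray shape).
    Returns {src: {"users": n, "compromised": [accounts that returned OK
    inside a flagged window]}}.
    """
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[1]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # slide `start` so that evs[start:end+1] spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            tries = defaultdict(int)
            for _, _, user, _ in win:
                tries[user] += 1
            if len(tries) >= min_users and max(tries.values()) <= max_per_user:
                hit = alerts.setdefault(src, {"users": 0, "compromised": set()})
                hit["users"] = max(hit["users"], len(tries))
                hit["compromised"].update(u for _, _, u, ok in win if ok)
    for hit in alerts.values():
        hit["compromised"] = sorted(hit["compromised"])
    return alerts


def analyze(log_text):
    """Convenience wrapper: raw log text in, alerts out."""
    return detect_spray(parse(log_text.splitlines()))


if __name__ == "__main__":
    for src, hit in analyze(SAMPLE_LOG).items():
        print(f"{src}: {hit['users']} accounts sprayed, logged in as {hit['compromised']}")
```

The compromised list is the immediately actionable output: those are the accounts to force a password reset on and to check for session activity from the flagged source. The thresholds deliberately ignore repeated attempts against one account; that is the classic per-account brute-force pattern and belongs to a separate rule.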

The same method was used to test the mail system.
[Figure: mail1.jpg]

[Figure: brup_mail.jpg]

The mail system turned out to have as many as 47 weak-password accounts, listed below.


chenchen
chenjingjun
dingyi
fanhua
houzhanjun
houwenjian
jiangmingcai
jiaoxiping
jinli
lianna
liwenjun
lixiangping
liyongqiang
linxiaomei
liulinglin
liuwusheng
liuxiaojing
liuyan
liuyujing
luxiangyu
lujianfei
lujing
pangyuehua
peijiayuan
shangshihui
songqinghua
subo
sunzuobang
wangjianjun
wanglh
wangwenyi
wangxiaohui
wangyuanfa
wuwenjin
wushaoshuai
xiaogt
yanyafei
yaojingping
yeyuping
yinxiaole
yuanfengli
zhangbin
zhangyang
zhangzq
zhoumeiqing
zhouxiang



These include the mailbox of the board secretary, 陈晨 (Chen Chen, username chenchen).
[Figure: mail.jpg]


Remediation:

1. Add a CAPTCHA to the OA and mail login pages.

2. Notify the affected employees to change their passwords promptly.

3. Strengthen employee security awareness.
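Two caveats a practitioner would add to that list: a CAPTCHA (item 1) raises the cost of automated guessing but does not by itself stop a slow or distributed spray, and a password change (item 2) only helps if the new password is not equally weak. The following is an added example, not the OA or mail product's code (neither product is identified on the page), showing the login-side controls that close the specific gap exploited above: a per-source attempt budget next to the usual per-account lockout, a weak-password deny list applied at every password change, and the report's one-password-many-usernames spray replayed against the guarded endpoint. Class and function names, thresholds, the iteration count and the demo account set are all assumptions for the example.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque

# Iteration count kept low so the example runs quickly; production should use
# far more (OWASP currently recommends 600,000 for PBKDF2-HMAC-SHA256).
PBKDF2_ITERATIONS = 20_000

# Illustrative deny-list only; a real deployment checks a full breached-password corpus.
COMMON_PASSWORDS = {"123456", "123456789", "12345678", "111111", "password"}


def password_is_weak(password):
    """Policy applied at enrolment and at every password change."""
    return len(password) < 10 or password.lower() in COMMON_PASSWORDS


class Directory:
    """Minimal user store with salted PBKDF2 hashes (constructed for the example)."""

    def __init__(self):
        self._users = {}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def set_password(self, username, password, enforce_policy=True):
        # enforce_policy=False exists only to seed legacy weak accounts for the demo.
        if enforce_policy and password_is_weak(password):
            raise ValueError("password rejected by policy")
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt))

    def verify(self, username, password):
        rec = self._users.get(username)
        if rec is None:
            self._hash(password, b"\0" * 16)  # same cost for unknown names: no enumeration by timing
            return False
        salt, digest = rec
        return hmac.compare_digest(self._hash(password, salt), digest)


class LoginGuard:
    """Throttling in front of Directory.verify. `clock` is injected so the demo
    is deterministic; pass time.time in a real service."""

    def __init__(self, directory, clock, per_account=5, per_source=15, window=600):
        self.directory = directory
        self.clock = clock
        self.per_account = per_account   # failures per account before lockout
        self.per_source = per_source     # attempts per client before throttling
        self.window = window             # seconds
        self._account_failures = defaultdict(deque)
        self._source_attempts = defaultdict(deque)

    def _recent(self, dq):
        cutoff = self.clock() - self.window
        while dq and dq[0] < cutoff:
            dq.popleft()
        return len(dq)

    def attempt(self, username, password, src):
        """Returns "ok", "bad", "locked" or "throttled"."""
        now = self.clock()
        # A spray touches each account only once or twice, so the per-account
        # lockout never fires; the per-source budget is what actually stops it.
        if self._recent(self._source_attempts[src]) >= self.per_source:
            return "throttled"
        if self._recent(self._account_failures[username]) >= self.per_account:
            return "locked"
        self._source_attempts[src].append(now)
        if self.directory.verify(username, password):
            self._account_failures[username].clear()
            return "ok"
        self._account_failures[username].append(now)
        return "bad"


def spray(guard, usernames, password, src):
    """Replay the report's technique (one password, every username) against the
    guarded endpoint. Returns (accounts that logged in, counts per outcome)."""
    hits, counts = [], defaultdict(int)
    for user in usernames:
        outcome = guard.attempt(user, password, src)
        counts[outcome] += 1
        if outcome == "ok":
            hits.append(user)
    return hits, dict(counts)


def build_demo():
    """Constructed directory: 30 accounts, two of them still on 123456."""
    directory = Directory()
    usernames = [f"user{i:02d}" for i in range(30)]
    for user in usernames:
        directory.set_password(user, "Correct-Horse-Battery-7")
    for user in ("user02", "user20"):
        directory.set_password(user, "123456", enforce_policy=False)
    return LoginGuard(directory, clock=lambda: 1000.0), usernames


if __name__ == "__main__":
    guard, usernames = build_demo()
    print(spray(guard, usernames, "123456", "203.0.113.5"))
```

Against the unguarded login in the report every weak account falls; here the source runs out of budget after 15 attempts and the second weak account (user20) is never reached, while a legitimate user on another address still logs in. The deny list is what makes the "change your password" advice stick: 123456 cannot come back through the reset form.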

Source: www.2cto.com/Article/201510/444959.html
