金融圈某处账户泄露涉及内部敏感数据

编号215516
Urlhttp://www.wooyun.org/bug.php?action=view&id=215516
漏洞状态厂商已经修复
漏洞标题金融圈某处账户泄露涉及内部敏感数据
漏洞类型系统/服务补丁不及时
厂商jrq.com
白帽子火云邪神
提交日期2016-06-03 10:10:00
公开日期2016-06-03 20:45:00
修复时间2016-06-03 20:45:00
确认时间2016-06-03 00:00:00
Confirm Spend0
漏洞标签信息泄露
关注数0
收藏数0
白帽评级
白帽自评rank10
厂商评级
厂商评rank10
漏洞简介
RT.
漏洞细节

https://github.com/Vonwey/oa.com/blob/69e8e9a7ee0c5e60097dc568d00f9a92b41c4355/app/config/development/mail.yaml

POC

s.png


4.png


QQ图片20160602160559.png


看来还是有一定安全意识的,试了有几个邮箱账户是OK的,幸好有动态密码防御~

3.png


1.png


51.png


51.png


54.png


77.png


c1.png


c2.png


用户信息:

c3.png


c4.png


c5.png


可直接篡改模板(诱导客户):

c6.png


还有很多东西,就不列出了。
这些试了都不行,应该是做了限制,不过安全起见,这些还是处理下吧,还有一些源码。

https://github.com/Vonwey/oa.com/blob/69e8e9a7ee0c5e60097dc568d00f9a92b41c4355/app/config/production/databases.php


<?php
/**
* @see http://docs.phalconphp.com/zh/latest/reference/db.html
* @see http://docs.phalconphp.com/zh/latest/api/Phalcon_Db_Adapter_Pdo_Mysql.html
*/
return array(
'db' => array(
'adapter' => 'Mysql',
'host' => 'localhost',
'username' => 'root',
'password' => 'jsg-9898w',
'dbname' => 'formax_oa',
'prefix' => null,
// @link http://www.php.net/manual/zh/pdo.setattribute.php
'options' => array(
PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'UTF8';",
PDO::ATTR_CASE => PDO::CASE_LOWER,
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC, // 默认以数组方式提取数据
PDO::ATTR_ORACLE_NULLS => PDO::NULL_TO_STRING, // 所有 null 转换为 string
),
),
'dbFormaxJrq' => array(
'adapter' => 'Mysql',
'host' => '127.0.0.1',
'username' => 'root',
'password' => 'jsg-9898w',
'dbname' => 'formax_jrq',
// @link http://www.php.net/manual/zh/pdo.setattribute.php
'options' => array(
PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'UTF8'",
PDO::ATTR_CASE => PDO::CASE_LOWER,
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC, // 默认以数组方式提取数据
PDO::ATTR_ORACLE_NULLS => PDO::NULL_TO_STRING, // 所有 null 转换为 string
),
),
'dbSCopy' => array(
'adapter' => 'Mysql',
'host' => '10.1.1.119',
'username' => 'root',
'password' => 'jsg-9898w',
'dbname' => 'scopy_info',
'options' => array(
PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'latin1'",
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
),
),
'dbCollect' => array(
'adapter' => 'Mysql',
'host' => 'T0207.eformax.com',
'username' => 'root',
'password' => 'jsg-9898w',
'dbname' => 'collect_invest_db',
'options' => array(
PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'latin1'",
PDO::ATTR_CASE => PDO::CASE_LOWER,
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC, // 默认以数组方式提取数据
PDO::ATTR_ORACLE_NULLS => PDO::NULL_TO_STRING, // 所有 null 转换为 string
),
),
'dbUserPayInfo' => array(
'adapter' => 'Mysql',
'host' => 't0207.eformax.com',
'username' => 'root',
'password' => 'jsg-9898w',
'dbname' => 'user_pay_info_db',
'options' => array(
PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'UTF8'",
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
),
),
'dbApp' => array(
'adapter' => 'Mysql',
'host' => '180.153.115.105',
'username' => 'root',
'password' => 'jsg-9898w',
'dbname' => 'app_db',
'options' => array(
PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'latin1'",
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
),
),
'dbForbag' => array(
'adapter' => 'Mysql',
'host' => '180.153.115.104',
'username' => 'root',
'password' => 'jsg-9898w',
'dbname' => 'forbag',
'options' => array(
PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'UTF8'",
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
),
),
'dbStock' => array(
'adapter' => 'Mysql',
'host' => '180.153.115.104',
'username' => 'root',
'password' => 'jsg-9898w',
'dbname' => 'forbag_stock_allocation',
'options' => array(
PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'UTF8'",
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
),
),
'dbEmail' => array(
'adapter' => 'Mysql',
'host' => '180.153.115.104',
'username' => 'root',
'password' => 'jsg-9898w',
'dbname' => 'forbag_email_list',
'options' => array(
PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'UTF8'",
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
),
),
'dbFuyi231' => array(
'adapter' => 'Mysql',
'host' => '10.1.1.231',
'username' => 'jinshagu',
'password' => 'jinshaguWeb',
'dbname' => 'report',
'options' => array(
PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'utf8'",
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
),
),
'dbFuyi232' => array(
'adapter' => 'Mysql',
'host' => '10.1.1.232',
'username' => 'jinshagu',
'password' => 'jinshaguWeb',
'dbname' => 'fuyi_tradeweb',
'options' => array(
PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'utf8'",
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
),
),
'dbFuyiShanghai' => array(
'adapter' => 'Mysql',
'host' => 'T0207.eformax.com',
'username' => 'root',
'password' => 'jsg-9898w',
'dbname' => 'fuyi_tradeweb',
'options' => array(
PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'utf8'",
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
),
),
'dbE4max' => array(
'adapter' => 'Mysql',
'host' => '10.1.1.119',
'username' => 'root',
'password' => 'jsg-9898w',
'dbname' => 'e4max_user_info',
// @link http://www.php.net/manual/zh/pdo.setattribute.php
'options' => array(
PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'latin1'",
PDO::ATTR_CASE => PDO::CASE_LOWER,
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC, // 默认以数组方式提取数据
),
),
'dbCredit' => array(
'adapter' => 'Mysql',
'host' => '10.1.1.119',
'username' => 'root',
'password' => 'jsg-9898w',
'dbname' => 'credit',
'options' => array(
PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'UTF8'",
PDO::ATTR_CASE => PDO::CASE_LOWER,
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC, // 默认以数组方式提取数据
),
),
'dbCreditCloud' => array(
'adapter' => 'Mysql',
'host' => 'fmax.creditcloud.com',
'port' => 4040,
'username' => 'root',
'password' => '[email protected]$^',
'dbname' => 'Biz',
'options' => array(
PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'UTF8'",
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC, // 默认以数组方式提取数据
),
),
'dbCmatch' => array(
'adapter' => 'Mysql',
'host' => 't0207.eformax.com',
'username' => 'root',
'password' => 'jsg-9898w',
'dbname' => 'credit_match_db',
'options' => array(
PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'latin1'",
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
),
),
'dbFormaxUser' => array(
'adapter' => 'Mysql',
'host' => '10.1.1.119',
'username' => 'root',
'password' => 'jsg-9898w',
'dbname' => 'formax_group_user_info_real',
'options' => array(
PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'UTF8'",
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
),
),
'dbJihelicai' => array(
'adapter' => 'Mysql',
'host' => 't0207.eformax.com',
'username' => 'root',
'password' => 'jsg-9898w',
'dbname' => 'jihelicai',
'options' => array(
PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'UTF8'",
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
),
),
'dbEquity' => array(
'adapter' => 'Mysql',
'host' => 't0207.eformax.com',
'username' => 'root',
'password' => 'jsg-9898w',
'dbname' => 'collect_statistic',
'options' => array(
PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'UTF8'",
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
),
),
'dbFund' => array(
'adapter' => 'Mysql',
'host' => '10.1.1.119',
'username' => 'root',
'password' => 'jsg-9898w',
'dbname' => 'formax_fund',
'options' => array(
PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'UTF8'",
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
),
),
);

修复方案

1.修改邮箱密码
2.删除github敏感数据
3.加强员工安全意识。

状态信息 2016-06-03: 细节已通知厂商并且等待厂商处理中
2016-06-03: 厂商已经确认,细节仅向厂商公开
2016-06-03: 厂商已经修复漏洞并主动公开,细节向公众公开
厂商回复感谢洞主汇报该问题,本次确实泄露了一些信息,还好对外端口已做限制,个人邮件也使用动态验证,所以未造成进一步危害。
最后再次感谢洞主对我司安全工作的支持,后续会有小礼物表示感谢。请提供一下联系方式
回应信息危害等级:中漏洞Rank:10 确认时间:2016-06-03 20:42