System design defects of a group of joint-stock companies allow accounts to be cracked by credential stuffing (backend already accessed)
The OA and mailbox systems of Three Main Grain Group Corporation have a design defect: the login page has no verification code and no limit on login attempts, so passwords can be brute-forced.
http://oa.zgszl.com.cn/login.aspx (Three Main Grain OA Collaborative Office Management Platform)
Captured the login request with Burp Suite and imported the top 500 usernames with the password 123456. Several weak-password accounts were cracked. After logging in to any one account, all employee accounts of the group can be exported from the address book; sorting the exported accounts and importing them for another batch test found as many as 205 weak-password OA accounts. The following is the list of weak-password OA accounts.
hubinsunyuguoxiaogdingyifanhuapanjiewulingxuepeiyupingwangyeguoyiyuxinliumeiguiwuwenjuanweiyanbinchenyanhoufengnijingxiayantanglinwangwenhuichuqianlantianlinglanshenlanzhangpinghutianxihuyuxingliugexinxubichanzhangyancaiyuditundafugerujinhumeiyulishuyiyelinnabainalujianfeidingwenlihujianhuahuaxinkunlizhifangliumeiyanmaguiyingwangzhiguangxuyingjinyanwenqinyinmeizhiyinxiaolezhaoziqinfuyaoweiheshunlekangqiyulihaixialiyutingpanyumeiyeyupingyuweichidongjunweiniuguirongshengliminshijinghuashijuanhuawuqinlicaixinmeifanlihonggehaifanggouchunhuhelianhuihuqinghuahuiliyinglanxiaodilishipingpengkunyusunxianfuwanganjunxujianhuayangliqunyangyumeiyaoweifeizhouyuhuazoujihuanbianzhixianchenxiujuandonglinjuanfengyuejuanhanxiaopinglixiangpingmengfanpingzhanggenmeizhangtianfabaifufulihainabianwenkaichenlipingfanghuaqinliyongninglinxiaomeilinyuanjunpanxiaoyanpengxiafensongshuqindongyunhuadongzechunwangjihongwudonghongxujianfangyingxueqinyuzaishengzengmeizhuzhangyulanzhangliminzhulipoingzhoujianyingzhouxiaopingxiehuanzhongchenweizhouchenxiaoyandongjianlinfangshiyinggechunxiangtangwenjuanwanghaiyingwanggendingxiejinliangzhangxueqinzhengchunyezhengxueyanjinlizhoumeiqingweibinliangbinchenfengjuanchenxiaofengjiangzhijuanluoguangpingterigelexinghuichengzhangjinlingzhangxuelingzhaojinliangzhoujinshengzhuxiangzhensunchunruihuangyuanjingzhaosuningliannalujingmaozhiqingzhaohaichenbangsonglidongshenghexuefengzhanghongguangsunyuehoutianciwenniuzhigaolikunruoxinluobinsunzuobangzhangzhiwanglhliuxiaojingwangyingweiluyumeisunzhiwuyihenghouguanxiwangyuanfazhangyangliyuzhenliyongqiangbaiyanmingliangtuyazhanghongweiwangzhanzhongliulinglinhouwenjianlibingbingwangwenyiliuhuifangyuanfenglizhaolimeiwushaoshuaipanchaowenliuyanfanwanxiangzhangbinwuwenjinzhaolonglongliuwushengtianxuanruiyaoyanminsongqinghuadaijianminyaojingpingzhangwenjiechenjingjunzhouxianglishumingliuyujingtanghaidong
These include the account of Sun Zhi, Chairman of the Group, a high-privilege account with permissions such as system management, SMS sending and announcements.
Testing the mailbox system with the same method:
As many as 47 weak-password mailbox accounts were found. The following is the list of weak-password mailbox accounts.
chenchenchenjingjundingyifanhuahouzhanjunhouwenjianjiangmingcaijiaoxipingjinliliannaliwenjunlixiangpingliyongqianglinxiaomeiliulinglinliuwushengliuxiaojingliuyanliuyujingluxiangyulujianfeilujingpangyuehuapeijiayuanshangshihuisongqinghuasubosunzuobangwangjianjunwanglhwangwenyiwangxiaohuiwangyuanfawuwenjinwushaoshuaixiaogtyanyafeiyaojingpingyeyupingyinxiaoleyuanfenglizhangbinzhangyangzhangzqzhoumeiqingzhouxiang
These include the mailbox of the Board Secretary, Chen.
Solution:
1. Add a verification code (CAPTCHA) to the OA and mailbox login pages.
2. Notify the affected employees to change their login passwords promptly.
3. Strengthen employees' security awareness.
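The pattern described in the report (one client sending the same password against hundreds of different usernames in a short time, with the occasional success marking a weak-password account) is easy to spot in the login endpoint's own logs, and the same counters drive the CAPTCHA and lockout controls that the solution asks for. The following is an added example written for this page, not code from the report or from the OA vendor. It assumes a simple access-log layout for the login page (timestamp, client IP, username, FAIL/OK); that layout and the sample log lines are constructed for illustration, and the thresholds are assumptions to be tuned to the real login volume.

```python
"""Detect password spraying in login logs and decide when to challenge or lock.

Added example, not part of the original report.  The log layout, the
sample lines and the thresholds below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log for the login endpoint (not from the report):
# "<ISO timestamp> <client IP> <username> <FAIL|OK>"
SAMPLE_LOG = """\
2015-03-01T09:00:01 203.0.113.7 zhangsan FAIL
2015-03-01T09:00:01 203.0.113.7 lisi FAIL
2015-03-01T09:00:02 203.0.113.7 wangwu FAIL
2015-03-01T09:00:02 203.0.113.7 zhaoliu OK
2015-03-01T09:00:03 203.0.113.7 sunqi FAIL
2015-03-01T09:00:03 203.0.113.7 zhouba FAIL
2015-03-01T09:05:10 198.51.100.2 chenjiu FAIL
2015-03-01T09:05:40 198.51.100.2 chenjiu OK
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def detect_spraying(events, window=timedelta(minutes=5), distinct_users=5):
    """Flag source IPs that tried >= distinct_users different usernames
    within any sliding window of length `window`.

    Returns {ip: set of every username that ip attempted}.  Successful
    attempts are counted too: in a spray, the one OK among many FAILs is
    exactly the signal that a weak password was found.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, _result in events:
        by_ip[ip].append((ts, user))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Advance the window start until the span is at most `window` long.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users_in_window = {u for _, u in attempts[start:end + 1]}
            if len(users_in_window) >= distinct_users:
                flagged[ip] = {u for _, u in attempts}
                break
    return flagged


def successful_from_flagged_sources(events, flagged):
    """Accounts that logged in successfully from a flagged source: these are
    the accounts whose passwords must be reset first (solution step 2)."""
    return sorted({(ip, user) for _ts, ip, user, result in events
                   if result == "OK" and ip in flagged})


def login_decision(events, ip, user, now, window=timedelta(minutes=5),
                   ip_failures=3, user_failures=5):
    """Pre-authentication policy for a new attempt from `ip` on `user`:
    "allow", "captcha" (solution step 1) or "lock".  Only recent FAIL events
    are counted, so normal users who log in correctly are never challenged."""
    recent = [e for e in events if e[3] == "FAIL" and now - e[0] <= window]
    if sum(1 for e in recent if e[2] == user) >= user_failures:
        return "lock"
    if sum(1 for e in recent if e[1] == ip) >= ip_failures:
        return "captcha"
    return "allow"


def review(text):
    """Run detection over a log and return (flagged sources, guessed accounts)."""
    events = parse_log(text)
    flagged = detect_spraying(events)
    return flagged, successful_from_flagged_sources(events, flagged)


if __name__ == "__main__":
    flagged, hits = review(SAMPLE_LOG)
    for ip, users in flagged.items():
        print(f"{ip}: {len(users)} distinct usernames tried")
    print("accounts guessed from flagged sources:", hits)
```

The per-IP counter alone is not enough against a spray spread over many source addresses, which is why the per-account counter is kept as well; the CAPTCHA step is deliberately triggered before the lock step so that a spray cannot be turned into a denial of service against every employee account.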