有医疗数据,有贷款数据,这一次是队列中的数据,涉及交警罚款和执达主任执行程序中的债务。
好消息是,这些付款与政府服务的官方网站无关。 坏消息是,有很多数据,而且它们不只是“个人”数据。
: . . , .
4月12日(晚上),发现了不需要身份验证即可连接的Elasticsearch服务器。 我写了一篇有关如何发现开放的Elasticsearch数据库的博客文章。
Elasticsearch索引包含某个信息系统(IP)的日志。 关于此服务器与接受付款以支持各种政府服务的站点之间的连接的假设是: paymentgibdd.rf , paygibdd.ru , gos-oplata.ru , fines.net和oplata-fssp.ru 。
在2019年4月13日上午,我向电子邮件地址发送了警报: support@gos-oplata.ru , support@oplata-fssp.ru , support@paygibdd.ru ,但没有收到回复(经常发生)。 该服务器被悄悄地“发现”,并于公开访问时间04/13/2019大约15:20-15:45(莫斯科时间)消失了。
在服务器关闭之前,Elasticsearch索引如下所示:
现在,让我们继续进行最有趣的操作-直接访问个人数据。 正如我在上面写的,索引包含某种IP的日志。 而且日志经常会变得非常详细,甚至太多。
日志从2019年2月28日开始存储,而不是在IP操作的整个过程中存储。 在某些指数中,数据来自2019年3月17日。
例如,使用gosoplata索引中的日志,可以得到此信息(总计248365,不包括错误日志记录):
{ "_index": "gosoplata", "_type": "log", "@timestamp": "2019-03-02T20:55:02+03:00", "message": " ", "extra": "[\n 'gis_info' => unserialize('O:34:\"app\\\\models\\\\payment\\\\api\\\\PenaltyInfo\":10:{s:10:\"billNumber\";s:20:\"021170025955001\";s:8:\"billDate\";s:10:\"2017-04-03\";s:10:\"validUntil\";s:10:\"2017-06-03\";s:6:\"amount\";s:9:\"146030.26\";s:7:\"addInfo\";s:1424:\" № /17/ - 03.04.2017 . ., ( )///32253021170025955001_0;: ( , / 05501845860);: ( , / 05501845860); : ; : 40302810400001000005;: 5321100670;: 532132002; : 044959001;: 49625000;: 0;idDebtsum:146540.26;ipPaymentAmount:0.00;ipOperationAmount:0.00;dataUnloadDate:2018-12-04T11:26:19.000;dataIdDate:2017-01-27;dataIdNumber:2-53/2017;dataIpRiseDate:2017-04-03;dataIpNumber: /17/-;dataIdDbtrFio: ;dataIdDbtrBorn:-09-03;dataIdDebtText: ( );\";s:7:\"docName\";s:3:\"inn\";s:9:\"docNumber\";s:12:\" 0819584\";s:9:\"payStatus\";s:1:\"0\";s:9:\"quittance\";s:1:\"3\";s:11:\"amountToPay\";s:9:\"146030.26\";}'),\n]", "context": "[\n '_GET' => [],\n '_POST' => [],\n]" } }
我用X评分了所有敏感数据。 实际上,所有内容都以开放形式存储。
从oplata-fssp索引 (总共283958,不包括错误):
{ "_index": "oplata-fssp", "_type": "log", "@timestamp": "2019-02-28T22:17:24+03:00", "extra": "[\n 'request_data' => [\n 'MNT_ID' => '3280',\n 'MNT_TRANSACTION_ID' => ''0795c78337a5a308',\n 'MNT_OPERATION_ID' => '' 3232',\n 'MNT_AMOUNT' => '544.00',\n 'MNT_CURRENCY_CODE' => 'RUB',\n 'MNT_TEST_MODE' => '0',\n 'MNT_SIGNATURE' => '6435224cc10bbc970f6479787',\n 'paymentSystem_unitId' => '1686945',\n 'MNT_CORRACCOUNT' => '303',\n 'MNT_PAY_SYSTEM' => 'payanyway',\n 'MNT_IS_REGULAR' => '',\n 'MNT_FORM_METHOD' => 'POST',\n 'cardnumber' => '639002********7417',\n ],\n 'model_attributes' => [\n 'id' => 482137,\n 'parent_id' => null,\n 'name' => ' ',\n 'ur' => 0,\n 'birthdate' => '-06-06',\n 'doc_type' => null,\n 'doc_value' => null,\n 'hash' => ''795c78337a5a308',\n 'created_at' => '2019-02-28 22:16:10',\n 'form_url' => 'https://service.moneta.ru/assistant.widget? '&MNT_CURRENCY_CODE=RUB&MNT_AMOUNT=544.00&MNT_DESCRIPTION= . N482137 : 32223088190136500007 : /19/-&MNT_TEST_MODE=0&' &MNT_SUCCESS_URL=https://oplata-fssp.ru/payment/success&MNT_FAIL_URL=https://oplata-fssp.ru/payment/fail&MNT_PAY_SYSTEM=payanyway&MNT_IS_REGULAR=&MNT_FORM_METHOD=POST&followup=true',\n 'email' => ''@bk.ru',\n 'payment_system_id' => 'moneta',\n 'transaction_id' => '338533232',\n 'updated_at' => '2019-02-28 22:16:16',\n 'a3_order_hash' => null,\n 'receipt_send' => null,\n 'receipt_status_id' => null,\n 'payment_status_id' => 'callback_received',\n 'lead_source' => 'fssp',\n ],\n]", "context": "[\n '_GET' => [],\n '_POST' => [\n 'MNT_ID' => ''280',\n 'MNT_TRANSACTION_ID' => ''795c78337a5a308',\n 'MNT_OPERATION_ID' => ''3232',\n 'MNT_AMOUNT' => '544.00',\n 'MNT_CURRENCY_CODE' => 'RUB',\n 'MNT_TEST_MODE' => '0',\n 'MNT_SIGNATURE' => '6435224cc'10bbc970f6479787',\n 'paymentSystem_unitId' => ''45',\n 'MNT_CORRACCOUNT' => '303',\n 'MNT_PAY_SYSTEM' => 'payanyway',\n 'MNT_IS_REGULAR' => '',\n 'MNT_FORM_METHOD' => 'POST',\n 'cardnumber' => '639002********7417',\n ],\n]" } }
从这里可以看到( cardnumber的值),由于泄露了完整的信用卡号,他们的所有者仅是由于付款网关(在本例中为moneta.ru )没有以清晰的形式给出此IP地址(仅卡号的前6位和后4位)而保存的)
从日志中还可以看到,FSSP的官方网站为公民提供了通过以下IP进行付款的方式: is.fssprus.ru/pay/?service=gosoplata&pay=XXXXXX/18/XXXXXX- IP。 oplata-fssp.ru网站底部的文字间接确认了什么:
现在,我们来看看交通规则的罚款是多少。 shtrafov-net索引(不包括错误的4528个条目)和paygibdd (不包括错误的140666个条目)显然对此负责:
{ "_index": "shtrafov-net", "_type": "log", "@timestamp": "2019-03-17T17:16:51+03:00", "message": "INSERT INTO customer (doc_type, doc_value, licence_plate, vehicle_model) VALUES ('ctc', '99026', '', ' ')", "context": "[\n '_GET' => [],\n '_POST' => [\n 'postdate' => '10/03/2019',\n 'postnum' => '18810018180002',\n 'postsum' => '1000',\n 'divid' => '1194040',\n 'uin' => '18810018180002',\n 'regnum' => '',\n 'regreg' => '1',\n 'reg' => '34084',\n 'discount' => '1',\n 'discountdate' => '01/04/2019 23:59:59',\n 'allfines' => '[{\"Discount\":\"1\",\"enableDiscount\":false,\"DateDecis\":\"2019-03-10 09:05:00\",\"KoAPcode\":\"12.6\",\"DateDiscount\":\"01/04/2019 23:59:59\",\"VehicleModel\":\" \",\"KoAPtext\":\" , , , , , \",\"NumPost\":\"18810018180002\",\"kbk\":\"18811630020016000140\",\"Summa\":1000,\"Division\":1194040,\"enablePics\":false,\"id\":\"18#FF474785255\",\"SupplierBillID\":\"18810018180002\",\"DatePost\":\"10/03/2019\"},{\"Discount\":\"1\",\"enableDiscount\":false,\"DateDecis\":\"2019-03-08 14:55:00\",\"KoAPcode\":\"12.9.2\",\"DateDiscount\":\"01/04/2019 23:59:59\",\"VehicleModel\":\" \",\"KoAPtext\":\" 20, 40 /\",\"NumPost\":\"18810118190312\",\"kbk\":\"18811630020016000140\",\"Summa\":500,\"Division\":1194010,\"enablePics\":true,\"id\":\"18#18810118190312\",\"SupplierBillID\":\"18810118190312\",\"DatePost\":\"12/03/2019\"}]',\n ],\n]" } { "_index": "paygibdd", "_type": "log", "@timestamp": "2019-02-28T17:30:57+03:00", "message": " ", "extra": "[\n 'request_data' => [\n 'postdate' => '02.10.2017',\n 'postnum' => '188101161710029',\n 'postsum' => '500',\n 'divid' => '1192201',\n 'uin' => '188101161710029',\n 'regnum' => 'XCB',\n 'regreg' => '1',\n 'reg' => '16462',\n 'discount' => '1',\n 'discountdate' => '2017-10-23 23:59:59',\n 'allfines' => '[{\"Discount\":\"0\",\"DateDecis\":\"2016-12-17 02:30:00\",\"KoAPcode\":\"12.26.1\",\"KoAPtext\":\" \",\"NumPost\":\"188104121603000\",\"kbk\":\"18811630020016000140\",\"Summa\":\"30000\",\"Division\":1188030,\"enablePics\":false,\"id\":\"12#FF176064188\",\"SupplierBillID\":\"188104121603000\",\"DatePost\":\"2017-03-06\",\"DateSSP\":null},{\"Discount\":\"1\",\"enableDiscount\":false,\"DateDecis\":\"2017-09-18 14:32:00\",\"KoAPcode\":\"12.9.2\",\"DateDiscount\":\"2017-10-23 23:59:59\",\"KoAPtext\":\" 20, 40 /\",\"NumPost\":\"188101161710029\",\"kbk\":\"18811630020016000140\",\"Summa\":\"500\",\"Division\":1192201,\"enablePics\":true,\"id\":\"16#43522519023478911\",\"SupplierBillID\":\"188101161710029\",\"DatePost\":\"2017-10-02\",\"DateSSP\":null},{\"Discount\":\"1\",\"enableDiscount\":false,\"DateDecis\":\"2017-11-01 04:23:00\",\"KoAPcode\":\"12.9.2\",\"DateDiscount\":\"2017-11-24 23:59:59\",\"KoAPtext\":\" 20, 40 /\",\"NumPost\":\"18810116171104\",\"kbk\":\"18811630020016000140\",\"Summa\":\"500\",\"Division\":1192201,\"enablePics\":true,\"id\":\"16#44211639030358281\",\"SupplierBillID\":\"1881011617110\",\"DatePost\":\"2017-11-04\",\"DateSSP\":null},{\"Discount\":\"1\",\"enableDiscount\":false,\"DateDecis\":\"2017-10-31 12:08:00\",\"KoAPcode\":\"12.9.2\",\"DateDiscount\":\"2017-11-27 23:59:59\",\"KoAPtext\":\" 20, 40 /\",\"NumPost\":\"188101161711056\",\"kbk\":\"18811630020016000140\",\"Summa\":\"500\",\"Division\":1192201,\"enablePics\":true,\"id\":\"16#44236760030609331\",\"SupplierBillID\":\"188101161711056\",\"DatePost\":\"2017-11-05\",\"DateSSP\":null},{\"Discount\":\"1\",\"enableDiscount\":false,\"DateDecis\":\"2018-01-27 23:46:00\",\"KoAPcode\":\"12.37.2\",\"DateDiscount\":\"2018-02-16 23:59:59\",\"KoAPtext\":\" , , \",\"NumPost\":\"188102161820027\",\"kbk\":\"18811630020016000140\",\"Summa\":\"800\",\"Division\":1192200,\"enablePics\":false,\"id\":\"16#4516501003986993\",\"SupplierBillID\":\"188102161820027\",\"DatePost\":\"2018-01-27\",\"DateSSP\":null}]',\n ],\n]",
综上所述,所有付款细节均可免费获得:罚款编号,汽车的国家牌照,为执达主任服务付款时执行的执法程序数量,银行卡的第一位和最后一位数字,通过其付款网关进行付款的方式,全名和地址电子邮件付款人等等。
在所选的某一天(12.04),索引中有(记录):
shtrafov-net 251 paygibdd 3821 gosoplata 20676 oplata-fssp 15277
Shodan搜索引擎于02.24.2019首次在公共领域中发现了此服务器。
有关信息泄漏和内部人员的新闻总能在我的电报频道“ Information Leaks ”中找到。