
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0112837

Title: An improperly designed interface on Docin (豆丁网) allows credential stuffing against user accounts (users' points can be spent to download documents)

Vendor: 豆丁网 (Docin)

Author: 路人甲

Submitted: 2015-05-08 16:05

Fixed: 2015-05-13 16:06

Published: 2015-05-13 16:06

Vulnerability type: Design flaw / logic error

Severity: High

Self-assessed Rank: 10

Status: The vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-05-08: Details sent to the vendor; awaiting the vendor's response
2015-05-13: The vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

The most painful thing in bug hunting is spending ages writing up a vulnerability only to discover that it doesn't actually exist...

Detailed description:

The login interface at http://www.docin.com/jsp_cn/login/docincon.jsp can be seen to have no restrictions of any kind (no rate limiting or verification on repeated attempts).

[Screenshot: 1.png]


I then wanted to capture the request directly. I was worried that the JavaScript-rendered local login box could not be captured, but unexpectedly it could, and the username and password are both transmitted in plaintext.

[Screenshot: 2.png]


Next came credential stuffing, which succeeded.

[Screenshot: 3.png]


Logging in as a few arbitrary users shows that, if a user has points, those points can be used to download paid documents.

[Screenshot: 5.png]

[Screenshot: 4.png]
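The flaw described above is an unthrottled login endpoint that lets one source try many accounts. The following detection logic, an added example that is not part of the original report, flags source IPs that attempt an unusual number of distinct accounts against that endpoint within a short window; the endpoint path is the one in the report, while the log layout, the `user=` field, the thresholds and the sample log lines are assumptions constructed here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# The endpoint path is the one named in the report; the thresholds are assumed.
LOGIN_PATH = "/jsp_cn/login/docincon.jsp"
WINDOW_SECONDS = 60       # sliding window per source IP
DISTINCT_USER_LIMIT = 5   # distinct accounts tried from one IP inside the window
# Assumed log layout: common log format plus a trailing "user=<login>" field that the
# application appends to login attempts; lines are assumed to be in chronological order.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+(?: user=(?P<user>\S+))?$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, user) for a POST to the login endpoint, else None."""
    m = LINE_RE.match(line)
    if not m or m.group("method") != "POST" or m.group("path") != LOGIN_PATH:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("user") or ""

def find_stuffing_sources(lines, window=WINDOW_SECONDS, limit=DISTINCT_USER_LIMIT):
    """Map each IP that tried >= `limit` distinct accounts within `window` seconds to its peak count."""
    recent = defaultdict(deque)   # ip -> (timestamp, user) events, oldest first
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, user = parsed
        q = recent[ip]
        q.append((ts, user))
        while (ts - q[0][0]).total_seconds() > window:   # expire events outside the window
            q.popleft()
        distinct = len({u for _, u in q})
        if distinct >= limit:
            flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged

# Constructed sample: one source tries five accounts in five seconds, a normal user retries
# one account, and a later single attempt from the first source falls outside the window.
SAMPLE_LOG = """\
203.0.113.7 - - [08/May/2015:16:01:00 +0800] "POST /jsp_cn/login/docincon.jsp HTTP/1.1" 200 312 user=alice
203.0.113.7 - - [08/May/2015:16:01:01 +0800] "POST /jsp_cn/login/docincon.jsp HTTP/1.1" 200 312 user=bob
198.51.100.4 - - [08/May/2015:16:01:02 +0800] "POST /jsp_cn/login/docincon.jsp HTTP/1.1" 200 312 user=carol
203.0.113.7 - - [08/May/2015:16:01:02 +0800] "POST /jsp_cn/login/docincon.jsp HTTP/1.1" 200 312 user=carol
203.0.113.7 - - [08/May/2015:16:01:03 +0800] "POST /jsp_cn/login/docincon.jsp HTTP/1.1" 200 312 user=dave
203.0.113.7 - - [08/May/2015:16:01:04 +0800] "POST /jsp_cn/login/docincon.jsp HTTP/1.1" 200 312 user=erin
198.51.100.4 - - [08/May/2015:16:01:30 +0800] "POST /jsp_cn/login/docincon.jsp HTTP/1.1" 200 312 user=carol
203.0.113.7 - - [08/May/2015:16:05:00 +0800] "POST /jsp_cn/login/docincon.jsp HTTP/1.1" 200 312 user=grace
"""
```

Running `find_stuffing_sources(SAMPLE_LOG.splitlines())` returns `{'203.0.113.7': 5}`: the user who retried a single account is not flagged, and the attempt four minutes later is outside the window so it does not raise the count.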

Proof of vulnerability:

Partial list of accounts as proof:


Fix recommendation:

Award 20 Rank and you'll get the complete fix.

Copyright notice: please credit 路人甲@乌云 (WooYun) when reposting.


Vulnerability response

Vendor response:

Severity: No impact; vendor ignored the vulnerability

Ignored at: 2015-05-13 16:06

Vendor reply:

Vulnerability Rank: 4 (WooYun rating)

Latest status:

None yet