当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0113751

漏洞标题:安居客某接口设计不当可绕过验证码继续撞库用户(泄露大量房产用户信息)

相关厂商:安居客

漏洞作者: 路人甲

提交时间:2015-05-13 11:12

修复时间:2015-06-27 11:34

公开时间:2015-06-27 11:34

漏洞类型:设计缺陷/逻辑错误

危害等级:高

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-05-13: 细节已通知厂商并且等待厂商处理中
2015-05-13: 厂商已经确认,细节仅向厂商公开
2015-05-23: 细节向核心白帽子及相关领域专家公开
2015-06-02: 细节向普通白帽子公开
2015-06-12: 细节向实习白帽子公开
2015-06-27: 细节向公众公开

简要描述:

挖洞最苦逼的事莫过于编辑了半天的漏洞最后竟然没通过审核。。

详细说明:

唉,最近审核大大好严格,都不让刷洞了。。之前的rank全降了,亏了120多wb(瞬间哭瞎在厕所)
小厂商的撞库洞不给过无奈只能大规模撞库大厂商了,安居客是有名的房产大网站,用户量之类的就不多说了,撞库危害不小:
http://user.anjuke.com/my/login?history=aHR0cDovL3VzZXIuYW5qdWtlLmNvbS9tZW1iZXIvbW9kaWZ5L3VzZXJpbmZvLw==主站的登陆接口没有任何登陆限制

0.png


登陆错误几次之后验证码就出来了,一开始以为绕不过的,结果还是输入正确一次之后一直正确,没想到这么大的网站会有这么低级的错误。。

1.png


抓包发现用户名和密码全部都是明文传输的:

2.png


然后撞库用户:

3.png


随便选一个登陆后查看可以看到用户发布的房源,用户的手机号,对于房产网站来说,这些都还是很重要的

4.png

漏洞证明:

部分安居客房产账号证明:

chao584520@qq.com	584520	2601
zm2355@qq.com	111111	2606
413525012@qq.com	860528	2607
awkj@qq.com	xiaomeng	2608
weiguang521999@qq.com	3227399	2608
zod1221@qq.com	8530157	2609
258551769@qq.com	210215	2609
39569498@qq.com	13608112339	2610
87504451@qq.com	asdasd	2610
bristal@qq.com	55169997	2610
125550382@qq.com	5211314	2612
61697468@qq.com	shedjukb	2612
xoeva@qq.com	5683896	2612
157064708@qq.com	123456	2613
6093046@qq.com	zer626	2613
446485327@qq.com	828410	2613
av-zsb@qq.com	342625	2614
40797156@qq.com	jj798676	2614
4654646@qq.com	123456	2614
18739662@qq.com	11223344a	2614
sibiao@qq.com	sibiao	2614
746199609@qq.com	80894230	2615
490898620@qq.com	585100	2615
ant1df@qq.com	3559018	2615
65120719@qq.com	hzqq517	2615
185587277@qq.com	861116	2615
clauclau@qq.com	kimpese	2615
739624367@qq.com	raytong	2616
ttlxxj@qq.com	19830918	2616
253625070@qq.com	5055128	2616
125598988@qq.com	3212281	2616
norly@qq.com	woosular	2617
181773823@qq.com	648898jr	2617
181651081@qq.com	880117	2617
41857068@qq.com	861017	2617
168328641@qq.com	55881798	2617
393019652@qq.com	760802	2617
150988949@qq.com	810311	2617
451645452@qq.com	13610061244	2618
334139919@qq.com	334139919	2618
58509095@qq.com	669951	2618
wg8211@qq.com	57836157	2618
369822727@qq.com	6581369	2618
496558942@qq.com	5211whf	2619
319328876@qq.com	710628	2619
498170364@qq.com	25257758	2619
68051713@qq.com	2326135	2619
773269448@qq.com	773269448	2620
da@qq.com	123456	2620
450195545@qq.com	594145	2620
yjdnuu@qq.com	Iloveyou	2620
ltd284461714@qq.com	123456a	2621
102350551@qq.com	11259375	2621
zb6688@qq.com	63356243	2621
320099996@qq.com	6612965	2621
woozj@qq.com	456852	2621
251713466@qq.com	917000wl	2621
191419660@qq.com	mengfan	2621
87150778@qq.com	smqjames0912	2622
417608219@qq.com	hbj19880913	2622
383400721@qq.com	huawei	2622
416930828@qq.com	qqqqqq	2622
wywjf@vip.qq.com	wjfzly608	2622
525313427@qq.com	gg731025	2622
254883992@qq.com	QQQQQQ	2623
hxd168@vip.qq.com	336471888	2623
371767294@qq.com	202040536	2623
79299101@qq.com	18150174	2623
117138966@qq.com	wsndxlg	2623
21988833@qq.com	594007	2623
84710290@qq.com	456852	2624
270160353@qq.com	shi369lei	2624
29886716@qq.com	342626	2624
87051508@qq.com	182514871	2624
yiyu0297@qq.com	yiyu0297	2624
301101595@qq.com	liujia123456	2624
715213319@qq.com	qjb7716698	2624
535181861@qq.com	qtds521	2624
610227418@qq.com	as6836258	2624
366147517@qq.com	5215757	2624
316902368@qq.com	xy880814	2624
43328365@qq.com	2628185	2624
haphine@qq.com	157953	2625
602854553@qq.com	19893176	2625
9960463@qq.com	adaqbuxx	2625
402491604@qq.com	19840622	2625
179898366@qq.com	152426	2625
844163955@qq.com	198874	2625
12338000@qq.com	2360038lj	2625
761881129@qq.com	loer123p	2625
605809103@qq.com	827820	2625
506873303@qq.com	870501	2625
120580131@qq.com	6307069	2625
9605776@qq.com	11251107	2625
314232570@qq.com	826826	2625
amimoon@qq.com	630417	2625
popsavage@qq.com	orochi	2626
1022@qq.com	123456	2626
21006412@qq.com	350026	2626
306057600@qq.com	111111	2627
305303146@qq.com	fastshow	2627
lhk1981@qq.com	810916	2627
710166828@qq.com	100200	2627
53491481@qq.com	121756896	2627
41068094@qq.com	6524861	2627
410991902@qq.com	159357	2627
125253185@qq.com	125253185	2627
118095223@qq.com	aidejiushini	2627
283229207@qq.com	6944695	2627
2276199@qq.com	880710	2627
170392504@qq.com	69522516	2627
dayu8735@vip.qq.com	94098808	2627
21620341@qq.com	3303153	2627
276064799@qq.com	20074241050	2628
329034188@qq.com	1982822	2628
247838111@qq.com	5863586	2628
457668465@qq.com	7530103	2628
290152195@qq.com	lq5201230	2628
569249960@qq.com	3211887	2628
9029928@qq.com	jiejiebie	2628
568753292@qq.com	19910617	2629
630805081@qq.com	556385	2629
516294195@qq.com	771222	2629
278863627@qq.com	121369	2629
33351239@qq.com	linsmke	2629
327515586@qq.com	272714	2629
363372208@qq.com	88945790	2629
wshj95011@qq.com	198096	2629
331094629@qq.com	aa1987	2629
wlj_lucky@qq.com	55571537	2629
adamlam@qq.com	32722063	2629
460073817@qq.com	67846130	2629
749021742@qq.com	19880820	2629
56091378@qq.com	135615	2629
26606582@qq.com	1989822	2629
54625734@qq.com	12345asdf	2629
604905686@qq.com	123456	2629
394910153@qq.com	85884937	2629
88953526@qq.com	2091101	2629
345354226@qq.com	47225802	2629
58985372@qq.com	6655888	2629
93767355@qq.com	518519	2629
ninja911@qq.com	123456123	2629
lionfoo@qq.com	19840716	2629
327392732@qq.com	tom881812	2630
654562052@qq.com	12zchxh12	2630
hcl14410060@vip.qq.com	557255	2630
byjd@qq.com	ytsm36	2630
309383973@qq.com	meili54	2630
423594656@qq.com	423594656	2630
281137416@qq.com	5178074	2630
724828489@qq.com	3232568	2630
99385424@qq.com	23505825	2630
304392000@qq.com	wangfei	2630
308272514@qq.com	1989422	2630
caokangli@qq.com	841127	2631
392644593@qq.com	19924749	2631
190726906@qq.com	861221	2631
462502804@qq.com	89289266	2631
120195212@qq.com	83377961	2631
274247631@qq.com	111111	2631
150199716@qq.com	caomin	2631
657895521@qq.com	259695	2631
lyhf2001@qq.com	1983515	2631
351529126@qq.com	186016	2632
435874548@qq.com	64114978	2632
385838661@qq.com	385838	2632
79210706@qq.com	50311359	2632
xiwang1235@qq.com	664560222	2632
wood2@qq.com	19830825	2632
parcolin@qq.com	4342043420	2632
znpaladin@qq.com	4369297	2632
123996065@qq.com	wocaonima	2632
32156749@qq.com	19841127	2632
410777850@qq.com	1904467	2632
150511403@qq.com	iverson3	2632
501371099@qq.com	119313	2632
445725667@qq.com	445725667	2632
303953106@qq.com	nicaibudao	2632
199676909@qq.com	lanhua1221	2632
sunny3366866@vip.qq.com	19840314	2633
402218245@qq.com	5305816	2633
597741294@qq.com	278821	2633
404709954@qq.com	liuqiangmima	2633
asdfg0663@qq.com	11651829	2633
jiangzhaonian@qq.com	123456	2633
451664212@qq.com	wohufeisan	2633
240469552@qq.com	as188546	2633
543970146@qq.com	yangbogao	2633
282228907@qq.com	86576585	2633
pirlo1234@qq.com	83113622	2633
425680014@qq.com	556677	2633
beibei027@qq.com	228788	2633
454806277@qq.com	58112872	2634
liu-feiaini@qq.com	wokyaiwom	2634
jazzyest@qq.com	84621515	2634
173678990@qq.com	354543512	2634
103022951@qq.com	103022951	2634
398134168@qq.com	880113	2634
372194359@qq.com	zyp201014	2634
359316323@qq.com	891019	2635
312202069@qq.com	payuandian	2635
keycn@qq.com	120994537	2635
601598414@qq.com	4728174	2635
403773760@qq.com	133325	2636
363125203@qq.com	31007548	2636
360609990@qq.com	19861203	2636
334182205@qq.com	861218	2636
609706734@qq.com	yeming8312	2636
305401539@qq.com	37753443	2636
88108146@qq.com	1988528mn	2636
78408684@qq.com	5481767	2636
skcxz@qq.com	60598240	2636
liuliming@vip.qq.com	861105	2637
629108000@qq.com	9719589	2637
95297760@qq.com	5237569	2637
623294373@qq.com	6193600128	2637
1234555@qq.com	123456	2637
282231262@qq.com	feifei19871217	2637
387712037@qq.com	174030	2638
yaosijiaysj@qq.com	ysjysj	2638
82882749@qq.com	1986421	2638
373758486@qq.com	sd123456	2638
277102567@qq.com	870228	2638
382610335@qq.com	13153316716	2638
76395236@qq.com	5200520	2638
348867902@qq.com	xuchao	2638
165480225@qq.com	123123	2638
79787861@qq.com	13587355362	2638
102781398@qq.com	102781398	2639
hwhcola@qq.com	709394	2639
196460581@qq.com	sukei0504	2639
huxiaoming@vip.qq.com	1982529	2639
379864409@qq.com	7758521	2639
469351169@qq.com	cj1988713	2639
550803994@qq.com	251314	2639
42702093@qq.com	tobetobe	2639
119119819@qq.com	987654321	2639
46228306@qq.com	840920	2639
313659729@qq.com	313659729	2639
120781269@qq.com	120781269	2639
402884050@qq.com	980513	2640
382610335@qq.com	13153316716	2640
madzz@qq.com	mrbeyond	2640
120815903@qq.com	16899199	2640
112473328@qq.com	198791	2640
44809730@qq.com	100200	2640
373758486@qq.com	sd123456	2640
493309553@qq.com	76807661	2640
116464706@qq.com	89723359	2640
21063983@qq.com	21063983	2640
448054350@qq.com	87156941	2640
346084917@qq.com	1989032357	2640
405225101@qq.com	woaishaohan1	2640
765624672@qq.com	198617	2640
200512756@qq.com	831207	2640
358690600@qq.com	xsw1987918	2640
258537347@qq.com	l04260029	2641
ameng_2450@qq.com	sz198384	2641
49724837@qq.com	132132	2641
89759837@qq.com	198839	2641
jy02546162@qq.com	88990551	2641
81307640@qq.com	19831208	2641
512188068@qq.com	3282698	2641
171463726@qq.com	519549100	2641
50893554@qq.com	sadman	2641
316683716@qq.com	123456789	2641
937660003@qq.com	19871030	2642
503931811@qq.com	19891228	2642
363889590@qq.com	2002320409	2642
261002010@qq.com	198785	2642
87514610@qq.com	123456789	2642
375802068@qq.com	samsung1	2642
376960272@qq.com	150430	2642
345862015@qq.com	81993663	2642
261908062@qq.com	19880815	2642
57860761@qq.com	241154265	2642
312908074@qq.com	86540426	2642
764332566@qq.com	mytazz	2642
327355136@qq.com	4026366	2642
104694794@qq.com	19871206	2642
941032670@qq.com	7846428	2643
867240056@qq.com	abc1333105	2643
499210305@qq.com	499210305	2643
sadsandson@qq.com	1qazwsx	2643
314671814@qq.com	13659313595	2643
25073324@qq.com	tt19820927	2643
417551413@qq.com	417551413	2643
305836062@qq.com	19831228	2644
hb673099663@qq.com	huangbo000	2644
449563516@qq.com	8625186256	2644
200512756@qq.com	831207	2644
462845951@qq.com	8109198992	2644
39477903@qq.com	7758520	2644
155267298@qq.com	820429	2644
573738953@qq.com	123see	2644
zhengji723@qq.com	57368826	2644
178207275@qq.com	19880601	2644
21474856@qq.com	870316yzw	2644
421547656@qq.com	10120808	2644
329428242@qq.com	19890322	2644
554526395@qq.com	yu3044605	2645
jingygr@qq.com	jingygr	2645
zhang_zhengping@qq.com	mylove	2645
748522730@qq.com	wb1987617	2645
56398037@qq.com	28142816	2645
947128908@qq.com	5360751	2645
402928627@qq.com	19881206	2646
csk85386696@qq.com	csk5386696	2646
309995524@qq.com	jiangzhao1	2646
454564@qq.com	123456	2646
593584127@qq.com	3994486	2646
107999428@qq.com	19900802	2646
103382700@qq.com	3566276955	2646
833661@qq.com	kevinzhang	2646
363710650@qq.com	24682486	2647
673200741@qq.com	123321	2647
idwsljq@qq.com	ssugesad	2647
jianghongxiang88@qq.com	123456	2648
397987013@qq.com	1942943217	2648
621373@qq.com	19870415	2648
99839022@qq.com	891030	2648
254880598@qq.com	5688317	2648
381849780@qq.com	ll40251528	2648
969859640@qq.com	221630	2649
397554095@qq.com	123456	2649
453609201@qq.com	423520110	2649
125336312@qq.com	68839649	2650
287395@qq.com	yh843100	2650
38516864@qq.com	20020211	2650
261748288@qq.com	261748288	2650
350853522@qq.com	5629800	2650
779659523@qq.com	54794142	2651
115552333@qq.com	100200	2651
290052132@qq.com	19860405	2651
88381114@qq.com	5592130	2651
sunjie29@qq.com	believeME	2651
oyc158890400@qq.com	qwe123	2651
383864160@qq.com	qijian	2651
905337889@qq.com	226501	2651
516939496@qq.com	19870401	2651
zht242092789@qq.com	tian83555258	2651
413828388@qq.com	7685210	2652
317013976@qq.com	woaiwenjing	2652
707667@qq.com	53187456	2652
374593813@qq.com	5203344	2652
629765725@qq.com	629765725	2652
1111@qq.com	111111	2653
379493564@qq.com	730328	2653
874507004@qq.com	213621	2653
402644213@qq.com	19901204	2653
6151001@qq.com	67583980	2654
441540015@qq.com	1989116	2654
438944295@qq.com	780305482	2654
438944295@qq.com	780305482	2654
156457740@qq.com	156457740	2654
709453739@qq.com	chenqi384457	2654
398378429@qq.com	120392690	2654
258446029@qq.com	258446029	2656
793612141@qq.com	123123123	2656
448259796@qq.com	230016499	2656
260250424@qq.com	shangxian	2656
328002574@qq.com	56100813	2656
394746278@qq.com	19911020zwj	2656
138884848@qq.com	9439110	2657
372532666@qq.com	992323	2658
ezjoys@vip.qq.com	321458	2658
51193890@qq.com	00000ppppp	2658
261026249@qq.com	8778781	2659
105592239@qq.com	1219716708	2659
50057862@qq.com	1984601	2660
333254@qq.com	woluailu	2661
81018087@qq.com	860101	2661
542175015@qq.com	4432730	2663
012345@qq.com	123456	2664
27883659@qq.com	yimingpan	2664
541141222@qq.com	781107	2664
332302378@qq.com	15833118280	2665
252152880@qq.com	68105526	2665
285788647@qq.com	110112	2665
289388438@qq.com	292526	2666
258831346@qq.com	515800	2667
851829818@qq.com	5879576	2668
234557188@qq.com	144887	2669
340056653@qq.com	75250552	2669
593223913@qq.com	z198982476	2669
25471015@qq.com	19841013	2670
115522817@qq.com	43420024420	2670
663214851@qq.com	13546315579	2670
233969857@qq.com	wei22616266	2671
359099337@qq.com	woainijie	2672
359099337@qq.com	woainijie	2674
www.532821866@qq.com	198781	2675
zjsd@qq.com	9987316	2676
sopo123456@qq.com	solo123456	2677
497731439@qq.com	rabbitwufang	2678
781182156@qq.com	3702829	2681
279036814@qq.com	pl198523	2682
258171141@qq.com	5686248	2684
liulian2266@qq.com	68734693	2686
cscwq@qq.com	chinaren	2686
673777561@qq.com	woaini1314	2686
352968680@qq.com	278379	2686
99193736@qq.com	820105	2686
zbq27@qq.com	jiguang26	2687
352968680@qq.com	278379	2688
420132690@qq.com	123456	2688
634619544@qq.com	834183	2689
66666654@qq.com	123456	2689
598119412@qq.com	123456789	2689
120446346@qq.com	8828217	2689
429839719@qq.com	198400	2690
573432156@qq.com	no507744	2690
787744525@qq.com	19980827	2690
246103194@qq.com	85127559	2690
497715335@qq.com	900820	2691
542102898@qq.com	915718	2692
494812733@qq.com	385332	2692
19871230@qq.com	yangyuxin	2692
365713666@qq.com	f800922	2693
620011150@qq.com	2616706	2693
15470847@qq.com	15470847	2695
446879795@qq.com	58425703	2699
330189875@qq.com	376595480	2699
898357694@qq.com	898357694	2699
214437325@qq.com	sky428675	2700
366030553@qq.com	860331	2701
409868986@qq.com	Shirley0806	2707
kingsonyang@vip.qq.com	123456	2709
308716521@qq.com	999616	2711
373345630@qq.com	sc3563909	2712
911306149@qq.com	19840223	2713
408901693@qq.com	841216	2717
122419246@qq.com	hanjing118	2719
www.596608057@qq.com	24363351	2719
522052105@qq.com	63476369	2721
blackcat0@qq.com	shanish	2734
410940093@qq.com	3823238	2736
82687967@qq.com	194010520	2737
493127136@qq.com	sbdskf	2737
234235@qq.com	123456	2753
517334118@qq.com	999288	2760

修复方案:

审核大大好严格,挖个洞不容易,撞库好久才出来的用户,还不来个20rank?

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2015-05-13 11:32

厂商回复:

感谢对安居客的支持!

最新状态:

暂无