Vulnerability summary

Defect ID: wooyun-2015-0120947

Title: 蚂蚁短租 (Mayi Duanzu) design flaw (leaks a large amount of user information)

Vendor: 赶集网 (Ganji.com)

Author: 路人甲

Submitted: 2015-06-17 10:15

Fixed: 2015-08-01 10:24

Published: 2015-08-01 10:24

Type: Design flaw / logic error

Severity: Medium

Self-assessed Rank: 10

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-06-17: Details sent to the vendor, awaiting vendor handling
2015-06-17: Vendor confirmed; details visible to the vendor only
2015-06-27: Details disclosed to core white hats and domain experts
2015-07-07: Details disclosed to regular white hats
2015-07-17: Details disclosed to intern white hats
2015-08-01: Details disclosed to the public

Brief description:

Detailed description:

1. Log in on the main site, choosing the Ant (蚂蚁) account login. There is no CAPTCHA; capture the login request.

(screenshot 1.png)


2. The password is sent as an MD5 hash, so the payload is MD5-hashed in Burp.

(screenshot 3.png)


3. Proof of valid user accounts

(screenshot 4.png)


(screenshot 5.png)


(screenshot 6.png)


4. The recovered accounts (email address, MD5 hash, and for some the cracked password) follow; login attempts should be rate-limited.

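The flaw in this report is a login endpoint with no CAPTCHA and no limit on attempts, which the empty fix section leaves unaddressed. The throttle below is an added example (not code from the report or the vendor) of the server-side control that closes it: failures are counted per account and per source IP in a sliding window, a CAPTCHA is demanded after a few failures, and the attempt is refused after more. All names, thresholds and sample attempts are assumptions made for this example.

```python
# Added example (not from the original report): a login throttle for an
# endpoint that, like the one reported, has no CAPTCHA and no attempt limit.
# Thresholds, names and the sample attempts are assumptions for illustration.
from collections import defaultdict, deque

WINDOW_SECONDS = 600      # sliding window in which failures are counted
CAPTCHA_AFTER = 3         # per-account failures before a CAPTCHA is required
LOCK_AFTER = 10           # per-account failures before the attempt is refused
IP_LOCK_AFTER = 30        # failures from one IP (any account) before refusal

class LoginThrottle:
    def __init__(self):
        self._by_account = defaultdict(deque)   # account -> failure timestamps
        self._by_ip = defaultdict(deque)        # source ip -> failure timestamps

    @staticmethod
    def _prune(q, now):
        # Drop failures that have aged out of the window.
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def decide(self, account, ip, now):
        """Return 'allow', 'captcha' or 'refuse' for an attempt made at `now`."""
        acct, src = self._by_account[account], self._by_ip[ip]
        self._prune(acct, now)
        self._prune(src, now)
        if len(acct) >= LOCK_AFTER or len(src) >= IP_LOCK_AFTER:
            return "refuse"
        if len(acct) >= CAPTCHA_AFTER:
            return "captcha"
        return "allow"

    def record_failure(self, account, ip, now):
        self._by_account[account].append(now)
        self._by_ip[ip].append(now)

    def record_success(self, account):
        # A successful login clears the account counter; the IP counter stays,
        # so one source spraying many accounts is still caught.
        self._by_account[account].clear()

def simulate(attempts):
    """Run constructed (account, ip, time, password_ok) attempts; return decisions."""
    throttle, decisions = LoginThrottle(), []
    for account, ip, now, ok in attempts:
        decision = throttle.decide(account, ip, now)
        decisions.append(decision)
        if decision == "refuse":
            continue                 # refused attempts never reach the password check
        if ok:                       # 'captcha' attempts are assumed to solve it
            throttle.record_success(account)
        else:
            throttle.record_failure(account, ip, now)
    return decisions
```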

Proof of vulnerability:

Fix suggestions:

Copyright notice: when reposting, credit 路人甲@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 8

Confirmed: 2015-06-17 10:22

Vendor reply:

Thank you very much for your report. We have started working on the issue, and we appreciate everyone's attention to the security of our business. If you have any questions, please let us know and a dedicated person will follow up.

Latest status:

None