慧聪网某接口设计缺陷可撞库用户，严重泄漏用户敏感信息

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0154563

漏洞标题：慧聪网某接口设计缺陷可撞库用户，严重泄漏用户敏感信息

漏洞作者：路人甲

提交时间：2015-11-21 16:34

修复时间：2016-01-11 15:32

公开时间：2016-01-11 15:32

漏洞类型：设计缺陷/逻辑错误

危害等级：低

自评Rank：3

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-11-21：细节已通知厂商并且等待厂商处理中
2015-11-23：厂商已经确认，细节仅向厂商公开
2015-12-03：细节向核心白帽子及相关领域专家公开
2015-12-13：细节向普通白帽子公开
2015-12-23：细节向实习白帽子公开
2016-01-11：细节向公众公开

简要描述：

慧聪网某接口设计缺陷可撞库用户，严重泄漏用户敏感信息

详细说明：

http://sso.hc360.com/ssologin?ReturnURL=http%3A%2F%2Fhr.hc360.com%2Fhr%2Fturbine%2Ftemplate%2Fresume%2Cmanage_center.html&renew=true这个接口本来有个https的，但是此处的https就没了，抓包发现用户名密码明文传输的：

这里直接贴出部分撞库成功帐号证明：

3661612	88479362@qq.com	1556
15818616233	28193020@qq.com	1566
258015158	258015158@qq.com	1566
6746788	349523239@qq.com	1566
810727	327778919@qq.com	1566
860201	66929297@qq.com	1566
1989716	81318475@qq.com	1566
810727	327778919@qq.com	1566
520188	6664576@qq.com	1566
891006	416469606@qq.com	1566
457226881	457226881@qq.com	1566
2693792	332813290@qq.com	1566
53541288	768057470@qq.com	1566
773269448	773269448@qq.com	1566
60938557	721530880@qq.com	1566
1234568	178474@qq.com	1566
4892701	huan369@qq.com	1566
841209	83480407@qq.com	1566
77589916	80109283@qq.com	1566
6839683632	383865801@qq.com	1566
520941	383937694@qq.com	1566
zhoufan	356050904@qq.com	1566
88908890	wsk8890@qq.com	1566
736501	8241156@qq.com	1566
409804	108326520@qq.com	1566
100200	21376369@qq.com	1566
19901126	694998297@qq.com	1566
5683880	79436407@qq.com	1566
xiao00ai11	331818571@qq.com	1566
zhangjian	287436822@qq.com	1566
5770649123	283567455@qq.com	1566
14291563	807492@qq.com	1566
daohao98	xd808@qq.com	1566
52730672	52730672@qq.com	1566
12688993510	610722769@qq.com	1566
kaikai1	only71@qq.com	1566
fimergo	47414266@qq.com	1566
dongjie	272415706@qq.com	1566
062314han	735513820@qq.com	1566
ly19861130	526667048@qq.com	1566
1230123	350930850@qq.com	1566
5201314	5877161@qq.com	1566
6812903	2688032@qq.com	1566
511532	3051534@qq.com	1566
5801207	453645089@qq.com	1566
8164272	663978026@qq.com	1566
asdasd	877647502@qq.com	1566
yu6931359	214955262@qq.com	1566
6973951	285624921@qq.com	1566
5521564	414912496@qq.com	1566
1514401	3997912@qq.com	1566
caocao	313769123@qq.com	1566
200101	489022202@qq.com	1566
19831104	78056043@qq.com	1566
88908890	wsk8890@qq.com	1566
6012878	8425170@qq.com	1566
3262021	87200279@qq.com	1566
38110606	reed@vip.qq.com	1566
y26787159	309055018@qq.com	1566
775600	tsxx157@qq.com	1566
717273	qz11111@vip.qq.com	1566
6858154	344532@qq.com	1566
1672900	87734702@qq.com	1566
liu6480832	microsoft168@qq.com	1566
qwerty	www.452561400@qq.com	1566
jiuzi123654	zjiuzi@qq.com	1566
5211314a	534000670@qq.com	1566
5735155	weikangtiancai@qq.com	1566
19870916	331888190@qq.com	1566
linboyu	107594@qq.com	1566
2283617	63313575@qq.com	1566
810109	443629426@qq.com	1566
19881021	763568574@qq.com	1566
900717	13392155@qq.com	1566
shinjishinji	380136015@qq.com	1566
wscjl8166	529900929@qq.com	1566
111222	332470969@qq.com	1566
10203040	180057015@qq.com	1566
3216263	340309889@qq.com	1566
550550	545819008@qq.com	1566
86305710	100630571@qq.com	1566
202017	406186646@qq.com	1566
qwerty	www.452561400@qq.com	1566
123212321	lflanxuan@qq.com	1566
asdfasdf	ygxfx2@qq.com	1566
981600165	314771704@qq.com	1566
19860906	278755496@qq.com	1566
850117	yayayapei@qq.com	1566
890426	417203618@qq.com	1566
851217	445252735@qq.com	1566
8218023li	271720410@qq.com	1566
ale159261	aleders@qq.com	1566
4868893	469561911@qq.com	1566
3344253q	87998061@qq.com	1566
123654	282466955@qq.com	1566
hhb9635	123837487@qq.com	1566
7719923	1139467@qq.com	1566
356789	zhanggogo@qq.com	1566
794613	420816820@qq.com	1566
154330	21141176@qq.com	1566
12369037	531342822@qq.com	1566
831014	30653998@qq.com	1566
850824	120799465@qq.com	1566
7417020	shuaikaixinkuaile@qq.com	1566
wszly57	645913364@qq.com	1566
68547501	yu87514@qq.com	1566
850960	283434910@qq.com	1566
715201314	379657992@qq.com	1566
860201	66929297@qq.com	1566
2925138	281827110@qq.com	1566
wohaiaima	wbnjun@vip.qq.com	1566
5182279	938767914@qq.com	1566
550550	545819008@qq.com	1566
365275	51458307@qq.com	1566
100200	21376369@qq.com	1566
nannan	222585@qq.com	1566
zhuodejian	zhuodj@qq.com	1566
6964563	xukejiangdan@qq.com	1566
7252713	61075032@qq.com	1566
tian0109	443677930@qq.com	1566
66025098	48744363@qq.com	1566
19870622	381939239@qq.com	1566
6690751	38368019@qq.com	1566
657421	735704928@qq.com	1566
4221098	389059288@qq.com	1566
778032	6087698@qq.com	1566
za12580	444987324@qq.com	1566
2210000	379131753@qq.com	1566
a6166038	531745590@qq.com	1566
555ckxckx	136898611@qq.com	1566
850203	275706455@qq.com	1566
aaaass	241008223@qq.com	1566
5551406	cdheshuai@qq.com	1566
7594230	191910116@qq.com	1566
su36z02b	120013210@qq.com	1566
366474818	87673536@qq.com	1566
881259051	634503917@qq.com	1566
7830891	376464789@qq.com	1566
chc1987	364270689@qq.com	1566
8562139	344809620@qq.com	1566
mjhmjh	619592806@qq.com	1566
5121054	75565870@qq.com	1566
5660206	378451849@qq.com	1566
1988427	502310225@qq.com	1566
28145936	cdzc@vip.qq.com	1566
kenxin	jyy623@qq.com	1566
wojiaoama	amawudi@qq.com	1566
6831872	35221984@qq.com	1566
collin	shdwxh1988@qq.com	1566
147852369	540652073@qq.com	1566
879987	549944@qq.com	1566
13170158999	9453451@qq.com	1566
2109138	123544970@qq.com	1566
112988	516395972@qq.com	1566
8807822	30885489@qq.com	1566
chenhao	9064690@qq.com	1566
850203	275706455@qq.com	1566
yashiros	365801808@qq.com	1566
1535421619	76493075@qq.com	1566
13141314a	274306417@qq.com	1566
qq123456789	939816661@qq.com	1566
tj5201314	461633163@qq.com	1566
212418251	297332358@qq.com	1566
8585270	5587872@qq.com	1566
6686252123	190545991@qq.com	1566
621000lhy	317778533@qq.com	1566
19880504	250561677@qq.com	1566
85852556	732738879@qq.com	1566
82531052	625861838@qq.com	1566
a5w521521	278400200@qq.com	1566
qq099971	377101322@qq.com	1566
840718	278647200@qq.com	1566
19840823	283413464@qq.com	1566
62031756	352818647@qq.com	1566
shmily	195201147@qq.com	1566
112358soar	327027053@qq.com	1566
21614144	3590083@qq.com	1566
198732826	372756012@qq.com	1566
881122	270351042@qq.com	1566
332671	332671@qq.com	1566
*love1714	285399964@qq.com	1566
365200	71105915@qq.com	1566
520hejia	bb66@vip.qq.com	1566
808909	xuchgui@qq.com	1566
1983415	xiao_yyy@qq.com	1566
222961	164936476@qq.com	1566
xiao520	43666868@qq.com	1566
2513693	weiruibin@qq.com	1566
guizi1984	289996941@qq.com	1566
1989812	982142762@qq.com	1566
245224674	245224674@qq.com	1566
82824845	48088780@qq.com	1566
62534346	1141380@qq.com	1566
5529591	517230@qq.com	1566
960731	jcxie21@qq.com	1566
zxcvb1	344861254@qq.com	1566
pdp198638	pdp777@qq.com	1566
5835664	316199681@qq.com	1566
jqzxlg128	530856687@qq.com	1566

登录网站证明，严重泄漏用户敏感信息，可以查看或者修改：

漏洞证明：

这里直接贴出部分撞库成功帐号证明：

3661612	88479362@qq.com	1556
15818616233	28193020@qq.com	1566
258015158	258015158@qq.com	1566
6746788	349523239@qq.com	1566
810727	327778919@qq.com	1566
860201	66929297@qq.com	1566
1989716	81318475@qq.com	1566
810727	327778919@qq.com	1566
520188	6664576@qq.com	1566
891006	416469606@qq.com	1566
457226881	457226881@qq.com	1566
2693792	332813290@qq.com	1566
53541288	768057470@qq.com	1566
773269448	773269448@qq.com	1566
60938557	721530880@qq.com	1566
1234568	178474@qq.com	1566
4892701	huan369@qq.com	1566
841209	83480407@qq.com	1566
77589916	80109283@qq.com	1566
6839683632	383865801@qq.com	1566
520941	383937694@qq.com	1566
zhoufan	356050904@qq.com	1566
88908890	wsk8890@qq.com	1566
736501	8241156@qq.com	1566
409804	108326520@qq.com	1566
100200	21376369@qq.com	1566
19901126	694998297@qq.com	1566
5683880	79436407@qq.com	1566
xiao00ai11	331818571@qq.com	1566
zhangjian	287436822@qq.com	1566
5770649123	283567455@qq.com	1566
14291563	807492@qq.com	1566
daohao98	xd808@qq.com	1566
52730672	52730672@qq.com	1566
12688993510	610722769@qq.com	1566
kaikai1	only71@qq.com	1566
fimergo	47414266@qq.com	1566
dongjie	272415706@qq.com	1566
062314han	735513820@qq.com	1566
ly19861130	526667048@qq.com	1566
1230123	350930850@qq.com	1566
5201314	5877161@qq.com	1566
6812903	2688032@qq.com	1566
511532	3051534@qq.com	1566
5801207	453645089@qq.com	1566
8164272	663978026@qq.com	1566
asdasd	877647502@qq.com	1566
yu6931359	214955262@qq.com	1566
6973951	285624921@qq.com	1566
5521564	414912496@qq.com	1566
1514401	3997912@qq.com	1566
caocao	313769123@qq.com	1566
200101	489022202@qq.com	1566
19831104	78056043@qq.com	1566
88908890	wsk8890@qq.com	1566
6012878	8425170@qq.com	1566
3262021	87200279@qq.com	1566
38110606	reed@vip.qq.com	1566
y26787159	309055018@qq.com	1566
775600	tsxx157@qq.com	1566
717273	qz11111@vip.qq.com	1566
6858154	344532@qq.com	1566
1672900	87734702@qq.com	1566
liu6480832	microsoft168@qq.com	1566
qwerty	www.452561400@qq.com	1566
jiuzi123654	zjiuzi@qq.com	1566
5211314a	534000670@qq.com	1566
5735155	weikangtiancai@qq.com	1566
19870916	331888190@qq.com	1566
linboyu	107594@qq.com	1566
2283617	63313575@qq.com	1566
810109	443629426@qq.com	1566
19881021	763568574@qq.com	1566
900717	13392155@qq.com	1566
shinjishinji	380136015@qq.com	1566
wscjl8166	529900929@qq.com	1566
111222	332470969@qq.com	1566
10203040	180057015@qq.com	1566
3216263	340309889@qq.com	1566
550550	545819008@qq.com	1566
86305710	100630571@qq.com	1566
202017	406186646@qq.com	1566
qwerty	www.452561400@qq.com	1566
123212321	lflanxuan@qq.com	1566
asdfasdf	ygxfx2@qq.com	1566
981600165	314771704@qq.com	1566
19860906	278755496@qq.com	1566
850117	yayayapei@qq.com	1566
890426	417203618@qq.com	1566
851217	445252735@qq.com	1566
8218023li	271720410@qq.com	1566
ale159261	aleders@qq.com	1566
4868893	469561911@qq.com	1566
3344253q	87998061@qq.com	1566
123654	282466955@qq.com	1566
hhb9635	123837487@qq.com	1566
7719923	1139467@qq.com	1566
356789	zhanggogo@qq.com	1566
794613	420816820@qq.com	1566
154330	21141176@qq.com	1566
12369037	531342822@qq.com	1566
831014	30653998@qq.com	1566
850824	120799465@qq.com	1566
7417020	shuaikaixinkuaile@qq.com	1566
wszly57	645913364@qq.com	1566
68547501	yu87514@qq.com	1566
850960	283434910@qq.com	1566
715201314	379657992@qq.com	1566
860201	66929297@qq.com	1566
2925138	281827110@qq.com	1566
wohaiaima	wbnjun@vip.qq.com	1566
5182279	938767914@qq.com	1566
550550	545819008@qq.com	1566
365275	51458307@qq.com	1566
100200	21376369@qq.com	1566
nannan	222585@qq.com	1566
zhuodejian	zhuodj@qq.com	1566
6964563	xukejiangdan@qq.com	1566
7252713	61075032@qq.com	1566
tian0109	443677930@qq.com	1566
66025098	48744363@qq.com	1566
19870622	381939239@qq.com	1566
6690751	38368019@qq.com	1566
657421	735704928@qq.com	1566
4221098	389059288@qq.com	1566
778032	6087698@qq.com	1566
za12580	444987324@qq.com	1566
2210000	379131753@qq.com	1566
a6166038	531745590@qq.com	1566
555ckxckx	136898611@qq.com	1566
850203	275706455@qq.com	1566
aaaass	241008223@qq.com	1566
5551406	cdheshuai@qq.com	1566
7594230	191910116@qq.com	1566
su36z02b	120013210@qq.com	1566
366474818	87673536@qq.com	1566
881259051	634503917@qq.com	1566
7830891	376464789@qq.com	1566
chc1987	364270689@qq.com	1566
8562139	344809620@qq.com	1566
mjhmjh	619592806@qq.com	1566
5121054	75565870@qq.com	1566
5660206	378451849@qq.com	1566
1988427	502310225@qq.com	1566
28145936	cdzc@vip.qq.com	1566
kenxin	jyy623@qq.com	1566
wojiaoama	amawudi@qq.com	1566
6831872	35221984@qq.com	1566
collin	shdwxh1988@qq.com	1566
147852369	540652073@qq.com	1566
879987	549944@qq.com	1566
13170158999	9453451@qq.com	1566
2109138	123544970@qq.com	1566
112988	516395972@qq.com	1566
8807822	30885489@qq.com	1566
chenhao	9064690@qq.com	1566
850203	275706455@qq.com	1566
yashiros	365801808@qq.com	1566
1535421619	76493075@qq.com	1566
13141314a	274306417@qq.com	1566
qq123456789	939816661@qq.com	1566
tj5201314	461633163@qq.com	1566
212418251	297332358@qq.com	1566
8585270	5587872@qq.com	1566
6686252123	190545991@qq.com	1566
621000lhy	317778533@qq.com	1566
19880504	250561677@qq.com	1566
85852556	732738879@qq.com	1566
82531052	625861838@qq.com	1566
a5w521521	278400200@qq.com	1566
qq099971	377101322@qq.com	1566
840718	278647200@qq.com	1566
19840823	283413464@qq.com	1566
62031756	352818647@qq.com	1566
shmily	195201147@qq.com	1566
112358soar	327027053@qq.com	1566
21614144	3590083@qq.com	1566
198732826	372756012@qq.com	1566
881122	270351042@qq.com	1566
332671	332671@qq.com	1566
*love1714	285399964@qq.com	1566
365200	71105915@qq.com	1566
520hejia	bb66@vip.qq.com	1566
808909	xuchgui@qq.com	1566
1983415	xiao_yyy@qq.com	1566
222961	164936476@qq.com	1566
xiao520	43666868@qq.com	1566
2513693	weiruibin@qq.com	1566
guizi1984	289996941@qq.com	1566
1989812	982142762@qq.com	1566
245224674	245224674@qq.com	1566
82824845	48088780@qq.com	1566
62534346	1141380@qq.com	1566
5529591	517230@qq.com	1566
960731	jcxie21@qq.com	1566
zxcvb1	344861254@qq.com	1566
pdp198638	pdp777@qq.com	1566
5835664	316199681@qq.com	1566
jqzxlg128	530856687@qq.com	1566

登录网站证明，严重泄漏用户敏感信息，可以查看或者修改：

修复方案：

加密

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：中

漏洞Rank：8

确认时间：2015-11-23 13:58

厂商回复：

谢谢您。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0154563

漏洞标题：慧聪网某接口设计缺陷可撞库用户，严重泄漏用户敏感信息

相关厂商：慧聪网

漏洞作者：路人甲

提交时间：2015-11-21 16:34

修复时间：2016-01-11 15:32

公开时间：2016-01-11 15:32

漏洞类型：设计缺陷/逻辑错误

危害等级：低

自评Rank：3

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0154563

漏洞标题：慧聪网某接口设计缺陷可撞库用户，严重泄漏用户敏感信息

相关厂商：慧聪网

漏洞作者： 路人甲

提交时间：2015-11-21 16:34

修复时间：2016-01-11 15:32

公开时间：2016-01-11 15:32

漏洞类型：设计缺陷/逻辑错误

危害等级：低

自评Rank：3

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0154563"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云