Vulnerability Summary

Defect ID: wooyun-2015-0157571

Title: Design flaw in a game login endpoint of 爆米花网 (Baomihua) allows credential stuffing against users

Vendor: 爆米花网 (Baomihua)

Author: 路人甲

Submitted: 2015-12-02 14:31

Fixed: 2016-01-16 14:46

Published: 2016-01-16 14:46

Type: Design flaw / logic error

Severity: Low

Self-assessed Rank: 3

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]


Vulnerability Details

Disclosure status:

2015-12-02: Details sent to the vendor; awaiting vendor action
2015-12-02: Vendor confirmed; details visible to the vendor only
2015-12-12: Details disclosed to core white hats and domain experts
2015-12-22: Details disclosed to regular white hats
2016-01-01: Details disclosed to trainee white hats
2016-01-16: Details disclosed to the public

Brief description:

Design flaw in a game login endpoint of 爆米花网 (Baomihua) allows credential stuffing against users

Detailed description:

At http://sq.baomihua.com/special/sq/SqRegistrar/sqlogin.aspx the login form has no CAPTCHA restriction.

01.png


The username and password are transmitted in plaintext.

02.png


Credential stuffing was tested against the site's users; a portion of the successful accounts is posted as proof:

oldtom	jillian	1842
152169 123456 1842
79021995 5201314 1854
253065265 111111 1855
476531330 5889282 1855
15415151 123456 1858
514500 514500 1861
312781856 2131099 1863
jyjzqz 3124058 1866
703848090 211314 1868
263854319 asdasd 1868
117119197 117119197 1871
363856496 363856496 1872
jinweize jinweize 1878
44256303 3421814 1878
china45 123456 1879
358056651 19850711 1880
534467355 8389055597 1884
11889955 123456 1888
4750082 6896020 1892
123457 123457 1894
ztchhh ztc1976 1894
honor521 honorren521 1909
46228306 840920 1913
123456q 123456 1913
159487 159487 1914
w123456 123456 1915
111333 111333 1918
262626 123456 1922
441739543 888520 1925
287432220 891109 1929
asdasdasd asdasdasd 1929
6063696 111111 1930
12345698 123456 1933
554971135 554971135 1934
706002842 334671697 1941
398112885 7758521 1941
1112323 111111 1942
chrisswy 920215 1944
282882758 13882559253 1945
512493320 6885872 1946
newgyward 19890917 1946
248142470 12935625 1946
75092136 lifuchao 1950
540511540 xuheyang 1951
1212121212 123456 1954
132156 123456 1957
44403434 62092833 1958
530911735 530911735 1958
57576732 37890503 1960
529246870 200771 1960
6567767 111111 1961
280854807 280854807 1962
nedved16 123456 1962
342343 123456 1965
654612 123456 1965
zhumama 123456 1965
1315633 123456 1969
516046088 123456 1970
717624132 15899382951 1970
38221413 38221413 1973
psufool psugmfv 1973
254808812 216087 1974
taishanrou routaishan 1974
20734743 20734743 1974
20734743 20734743 1974
584695367 247351063 1976
496896189 19901219 1980
542636 123456 1981
3698574 123456 1982
sfsefsf 123456 1985
zhaoechu 51751286000 1985
26152824 841113 1993
17916512 t17916512 1997
mowen123 mowen123 1998
vkbshfm 43674213 2004
1222445 8911604130 2004
4917363 4917363 2010
290885396 290885396 2012
156986264 32784341 2017
982454619 517661889 2018
131111111 111111 2022
378291322 wanwan 2024
t82870650 28199310 2024
654556195 5874623 2026
455602351 455602351 2030
597734332 13511728339 2030
224747191 6663145 2037
zhaoqiang1109001 z731109z 2037
408669721 2910983 2040
121727684 121727684 2042
632340936 1314520 2046
lichengyi7260 lichengyi 2065
331828797 7788521 2115
136320579 306634833 2160
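The report names two missing controls on the login endpoint: nothing slows down repeated attempts, and credentials travel unencrypted. As an added example (not code from the report, the reporter, or Baomihua), the following Python sketch shows the throttling half of the fix replayed against constructed authentication logs. It keeps two sliding-window counters: a per-account failure threshold that demands a CAPTCHA, and a per-source check that recognises the credential-stuffing pattern itself, many failures spread over many distinct accounts from one address. The second check matters because stuffing tries each leaked pair once, so a per-account lockout alone never fires. The log format, thresholds, addresses, account names and function names are all assumptions made for the illustration.

```python
"""Credential-stuffing guard for a login endpoint: per-source and per-account
throttling over a sliding window, replayed against constructed auth logs.

Added example for this report; not code from the vendor or the reporter.
Log format, thresholds and all names below are illustrative assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # sliding window shared by all counters
MAX_FAILS_PER_IP = 10           # failed logins from one source in the window...
MIN_DISTINCT_USERS = 5          # ...spread over this many accounts => stuffing
MAX_FAILS_PER_USER = 3          # failures on one account => require a CAPTCHA

# Constructed sample log: "<ISO timestamp> <source IP> <username> <OK|FAIL>".
# 203.0.113.7 walks a leaked list (one try per account, a couple of hits);
# 192.0.2.9 hammers a single account; the last line is the first source
# coming back after its window has expired.
SAMPLE_LOG = """\
2015-12-02T14:30:00 203.0.113.7 acct01 FAIL
2015-12-02T14:30:01 203.0.113.7 acct02 FAIL
2015-12-02T14:30:02 203.0.113.7 acct03 FAIL
2015-12-02T14:30:03 203.0.113.7 acct04 OK
2015-12-02T14:30:04 203.0.113.7 acct05 FAIL
2015-12-02T14:30:05 203.0.113.7 acct06 FAIL
2015-12-02T14:30:06 203.0.113.7 acct07 FAIL
2015-12-02T14:30:07 203.0.113.7 acct08 FAIL
2015-12-02T14:30:08 203.0.113.7 acct09 OK
2015-12-02T14:30:09 203.0.113.7 acct10 FAIL
2015-12-02T14:30:10 203.0.113.7 acct11 FAIL
2015-12-02T14:30:11 203.0.113.7 acct12 FAIL
2015-12-02T14:30:12 203.0.113.7 acct13 FAIL
2015-12-02T14:30:13 203.0.113.7 acct14 FAIL
2015-12-02T14:30:20 192.0.2.9 bob FAIL
2015-12-02T14:30:21 192.0.2.9 bob FAIL
2015-12-02T14:30:22 192.0.2.9 bob FAIL
2015-12-02T14:30:23 192.0.2.9 bob FAIL
2015-12-02T14:37:00 203.0.113.7 acct15 FAIL
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, user, success)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


class LoginGuard:
    def __init__(self):
        self.fails_by_ip = defaultdict(deque)    # ip -> deque of (ts, user)
        self.fails_by_user = defaultdict(deque)  # user -> deque of ts

    @staticmethod
    def _prune(dq, now, ts_of):
        # Drop entries that have fallen out of the sliding window.
        while dq and now - ts_of(dq[0]) > WINDOW:
            dq.popleft()

    def check(self, now, ip, user):
        """Verdict for an attempt, taken before the password is verified."""
        ip_q = self.fails_by_ip[ip]
        self._prune(ip_q, now, lambda e: e[0])
        user_q = self.fails_by_user[user]
        self._prune(user_q, now, lambda t: t)
        distinct = len({u for _, u in ip_q})
        if len(ip_q) >= MAX_FAILS_PER_IP and distinct >= MIN_DISTINCT_USERS:
            return "block"       # many accounts from one source: stuffing
        if len(user_q) >= MAX_FAILS_PER_USER:
            return "challenge"   # one account under guessing: CAPTCHA
        return "allow"

    def record_failure(self, now, ip, user):
        self.fails_by_ip[ip].append((now, user))
        self.fails_by_user[user].append(now)


def replay(log_text):
    """Run the guard over a log and return [(ip, user, verdict), ...]."""
    guard = LoginGuard()
    verdicts = []
    for line in log_text.strip().splitlines():
        ts, ip, user, ok = parse_line(line)
        verdict = guard.check(ts, ip, user)
        verdicts.append((ip, user, verdict))
        if not ok:  # blocked attempts still count as failures
            guard.record_failure(ts, ip, user)
    return verdicts


if __name__ == "__main__":
    for ip, user, verdict in replay(SAMPLE_LOG):
        print(f"{ip:14} {user:8} {verdict}")
```

In the replay, the list-walking source is allowed for its first twelve attempts, including the two that succeed, and is blocked only once ten failures across ten accounts have accumulated; the single-account guesser is challenged on its fourth try without ever tripping the per-source rule. The final line shows the caveat of a purely window-scoped counter: once the window drains the source is allowed again, so a production deployment would pair this with longer bans or alerting on the "block" verdict. None of this addresses the plaintext transmission the report also notes; that requires serving the login page and its form submission over TLS.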

Proof of vulnerability:

Same as the detailed description above.

Fix recommendation:

Encrypt the credentials in transit.

Copyright notice: when reproducing, please credit the source as 路人甲@乌云 (WooYun).


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2015-12-02 14:44

Vendor reply:

Confirmed; a fix is in progress!

Latest status:

None yet