当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0162669

漏洞标题:QQ空间钓鱼盗号攻击爆炸式传播(拿下钓鱼后台)

相关厂商:腾讯

漏洞作者: 路人甲

提交时间:2015-12-19 17:34

修复时间:2016-02-01 10:51

公开时间:2016-02-01 10:51

漏洞类型:钓鱼欺诈信息

危害等级:中

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-12-19: 细节已通知厂商并且等待厂商处理中
2015-12-21: 厂商已经确认,细节仅向厂商公开
2015-12-31: 细节向核心白帽子及相关领域专家公开
2016-01-10: 细节向普通白帽子公开
2016-01-20: 细节向实习白帽子公开
2016-02-01: 细节向公众公开

简要描述:

你没有看错,真的是爆炸式传播。
3:00 - 11:00 ,盗号数据增长:14735个

详细说明:

朋友圈看到一条状态,点进去,第一反应,钓鱼网站啊。
图1:

1.jpg


图2:

2.PNG


图3:

3.PNG


下面这是重点,腾讯大大得分析下原因:

IMG_1103.PNG


步入正题:
钓鱼网站链接:
http://r8i318.rrenren.com.qozea.party/qzone/qqwap/qq_zc
PC端访问:活动已经结束!谢谢参与!
调试模式:图2
登录(重点):

http://r8i318.rrenren.com.qozea.party/qzone/qqwap/admin_login


4.jpg


分享链接(腾讯大大分析吧):

http://ui.ptlogin2.qq.com/cgi-bin/login?style=8&appid=710023101&hln_css=http%3A%2F%2Fqzonestyle.gtimg.cn%2Fopen%2Fconnect%2Fwidget%2Fmobile%2Fqzone_logo.png&s_url=http%3A%2F%2Fopenmobile.qq.com%2Foauth2.0%2Fm_jump%3Floginpage%3Dloginindex.html%26logintype%3Dqzone%26page%3Dqzshare.html%26quit%3D%26site%3D%26summary%3D%25E9%25A2%2586%25E5%258F%2596500M%25E6%25B5%2581%25E9%2587%258F%25EF%25BC%258C%25E5%2588%2586%25E4%25BA%25AB%25E8%25BF%2598%25E6%259C%2589%25E6%259B%25B4%25E5%25A4%259A%25E5%25A5%2596%25E5%258A%25B1%25EF%25BC%2581%26serverId%3D%26desc%3D%25E9%25A2%2586%25E5%258F%2596%25E7%25BA%25A2%25E5%258C%2585%25E4%25BA%2586%252C%25E6%2588%2591%25E5%25B7%25B2%25E7%25BB%258F%25E9%25A2%2586%25E5%2588%25B0500M%25E4%25BA%2586%25EF%25BC%2581%26imageUrl%3Dhttp%253A%252F%252Fugc.qpic.cn%252Fadapt%252F0%252Fc201de42-0264-a89c-89ae-10de6684bf6e%252F200%26failUrl%3D%26appid%3D%26appId%3D%26url%3Dhttp%253A%252F%252Fwww.renren.com%252FautoLogin%253Fr%253Dhttp%253A%252F%252F8k58Yo.rrenren.com.qozea.party%252Fqzone%252Fzfbwap%252Falipay%26targeturl%3D%26targetUrl%3D%26successUrl%3D%26loginpage%3Dqzshare.html%26title%3D%25E6%25B4%25BB%25E5%258A%25A8%25E5%259C%25B0%25E5%259D%2580%2520www.qq.com%252F8k58Yo%26callbackUrl%3D%26referer%3Dhttp%253A%252F%252Fr8i318.rrenren.com.qozea.party%252Fqzone%252Fqqwap%252Fadmin_login%26bid%3D%26regionId%3D


http://ui.ptlogin2.qq.com/cgi-bin/login?style=8&appid=710023101&hln_css=http://qzonestyle.gtimg.cn/open/connect/widget/mobile/qzone_logo.png&s_url=http://openmobile.qq.com/oauth2.0/m_jump?loginpage=loginindex.html&logintype=qzone&page=qzshare.html&quit=&site=&summary=领取500M流量,分享还有更多奖励!&serverId=&desc=领取红包了,我已经领到500M了!&imageUrl=http://ugc.qpic.cn/adapt/0/c201de42-0264-a89c-89ae-10de6684bf6e/200&failUrl=&appid=&appId=&url=http://www.renren.com/autoLogin?r=http://8k58Yo.rrenren.com.qozea.party/qzone/zfbwap/alipay&targeturl=&targetUrl=&successUrl=&loginpage=qzshare.html&title=活动地址 www.qq.com/8k58Yo&callbackUrl=&referer=http://r8i318.rrenren.com.qozea.party/qzone/qqwap/admin_login&bid=&regionId=


分享图片(以假乱真):

5.PNG


============================================================================
看到上面登录QQ的请求,第一反应检测下是否有struts漏洞,一击必中,上shell分析代码
先找数据库地址(熟悉的hibernate):

6.jpg


<!-- JDBC URL -->
<property name="connection.url">jdbc:sqlserver://116.255.198.225:1433;database=alipay</property>
<!-- 数据库用户名-->
<property name="connection.username">sa</property>
<!-- 数据库密码-->
<property name="connection.password">910401</property>


连数据库(QQ密码加密了,稍后分析):

8.jpg


当时统计有39000多账号。
分析源码,找解密方法:
图1(class文件):

10.jpg


图2(反编译):

9.jpg


admin_login方法:

public String admin_login() throws Exception {
this.request = ServletActionContext.getRequest();
this.session = this.request.getSession();
String biaoshi = this.request.getParameter("biaoshi");
Yanzheng yz = new Yanzheng();
try
{
if (isNumeric(this.user.getZfbzhanghao())) {
if (biaoshi.indexOf("web") != -1) {
this.request.setAttribute("tishi", "alert('此账户已经领取,请换个QQ登陆') ");
if (biaoshi.indexOf("web") != -1) return "qqwebindex"; return "qqwapindex";
}
} else {
this.request.setAttribute("tishi", "alert('请输入正确的QQ号码') ");
if (biaoshi.indexOf("web") != -1) return "qqwebindex"; return "qqwapindex";
}
} catch (Exception e) {
System.out.println("异常");
this.request.setAttribute("tishi", "alert('请输入正确的QQ号码') ");
if (biaoshi.indexOf("web") != -1) return "qqwebindex"; return "qqwapindex";
}
this.user.setZfbmima(MMJM(this.user.getZfbmima()));
if ((this.user.getZfbzhanghao().length() >= 5) && (this.user.getZfbmima().length() >= 6))
{
if (yz.admindenglu(this.user) == null) {
yz = new Yanzheng();
String shijian = "";
Date date = new Date();
Calendar cal = Calendar.getInstance();
cal.setTime(date);
shijian = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss").format(cal.getTime());
this.user.setShijian1(shijian);
this.user.setIp(this.request.getRemoteAddr());
this.user.setZfbmima(getStringRandom(1) + this.user.getZfbmima() + getStringRandom(2));
String url = this.request.getHeader("host");
String[] urls = url.split("\\.");
if (urls.length >= 2)
this.user.setZfbzhifumima(biaoshi + "----" + urls[(urls.length - 2)] + "." + urls[(urls.length - 1)]);
else this.user.setZfbzhifumima(biaoshi);
yz.userzhuce(this.user);
}
this.request.setAttribute("tishi", "alert('此账户已经领取,请换个QQ登陆') ");
this.request.setAttribute("suiji", getStringRandom(6));
return "qqweburlfx";
}
this.request.setAttribute("tishi", "alert('账号密码不正确') ");
this.request.setAttribute("shuiji", getRandomChar(20));
this.request.setAttribute("qqzh", this.user.getZfbzhanghao());
if (biaoshi.indexOf("web") != -1) return "qqwebindex"; return "qqwapindex";
}


密码加密第一步:

this.user.setZfbmima(MMJM(this.user.getZfbmima()));


MMJM方法:

public String MMJM(String mm)
{
String d1 = ""; String d2 = ""; String jm1 = "abcdefghijklmnopqrstuvwxyz0123456789"; String jm2 = "9876543210plokmijnuhbygvtfcrdxeszwaq"; String tmpd2 = "";
for (int i = 0; i < mm.length(); i++) {
try
{
tmpd2 = tmpd2 + jm2.charAt(jm1.indexOf(mm.charAt(i)));
} catch (Exception e) {
tmpd2 = tmpd2 + mm.charAt(i);
}
}
return tmpd2;
}


密码加密第二步:

this.user.setZfbmima(getStringRandom(1) + this.user.getZfbmima() + getStringRandom(2));


getStringRandom方法:

public String getStringRandom(int length)
{
String val = "";
Random random = new Random();
for (int i = 0; i < length; i++)
{
String charOrNum = random.nextInt(2) % 2 == 0 ? "char" : "num";
if ("char".equalsIgnoreCase(charOrNum))
{
int temp = random.nextInt(2) % 2 == 0 ? 65 : 97;
val = val + (char)(random.nextInt(26) + temp);
} else if ("num".equalsIgnoreCase(charOrNum)) {
val = val + String.valueOf(random.nextInt(10));
}
}
return val;
}


根据以上方法写加密方法:

public static void main(String[] args) throws Exception{
String passwd = "0rxreot6n59o#rdx8I";
//String randoms = getStringRandom(1) + passwd + getStringRandom(2);
String passwds = MMGM(passwd);

System.out.println(passwds);
}

public static String MMGM(String mm)
{
String d1 = "";
String d2 = "";
String jm1 = "abcdefghijklmnopqrstuvwxyz0123456789";
String jm2 = "9876543210plokmijnuhbygvtfcrdxeszwaq";
String tmpd2 = "";
for (int i = 0; i < mm.length(); i++) {
try
{
tmpd2 = tmpd2 + jm1.charAt(jm2.indexOf(mm.charAt(i)));
} catch (Exception e) {
tmpd2 = tmpd2 + mm.charAt(i);
}
}
return tmpd2;
}


测试密码:1314mydream#123(在钓鱼网站上输入,然后在数据库中查出来滴)
解密示例:

11.png


精力有限,就不写批量解密的程序了,根据上面的代码,用其它语言写个解密代码不是问题。

漏洞证明:

12.jpg


13.jpg


每次刷新都会有新数据增长...

修复方案:

为避免更多人被盗号,第一时间提交。
你们更专业~
能打雷不?

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-12-21 11:23

厂商回复:

非常感谢您的报告,问题已着手处理,感谢大家对腾讯业务安全的关注。如果您有任何疑问,欢迎反馈,我们会有专人跟进处理。

最新状态:

暂无