
Vulnerability summary

Defect ID: wooyun-2015-0114408

Title: An Anjuke system is brute-forceable

Vendor: Anjuke

Author: 鸟云厂商

Submitted: 2015-05-18 10:08

Fixed: 2015-07-02 10:34

Published: 2015-07-02 10:34

Type: Design flaw / logic error

Severity: High

Self-assessed rank: 12

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-05-18: Details reported to the vendor; awaiting vendor action
2015-05-18: Vendor confirmed; details disclosed to the vendor only
2015-05-28: Details disclosed to core white hats and domain experts
2015-06-07: Details disclosed to regular white hats
2015-06-17: Details disclosed to intern white hats
2015-07-02: Details disclosed to the public

Summary:

An Anjuke system is brute-forceable.

Details:

This effectively means the main site's login interface is brute-forceable. = =
Login for the 中国网络经纪人 (China Online Real-Estate Broker) platform:
http://my.anjuke.com/login
POST http://my.anjuke.com/usercenter/login
DATA loginpost=1&formhash=&sid=anjukemy&url=******&systemtime=1431703368&frombroker=1&act=login&username=******&password=123456&history=
There is no verification and no rate limiting; testing against a portion of the users turned up several hundred weak passwords (123456).

Screenshot 2015-05-15 11.32.57 PM.png
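The login endpoint above accepted unlimited attempts, which is why a single password could be sprayed across the user list. The following Python is an added example, not code from the report or from Anjuke: it shows the two server-side controls the report says are missing (a sliding-window throttle keyed on source IP and on username, applied before the password is verified) and the matching detection on the log side (a spray detector that flags a source failing against many distinct usernames in a short window). The log format, the IP addresses, the usernames `brokerNN`/`agent_a` and the thresholds (20 attempts per minute per IP, 5 per 5 minutes per username, 10 distinct users per 10 minutes to alert) are all constructed assumptions; only the endpoint path and the `systemtime` value come from the report.

```python
"""Login throttling and password-spray detection, modelled on the
POST /usercenter/login form described in the report.

Added example, not code from the original report or from Anjuke. The log
format, IP addresses, usernames and thresholds are constructed.
"""
import re
from collections import Counter, defaultdict, deque


class SlidingWindowThrottle:
    """Allow at most max_attempts per key in any window_s-second window.
    Timestamps are kept in a deque per key; stale ones are dropped on use."""

    def __init__(self, max_attempts, window_s):
        self.max_attempts = max_attempts
        self.window_s = window_s
        self._hits = defaultdict(deque)

    def allow(self, key, now):
        q = self._hits[key]
        while q and now - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= self.max_attempts:
            return False
        q.append(now)
        return True


class LoginGate:
    """Throttle applied before the password is checked. The per-IP limit stops
    one source spraying a single password across many usernames; the
    per-username limit stops a dictionary attack on one account even when it
    is spread over many IPs. Thresholds are illustrative assumptions."""

    def __init__(self, ip_limit=(20, 60), user_limit=(5, 300)):
        self.by_ip = SlidingWindowThrottle(*ip_limit)
        self.by_user = SlidingWindowThrottle(*user_limit)

    def permit(self, ip, username, now):
        if not self.by_ip.allow(("ip", ip), now):
            return "blocked_ip"
        # Normalise the username so case variants share one counter.
        if not self.by_user.allow(("user", username.strip().lower()), now):
            return "blocked_user"
        return "allow"


def simulate(gate, attempts):
    """attempts: iterable of (ip, username, now). Returns a Counter of decisions."""
    return Counter(gate.permit(ip, user, now) for ip, user, now in attempts)


# Constructed log format: <ip> <epoch> "<request>" <status> user=<u> result=<ok|fail>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ts>\d+) "POST /usercenter/login" (?P<status>\d{3}) '
    r'user=(?P<user>\S+) result=(?P<result>ok|fail)$'
)

BASE_TS = 1431703368  # the systemtime value quoted in the report's POST body


def constructed_log():
    """Sample lines: one source trying one password against 13 accounts in
    under half a minute, and one user mistyping twice before logging in."""
    lines = []
    for i in range(12):
        lines.append(f'203.0.113.10 {BASE_TS + 2 * i} "POST /usercenter/login" 200 '
                     f'user=broker{i:02d} result=fail')
    lines.append(f'203.0.113.10 {BASE_TS + 24} "POST /usercenter/login" 200 '
                 f'user=broker12 result=ok')
    for j, result in enumerate(("fail", "fail", "ok")):
        lines.append(f'198.51.100.7 {BASE_TS + 5 * j} "POST /usercenter/login" 200 '
                     f'user=agent_a result={result}')
    return lines


def detect_spray(lines, window_s=600, min_users=10):
    """Return {ip: peak number of distinct usernames that failed from that ip
    within any window_s window} for ips reaching min_users. Counting distinct
    usernames rather than attempts separates spraying from one user retrying."""
    fails = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["result"] == "fail":
            fails[m["ip"]].append((int(m["ts"]), m["user"].lower()))
    flagged = {}
    for ip, events in fails.items():
        events.sort()
        in_window, left, peak = Counter(), 0, 0
        for ts, user in events:
            in_window[user] += 1
            while ts - events[left][0] >= window_s:
                old = events[left][1]
                in_window[old] -= 1
                if not in_window[old]:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_users:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    print("spray detected:", detect_spray(constructed_log()))
    print("gate vs spray:", simulate(LoginGate(),
          [("203.0.113.10", f"broker{i:02d}", 1000 + i) for i in range(25)]))
```

Run as a script to see both checks against the constructed log. Note that a per-account lockout alone would not have stopped the attack in the report, because each account sees only one attempt; that is why the gate also limits per source IP and why the detector counts distinct usernames per source rather than attempts per account.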


Reviewers, please help mask the code area. Thanks!

zhouyuanyuan
jiangwencong
wanggaoxiang
chenmingyang
wangshangyou
zhangxueyuan
liufengjuan
wanglongjun
zhangpengfei
chenrongwei
wanghaining
huangsiyuan
zhangzhiyong
jiangyuanyuan
liuxinliang
chenxiuying
jiangxuejiao
zhoujinlong
linjianbin
zhaozhihui
guyingying
zhanghaiyan
wanqingyun
changxiang
chunchunli
zhangxianli
wangwenjia
zhanghuijun
zhouxiangyu
wangyuying
zhangjianguo
liqingfang
lizhuqing
liuyunlong
wangliuhui
lihuadong
zhangxinye
zhangwei1
zhouyaqin
wangguilin
xuxiaojing
zhangweimin
zhuxiaofei
anitading
vikizhong
yangxiaoli
koudeming
quanzhong
zhaoguowei
liuyuanyuan
fanweiguo
zhangailing
chennannan
wangguirong
lixiaohong
tuhaiyan
yangming1
zhanglei2
kailazhao
zhoucheng
liyuanyuan
liuzhenyu
jessiejia
wentaolu
jerrycai
liqiuhong
lizhigang
zhuanghui
lichunhui
wangyumei
chenqiang
wanglijuan
wangdandan
huangshi
liuweiwei
zhangxiao
linqiong
gongguan
tangyang
zhangsan
zhangrq
zhangchao
hujialing
wangzheng
geshijie
zhouquan
huichen
suhuiliu
rockywu
madandan
ronglei
lianmeng
huangwb
li_gang
weiyuan
zhoushuo
yuanzhen
wangpeng
zhangling
zhanghao
hongkong
test12345
dlcheng
chenghao
chenyao
dongjing
jiangwei
lijunmei
qinxuan
wangchao
wangnan
zhoujing
gaojian
lijunli
chenhf
chengq
zhuqiang
hongbh
tiankun
shiyong
zhuanyi
zhangjl
zhangts
chenlan
lihaijun
fuzheng
tanjing
lilyhao
yancywu
huiwang
zhoujian
zhangkai
fangyan
huangxh
huangyl
shaohm
wangjue
songty
yangby
zhangcf
baofeng
appledu
wangfang
wanglili
ivanhe
test1234
tianmiao
zyzhang
wcheng
dengli
luocong
wanglu
wenyun
yaojia
chenpu
fapiao
hanyt
liuchq
shenhe
wangtf
xiekun
zhujin
ziliao
lmfang
yangfei
guosha
maojh
majing
qiluo
weilin
suyong
shiqu
dinglei
li_wei
fanglu
huangying
chenym
yangliu
chenfei
chenhui
wanghx
yangxue
caopei
lcheng
daiwen
shiwei
xunan
wangfei
yutian
liting
liuyj
xuxw
wangli
gaoyang
zhuyun
baiyu
nangua
sunwei
leader
all1
liuyg
liujun
wangyan
cuikai
hujun
macl
liukun
xurui
liuxin
wangxy
liujie
yangch
atc
hejin
silina
malin
nali
zhxw
baidu
cailei
mayy
zshy
liyu
humin
felix
ddc
liuj
wulu
xulei
lilin
sunbo
hr1
liudy
sale
liuna
pli
cheng
lwy
itil
wangbo
xxm
jzz
dan
zhang
hls
libo
cjf
dev
wym
zxh
zjs
ghd
zhb
wyt
zqd
cai
hyf
aec
lihua
cxy
aixi
bxy
xj
kj
blog
bi
mj
ty
jr
cc
test
love

Proof of vulnerability:

These accounts are shared with the main site accounts.

Screenshot 2015-05-15 11.28.36 PM.png


Screenshot 2015-05-15 11.29.02 PM.png


Screenshot 2015-05-15 11.29.22 PM.png


Remediation:

Copyright notice: when reposting, please credit the source: 鸟云厂商@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability rank: 15

Confirmed: 2015-05-18 10:33

Vendor reply:

Thank you for supporting Anjuke!

Latest status:

None