
Vulnerability summary

Defect ID: wooyun-2015-0120947

Title: Design flaw in 蚂蚁短租 (Mayi Duanzu) leaks a large amount of user information

Affected vendor: 赶集网 (Ganji)

Author: 路人甲

Submitted: 2015-06-17 10:15

Fixed: 2015-08-01 10:24

Published: 2015-08-01 10:24

Vulnerability type: design flaw / logic error

Severity: medium

Self-assessed rank: 10

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-06-17: details sent to the vendor, awaiting vendor action
2015-06-17: vendor confirmed; details visible to the vendor only
2015-06-27: details disclosed to core white hats and experts in the relevant field
2015-07-07: details disclosed to regular white hats
2015-07-17: details disclosed to intern white hats
2015-08-01: details disclosed to the public

Brief description:

Detailed description:

1. Log in on the main site, choosing the 蚂蚁 (Mayi) account login. There is no CAPTCHA; capture the login request.

1.png


2. The password is sent as an MD5 hash, so use Burp to MD5-hash the payload.

3.png


3. Proof that the accounts belong to real users

4.png


5.png


6.png


4. Now, please add login attempt limiting.


Proof of vulnerability:

Remediation:

Copyright notice: when reposting, credit the source 路人甲@乌云 (WooYun)
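The report leaves the remediation section blank, and step 4 asks for login attempt limiting. The sketch below is an added example, not code from the report or from 蚂蚁短租/赶集网: a sliding-window failure counter keyed by both account and source IP that escalates to a CAPTCHA and then a block, so neither spraying one account from many sources nor walking a credential list from one source goes unchecked. Thresholds, key names and the remark about a shared store are assumptions.

```python
# Added example (not the report's or vendor's code): login throttle of the kind
# step 4 asks for. Thresholds and key naming are assumptions.
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window failure counter keyed by account and by source IP.
    Per-account counting catches spraying one account from many sources; per-IP
    counting catches one source walking a credential list. In production the
    counters would live in a shared store (e.g. Redis), not process memory."""

    def __init__(self, max_fails=5, captcha_after=3, window=600.0):
        self.max_fails, self.captcha_after, self.window = max_fails, captcha_after, window
        self._fails = defaultdict(deque)     # key -> timestamps of recent failures

    def _recent(self, key, now):
        q = self._fails[key]
        while q and now - q[0] >= self.window:   # drop failures outside the window
            q.popleft()
        return len(q)

    def check(self, account, ip, now):
        """Decide before verifying the password: 'allow', 'captcha' or 'block'."""
        worst = max(self._recent("acct:" + account, now), self._recent("ip:" + ip, now))
        if worst >= self.max_fails:
            return "block"
        return "captcha" if worst >= self.captcha_after else "allow"

    def record(self, account, ip, success, now):
        """Call after verification. A success clears only the account counter, so
        one valid login from a spraying IP does not refill that IP's budget."""
        if success:
            self._fails.pop("acct:" + account, None)
        else:
            self._fails["acct:" + account].append(now)
            self._fails["ip:" + ip].append(now)


def simulate_credential_list(n_attempts):
    """Constructed scenario: one IP tries n distinct accounts one second apart,
    every password wrong. Returns how many attempts got each decision; with the
    defaults the 4th and 5th tries need a CAPTCHA and the 6th onward are blocked."""
    t = LoginThrottle()
    counts = {"allow": 0, "captcha": 0, "block": 0}
    for i in range(n_attempts):
        account, ip, now = f"user{i}@example.com", "203.0.113.7", float(i)
        decision = t.check(account, ip, now)
        counts[decision] += 1
        if decision != "block":              # blocked attempts never reach the verifier
            t.record(account, ip, False, now)
    return counts
```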


Vulnerability response

Vendor response:

Severity: medium

Vulnerability rank: 8

Confirmed: 2015-06-17 10:22

Vendor reply:

Thank you very much for your report. We have started working on the issue, and we appreciate everyone's attention to the security of our business. If you have any questions, please let us know; a dedicated person will follow up.

Latest status:

None yet