Vulnerability Summary

Defect ID: wooyun-2015-0136171

Title: Oeeee.com main site allows credential stuffing against user accounts (proof via successful logins)

Vendor: 广东南都全媒体网络科技有限公司

Author: 路人甲

Submitted: 2015-08-23 11:55

Fix deadline: 2015-08-28 11:56

Published: 2015-08-28 11:56

Type: Design flaw / logic error

Severity: High

Self-assessed Rank: 19

Status: Vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability Details

Disclosure status:

2015-08-23: Details sent to the vendor, awaiting vendor handling
2015-08-28: Vendor deliberately ignored the vulnerability; details disclosed to the public

Summary:

Oeeee.com main site allows credential stuffing against user accounts (proof via successful logins)

Detailed description:

The login-form interface of the oeeee.com main site (http://www.oeeee.com) imposes no restriction on login attempts.

1.png


Username and password are both transmitted in plaintext.

2.png


After setting the request variables, a credential-stuffing test was run; the accounts that logged in successfully served as proof.



Login test proof:

3.png


4.png


5.png
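The report's finding is that the login endpoint places no limit on attempts, which is exactly what lets an attacker replay leaked email/password pairs. As an added example that is not part of the original report, the detector below runs over constructed web auth-log lines (the `<ts> <src_ip> LOGIN <user> <ok|fail>` format and the thresholds are assumptions) and flags a source that cycles through many distinct accounts with a high failure ratio inside a sliding window, the signature of stuffing rather than one user mistyping a password.

```python
"""Credential-stuffing detector over login logs (added example, not from the report)."""
from collections import defaultdict, deque

WINDOW_SECONDS = 60      # sliding window per source IP (assumed tuning value)
MIN_DISTINCT_USERS = 5   # distinct accounts tried before stuffing is suspected
MIN_FAIL_RATIO = 0.8     # failures / attempts within the window


def parse_line(line):
    """Parse '<ts> <src_ip> LOGIN <user> <ok|fail>' (assumed log format)."""
    ts, ip, _, user, result = line.split()
    return int(ts), ip, user, result == "ok"


def find_stuffing_sources(lines):
    """Return {ip: (distinct_users, attempts, failures)} for sources that match.

    A source is flagged once, within WINDOW_SECONDS, it has tried at least
    MIN_DISTINCT_USERS different accounts and most attempts failed. Successful
    logins still count toward the window, so an attacker who hits a few valid
    pairs among many misses is caught as well.
    """
    per_ip = defaultdict(deque)  # ip -> deque of (ts, user, ok) inside the window
    flagged = {}
    for line in lines:
        ts, ip, user, ok = parse_line(line)
        q = per_ip[ip]
        q.append((ts, user, ok))
        while q and ts - q[0][0] > WINDOW_SECONDS:  # expire old attempts
            q.popleft()
        users = {u for _, u, _ in q}
        failures = sum(1 for _, _, k in q if not k)
        if len(users) >= MIN_DISTINCT_USERS and failures / len(q) >= MIN_FAIL_RATIO:
            flagged[ip] = (len(users), len(q), failures)
    return flagged


# Constructed sample log: one IP cycling through leaked pairs, one real user retrying.
SAMPLE_LOG = [
    "1000 203.0.113.9 LOGIN u1@example.com fail",
    "1001 203.0.113.9 LOGIN u2@example.com fail",
    "1002 203.0.113.9 LOGIN u3@example.com ok",
    "1003 203.0.113.9 LOGIN u4@example.com fail",
    "1004 203.0.113.9 LOGIN u5@example.com fail",
    "1005 203.0.113.9 LOGIN u6@example.com fail",
    "1010 198.51.100.4 LOGIN alice@example.com fail",
    "1011 198.51.100.4 LOGIN alice@example.com fail",
    "1012 198.51.100.4 LOGIN alice@example.com ok",
]

if __name__ == "__main__":
    print(find_stuffing_sources(SAMPLE_LOG))  # {'203.0.113.9': (6, 6, 5)}
```

The same per-source counters can drive the missing mitigation: once a source is flagged, the login handler should require a CAPTCHA or temporarily refuse further attempts from it, and the endpoint should be served over HTTPS so the plaintext credentials noted above are not exposed in transit.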

Proof of vulnerability:

(Same content as the detailed description above.)

Suggested fix:

Handing out 19 Rank won't get anyone pregnant.

Copyright notice: when reposting, please credit the source as 路人甲@乌云


Vulnerability Response

Vendor response:

Severity: No impact, ignored by vendor

Ignored at: 2015-08-28 11:56

Vendor reply:

Vulnerability Rank: 4 (WooYun assessment)

Latest status:

None