
Vulnerability summary (followers: 24)

Defect ID: wooyun-2015-0112024

Title: 网易 (NetEase): a key login interface is open to credential stuffing and leaks user login credentials (bulk accounts as proof)

Vendor: 网易 (NetEase)

Author: 路人甲

Submitted: 2015-05-04 19:30

Fix time: 2015-05-05 10:56

Published: 2015-05-05 10:56

Type: design flaw / logic error

Severity: high

Self-assessed Rank: 18

Status: vendor notified, vendor ignored the vulnerability

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-05-04: details sent to the vendor, awaiting vendor action
2015-05-05: vendor chose to ignore the vulnerability; details disclosed to the public

Brief description:

Credential stuffing (撞库扫号) is listed among the Top 10 Security Risks for 2014. It relies on large volumes of leaked user data and on users' habit of registering everywhere with the same username and password: leaked pairs are simply replayed against other sites' login endpoints. The 2011 wave of database leaks shook the whole security community and showed that plain username-plus-password authentication no longer meets current needs. The leaked data included Tianya (天涯) 31,758,468 rows, CSDN 6,428,559, Weibo (微博) 4,442,915, Renren (人人网) 4,445,047, Mop (猫扑) 2,644,726, 178 9,072,819, Duduniu (嘟嘟牛) 13,891,418 and 7K7K 18,282,404, roughly 91 million rows in these eight dumps alone (the report puts the overall total at 120 million). However well a site protects the passwords it stores, it still faces credentials that have already leaked elsewhere, so defending against credential stuffing is an essential control in its own right.

Detailed description:

The main-site login interface has no defense against credential stuffing: calls to the login endpoint are not rate-limited in any way. Testing showed that replaying a leaked credential database against it yields a large number of valid login accounts. Because NetEase accounts are single sign-on, each valid pair grants access to every linked system, including Weibo, the blog platform and mail. The captured login request is shown below:

POST /logins.jsp HTTP/1.1
Host: reg.163.com
Connection: close
Content-Length: 230
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://www.163.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://www.163.com/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: usertrack=c+5+hVVAxQLBxR9jBeWgAg==; _ntes_nnid=4fc0b7199a1c9834e05c0d696f1cb9ea,1430308107352; SID=a8ff61f3-e067-46cd-9c83-0b8f7d314f9a; _ntes_nuid=4fc0b7199a1c9834e05c0d696f1cb9ea; Province=0571; City=0571; vjuids=eb751fe52.14d05bd1d69.0.e1a6c9db; JSESSIONID=dacaeQeXDF-5IbyK9xi0u; T_INFO=CE1F7243882AAA0FEBB261E71A3B9FA41F903565B4C9497BE810CD4E3FDFD8878098BA0EB3F9DE7E303573B8C0BB5B31EF33BC42C912FF0C2D77EE9BB51D0928; ui_tip_cookie=xzou@21cn.com%261%261%260%7Cshmilyclytze@yeah.net%261%261%260%7C; URS_Analyze=1; ne_analysis_trace_id=1430728079918; pver_n_f_l_n3=a; n_ht_s=1; P_INFO=shmilyclytze@yeah.net|1430721918|2|urs|10&15|not_found&1430721790&163#zhj&330100#0#0#0|151519&0|163&urs|shmilyclytze@yeah.net; vjlast=1430320389.1430728080.13; vinfo_n_f_l_n3=efd1f43a14527912.1.0.1430320389504.0.1430728196488; s_n_f_l_n3=efd1f43a145279121430320389505
RA-Ver: 2.10.0
RA-Sid: 7B9DD012-20150303-080129-82895f-fb68a9
AlexaToolbar-ALX_NS_PH: AlexaToolbar/alxg-3.3
username=570138905@qq%2ecom&password=wxl5927101&type=1&product=163&savelogin=0&url=http%3A%2F%2Fwww.163.com%2Fspecial%2F0077450P%2Flogin_frame.html&url2=http%3A%2F%2Fwww.163.com%2Fspecial%2F0077450P%2Flogin_frame.html&noRedirect=1

Proof of vulnerability:

Replaying a leaked credential database against the endpoint produced a large number of valid login accounts. The confirmed account/password pairs:

ahbbliuhm@163.com	lhm32411111
jiangjuncool2008@sina.com jun13788578250
njyc_zhuhancheng@126.com njzhu045
justdoityzh@yeah.net jjzj334553086
weinastory29@126.com wn1000015218
jimmyzeng1004@126.com d3y47tjimmyzeng
shmilyclytze@yeah.net hewotiaowuba
keepinwithmyself@126.com 4034lj
menghuanqiuyue@126.com 13990844111
570138905@qq.com wxl5927101
ufo0112@sina.com Allen0112
bruce0com0cn@hotmail.com 11556688
linken1989@126.com n19880308n
huangtengqing@163.com 53286566
lzbsky2580@126.com lzb3227521
yanzhongsheng@126.com 198552200
agnes.lee@yeah.net 159357qtoetu
634645765@qq.com XRKSHI11
jay2006easonl@126.com jay998849888
xujiqian_5956@qq.com xujiqiang
sunyonghai559@gmail.com ilovewen99@
lijie_0316@126.COM qqq3394724
weiyong123.good@163.com ailing123
mail.liuli@gmail.com 19811103
sunrunbang@gmail.com hy1976109
37113519@qq.com 19870925
heliangri2009@126.com 08327656314
tz_wang@yeah.net zl191215
weichong666@163.com w270811c
redandelion@126.com 04151403
lele009wangxiang@163.com 13309492097
tengjianquanliuxia@163.com tjq19880219
lvhaixin@hotmail.com fox165910
oyzoyzoyz@yahoo.com.cn 85282465
wenhao7716@gmail.com zy840614
chenxiaofeng520@163.com 19900419
wangzhiguo_image@163.com 19780917
yanghailong5201@163.com 123456789
kero990@gmail.com 19831210
chenjinmyin@qq.com cheng911
yiyuxing_29@126.com 123yiyaa
judymaxiao@126.com 200853275214
1066578831@QQ.COM zzp19900919
kgi_hhy@yahoo.com.cn hjjzsf
jingke777771234@163.com jingjing
my_last_love@163.com 881129sjj
foyemeizhe@sina.com 2119861020
ssvod110@126.com 2007198817
916613618@qq.com 513148977
ilovexiaozhuzai@163.com xiaozhu1117
334897465@qq.com 5731381431
langhaitao.2008@163.com lang__1984
luoluo320@163.com 36991019s
thinboy@21cn.com shallin
kent1234562007@163.com kent123456
394646235@qq.com wdqq19870618
chifanlaha@yahoo.cn woaimama
610824453@qq.com 55036081
ni-aiwoma@126.com niaiwoma
475391161@QQ.COM 88995234
675262590@qq.com Jay261012
zhulaosi001@163.com 24248423
304016779@qq.com hj8229651
513072290@qq.com z19891110
maplekurt@163.com feng_1321
774727705@qq.com wxy3844989
183059067@qq.com becky362329
293448308@qq.com LWZL139791
603029359@qq.com 85651051
369756826@qq.com 6967446sky
309711878@qq.com laure9797
450616144@qq.com a34416912
lxs2liweilxs@163.com lw198718
w2212886@163.com y2212886
854905374@qq.com pa87722857
523489309@qq.com kaaiqkwmmo
58664201@QQ.com 68728883
kevinke_82@yahoo.cn !qazxsw@
461564869@qq.com 46731007
jjdyl2@126.com 19761102
378493553@qq.com QJJ0325521140
qwezxc3020@sina.com 79532448
zx466427048@163.com 466427048
shlijun@126.com 671223
lanlan120190@163.com fengyu0515
13036718@qq.com aiwind1314
314225220@qq.com 19880623
lubony@sina.com 82250755
xyzlxw@21cn.com microlab
475712408@qq.com 1325747445
jianlin4.1@163.com q514082801
407604960@qq.com icc1234567
wh5355@gmail.com wanghao110
huangdexin83@163.com 813813813
734718161@qq.com 1030238333
yangyibo999@163.com 124592203
372490596@qq.com a3142895
774043804@qq.com ma2312251
ahzylok@163.com passwordkm
czzmj@126.com 30214401
304532576@qq.com 26362511
940659881@qq.com zw8112151
183889716@qq.com 123456as
canxue945@163.com 13580617139
15898858587@163.com sha543DAN521
n305185564n@163.com 305185564
qq378296678@163.com llg679865
12668975@qq.com chuanqicn
zcy4123@163.com greed4123
82000752@qq.com senaiqian
315769601@qq.com 63506729
blue1000100@163.com woainimabi
772409791@qq.com 19870424
348544218@qq.com liuxiao1991
912520555@qq.com nibiaoma
563378747@qq.com 820834502
gaol622@gmail.com gaoli123
598010251@qq.com kele0628
taofada1@163.com 74185288
404391922@qq.com hsb123569
529885364@qq.com 73366227
342557373@QQ.com 520bafndx
hyqclcls@163.com huayinqiu13579
4494454xqb@163.com 19850821
wgstudio@163.com king2000
scz210@163.com ossjzlzl
daweed.zhu@163.com zzw034012
shixianglx@163.com 4615182520
45647849@qq.com woaidudu
lht747@126.com lht237lht
liyangslam@163.com 1989527918911
165032704@qq.com 58929176
dtlyzx@126.com 0515-8106236
deet1@163.com 07307635920
408736638@163.com 123327854
425120438@qq.com fanchiqiang
huyin_ok@163.com huyin2915610
XMYXZ@126.COM XMYXZ197807
xc19820719@163.com 820719123
tangy799@163.com t123a456y
4171757197@163.com 1695174717
shxluog@163.com luo198706
leiman-1@163.com 19820425
cwho@21cn.com 65580321
zdf_aaa@163.com 7258725899
wjsth@qq.com sth198557
ego002@126.com thughero
babygirlhl@163.com senling52
btmguan@163.com 830814guan
jkjkjk09@163.com jkjkjk2009
lq_lxj@126.com 19840110
33553@163.com y90139529
hcc1989@163.com arsenal0577
xzou@21cn.com lordwolf
jy02192915@163.com ly86710467
a673634110@163.com 919293729
qslsist@163.com qushuliang0426
zhankay@163.com kaizhang
sd122__8@163.com 07178682
en8023em@163.com gaoermao
lawd@163.com yzhao888
abc_7768@163.com sy12345678
gbefg@163.com 1363916038
3461263@163.COM 13432438925


[Screenshots, not reproduced here: 屏幕快照 2015-05-04 下午2.46.08.png, 屏幕快照 2015-05-04 下午2.43.04.png, 屏幕快照 2015-05-04 下午2.40.21.png]


Fix suggestion:

Throttle calls to the login endpoint, per source IP and per account, instead of leaving it unrestricted as shown above. Reference material on credential-stuffing defense: http://stayliv3.github.io/2015/04/15/%E6%92%9E%E5%BA%93%E6%94%BB%E5%87%BB%E9%98%B2%E5%BE%A1%E6%96%B9%E6%A1%88/
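The throttle the fix calls for, as an added example that is not part of the report and not NetEase's code: a sliding-window guard in front of a login endpoint such as the /logins.jsp one captured above, replayed over constructed attempts that mimic the report's pattern (one try per leaked pair, many distinct usernames, one source IP). The thresholds, IP addresses, usernames and the three "valid" pairs are all assumed for illustration; the guard decides allow / captcha / block before the password is checked, and the replay counts how many valid pairs the caller gets to confirm with and without it.

```python
# Added example (not from the WooYun report or NetEase): credential-stuffing
# throttle for a login endpoint. All thresholds and sample data are assumed.
from collections import defaultdict, deque

WINDOW_SECONDS = 60
MAX_ATTEMPTS_PER_IP = 15        # any login calls from one source IP per window
MAX_DISTINCT_USERS_PER_IP = 5   # stuffing fans out over usernames; normal use does not
MAX_FAILURES_PER_ACCOUNT = 5    # per-account failure count that triggers step-up


class LoginThrottle:
    """Decides 'allow', 'captcha' or 'block' before the password is verified."""

    def __init__(self):
        self.ip_events = defaultdict(deque)      # ip -> deque[(ts, username)]
        self.acct_failures = defaultdict(deque)  # username -> deque[ts]

    @staticmethod
    def _prune(dq, now, key=lambda e: e):
        # Drop events that fell out of the sliding window.
        cutoff = now - WINDOW_SECONDS
        while dq and key(dq[0]) <= cutoff:
            dq.popleft()

    def decide(self, now, ip, username):
        user = username.lower()              # the dump mixes QQ.COM / qq.com spellings
        ev = self.ip_events[ip]
        self._prune(ev, now, key=lambda e: e[0])
        distinct_users = {u for _, u in ev}
        if len(ev) >= MAX_ATTEMPTS_PER_IP or len(distinct_users) >= MAX_DISTINCT_USERS_PER_IP:
            return "block"
        fails = self.acct_failures[user]
        self._prune(fails, now)
        if len(fails) >= MAX_FAILURES_PER_ACCOUNT:
            return "captcha"
        return "allow"

    def record(self, now, ip, username, decision, success):
        # Every call counts against the IP, so a block holds as long as the traffic does;
        # only attempts that reached the password check count as account failures.
        user = username.lower()
        self.ip_events[ip].append((now, user))
        if decision == "allow" and not success:
            self.acct_failures[user].append(now)


def replay(attempts, throttled=True):
    """attempts: iterable of (ts, ip, username, password_is_valid).
    Returns decision counts and how many valid pairs the caller confirmed."""
    guard = LoginThrottle()
    counts = defaultdict(int)
    confirmed = 0
    for ts, ip, user, ok in sorted(attempts):
        decision = guard.decide(ts, ip, user) if throttled else "allow"
        counts[decision] += 1
        if decision == "allow" and ok:
            confirmed += 1
        guard.record(ts, ip, user, decision, ok)
    return {"decisions": dict(counts), "valid_pairs_confirmed": confirmed}


# Constructed traffic (assumed, not captured). The stuffing source tries 20 leaked
# pairs once each within 20 seconds; 3 of them (i = 0, 7, 14) happen to be valid.
STUFFING_IP = "198.51.100.7"
STUFFING = [(i, STUFFING_IP, f"user{i}@example.com", i % 7 == 0) for i in range(20)]
# A legitimate user mistypes twice, then logs in from a home IP.
LEGIT = [(100, "203.0.113.5", "alice@example.com", False),
         (105, "203.0.113.5", "alice@example.com", False),
         (110, "203.0.113.5", "alice@example.com", True)]
# A brute-forcer hammering a single account from one IP.
SINGLE = [(200 + i, "192.0.2.9", "bob@example.com", False) for i in range(8)]
ALL_ATTEMPTS = STUFFING + LEGIT + SINGLE

if __name__ == "__main__":
    print("unthrottled:", replay(ALL_ATTEMPTS, throttled=False))
    print("throttled:  ", replay(ALL_ATTEMPTS))
```

The per-IP distinct-username fan-out is the signal that catches the report's pattern: a stuffing run sends one attempt per account, so a pure per-account lockout never fires, while the same source touching five different accounts inside a minute almost never happens in legitimate traffic. Unthrottled, the attacker confirms all three valid leaked pairs; with the guard, only the first five attempts reach the password check, so one pair is confirmed and the rest are blocked before verification.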

Copyright notice: when reposting, please credit the source as 路人甲@乌云


Vulnerability response

Vendor response:

Severity: no impact, vendor ignored

Ignored at: 2015-05-05 10:56

Vendor reply:

Thank you for your interest in NetEase!

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2015-05-05 15:14 | prolog ( regular white hat | Rank:544 vulns:107 | keeping a low profile, seeking growth)

    Ignored, 233

  2. 2015-05-06 09:51 | D&G ( regular white hat | Rank:523 vulns:103 | going)

    @疯狗 what happened to the promised automatic rank top-up mechanism~

  3. 2015-05-07 18:06 | 无力落地の白 ( intern white hat | Rank:48 vulns:19 | newbie)

    ...unbelievable, they don't even deal with this...