点点博客某接口设计不当可撞库（大量博客账号证明）

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0112510

漏洞标题：点点博客某接口设计不当可撞库（大量博客账号证明）

漏洞作者：路人甲

提交时间：2015-05-07 10:26

修复时间：2015-05-12 10:28

公开时间：2015-05-12 10:28

漏洞类型：设计缺陷/逻辑错误

危害等级：高

自评Rank：14

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-05-07：细节已通知厂商并且等待厂商处理中
2015-05-12：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

挖洞最苦逼的事莫过于编辑了半天的漏洞最后发现竟然不存在。。

详细说明：

http://www.diandian.com/login这个接口，也就是点点博客的主站登陆接口，可以看到这个登陆接口是没有任何限制的

然后直接抓包，发现用户名和密码全部明文传输

直接intruder开始撞库，可以看到结果

随便登陆几个看看，发现有很多活跃用户的哦：

博客撞库也不是小事哦~我登陆别人博客拥有别人博客的所有权利，发广告，找隐私，改信息之类的都可以哦，批量的话肯定影响很大。。

漏洞证明：

大量账号证明：

2947479@qq.com	920321	751
214804531@qq.com	ruguo0716	751
331371824@qq.com	qaz5989126	751
865599902@qq.com	1564335	751
thinker1000@qq.com	19871008	751
zxqcw@vip.qq.com	890605	751
85586231@qq.com	3881600	751
278915578@qq.com	zxc123	751
kofcs@qq.com	30122248	751
thomas_0836@qq.com	5201314	751
527505643@qq.com	527505643	751
262665776@qq.com	2814971	751
1380017@qq.com	liaokang	751
438101320@qq.com	111306117	751
6385383@qq.com	870530	751
304823296@qq.com	880815mark	751
lionfoo@qq.com	19840716	751
752257286@qq.com	zhangjiji	751
292988449@qq.com	8901349	751
shangshuobao@qq.com	shangshuo	751
511350076@qq.com	987536	751
316516008@qq.com	nesta13ac	751
249039454@qq.com	249039454	751
750675@qq.com	225227	751
173993210@qq.com	86223223	751
55357230@qq.com	19451314	751
381849780@qq.com	ll40251528	751
805543813@qq.com	lsmhwjcl	751
410968440@qq.com	84981987	751
526949272@qq.com	1234567	751
304472438@qq.com	8596630	751
88108146@qq.com	1988528mn	751
115675550@qq.com	904478	751
478356182@qq.com	999999999	751
souly@qq.com	13676385	751
bee_zz@qq.com	5252420	751
fansong6@qq.com	14091409	751
349284578@qq.com	yhb054790	751
cdblueing@qq.com	yuacce	751
517091110@qq.com	197368425	751
dark_lidan@qq.com	3171768	751
ddd@qq.com	111111	751
236056215@qq.com	2676269	751
123164362@qq.com	8965243	751
402342363@qq.com	199011	751
125945765@qq.com	linwehao	751
421666836@qq.com	5205899	751
125343616@qq.com	houshun	751
546862365@qq.com	5319673	751
373073749@qq.com	566512	751
274039372@qq.com	216422	751
77242964@qq.com	26305873	751
357967561@qq.com	19910829	751
49109890@qq.com	1987429	751
41068094@qq.com	6524861	751
80258648@qq.com	chengrui	751
vliancyz@vip.qq.com	7399390	751
20332733@qq.com	liuting1986	751
153821064@qq.com	7931129	751
xq289499769@qq.com	yjitxxkj	751
252000202@qq.com	8180355	751
tiaoqiang412364544@qq.com	495596323	751
371234151@qq.com	371234151	751
zjunovelty@qq.com	liuxinqi	751
552652814@qq.com	123456	751
iayb@qq.com	jianhu	751
baisuyi@qq.com	fenghen	751
1030445725@qq.com	3951332	751
34252792@qq.com	332503	751
215880635@qq.com	8187520	751
1106692@qq.com	aaron112345	751
43669207@qq.com	7715243	751
470833895@qq.com	123123	751
sl_ak47@qq.com	csllovevicky	751
42369790@qq.com	584121314	751
280602838@qq.com	su00000119	751
276571755@qq.com	198781	751
jiangqiang673690606@qq.com	520520	751
366337575@qq.com	366337575	751
576699127@qq.com	myshow1993216	751
794673027@qq.com	yecjun123	751
564748382@qq.com	789632145	751
445736451@qq.com	chy199494	751
168328641@qq.com	55881798	751
525517211@qq.com	880502	751
25696630@qq.com	891225	751
zhengjinjiang168@vip.qq.com	17671581	751
aa261315@qq.com	261315	751
490938345@qq.com	6868535	751
247103400@qq.com	444444	751
276042182@qq.com	870129	751
540902439@qq.com	3991654	751
17101962@qq.com	sun923	751
519673933@qq.com	66860062110	751
545013421@qq.com	smile88	751
253940898@qq.com	134679	751
51427557@qq.com	1988712	751
623052006@qq.com	1995824	751
272412979@qq.com	2550326	751
798229725@qq.com	456852	751
10375035@qq.com	1370958	751
312901237@qq.com	wangpeng	751
183503759@qq.com	mjj1114	751
yuzki@vip.qq.com	zcy163f	751
916639359@qq.com	w42278hw	751
380871803@qq.com	wzl1988	751
cwisme@qq.com	cwisme	751
417238288@qq.com	417238288	751
vvxue@qq.com	w2e3r4t5	751
470957882@qq.com	2855736	751
123584595@qq.com	qjwskln	751
wjl440@qq.com	5312900	751
76468642@qq.com	ck2426	751
330680486@qq.com	fog056	751
123@qq.com	123321	751
120732165@qq.com	remix1786	751
275484359@qq.com	6200174	751
umyba@qq.com	2585990	751
175411889@qq.com	1313xw	751
349486708@qq.com	61367230	751
511586093@qq.com	caojun	751
ltyashl@qq.com	13478134615	751
264216270@qq.com	gujiazhi	751
397356536@qq.com	wangkeke	751
331094629@qq.com	aa1987	751
296580574@qq.com	235813	751
527022396@qq.com	522522	751
805355030@qq.com	20080426	751
529546476@qq.com	taxili888	751
staridea@qq.com	liuqing	751
345613885@qq.com	22301991	751
240845773@qq.com	880103	751
77009833@qq.com	xiaoxin	751
jagut@qq.com	780329	751
393811743@qq.com	6716576	751
459264295@qq.com	lichen2006	751
370622014@qq.com	jiayu520	751
272110110@qq.com	87756445	751
123648262@qq.com	123456	751
58070459@qq.com	zengling	751
qianqian418520@qq.com	418520	751
1234555@qq.com	123456	751
taotaoainiyy@vip.qq.com	woainiyy	751
minajoy521@qq.com	chenhao521	751
383400721@qq.com	huawei	751
flora8050@qq.com	flora0506	751
279554913@qq.com	87765143	751
397347212@qq.com	9119105	751
205917@qq.com	3712562	751
182259266@qq.com	lovingltt	751
adanet@qq.com	198546	751
391505875@qq.com	13972704549	751
738570071@qq.com	jw19871028	751
814774820@qq.com	19881123	751
badboy444@qq.com	haibing	751
364157255@qq.com	666666	751
8041995@qq.com	8041995	751
826544881@qq.com	2320518	751
mykw@qq.com	dogoodjod	751
119452968@qq.com	860722	751
chilitao@qq.com	814117	751
516003198@qq.com	jikenku1991	751
529357325@qq.com	19900223	751
195840263@qq.com	9871242426	751
251982598@qq.com	951973441	751
275931281@qq.com	panjiaqi	751
229571999@qq.com	520520	751
382763625@qq.com	13149726	751
499210305@qq.com	499210305	751
phoenixof405@qq.com	370784	751
409045541@qq.com	zz5344140	751
75750388@qq.com	boy123	751
695477087@qq.com	kuaileshenghuo	751
123902663@qq.com	7491635	751
234453043@qq.com	5623690	751
339161908@qq.com	4269833353	751
012345@qq.com	123456	751
3330022@qq.com	7758521	751
twitchington@qq.com	830620	751
846532950@qq.com	321083	751
490461118@qq.com	3631304	751
87514471@qq.com	xuxiao1989	751
111111@qq.com	111111	751
398134168@qq.com	880113	751
568927023@qq.com	515286	751
1287568@qq.com	123456	751
514281185@qq.com	desare	751
xx1987620@qq.com	123456q	751
573274487@qq.com	yiyao1992	751
806728754@qq.com	123123	751
765058024@qq.com	dingzeyu1990	751
545089372@qq.com	545089372	751
10815892@qq.com	11507624	751
ds@qq.com	123456	751
413189056@qq.com	4064060	751
283167351@qq.com	shmily8884	751
115127390@qq.com	wy2311545	751
6460770@qq.com	6460770	751
112233@qq.com	123456	751
450400962@qq.com	8219525	751
28956087@qq.com	435513	751
441460300@qq.com	668899	751
477623879@qq.com	477623879	751
xiaojie123@vip.qq.com	dsws5921	751
357904175@qq.com	790512	751
114997797@qq.com	269266	751
350863406@qq.com	zhangcheng	751
236990674@qq.com	zst19881014	751
329013484@qq.com	110120	751
neewinc@vip.qq.com	311217	751
342332902@qq.com	520ljx1219	751
173488417@qq.com	691106	751
ricetall@qq.com	791382465	751
313697597@qq.com	198991820	751
26455941@qq.com	681805	751
13000064@qq.com	831124	751
497671069@qq.com	6902252s	751
381131358@qq.com	87502088	751
593584127@qq.com	3994486	751
253453271@qq.com	1485702155	751
salh_zll@qq.com	hongbing	751
ezjoys@vip.qq.com	321458	751
753514071@qq.com	zz000000	751
459966169@qq.com	dcq19910812	751
283916999@qq.com	3690217666	751
kuhan007@qq.com	lixuehan	751
xxl710@qq.com	alxsislove	751
wlhh@qq.com	894242	751
314276449@qq.com	wchenchen	751
184228344@qq.com	hjh93127	751
786829990@qq.com	fir110	751
772734412@qq.com	qinchao581321	751
694736824@qq.com	871231	751
397511898@qq.com	zhouxudong	751
361623175@qq.com	1989111	751
mouldlee@qq.com	fujian43	751
269694431@qq.com	223311	751
xiafanxiaf@qq.com	12090477	751
tomoe_baba@qq.com	aptx4869	751
2204226@qq.com	820120	751
229566316@qq.com	xt1986415	751
291126509@qq.com	yuanjuan	751
64746896@qq.com	84207952	751
lingxingwei@vip.qq.com	wfnh001	751
412312332@qq.com	wangtaotz1	751
403783659@qq.com	855854	751
251959440@qq.com	mazeqing123	751
329246476@qq.com	0709wjy	751
454452293@qq.com	95736484	751
159900718@qq.com	900718	751
zhangyuae86@qq.com	zhangyu	751
listn@vip.qq.com	47725812	751
3261543@qq.com	112290	751
348755787@qq.com	Sevenup4	751
460760604@qq.com	8841166	751
15084487@qq.com	58607506	751
lesn_333@qq.com	ykqykq	751
420400705@qq.com	420400705	751
379837076@qq.com	87588413	751
344054212@qq.com	19870627y	751
120902460@qq.com	wangjie	751
826544881@qq.com	2320518	751
83538718@qq.com	alonealone	751
450884144@qq.com	19877679	751
306476765@qq.com	7454119	751
8655809@qq.com	635241	751
631989702@qq.com	fy2wjh1314	751
447014741@qq.com	35689zn	751
123321@qq.com	123321	751
36076818@qq.com	19830315	751
86163558@qq.com	wearethebest	751
285761046@qq.com	7353279	751
liux7813@qq.com	37077813	751
1052746935@qq.com	1412kid	751
117138966@qq.com	wsndxlg	751
785140248@qq.com	123456	751
wu198979@qq.com	wu198979	751
675888958@qq.com	142422868	751
275872804@qq.com	5392711	751
540253195@qq.com	19871215	751
21350133@qq.com	393977	751
314232583@qq.com	314232583	751
68359973@qq.com	cityboy	751
adidas.liuguang@qq.com	summermomo520	751
aitvxqsr@vip.qq.com	1122344	751
289791211@qq.com	woaitc	751
531527790@qq.com	19891018	751
780429826@qq.com	8561231179	751
327612301@qq.com	880410	751
385358511@qq.com	asd411611	751
851829818@qq.com	5879576	751
inze@qq.com	3649589	751
xishun@vip.qq.com	xishun	751
153821064@qq.com	7931129	751
huxiaoming@vip.qq.com	1982529	751
394146042@qq.com	19890601	751
501971532@qq.com	199556	751
1222445@qq.com	8911604130	751
815726562@qq.com	815726562	751
597741294@qq.com	278821	751
394746278@qq.com	19911020zwj	751
394502786@qq.com	7236492	751
111111@qq.com	111111	751
caso@vip.qq.com	15074720	751
252847469@qq.com	12301230	751
364129531@qq.com	4497999	751
liubin39@qq.com	19860309	751
ted-12345@qq.com	ted12345	751
447641785@qq.com	68483557	751
75016929@qq.com	100200	751
200709510@qq.com	xmzxmz890804	751
22358007@qq.com	841224	751
544747416@qq.com	15973632160	751
123@qq.com	123321	751
344300470@qq.com	3420938	751
543970146@qq.com	yangbogao	751
670324178@qq.com	19851515	751
184533312@qq.com	123456	751
274713812@qq.com	3465865	751
36195831@qq.com	131421	751
173675197@qq.com	756888	751
378281594@qq.com	woainiya	751
10766963@qq.com	791016	751
306128599@qq.com	qq195510	751
taishanrou@qq.com	routaishan	751
121930565@qq.com	wq3013783	751
349184068@qq.com	king9458	751
270423712@qq.com	515200	751
229209383@qq.com	530031	751
79081289@qq.com	123456	751
111111@qq.com	111111	751
651962232@qq.com	2008211043	751
172336510@qq.com	ting111	751
kbb111@qq.com	123456	751
dark_lidan@qq.com	3171768	751
673651668@qq.com	lijian513	751
395823741@qq.com	2155099	751
mzr97531@qq.com	475378948	751
710483729@qq.com	5352096	751
380871803@qq.com	wzl1988	751
lxt_34674568@qq.com	19890525	751
421114999@qq.com	sumingqin	751
651195946@qq.com	12345678	751
yang@qq.com	123456789	751
87130655@qq.com	3573754	751
shijiaxin13@qq.com	3401582	751
157589438@qq.com	9689192	751
241216243@qq.com	58545256	751
105333196@qq.com	f271228	751
111111@qq.com	111111	751
wea382179759@qq.com	23367230	751
wuyuyinfeng@qq.com	9110056	751
313226629@qq.com	hao142753	751
gjianbo@qq.com	1983424	751
111111@qq.com	111111	751

修复方案：

加验证码+给高rank=完美修复策略

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：无影响厂商忽略

忽略时间：2015-05-12 10:28

厂商回复：

漏洞Rank：4 (WooYun评价)

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0112510

漏洞标题：点点博客某接口设计不当可撞库（大量博客账号证明）

相关厂商：点点网

漏洞作者：路人甲

提交时间：2015-05-07 10:26

修复时间：2015-05-12 10:28

公开时间：2015-05-12 10:28

漏洞类型：设计缺陷/逻辑错误

危害等级：高

自评Rank：14

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0112510

漏洞标题：点点博客某接口设计不当可撞库（大量博客账号证明）

相关厂商：点点网

漏洞作者： 路人甲

提交时间：2015-05-07 10:26

修复时间：2015-05-12 10:28

公开时间：2015-05-12 10:28

漏洞类型：设计缺陷/逻辑错误

危害等级：高

自评Rank：14

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0112510"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云