当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0112837

漏洞标题:豆丁网某接口设计不当可撞库用户(可消耗用户积分下载文档)

相关厂商:豆丁网

漏洞作者: 路人甲

提交时间:2015-05-08 16:05

修复时间:2015-05-13 16:06

公开时间:2015-05-13 16:06

漏洞类型:设计缺陷/逻辑错误

危害等级:高

自评Rank:10

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-05-08: 细节已通知厂商并且等待厂商处理中
2015-05-13: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

挖洞最苦逼的事莫过于编辑了半天的漏洞最后发现竟然不存在。。

详细说明:

http://www.docin.com/jsp_cn/login/docincon.jsp这个接口可以看到接口没有任何限制的

1.png


然后想直接抓包的,怕是js本地登陆框抓不到包,没想到竟然可以抓到,而且用户名和密码全部是明文传输的

2.png


接下来开始撞库,成功

3.png


随便登陆几个用户,如果用户有积分可以用用户的积分下载收费文档

5.png


4.png

漏洞证明:

rs,部分账号证明:

1686549@qq.com	1686549	525
asllg@qq.com	Bin880930	525
xtning@qq.com	nakata008	526
68475888@qq.com	kiss520	526
506136400@qq.com	zhangyu	527
395000235@qq.com	135792468	527
573922232@qq.com	101765	527
342278166@qq.com	8218968	527
543513874@qq.com	myqboo	527
9288258@qq.com	791105228	527
496105751@qq.com	198808109	527
229004586@qq.com	3303855	527
262348060@qq.com	19880123	527
297020523@qq.com	963258963	527
295649779@qq.com	129511	527
524260531@qq.com	13145200	527
476744301@qq.com	easyma	527
287780501@qq.com	s19881126	527
362323242@qq.com	362323242	527
768060009@qq.com	5631402	527
385096455@qq.com	3024908	527
247266324@qq.com	200115	527
598906066@qq.com	6543221	527
303638514@qq.com	tanfuzhen	527
807213327@qq.com	88518081	527
313686104@qq.com	chenbing	527
89738081@qq.com	66227491	528
66289464@qq.com	33340505	528
fhzx5168@qq.com	fhzx5168	528
55811783@qq.com	zhjh1123	528
41469005@qq.com	12227933	528
378608484@qq.com	5663287	529
271237386@qq.com	950204	529
931038580@qq.com	56184728	529
389651510@qq.com	37809265	529
610879626@qq.com	ggggflfl	529
775010738@qq.com	87350049	529
jingsiwei@qq.com	jingsiwei	529
651218360@qq.com	xixihaha.	529
851829818@qq.com	5879576	529
584213633@qq.com	hanxiao	529
260208598@qq.com	yan520510	529
342613824@qq.com	198718	529
466098921@qq.com	19881223	529
6385383@qq.com	870530	529
695432643@qq.com	123321	529
342252017@qq.com	5553996	529
122245953@qq.com	yy262201	529
133141421@qq.com	8036989	529
451254850@qq.com	sunyanzi	529
297356776@qq.com	198957	529
308625821@qq.com	binbin123	529
6954672@qq.com	1478520	529
379279794@qq.com	8617865	529
526544928@qq.com	z0671896	529
123845010@qq.com	fantasy	529
971535223@qq.com	q123456	529
393552359@qq.com	393552359	529
6822783@qq.com	111111	529
22702119@qq.com	41580265	530
26547925@qq.com	5601573	530
70615562@qq.com	zcwhyf	530
14308010@qq.com	851206	530
huan_f22@qq.com	262400	530
29487334@qq.com	xingren	530
40279691@qq.com	6160945	530
18018459@qq.com	828500	530
14754761@qq.com	14754761	530
445491302@qq.com	7782414	531
318006344@qq.com	318006344	531
704587191@qq.com	ilike44	531
309804902@qq.com	52117140	531
9960463@qq.com	adaqbuxx	531
840255646@qq.com	558558	531
kang11_08@qq.com	2820166	531
307687074@qq.com	890214	531
812735152@qq.com	2922666	531
511656499@qq.com	b147852	531
498292476@qq.com	199367	531
408138787@qq.com	qwe123	531
610073869@qq.com	aaa111	531
385597157@qq.com	a19901208	531
276561942@qq.com	62920196	531
ppcc_9372@qq.com	19870310	531
357426026@qq.com	dir5421t	531
5237784@qq.com	123456	531
843994812@qq.com	524712	531
81537763@qq.com	fnhmft	532
20567029@qq.com	20567029	532
21620341@qq.com	3303153	532
334582276@qq.com	sxqtc1991	533
229529221@qq.com	1988712	533
swq81046839@qq.com	87953747	533
826544881@qq.com	2320518	533
379699202@qq.com	2805503	533
329398591@qq.com	880608	533
289766006@qq.com	123456	533
228762287@qq.com	fhqihmqb	533
329837640@qq.com	63228665	533
297239784@qq.com	2664620	533
santarelli@qq.com	860628qw	534
11882743@qq.com	408547	534
feng2019@qq.com	410q321	534
261767195@qq.com	871100	535
389351782@qq.com	389351782	535
251638670@qq.com	8631220	535
303028980@qq.com	86906006	535
460061335@qq.com	hx31820	535
394315931@qq.com	7418695	535
394354609@qq.com	4426185	535
272611726@qq.com	123456	535
329428242@qq.com	19890322	535
lover13@vip.qq.com	19900312	537
179490484@qq.com	19890803	537
151232429@qq.com	234156	537
66666654@qq.com	123456	538
405924262@qq.com	8084910	539
tanmimi1224@vip.qq.com	yh5201224	539
115800298@qq.com	123123	539
490119263@qq.com	19871234yy	545
810650761@qq.com	2007041137	545
542068218@qq.com	891015zhang	545
394023192@qq.com	1982818235	547
378012951@qq.com	jz01192513	547
153344106@qq.com	4020095601	547
252112895@qq.com	1153320521	547
575094761@qq.com	3118108034	547
1024406390@qq.com	1397417421	548
402949267@qq.com	woaijiaoer	549
376510004@qq.com	shihanxi10	549
100220094@qq.com	wyh9115241	549
287459602@qq.com	chouxiaozi	549
346350878@qq.com	15809915995	549
463298639@qq.com	5101500618	549
809428173@qq.com	8008208820abc	549
41227948@qq.com	jiaomei132	550
75277584@qq.com	baobei1027	550
1044106919@qq.com	marcia19880504	550
420489384@qq.com	13720906065	551
362550680@qq.com	wanghanren	551
546173916@qq.com	1357924680	551
411656676@qq.com	woshixiaoyu	551
814535112@qq.com	1357924680	551
247469654@qq.com	9113113227	551
59156293@qq.com	13885389797	552
417608219@qq.com	hbj19880913	555
www.386312566@qq.com	13031788688	555
zhangyangdd@qq.com	19901213636	563

修复方案:

发放20rank获取完美修复方案

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-05-13 16:06

厂商回复:

漏洞Rank:4 (WooYun评价)

最新状态:

暂无

漏洞评价:

评论