当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0136171

漏洞标题:奥一网主站可撞库用户(成功账号证明)

相关厂商:广东南都全媒体网络科技有限公司

漏洞作者: 路人甲

提交时间:2015-08-23 11:55

修复时间:2015-08-28 11:56

公开时间:2015-08-28 11:56

漏洞类型:设计缺陷/逻辑错误

危害等级:高

自评Rank:19

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-08-23: 细节已通知厂商并且等待厂商处理中
2015-08-28: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

奥一网主站可撞库用户(成功账号证明)

详细说明:

http://www.oeeee.com奥一网主站登陆框接口,未做登陆验证限制

1.png


用户名和密码全部为明文传输

2.png


设置变量后测试撞库,成功账号证明:

sbams@vip.qq.com	15907676860	2580
camelyx@qq.com	900310	2610
tomole@vip.qq.com	skyyang365	2636
273399418@qq.com	226417866	2643
szguoke@qq.com	790725	2659
377169703@qq.com	565783	2671
12345678@qq.com	123456	2673
727340846@qq.com	19910104	2674
727340846@qq.com	19910104	2678
ftpc@qq.com	atgqlzj	2686
12345678@qq.com	123456	2687
85856595@qq.com	62771227	2693
232872104@qq.com	741236	2704
17814747@qq.com	3336352	2715
385838661@qq.com	385838	2716
395992088@qq.com	ly19860525	2717
544301996@qq.com	13728729112	2723
634063666@qq.com	780802	2725
157582414@qq.com	qm831013	2726
gottatan@qq.com	870519	2729
adanet@qq.com	198546	2730
331371824@qq.com	qaz5989126	2732
29750666@qq.com	123321	2737
9153152@qq.com	1834567	2737
372199250@qq.com	8331895	2738
3717488@qq.com	pig3323	2739
9960463@qq.com	adaqbuxx	2740
123123@qq.com	123123	2742
123123@qq.com	123123	2744
514938004@qq.com	yongming	2744
123123@qq.com	123123	2746
65465@qq.com	123456	2747
527413519@qq.com	527413519	2747
410683781@qq.com	5675585	2749
ringi@vip.qq.com	431131131	2749
253838442@qq.com	121590	2750
344300470@qq.com	3420938	2750
549531256@qq.com	556600	2750
670324178@qq.com	19851515	2753
413535377@qq.com	413535377	2753
50330823@qq.com	shittimad1	2755
123123@qq.com	123123	2756
hzhjn@vip.qq.com	18334488	2757
360058964@qq.com	1834997	2757
320099996@qq.com	6612965	2758
lifigo@qq.com	3819072	2759
274321615@qq.com	night1100	2759
23251715@qq.com	8562792	2760
23423423@qq.com	123456	2761
79056711@qq.com	666666	2762
512080373@qq.com	lanqiu	2763
robin_zou@qq.com	123456	2766
amimoon@qq.com	630417	2770
459319702@qq.com	1q2w3e4r5t	2772
250241922@qq.com	666456	2773
136431180@qq.com	2317016	2780
172117846@qq.com	67810480	2781
115940400@qq.com	47697294	2782
413535377@qq.com	413535377	2783
642995313@qq.com	325603256	2786
wlhh@qq.com	894242	2788
tomyidea@qq.com	321322	2788
11603949@qq.com	820619	2789
478515773@qq.com	19890324	2790
378739221@qq.com	7412118	2792
guocalvin@qq.com	28681888	2793
399905225@qq.com	1989215yjn	2793
360766226@qq.com	821027	2793
262751907@qq.com	881023	2794
103103002@qq.com	6866618	2795
413535377@qq.com	413535377	2797
413535377@qq.com	413535377	2799
whatme321@qq.com	887900	2800
270132685@qq.com	huangxi	2800
83284518@qq.com	wb19880701	2804
985649296@qq.com	133664	2804
huxiaoming@vip.qq.com	1982529	2808
772915728@qq.com	97506409	2809
261630037@qq.com	840917	2809
520520@qq.com	520520	2809
laijin250@qq.com	5513055	2813
462250223@qq.com	1972158	2815
179320320@qq.com	wangba74	2815
15027474@qq.com	210698	2816
szcartoon@qq.com	ccedu029	2816
1234567@qq.com	123456	2818
405533058@qq.com	yuye123	2820
liy12586@qq.com	lisbfyong	2821
1234567@qq.com	123456	2824
103017012@qq.com	123456	2824
1234567@qq.com	123456	2826
1234567@qq.com	123456	2826
348270582@qq.com	664110	2829
1234567@qq.com	123456	2832
331615497@qq.com	280582817	2832
360273293@qq.com	qepwqauige	2833
1234567@qq.com	123456	2836
334237087@qq.com	wuzhiheng	2840
20964712@qq.com	811124	2843
49998859@qq.com	mingming	2844
9771101@qq.com	verbatim	2845
516429946@qq.com	12345678	2863
52227741@qq.com	xkwyzq	2872
408341779@qq.com	13713887699	2879
421065207@qq.com	woaini	2882
103105112@qq.com	2562917	2883
418360910@qq.com	8088282	2895
asdf@qq.com	123456789	2899
305772038@qq.com	19850407	2901
153225650@qq.com	a31610518	2902
812999013@qq.com	5235361225	2903
642848274@qq.com	864563110	2909
229695598@qq.com	hejiangyan1980	2912
80719777@qq.com	fanlei	2920
663092380@qq.com	jiangbao	2945
306997149@qq.com	688496	2951
ailin2099@vip.qq.com	3545768802	2951
75368589@qq.com	5681864	2963
851829818@qq.com	5879576	3006


登陆测试证明:

3.png


4.png


5.png

漏洞证明:

http://www.oeeee.com奥一网主站登陆框接口,未做登陆验证限制

1.png


用户名和密码全部为明文传输

2.png


设置变量后测试撞库,成功账号证明:

sbams@vip.qq.com	15907676860	2580
camelyx@qq.com	900310	2610
tomole@vip.qq.com	skyyang365	2636
273399418@qq.com	226417866	2643
szguoke@qq.com	790725	2659
377169703@qq.com	565783	2671
12345678@qq.com	123456	2673
727340846@qq.com	19910104	2674
727340846@qq.com	19910104	2678
ftpc@qq.com	atgqlzj	2686
12345678@qq.com	123456	2687
85856595@qq.com	62771227	2693
232872104@qq.com	741236	2704
17814747@qq.com	3336352	2715
385838661@qq.com	385838	2716
395992088@qq.com	ly19860525	2717
544301996@qq.com	13728729112	2723
634063666@qq.com	780802	2725
157582414@qq.com	qm831013	2726
gottatan@qq.com	870519	2729
adanet@qq.com	198546	2730
331371824@qq.com	qaz5989126	2732
29750666@qq.com	123321	2737
9153152@qq.com	1834567	2737
372199250@qq.com	8331895	2738
3717488@qq.com	pig3323	2739
9960463@qq.com	adaqbuxx	2740
123123@qq.com	123123	2742
123123@qq.com	123123	2744
514938004@qq.com	yongming	2744
123123@qq.com	123123	2746
65465@qq.com	123456	2747
527413519@qq.com	527413519	2747
410683781@qq.com	5675585	2749
ringi@vip.qq.com	431131131	2749
253838442@qq.com	121590	2750
344300470@qq.com	3420938	2750
549531256@qq.com	556600	2750
670324178@qq.com	19851515	2753
413535377@qq.com	413535377	2753
50330823@qq.com	shittimad1	2755
123123@qq.com	123123	2756
hzhjn@vip.qq.com	18334488	2757
360058964@qq.com	1834997	2757
320099996@qq.com	6612965	2758
lifigo@qq.com	3819072	2759
274321615@qq.com	night1100	2759
23251715@qq.com	8562792	2760
23423423@qq.com	123456	2761
79056711@qq.com	666666	2762
512080373@qq.com	lanqiu	2763
robin_zou@qq.com	123456	2766
amimoon@qq.com	630417	2770
459319702@qq.com	1q2w3e4r5t	2772
250241922@qq.com	666456	2773
136431180@qq.com	2317016	2780
172117846@qq.com	67810480	2781
115940400@qq.com	47697294	2782
413535377@qq.com	413535377	2783
642995313@qq.com	325603256	2786
wlhh@qq.com	894242	2788
tomyidea@qq.com	321322	2788
11603949@qq.com	820619	2789
478515773@qq.com	19890324	2790
378739221@qq.com	7412118	2792
guocalvin@qq.com	28681888	2793
399905225@qq.com	1989215yjn	2793
360766226@qq.com	821027	2793
262751907@qq.com	881023	2794
103103002@qq.com	6866618	2795
413535377@qq.com	413535377	2797
413535377@qq.com	413535377	2799
whatme321@qq.com	887900	2800
270132685@qq.com	huangxi	2800
83284518@qq.com	wb19880701	2804
985649296@qq.com	133664	2804
huxiaoming@vip.qq.com	1982529	2808
772915728@qq.com	97506409	2809
261630037@qq.com	840917	2809
520520@qq.com	520520	2809
laijin250@qq.com	5513055	2813
462250223@qq.com	1972158	2815
179320320@qq.com	wangba74	2815
15027474@qq.com	210698	2816
szcartoon@qq.com	ccedu029	2816
1234567@qq.com	123456	2818
405533058@qq.com	yuye123	2820
liy12586@qq.com	lisbfyong	2821
1234567@qq.com	123456	2824
103017012@qq.com	123456	2824
1234567@qq.com	123456	2826
1234567@qq.com	123456	2826
348270582@qq.com	664110	2829
1234567@qq.com	123456	2832
331615497@qq.com	280582817	2832
360273293@qq.com	qepwqauige	2833
1234567@qq.com	123456	2836
334237087@qq.com	wuzhiheng	2840
20964712@qq.com	811124	2843
49998859@qq.com	mingming	2844
9771101@qq.com	verbatim	2845
516429946@qq.com	12345678	2863
52227741@qq.com	xkwyzq	2872
408341779@qq.com	13713887699	2879
421065207@qq.com	woaini	2882
103105112@qq.com	2562917	2883
418360910@qq.com	8088282	2895
asdf@qq.com	123456789	2899
305772038@qq.com	19850407	2901
153225650@qq.com	a31610518	2902
812999013@qq.com	5235361225	2903
642848274@qq.com	864563110	2909
229695598@qq.com	hejiangyan1980	2912
80719777@qq.com	fanlei	2920
663092380@qq.com	jiangbao	2945
306997149@qq.com	688496	2951
ailin2099@vip.qq.com	3545768802	2951
75368589@qq.com	5681864	2963
851829818@qq.com	5879576	3006


登陆测试证明:

3.png


4.png


5.png

修复方案:

发放19rank又不会怀孕

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-08-28 11:56

厂商回复:

漏洞Rank:4 (WooYun评价)

最新状态:

暂无

漏洞评价:

评论