百度某二级域名弱口令可shell(字典技巧) - 中国红客帝国官网-Honker EmPire For China - Powered by H.E.C
网络爱好者的栖息之地,让我们的网络技术更上一层楼!!!

百度某二级域名弱口令可shell(字典技巧)

admin 漏洞预警

漏洞详情

披露状态:

2015-01-06: 细节已通知厂商并且等待厂商处理中
2015-01-07: 厂商已经确认,细节仅向厂商公开
2015-01-17: 细节向核心白帽子及相关领域专家公开
2015-01-27: 细节向普通白帽子公开
2015-02-06: 细节向实习白帽子公开
2015-02-20: 细节向公众公开

简要描述:

感冒好了以后,会多穿一件衣服,接下来就脱都不敢脱,严重缺乏安全感

详细说明:

加入了新的密码生成规则,所有Unicode中文的拼音表,所有中文居然只有404个拼音

code 区域
A, Ai, An, Ang, Ao, Ba, Bai, Ban, Bang, Bao, Bei, Ben, Beng, Bi, Bian, Biao, Bie, Bin, Bing, Bo, Bu, Ca, Cai, Can, Cang, Cao, Ce, Cen, Ceng, Cha, Chai, Chan, Chang, Chao, Che, Chen, Cheng, Chi, Chong, Chou, Chu, Chuai, Chuan, Chuang, Chui, Chun, Chuo, Ci, Cong, Cou, Cu, Cuan, Cui, Cun, Cuo, Da, Dai, Dan, Dang, Dao, De, Den, Deng, Di, Dia, Dian, Diao, Die, Ding, Diu, Dong, Dou, Du, Duan, Dui, Dun, Duo, E, En, Eng, Er, Fa, Fan, Fang, Fei, Fen, Feng, Fiao, Fo, Fou, Fu, Ga, Gai, Gan, Gang, Gao, Ge, Gei, Gen, Geng, Gong, Gou, Gu, Gua, Guai, Guan, Guang, Gui, Gun, Guo, Ha, Hai, Han, Hang, Hao, He, Hei, Hen, Heng, Ho, Hong, Hou, Hu, Hua, Huai, Huan, Huang, Hui, Hun, Huo, Ji, Jia, Jian, Jiang, Jiao, Jie, Jin, Jing, Jiong, Jiu, Ju, Juan, Jue, Jun, Ka, Kai, Kan, Kang, Kao, Ke, Ken, Keng, Kong, Kou, Ku, Kua, Kuai, Kuan, Kuang, Kui, Kun, Kuo, La, Lai, Lan, Lang, Lao, Le, Lei, Leng, Li, Lia, Lian, Liang, Liao, Lie, Lin, Ling, Liu, Lo, Long, Lou, Lu, Luan, Lun, Luo, Lv, Lve, M, Ma, Mai, Man, Mang, Mao, Me, Mei, Men, Meng, Mi, Mian, Miao, Mie, Min, Ming, Miu, Mo, Mou, Mu, N, Na, Nai, Nan, Nang, Nao, Ne, Nei, Nen, Ni, Nian, Niang, Niao, Nie, Nin, Ning, Niu, Nong, Nou, Nu, Nuan, Nuo, Nv, Nve, Ou, Pa, Pai, Pan, Pang, Pao, Pei, Pen, Peng, Pi, Pian, Piao, Pie, Pin, Ping, Po, Pou, Pu, Qi, Qia, Qian, Qiang, Qiao, Qie, Qin, Qing, Qiong, Qiu, Qu, Quan, Que, Qun, Ra, Ran, Rang, Rao, Re, Ren, Reng, Ri, Rong, Rou, Ru, Ruan, Rui, Run, Ruo, Sa, Sai, San, Sang, Sao, Se, Sha, Shai, Shan, Shang, Shao, She, Shen, Sheng, Shi, Shou, Shu, Shua, Shuai, Shuan, Shuang, Shui, Shuo, Si, Song, Sou, Su, Suan, Sui, Sun, Suo, Ta, Tai, Tan, Tang, Tao, Te, Teng, Ti, Tian, Tiao, Tie, Ting, Tong, Tou, Tu, Tuan, Tui, Tun, Tuo, Wa, Wai, Wan, Wang, Wei, Wen, Weng, Wo, Wu, Xi, Xia, Xian, Xiang, Xiao, Xie, Xin, Xing, Xiong, Xiu, Xu, Xuan, Xue, Xun, Ya, Yan, Yang, Yao, Ye, Yen, Yi, Yin, Ying, Yo, Yong, You, Yu, Yuan, Yue, Yun, Za, Zai, Zan, Zang, Zao, Ze, Zei, Zen, Zeng, Zha, Zhai, Zhan, Zhang, Zhao, Zhe, Zhen, Zheng, Zhi, Zhong, Zhou, Zhu, Zhua, Zhuai, Zhuan, Zhuang, Zhui, Zhun, Zhuo, Zi, Zong, Zou, Zu, Zuan, Zui, Zun, Zuo



code 区域
python wpcheck.py http://mux.baidu.com

* gogogo

100多个用户,出来一堆用户密码,自动登录判断jerry可以访问模板编辑

{'u':'jerry','p':'jerryyang****'}


漏洞证明:

shell.jpg


shell1.jpg

修复方案:

管理后台不能对外了


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-01-07 13:43

厂商回复:

感谢提交,已通知业务部门处理

最新状态:

暂无


漏洞评价:

对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值

标签: 弱口令可shell

免责声明:

本站提供的资源,都来自网络,版权争议与本站无关,所有内容及软件的文章仅限用于学习和研究目的。不得将上述内容用于商业或者非法用途,否则,一切后果请用户自负,我们不保证内容的长久可用性,通过使用本站内容随之而来的风险与本站无关,您必须在下载后的24个小时之内,从您的电脑/手机中彻底删除上述内容。如果您喜欢该程序,请支持正版软件,购买注册,得到更好的正版服务。侵删请致信E-mail:22365412@qq.com

同类推荐
评论列表