2015-06-16: Details reported to the vendor, awaiting vendor action.
2015-06-16: Vendor confirmed; details disclosed to the vendor only.
2015-06-16: Vendor fixed the vulnerability and disclosed it proactively; details now public.
The first submission sat unreviewed for days and was finally rejected. Speechless, I assumed it was a duplicate, but the reason turned out to be "process not detailed enough". It felt quite detailed to me, but here it is again; given that I am writing it twice, please give a high rank (the process is very detailed)!!!
First, walk through the correct flow with one user and capture the correct response.
```http
HTTP/1.1 200 OK
Server: CITS
Date: Mon, 15 Jun 2015 17:39:39 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
Content-Language: zh-CN
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Length: 4947

<!DOCTYPE HTML><html lang="en-US"><head><meta charset="UTF-8"><title>重置密码</title>
<meta name="description" content="会员中心_重置密码"><meta name="keywords" content="会员中心_重置密码">
<link href="http://file.cits.cn/online/images/cits_logo.ico" rel="icon" type="image/x-icon"/>
<link href="http://file1.cits.cn/online/images/cits_logo.ico" rel="shortcut icon" type="image/x-icon"/>
<link href="http://file1.cits.cn/css/b2c/common/??layout.css?v=1.0.1" rel="stylesheet" type="text/css" />
<script type="text/javascript" src="http://file.cits.cn/js/b2c/jquery/??jquery-1.11.2.min.js,jquery.SuperSlide.2.1.js,jquery.jqtransform.js,jquery.DOMWindow.js,jquery.cookie.js,jquery.autocomplete.js,jquery.artDialog.js,jquery.lazyload.min.js?v=1.0.1"></script>
<meta name="location" content="province=河北;city=石家庄;coord=114.518502,38.052292">
<script>var _hmt =_hmt ||[];(function() {var hm =document.createElement("script");hm.src ="//hm.baidu.com/hm.js?e7bdd9d92a22943295c3a60a605361b3";var s =document.getElementsByTagName("script")[0];s.parentNode.insertBefore(hm,s);})();</script>
</head><body>
<div class="row m-t-0 bg_gray_1 top_style" id="headerTop" style="display: none;"><div class="cav_1200"><div class="atxt" id="memberStatus"></div></div></div>
<input type="hidden" id="loginID" value="">
<div class="headout"><div class="headtop"><a href="http://sjz.cits.cn"> <img src="http://file1.cits.cn/images/b2c/logo_1.png" alt="国旅在线" width="86" height="72"/></a> <a href="http://sjz.cits.cn"> <img src="http://file1.cits.cn/images/b2c/logo_2.png" alt="国旅在线" width="135" height="69" /></a></div></div>
<script type="text/javascript">$.post("/member/status.html",function(data) {if (data.indexOf("登录") < 0) {$('#headerTop').show();$("#memberStatus").html(data);}});</script>
<form id="form1" method="post"><div class="login_con" align="center"><div class="popoutUserS"><h2 align="left">重置密码</h2><div class="popboxUserS"><table class="tablebd">
<tr><td align="right">新密码</td><td align="left"><input type="password" name="password" id="password1" class="input_text" autocomplete="off" onblur="passwordCheck1()" onfocus="$('#password1Message').text('');" /></td><td width="40%"><font color="red" id="password1Message"></font></td></tr>
<tr><td align="right">确认密码</td><td align="left"><input type="password" name="password2" id="password2" class="input_text" onfocus="$('#password2Message').text('');" onblur="passwordCheck2()" /></td><td width="30%"><font color="red" id="password2Message"></font></td></tr>
<tr><td colspan="3" align="center"><input type="button" onclick="doSubmitForPswReset()" class="inpt_search" value="确定" /></td></tr>
</table></div></div></div><input type="hidden" id="password1Check" /><input type="hidden" id="password2Check" /><input type="hidden" name="submitType" id="submitType" /></form>
<div class="footbox"><div class="foottop">联系我们：<a href="javascript:void(0)">[email protected]</a> | 咨询热线：<span>400-600-8888</span></div><div class="footbot">Copyright © 2007-2014 中国国际旅行社总社有限公司<br />京ICP证020312号 | 京公网安备11010102000810号</div></div>
<script type="text/javascript" src="http://file.cits.cn/js/b2c/common/??js.js,tabs.js,addMyFavorite.js,behaviorTrack.js,biaodan.js,common.js,device.min.js,iframeTools.js,headerNew.js?v=1.0.2"></script>
<script type="text/javascript" src="http://file1.cits.cn/js/b2c/json/keywords.js"></script>
<script type="text/javascript">try {addBehaviorTrack("","MEMBER","","","","","10f664c54232491fa6e2ca53fab7225f");} catch (err) {}</script>
<div style="DISPLAY: none"><script type="text/javascript">var cnzz_protocol =(("https:" ==document.location.protocol) ?" https://" :" http://");document.write(unescape("%3Cspan id='cnzz_stat_icon_1254452230'%3E%3C/span%3E%3Cscript src='" + cnzz_protocol+ "s4.cnzz.com/z_stat.php%3Fid%3D1254452230' type='text/javascript'%3E%3C/script%3E"));</script>
<script type='text/javascript'>(function() {var s =document.createElement('script');s.type ='text/javascript';s.async =true;s.src =(location.protocol =='https:' ?'https://ssl.' :'http://static.')+ 'gridsumdissector.com/js/Clients/GWD-002591-0C1D54/gs.js';var firstScript =document.getElementsByTagName('script')[0];firstScript.parentNode.insertBefore(s,firstScript);})();</script></div>
<script type='text/javascript'>window.BWEUM||(BWEUM={});BWEUM.info ={"stand":true,"agentType":"browser","agent":"tpm.oneapm.com/static/js/bw-send-411.4.1.js","beaconUrl":"tpm.oneapm.com/beacon","licenseKey":"AQ~aJeUVvRnYZe3J","applicationID":7526};</script>
<script type="text/javascript" src="//tpm.oneapm.com/static/js/bw-loader-411.4.1.js"></script>
<script type="text/javascript" src="http://file.cits.cn/js/b2c/channel/member.js"></script>
<input type="hidden" id="pageName" value="memberResetPassword" /></body></html>
```
Once on the change-password page, the captured response above shows that there is no token, so any user who swaps in the correct response can change any user's password.
Test changing the password with a different user.
The verification code entered is certainly wrong (unless you get extremely lucky); change false to true.
After forwarding, the returned response shows a system error. Replace it with the correct response captured above and forward it, and the password can be changed.
Final step: log in to verify!
Fix: add token validation and strengthen server-side validation. Given that this was submitted twice, please give a high rank; digging for bugs late at night is not easy.
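The fix the report asks for (token validation plus server-side checks), as an added Python example that is not from the report or from CITS: the verification outcome and the reset authorization live only in server-side state, so neither a true/false flag nor a captured "correct" page can be replayed to change another user's password. The in-memory stores and user names are constructed assumptions; a short "before" function is kept for contrast.

```python
import hmac
import secrets
import time

# Constructed in-memory stores standing in for the site's database and session
# storage (assumption; the real back end is not shown in the report).
USERS = {"alice": {"password": "alice-pw"}, "bob": {"password": "bob-pw"}}
RESET_CODES = {}   # username -> (sms_code, expires_at)
RESET_TOKENS = {}  # username -> (one_time_token, expires_at)

def vulnerable_reset(username, client_says_verified, new_password):
    """'Before': the verification outcome is a flag the browser sends back, so the
    server can be told the check passed. Kept only for contrast."""
    if client_says_verified:
        USERS[username]["password"] = new_password
        return True
    return False

def send_code(username):
    """Step 1: mint a short code, stored server-side and bound to the user."""
    code = f"{secrets.randbelow(10**6):06d}"
    RESET_CODES[username] = (code, time.time() + 300)
    return code  # delivered out of band (SMS/e-mail), never echoed to the browser

def verify_code(username, submitted):
    """Step 2: the server decides whether the code matched. One wrong attempt
    discards the code; success yields a random one-time reset token."""
    entry = RESET_CODES.pop(username, None)
    if entry is None or time.time() > entry[1]:
        return None
    if not hmac.compare_digest(entry[0].encode(), submitted.encode()):
        return None
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[username] = (token, time.time() + 300)
    return token

def reset_password(username, token, new_password):
    """Step 3: only an unexpired, unused token issued by verify_code() for this
    exact user may change the password; a replayed page carries no such token."""
    entry = RESET_TOKENS.get(username)
    if entry is None or time.time() > entry[1]:
        return False
    if not hmac.compare_digest(entry[0].encode(), token.encode()):
        return False
    del RESET_TOKENS[username]  # single use
    USERS[username]["password"] = new_password
    return True
```

The token should additionally be tied to the session that requested the code, so that even a leaked token cannot be used from a different browser.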
Severity: High
Vulnerability Rank: 15
Confirmed: 2015-06-16 13:48
Thank you very much for your report; the issue has been handled. Many thanks for your support of China International Travel Service (CITS).
2015-06-16: Fixed