2015-06-19: Details reported to the vendor, awaiting vendor response
2015-06-23: Vendor confirmed; details disclosed to the vendor only
2015-07-03: Details disclosed to core white hats and domain experts
2015-07-13: Details disclosed to regular white hats
2015-07-23: Details disclosed to intern white hats
2015-08-07: Details disclosed to the public

P2P finance security: 财智魔方 allows resetting any user's password (demonstrated on a real account, not by brute force)

Heh, 浩天 big shot, I'm back again; front page this time!!!

After seeing this report, WooYun: 财智魔方某逻辑漏洞漏洞礼包(影响用户资金安全) (a bundle of logic flaws in 财智魔方 affecting user funds), my sixth sense told me the password reset still had a problem, so I gave it a try, and it worked.

1. Go through one complete password-reset flow and record the response returned when the SMS code is verified successfully, as follows:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding
Date: Fri, 19 Jun 2015 05:57:08 GMT
Content-Length: 11024

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>财智魔方</title><meta content="text/html; charset=utf-8" http-equiv="Content-Type" /><meta name="keywords" content="财智魔方,互联网金融平台,河南网上贷款,互联网理财,网络理财平台,网络投融资,p2p投资理财,p2p借贷,p2p网贷平台,网络贷款,小额投资理财,最新理财方法,互联网理财产品"><meta name="description" content="财智魔方--中国领先的互联网金融服务平台 提供网络投融资、理财,p2p小额借贷,互联网最新理财方法、技巧、产品为一体的综合性网络投资、理财平台。拥有严格风控体系,100%本息担保,保障资金安全。"><meta name="author" content="财智魔方(北京)金融服务外包有限公司"></head><body><script type="text/javascript">var base = "";</script><link rel="shortcut icon" href="favicon.ico" type="image/x-icon" /><link rel="stylesheet" type="text/css" href="/template/caizhimofang/css/new_main.css"></link><link rel="stylesheet" type="text/css" href="/template/caizhimofang/css/new.css"></link><link rel="stylesheet" type="text/css" href="/template/caizhimofang/css/bootstrap.css"></link><link rel="stylesheet" type="text/css" href="/template/caizhimofang/css/bootstrap.min.css"></link><script type="text/javascript" src="/common/js/jquery-1.8.2.min.js"></script><script type="text/javascript" src="/template/caizhimofang/js/common.js"></script><link id="artDialog-skin" href="/common/artDialog4.1.7/skins/blue.css" rel="stylesheet" /><script src="/common/artDialog4.1.7/artDialog.js"></script><script type="text/javascript">var message = "" ;var errorCode = "0";var timeSecond = 5;var timeClose = timeSecond * 1000;function showDialogMessage(){ var dlgIcon = "succeed"; var dlgTitle = "提示"; if (errorCode == "1") dlgIcon = "error"; var dlgContent = message + "<br><br>" + "本消息将在 " + timeSecond + " 秒钟后自动关闭,请稍候!"; if (message != ""){ artDialog( { title:dlgTitle, content:dlgContent, icon:dlgIcon, lock:true, time:timeSecond } ); }}window.onload=function(){ 
if(message!="该证件号码已存在!"){ showDialogMessage(); }};</script><div class="box border-bottom"> <div class="header wide_box"> <ul class="header_contact"> <li class="c_1"> <a class="ico_head_weixin" id="wx"></a> <div class="ceng" id="weixin_xlgz"> <div class="cnr"> <img src="/images/www/c/config_3730.png"> </div> <b class="ar_up ar_top"></b> <b class="ar_up_in ar_top_in"></b> </div> </li> <li class="c_2"><a href="http://crm2.qq.com/page/portalpage/wpa.php?uin=4009981001&aty=0&a=0&curl=&ty=1" target="_blank" title="官方QQ" alt="官方QQ"><b class="ico_head_QQ"></b></a></li> <li class="c_4"><a href="http://weibo.com/u/5187199188" target="_blank" title="新浪微博" alt="新浪微博"><b class="ico_head_sina"></b></a></li> <li class="czmf_mouse c_3"> <b class="ico_head_phone"></b> <span class="czmf_tb">下载手机客户端</span> <div class="c_3_po"> <p class="c_3_po_title">扫码下载财智魔方手机客户端</p> <p class="c_3_po_left"> <img src="/template/caizhimofang/images/ph_eweim.png" alt=""/> </p> <p class="c_3_po_right"> <a class="c_3_po_right_and" href="javascript:;"></a> <a class="c_3_po_right_iph" href="javascript:;"></a> </p> </div> </li> <li class=" c_3" style="padding:0;"> <span>客服电话: 400-998-1001</span> </li> </ul> <ul class="head_login"> <li class="head_login_a"> [<a href="/login.html" target="_parent">登录</a>] [<a href="/register.html" target="_parent">快速注册</a>] </li> <li class="head_login_b"><a href="/article/37.html" target="_blank">帮助</a> <a href="/article/75.html" target="_blank">关于我们</a></li> </ul> </div> <div class="clear"></div> </div> <div class="box border-b"> <div class="header_nav wide_box clearfix"> <a href="/article/140.html" target="_self">新手指引</a> <a href="/article/121.html" target="_self">安全保障</a> <a href="/member" target="_self">我的账户</a> <a href="/lists.html" target="_self">我要投资</a> <a href="/" target="_self">首页</a> <a href="/index.html" title="返回首页" class="alogo" target="_parent" onfocus="this.blur()"><img title="财智魔方" alt="财智魔方" src="/images/logo.png" 
style="border:0;height:60px;width:auto;"/></a> </div> </div> <script> $(function(){ $(".czmf_mouse").mouseenter(function(){ $(".c_3_po").show(); }); $(".czmf_mouse").mouseleave(function(){ $(".c_3_po").hide(); }); }); </script><div style="border-bottom:solid 1px #ddd;font-size:12px;height:45px;line-height:43px;background-color:#f3f3f3;"> <div class="container"> <div class="text-center fz16"> <span>请按照以下步骤找回密码</span> </div> </div></div> <div class="h20 "></div> <div class="container"> <!-- start:Row --> <div class="row"> <!-- start:Wall --> <div class="col-md-4 col-md-offset-4 pb20 panel panel-default" style="padding:0;"> <div class="panel-heading mt10"> <span class="fz18">重新设置密码</span> <span class="fr"> <a href="/login.html">返回登录</a></span> </div> <div id="result" class="result mt10 mb10" style="display:none;color:red;width:260px;"></div> <form class="form-horizontal" id="theForm" method="post" action="/newPwd.action" enctype="multipart/form-data" style="padding:10px 15px 20px;"> <div class="form-group pt20 clearfix"> <label class="col-md-4 control-label"><span class="red">* </span>新密码</label> <div class="col-md-7 pr30 pt5"> <input id="newPassword" name="newPassword" class="form-control" autocomplete="off" type="password" onblur="isMust(this.value)"> </div> </div> <div class="h10"></div> <div class="form-group clearfix"> <label class="col-md-4 control-label"><span class="red">* </span>确认密码</label> <div class="col-md-7 pr30 pt5"> <input id="re_newPassword" name="re_newPassword" class="form-control" autocomplete="off" type="password"> </div> </div> <div class="h10"></div> <input id="btnauthcode" name="btnauthcode" onclick="validate()" class="btn btn-primary btn-block" value="保 存" type="button"> </form> </div> </div></div><!-- end center--><script type="text/javascript">var pas = /^\w+$/i;function validate(){ var new1 = $("#newPassword").val(); var new2 = $("#re_newPassword").val(); if(new1==null || new1==""){ alert("请输入新密码。"); return false; } //wangyarong 2015-05-26 
update 不限制特殊字符 //if(new1.length<6 || !new1.match(pas)){ if(new1.length<6){ $("#newPassword").val(""); $("#re_newPassword").val(""); $("#new_pwd_status").html("至少6位,由字母、数字、下划线组成。"); } if(new2==null || new2==""){ $("#new_pwd_status").html("请确认新密码。"); return false; } if( new1!=new2 ){ $("#new_pwd_status").html("两次密码不一致。"); return false; } $("#theForm").submit();}function isMust(doc){ if(doc.length<6 || !doc.match(pas)){ $("#newPassword").val(""); $("#new_pwd_status").html("至少6位,由字母、数字、下划线组成"); return false; }}</script> <style>body{font-size:14px;}</style><div class="box bgfooter"> <div class="wide_box"> <div class="lovelink"> <a class="tit">友情链接</a> <a href="http://www.wangdaizhijia.com" target="_blank">网贷之家</a> <a href="http://www.p2pchina.com" target="_blank">网贷中国</a> <a href="http://www.boc.cn/" target="_blank">中国银行</a> <a href="http://www.ebatong.com" target="_blank">贝付支付</a> <a href="http://www.abchina.com/cn/" target="_blank">农业银行</a> <a href="http://www.icbc.com.cn/" target="_blank">工商银行</a> <a href="http://www.ccb.com" target="_blank">建设银行</a> <a href="http://www.bankcomm.com/BankCommSite/default.shtml" target="_blank">交通银行</a> <a href="http://ecitic.zibolan.com/" target="_blank">中信银行</a> <a href="http://www.cmbchina.com/" target="_blank">招商银行</a> </div> <div class="footer_item clearfix"> <ul class="clearfix"> <li class="f_itemA"> <a href="/article/37" target="_blank">帮助中心</a> <a href="/article/75.html" target="_blank">联系我们</a> </li> <li class="f_kf"><span>400-998-1001</span><br>客服工作时间: 早9:30-晚18:30</li> <!--xuechanggui 添加app下载的二维码 --- start --> <li class="f_wx"><span>官方微信<br>扫我一下</span></li> <li class="f_app"><span>官方APP<br>扫我一下</span></li><!--xuechanggui 添加app下载的二维码 --- end --> <li class="f_sina">新浪微博 <a href="http://weibo.com/u/5187199188" target="_blank">立即关注</a></li> <li class="f_qq">QQ群308036637</li> </ul> </div> <div class="f_copy"> <!--备案号-->财智魔方(北京)金融服务外包有限公司 网站备案号:豫ICP备14010262号-1<!--//备案号--> <br> Copyright © caizhimofang.com All Rights Reserved 
</div> <div class="f_rz clearfix"> <a target='_blank' href="http://webscan.360.cn/index/checkwebsite/url/www.caizhimofang.com"><img border="0" src="/template/caizhimofang/images/360.png"/></a><a href='http://www.anquan.org' target='_blank'><img src='/template/caizhimofang/images/aqlm.png'></a> </div> </div></div><div class="right_side_nav"> <ul> <li class="online_question"><a href="http://crm2.qq.com/page/portalpage/wpa.php?uin=4009981001&aty=0&a=0&curl=&ty=1"></a></li> <li class="Income_calculat"><a data-target="#calcModal" data-toggle="modal" href="calculator.action"></a></li> <!-- <li class="hot_line" ><a href="#"></a></li--> <li class="screen_up"><a href="javascript:;"></a></li> </ul></div><script>$(function(){ $(".screen_up").click(function(){ $("html,body").animate({scrollTop: 0}, '1000'); });});</script></body></html>
2. Start the password-reset flow again, this time for phone number 18613811111, and submit an arbitrary SMS code.
3. Intercept the request.
4. Replace the response to this request with the response captured in step 1.
5. After forwarding, the set-new-password page loads and a new password can be saved successfully.
6. Logged into the system successfully with the new password.
Password reset for the following account:
18638553589

Fix: improve the authentication logic.

Severity: High
Vulnerability Rank: 20
Confirmed: 2015-06-23 15:04
Thanks: none