当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0114252

漏洞标题:优购时尚商城重置任意用户密码漏洞(非爆破客服邮箱测试)

相关厂商:优购网

漏洞作者: 千斤拨四两

提交时间:2015-05-15 13:42

修复时间:2015-06-29 13:44

公开时间:2015-06-29 13:44

漏洞类型:设计缺陷/逻辑错误

危害等级:高

自评Rank:15

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-05-15: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-06-29: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

大哥这次你们看清楚了啊,是优购时尚商城和北京那不是一家啊,大哥不要在逗我了,挖洞很不容易的呜呜~~~~~~~~~~

详细说明:

0x1:申请一个用户来测试,先按正确的找回密码的流程走一遍(随后用客服邮箱实验吧)

1.png


要抓取找回方式的正确响应包,为的是后面客服邮箱测试需要,因为客服没有绑定手机。

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 14 May 2015 03:48:36 GMT
Content-Type: text/html;charset=UTF-8
Connection: Keep-Alive
Vary: Accept-Encoding, User-Agent
Content-Language: zh-CN
Content-Length: 8350
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache,no-store, must-revalidate">
<meta http-equiv="expires" content="0">
<title>优购网_æ‰¾å›žå¯†ç _é€‰æ‹©æ‰¾å›žå¯†ç æ–¹å¼</title>
<script type="text/javascript" src="http://s1.ygimg.cn/template/common/js/jquery-1.4.2.min.js?3.1.0"></script>
<link href="http://s2.ygimg.cn/template/common/css/base-2.css?3.1.0" type="text/css" rel="stylesheet" />
<link href="http://s2.ygimg.cn/js/common/validate/css/validator.css?3.1.0" type="text/css" rel="stylesheet" />
<link href="http://s1.ygimg.cn/template/common/css/new_log_reg.css?3.1.0" type="text/css" rel="stylesheet" />
<script type="text/javascript" src="http://s2.ygimg.cn/template/common/js/yg.common.js?3.1.0"></script>
<script type="text/javascript" src="http://s1.ygimg.cn/template/common/js/yg.member.js?3.1.0"></script>
<script type="text/javascript" src="http://s1.ygimg.cn/js/yitianmall/usercenter/findpwd.js?3.1.0"></script>
<script type="text/javascript">
var basePath = "";
</script>
</head>
<body>
<!-- reghead start-->
<!-- top nav bar created time: 2014-11-28 18:34:02-->
<div id="top_nav">
	<div class="view_area clearfix">
		<div class="yg link_box"><a href="http://www.yougou.com/#ref=all&po=logo_yougou">时尚商城</a></div>
		
		<div class="phone link_box">
			<a href="http://www.yougou.com/topics/mobile.html" class="phone_text"><i class="mobile_ico"></i>手机优购<i class="tip"></i></a>
			<div class="phone_con">
                    <p class="clearfix">
                        <span class="fl qr_code">
                        </span>
                        <span class="fl ml10">
                            <a class="btn_app_store btn" href="http://itunes.apple.com/cn/app/zhang-shang-you-gou/id504493912?mt=8" target="_blank">App Store</a>
                            <a class="btn_android_store btn" href="http://mobile.yougou.com/appVersion/package.sc?channelCode=YgYougouwebA59" target="_blank">Android</a>
                        </span>
                    </p>
                    <p class="qr_code_tip">下载安装 <strong>优购客户端</strong></p>
                </div>
		</div>
		<div class="outlets link_box" style="border-right:none"></div>
		<div class="fr">
		<div class="about_user">
			<div class="login"><a  rel="nofollow" href="javascript:login();">登录</a></div>
			<div class="register"><a  rel="nofollow" href="javascript:register();">注册</a></div>
		</div><!--about_user end -->
		<div class="my_yg link_box">
			<a href="http://www.yougou.com/my/ucindex.jhtml" class="a1">我的优购</a>
			<ul class="info_con">
				<li><a href="http://www.yougou.com/my/favorites.jhtml">我的收藏</a></li>
				<li id="commentcount"></li>
				<li id="top_msg"></li>
			</ul>
		</div>
		<div class="my_order link_box"><a href="http://www.yougou.com/my/order.jhtml" rel="nofollow">我的订单</a></div>
		<div class="notice link_box">
			<span class="notice_text">公告</span>
			<ul class="notice_con">
                    <li><a target="_blank" href="http://www.yougou.com/topics/1416561897997.html#ref=index&po=notice_notice1">运动新风尚 新品5折起</a></li>
                    <li><a target="_blank" href="http://www.yougou.com/topics/1415597386968.html#ref=index&po=notice_notice2">摩登男装 秋冬大促 1折起</a></li>
                    <li><a target="_blank" href="http://www.yougou.com/topics/1415587130097.html#ref=index&po=notice_notice3">潮靴秀美腿 价比11.11</a></li>
                    <li><a target="_blank" href="http://www.yougou.com/topics/1415605960629.html#ref=index&po=notice_notice4">女装初冬热促 爆款2折起</a></li>
                    <li><a target="_blank" href='/article/201411/87dc5ccf633611e4b7eea30f61b97b3f.shtml#ref=index&po=notice_notice5'>库房发货时间调整说明</a></li>
			</ul>
		</div>
		<div class="more link_box">
			<a href="javascript:;" class='more_text'>更多</a>
			<ul class="more_con">
				<li><a onclick="YouGou.Biz.WebToolkit.addFavorite();" href="javascript:;">收藏优购</a></li>
				<li><a href="http://www.yougou.com/help/help.html">帮助</a></li>
			</ul>
		</div>
		</div>
	</div><!--view_area end -->
</div><!--top_nav end -->
<div class="uc_hd">
	<div class="cen clearfix rel">
		<h2>æ‰¾å›žå¯†ç </h2>
		<p class="link fl">
			<a href="http://www.yougou.com" class="cblue">返回时尚商城</a>
			<!--
			|<a href="http://www.yougou.com/topics/1394617951051.html" class="cblue">OUTLETS 购划算</a>
			-->
		</p>
	</div>
</div>
<!--更换雅虎邮箱提示 start-->
<div class="uc_email_tip" id="uc_email_tip" style="display:none;">
	<i class="warn"></i><strong>由于雅虎邮箱即将停止服务</strong>ï¼Œä¸ºäº†ä¿éšœæ‚¨ä»¥åŽèƒ½å¤Ÿé€šè¿‡é‚®ç®±æ‰¾å›žå¯†ç ã€æŽ¥æ”¶è®¢å•æé†’ç­‰ï¼Œå»ºè®®å°½å¿«æŠŠè´¦å·å®Œæˆç»‘å®šå…¶ä»–é‚®ç®±ã€‚<a class="Blue" href="javascript:void(0);" id="email_bind_modify">[立即绑定]</a><i class="close"></i>
</div>
<!--更换雅虎邮箱提示 end--><!-- reghead end-->
<div class="findPwd-box cen">
	<h2 class="findPwd-title">æ‰¾å›žå¯†ç </h2>
    <ul class="findPwd-step findPwd-step2">
        <li class="step1">1.输入账号</li>
        <li class="on">2.è´¦æˆ·éªŒè¯åŠå¯†ç é‡ç½®</li>
        <li>3.å¯†ç ä¿®æ”¹æˆåŠŸ</li>
    </ul>
	<div class="findPwd-form relative findPwd-step2-list1">
		<form name="frm" method="GET">
        	<p class="findPwd-step2-t">æ‚¨å¯ä»¥é€‰æ‹©ä»¥ä¸‹æ–¹å¼æ‰¾å›žå¯†ç </p>
        <div class="findPwd-style">
            <input name="findPwd-style" type="radio" value="phone" class="findPwd-styleRadio" />
            <div class="findPwd-t">
                <p class="styleTitle">é€šè¿‡ç»‘å®šæ‰‹æœºå·ç æ‰¾å›ž</p>
                <p>您的手机130****0882å°†æ”¶åˆ°éªŒè¯ç ï¼Œé€šè¿‡ç»‘å®šæ‰‹æœºæ”¶åˆ°çš„éªŒè¯ç å®Œæˆå¯†ç é‡ç½®ï¼Œæœ¬æœåŠ¡å®Œå…¨å…è´¹ã€‚</p>
            </div>
        </div>
        	<div class="findPwd-sbt"><input type="button" class="findPwd-btn findPwd-next" onclick="checkradio()" /></div>
		</form>
	</div>
    <div class="seeProblem">
		<p>遇到问题吗?</p>
        <ul>
            <li>è‹¥å½“å‰å·ç å·²ä¸ç”¨/ä¸¢å¤±ï¼Œæˆ–æ— æ³•æ”¶åˆ°éªŒè¯ç ï¼Ÿè¯·åˆ©ç”¨é‚®ç®±æ‰¾å›žå¯†ç ï¼Œæˆ–è€…ç¡®è®¤æ˜¯å¦è¢«å…¶ä»–è½¯ä»¶æ‰€æ‹¦æˆªã€‚</li>
            <li>å¦‚æžœæŒ‰ç…§ä»¥ä¸Šæ–¹æ³•è¿˜æ˜¯æ— æ³•è§£å†³é—®é¢˜ï¼Œè¯·æ‹¨æ‰“å®¢æœçƒ­çº¿ï¼š<span class="orange b">400 163 8888</span>。</li>
        </ul>
	</div>		
</div>
<!--底部start-->
<div class="footer Gray">
	<p class="tright">Copyright &copy; 2011-2014 Yougou Technology Co., Ltd. <a href="http://www.miibeian.gov.cn" target="_blank">粤ICP备09070608号-4</a> 增值电信业务经营许可证:<a href="http://www.miibeian.gov.cn" target="_blank" style="padding-left:0" >粤 B2-20090203</a></p>
</div>
<!--底部end-->
<script type="text/javascript">
$(function(){
	$(".findPwd-style").not(".valid-code").click(function(){
		$(".findPwd-style").css("border","1px solid #ccc");
		$(this).css("border","1px solid #F67649");
		$(".findPwd-styleRadio").attr("checked","");
		$(this).find(".findPwd-styleRadio").attr("checked","checked");
	})
})
</script> 
<script src="/template/common/js/mv.js?2.9.1" type="text/javascript"></script>
<script>
 var _gaq = _gaq || [];
  _gaq.push(['_setAccount', 'UA-23566531-1']);
  _gaq.push(['_setDomainName', '.yougou.com']);
  _gaq.push(['_addOrganic', 'baidu', 'word']);
  _gaq.push(['_addOrganic', 'soso', 'w']);
  _gaq.push(['_addOrganic', '3721', 'name']);
  _gaq.push(['_addOrganic', 'yodao', 'q']);
  _gaq.push(['_addOrganic', 'vnet', 'kw']);
  _gaq.push(['_addOrganic', 'sogou', 'query']);
  _gaq.push(['_trackPageview']);
  _gaq.push(['_trackPageLoadTime']);
(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://analytic' : 'http://analytic') + '.yougou.com/ga.js?2.9.1';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();
</script>
</body>
</html>


2.png


0x2:选择手机验证,之后我们填入正确的验证码抓取返回正确响应包、

3.png


HTTP/1.1 200 OK
Server: nginx
Date: Thu, 14 May 2015 07:03:06 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 45
Connection: keep-alive
{"code":"V_OK","msg":"éªŒè¯ç æ ¡éªŒæˆåŠŸ"}


4.png


漏洞证明:

0x3:重复上面的操作我们现在就用客服用户来测试吧(仅用来测试并未破坏)。

5.png


6.png


截取到找回方式的响应包如下,可以看到是把验证发到客服自己邮箱。

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 14 May 2015 07:08:32 GMT
Content-Type: text/html;charset=UTF-8
Connection: Keep-Alive
Vary: Accept-Encoding, User-Agent
Content-Language: zh-CN
Content-Length: 8318
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache,no-store, must-revalidate">
<meta http-equiv="expires" content="0">
<title>优购网_æ‰¾å›žå¯†ç _é€‰æ‹©æ‰¾å›žå¯†ç æ–¹å¼</title>
<script type="text/javascript" src="http://s1.ygimg.cn/template/common/js/jquery-1.4.2.min.js?3.1.0"></script>
<link href="http://s2.ygimg.cn/template/common/css/base-2.css?3.1.0" type="text/css" rel="stylesheet" />
<link href="http://s2.ygimg.cn/js/common/validate/css/validator.css?3.1.0" type="text/css" rel="stylesheet" />
<link href="http://s1.ygimg.cn/template/common/css/new_log_reg.css?3.1.0" type="text/css" rel="stylesheet" />
<script type="text/javascript" src="http://s2.ygimg.cn/template/common/js/yg.common.js?3.1.0"></script>
<script type="text/javascript" src="http://s1.ygimg.cn/template/common/js/yg.member.js?3.1.0"></script>
<script type="text/javascript" src="http://s1.ygimg.cn/js/yitianmall/usercenter/findpwd.js?3.1.0"></script>
<script type="text/javascript">
var basePath = "";
</script>
</head>
<body>
<!-- reghead start-->
<!-- top nav bar created time: 2014-11-28 18:34:02-->
<div id="top_nav">
	<div class="view_area clearfix">
		<div class="yg link_box"><a href="http://www.yougou.com/#ref=all&po=logo_yougou">时尚商城</a></div>
		
		<div class="phone link_box">
			<a href="http://www.yougou.com/topics/mobile.html" class="phone_text"><i class="mobile_ico"></i>手机优购<i class="tip"></i></a>
			<div class="phone_con">
                    <p class="clearfix">
                        <span class="fl qr_code">
                        </span>
                        <span class="fl ml10">
                            <a class="btn_app_store btn" href="http://itunes.apple.com/cn/app/zhang-shang-you-gou/id504493912?mt=8" target="_blank">App Store</a>
                            <a class="btn_android_store btn" href="http://mobile.yougou.com/appVersion/package.sc?channelCode=YgYougouwebA59" target="_blank">Android</a>
                        </span>
                    </p>
                    <p class="qr_code_tip">下载安装 <strong>优购客户端</strong></p>
                </div>
		</div>
		<div class="outlets link_box" style="border-right:none"></div>
		<div class="fr">
		<div class="about_user">
			<div class="login"><a  rel="nofollow" href="javascript:login();">登录</a></div>
			<div class="register"><a  rel="nofollow" href="javascript:register();">注册</a></div>
		</div><!--about_user end -->
		<div class="my_yg link_box">
			<a href="http://www.yougou.com/my/ucindex.jhtml" class="a1">我的优购</a>
			<ul class="info_con">
				<li><a href="http://www.yougou.com/my/favorites.jhtml">我的收藏</a></li>
				<li id="commentcount"></li>
				<li id="top_msg"></li>
			</ul>
		</div>
		<div class="my_order link_box"><a href="http://www.yougou.com/my/order.jhtml" rel="nofollow">我的订单</a></div>
		<div class="notice link_box">
			<span class="notice_text">公告</span>
			<ul class="notice_con">
                    <li><a target="_blank" href="http://www.yougou.com/topics/1416561897997.html#ref=index&po=notice_notice1">运动新风尚 新品5折起</a></li>
                    <li><a target="_blank" href="http://www.yougou.com/topics/1415597386968.html#ref=index&po=notice_notice2">摩登男装 秋冬大促 1折起</a></li>
                    <li><a target="_blank" href="http://www.yougou.com/topics/1415587130097.html#ref=index&po=notice_notice3">潮靴秀美腿 价比11.11</a></li>
                    <li><a target="_blank" href="http://www.yougou.com/topics/1415605960629.html#ref=index&po=notice_notice4">女装初冬热促 爆款2折起</a></li>
                    <li><a target="_blank" href='/article/201411/87dc5ccf633611e4b7eea30f61b97b3f.shtml#ref=index&po=notice_notice5'>库房发货时间调整说明</a></li>
			</ul>
		</div>
		<div class="more link_box">
			<a href="javascript:;" class='more_text'>更多</a>
			<ul class="more_con">
				<li><a onclick="YouGou.Biz.WebToolkit.addFavorite();" href="javascript:;">收藏优购</a></li>
				<li><a href="http://www.yougou.com/help/help.html">帮助</a></li>
			</ul>
		</div>
		</div>
	</div><!--view_area end -->
</div><!--top_nav end -->
<div class="uc_hd">
	<div class="cen clearfix rel">
		<h2>æ‰¾å›žå¯†ç </h2>
		<p class="link fl">
			<a href="http://www.yougou.com" class="cblue">返回时尚商城</a>
			<!--
			|<a href="http://www.yougou.com/topics/1394617951051.html" class="cblue">OUTLETS 购划算</a>
			-->
		</p>
	</div>
</div>
<!--更换雅虎邮箱提示 start-->
<div class="uc_email_tip" id="uc_email_tip" style="display:none;">
	<i class="warn"></i><strong>由于雅虎邮箱即将停止服务</strong>ï¼Œä¸ºäº†ä¿éšœæ‚¨ä»¥åŽèƒ½å¤Ÿé€šè¿‡é‚®ç®±æ‰¾å›žå¯†ç ã€æŽ¥æ”¶è®¢å•æé†’ç­‰ï¼Œå»ºè®®å°½å¿«æŠŠè´¦å·å®Œæˆç»‘å®šå…¶ä»–é‚®ç®±ã€‚<a class="Blue" href="javascript:void(0);" id="email_bind_modify">[立即绑定]</a><i class="close"></i>
</div>
<!--更换雅虎邮箱提示 end--><!-- reghead end-->
<div class="findPwd-box cen">
	<h2 class="findPwd-title">æ‰¾å›žå¯†ç </h2>
    <ul class="findPwd-step findPwd-step2">
        <li class="step1">1.输入账号</li>
        <li class="on">2.è´¦æˆ·éªŒè¯åŠå¯†ç é‡ç½®</li>
        <li>3.å¯†ç ä¿®æ”¹æˆåŠŸ</li>
    </ul>
	<div class="findPwd-form relative findPwd-step2-list1">
		<form name="frm" method="GET">
        	<p class="findPwd-step2-t">æ‚¨å¯ä»¥é€‰æ‹©ä»¥ä¸‹æ–¹å¼æ‰¾å›žå¯†ç </p>
        <div class="findPwd-style">
            <input name="findPwd-style" type="radio" value="email" class="findPwd-styleRadio" />
            <div class="findPwd-t">
                <p class="styleTitle">通过邮箱找回</p>
                <p>您的邮箱ser****@yougou.comå°†æ”¶åˆ°éªŒè¯é‚®ä»¶ï¼Œé€šè¿‡é‚®ä»¶ä¸­çš„æ‰¾å›žé“¾æŽ¥å®Œæˆå¯†ç é‡ç½®ã€‚</p>
            </div>
        </div>
        	<div class="findPwd-sbt"><input type="button" class="findPwd-btn findPwd-next" onclick="checkradio()" /></div>
		</form>
	</div>
    <div class="seeProblem">
		<p>遇到问题吗?</p>
        <ul>
            <li>è‹¥å½“å‰å·ç å·²ä¸ç”¨/ä¸¢å¤±ï¼Œæˆ–æ— æ³•æ”¶åˆ°éªŒè¯ç ï¼Ÿè¯·åˆ©ç”¨é‚®ç®±æ‰¾å›žå¯†ç ï¼Œæˆ–è€…ç¡®è®¤æ˜¯å¦è¢«å…¶ä»–è½¯ä»¶æ‰€æ‹¦æˆªã€‚</li>
            <li>å¦‚æžœæŒ‰ç…§ä»¥ä¸Šæ–¹æ³•è¿˜æ˜¯æ— æ³•è§£å†³é—®é¢˜ï¼Œè¯·æ‹¨æ‰“å®¢æœçƒ­çº¿ï¼š<span class="orange b">400 163 8888</span>。</li>
        </ul>
	</div>		
</div>
<!--底部start-->
<div class="footer Gray">
	<p class="tright">Copyright &copy; 2011-2014 Yougou Technology Co., Ltd. <a href="http://www.miibeian.gov.cn" target="_blank">粤ICP备09070608号-4</a> 增值电信业务经营许可证:<a href="http://www.miibeian.gov.cn" target="_blank" style="padding-left:0" >粤 B2-20090203</a></p>
</div>
<!--底部end-->
<script type="text/javascript">
$(function(){
	$(".findPwd-style").not(".valid-code").click(function(){
		$(".findPwd-style").css("border","1px solid #ccc");
		$(this).css("border","1px solid #F67649");
		$(".findPwd-styleRadio").attr("checked","");
		$(this).find(".findPwd-styleRadio").attr("checked","checked");
	})
})
</script> 
<script src="/template/common/js/mv.js?2.9.1" type="text/javascript"></script>
<script>
 var _gaq = _gaq || [];
  _gaq.push(['_setAccount', 'UA-23566531-1']);
  _gaq.push(['_setDomainName', '.yougou.com']);
  _gaq.push(['_addOrganic', 'baidu', 'word']);
  _gaq.push(['_addOrganic', 'soso', 'w']);
  _gaq.push(['_addOrganic', '3721', 'name']);
  _gaq.push(['_addOrganic', 'yodao', 'q']);
  _gaq.push(['_addOrganic', 'vnet', 'kw']);
  _gaq.push(['_addOrganic', 'sogou', 'query']);
  _gaq.push(['_trackPageview']);
  _gaq.push(['_trackPageLoadTime']);
(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://analytic' : 'http://analytic') + '.yougou.com/ga.js?2.9.1';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();
</script>
</body>
</html>


7.png


0x4:次步要把我们0x1步里抓到的响应包替换此处放行,就会看到亮点。

8.png


虽然可以到手机发送验证码的页面,但是手机号并不会得到验证码,次步我们可以绕过验证码,修改响应包的数据,就可成功到重置密码页面。

10.png


这是我们随意填的验证码,看到是4位的是不是想到爆破,但是不行的,不过没关系可绕过。

11.png


响应包自然是错误,我们把这里的响应包给改了,改成0x2里正确的响应包在放行,看效果。

12.png


哈哈直接到了修改密码的页面,把密码设置为wooyun123吧。

13.png


14.png


0x5:登陆客服账户验证。

16.png


17.png

修复方案:

写的过程很详细,求给20rank,测试真的很累啊!!!
完善服务端的验证机制,不单单是前端。

版权声明:转载请注明来源 千斤拨四两@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞Rank:15 (WooYun评价)