
漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0140434

漏洞标题:快保通任意用户密码重置漏洞(可导致576719万订单信息泄露)

相关厂商:快保通

漏洞作者: 路人甲

提交时间:2015-09-11 11:50

修复时间:2015-10-26 11:52

公开时间:2015-10-26 11:52

漏洞类型:成功的入侵事件

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:



漏洞详情

披露状态:

2015-09-11: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-10-26: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

、、、、

详细说明:

1.png

2.png

3.png

4.png

5.png


6.png

7.png


8.png

9.png

101.png

漏洞证明:

[email protected]
jinri@#$1810
www.baikuai.net
www.inskuai.net/
http://www.100kuai.cn/
http://www.inskuai.com/
另外,请删除站点上的 bin.rar、www.rar,service 站点上也有。
这套系统 据说现在只卖给了一家,911这叫票代,
系统分为 权限系统,支付系统,前台,后台,控制台 然后你们懂的
<?xml version="1.0"?>
<configuration>
<!-- Registers the configuration section handlers for system.web.extensions
     (scripting and scripting/webServices). Every handler type is taken from
     System.Web.Extensions, Version=3.5.0.0. This part of the file carries no
     credentials or keys. -->
<configSections>
<sectionGroup name="system.web.extensions"
type="System.Web.Configuration.SystemWebExtensionsSectionGroup, System.Web.Extensions,
Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35">
<sectionGroup name="scripting" type="System.Web.Configuration.ScriptingSectionGroup,
System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35">
<section name="scriptResourceHandler"
type="System.Web.Configuration.ScriptingScriptResourceHandlerSection,
System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"
requirePermission="false" allowDefinition="MachineToApplication"/>
<sectionGroup name="webServices"
type="System.Web.Configuration.ScriptingWebServicesSectionGroup, System.Web.Extensions,
Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35">
<!-- allowDefinition="Everywhere": jsonSerialization may be set at any configuration
     level; the sections marked MachineToApplication cannot be set below the
     application root. -->
<section name="jsonSerialization"
type="System.Web.Configuration.ScriptingJsonSerializationSection, System.Web.Extensions,
Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"
requirePermission="false" allowDefinition="Everywhere"/>
<section name="profileService"
type="System.Web.Configuration.ScriptingProfileServiceSection, System.Web.Extensions,
Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"
requirePermission="false" allowDefinition="MachineToApplication"/>
<section name="authenticationService"
type="System.Web.Configuration.ScriptingAuthenticationServiceSection,
System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"
requirePermission="false" allowDefinition="MachineToApplication"/>
<section name="roleService"
type="System.Web.Configuration.ScriptingRoleServiceSection, System.Web.Extensions,
Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"
requirePermission="false" allowDefinition="MachineToApplication"/>
</sectionGroup>
</sectionGroup>
</sectionGroup>
</configSections>
<!-- Application settings: two symmetric keys and two cache lifetimes, all stored
     in clear text.
     NOTE(review): both key values are public through this report and should be
     treated as compromised. Rotate them and keep the replacements out of a
     readable web.config, for example by encrypting the section with
     aspnet_regiis -pe "appSettings". The original comments also state that a
     missing key falls back to the constant 88888888, so deleting a key does not
     turn protection off; it selects a key that anyone can guess. The fallback
     should be removed in code so that a missing key is a startup error. -->
<appSettings>
<!-- String encryption key; when not configured the default is 88888888. -->
<!-- NOTE(review): the value is 8 punctuation characters, i.e. low entropy. How
     the application uses it (algorithm, what data) is not visible in this file. -->
<add key="EncryptKey" value="!@#$%^~*"/>
<!-- Cookie cache expiry time in minutes; when not configured the default is 60. -->
<add key="CookieExpiresTime" value="60"/>
<!-- Cookie key; when not configured the default is 88888888. -->
<!-- NOTE(review): with this value disclosed, anything the application protects
     with it should be considered readable and forgeable until it is rotated. -->
<add key="CookieEncryptKey" value=")!^N~f8ks.d168qd"/>
<!-- Permission (popedom tree) cache time in minutes; when not configured the default is 0. -->
<add key="CachePopedomTreeTime" value="60"/>
</appSettings>
<!-- Eleven SQL Server connection strings (provider System.Data.SqlClient). Each
     one embeds a SQL login and its password in clear text.
     NOTE(review), defensive follow-up for the operator:
     * Every credential below is public through this report. Rotate all three
       logins (100kuai, inskuai, TPLIFE) and review database and network logs for
       connections from unexpected hosts.
     * The 100kuai login (10.10.1.16) and the inskuai login (10.10.1.15) carry the
       same password value, so one disclosure exposes both servers. Give every
       login its own randomly generated secret.
     * A single login, 100kuai, serves eight databases, and VirtualRead and
       VirtualOperate are the same login on the same catalog. If those names are
       meant as a read/write split (assumption, confirm), the split is not
       enforced by database permissions. Prefer one least-privilege login per
       database and role.
     * Persist Security Info=True keeps the password retrievable from the
       connection after it has been opened. False is the default and is the
       safer setting unless some component needs the value back.
     * Keep passwords out of a readable web.config: encrypt this section with
       aspnet_regiis -pe "connectionStrings", or use integrated security so that
       no password is stored at all. -->
<connectionStrings>
<!-- Server 10.10.1.16, login 100kuai: eight catalogs. -->
<add name="VirtualRead" connectionString="Data Source=10.10.1.16;Initial
Catalog=Virtual3.0;User ID=100kuai;password=01q2we3ert4rtyu@WSX3edc$RFV%TGB;Persist
Security Info=True;" providerName="System.Data.SqlClient"/>
<add name="VirtualOperate" connectionString="Data Source=10.10.1.16;Initial
Catalog=Virtual3.0;User ID=100kuai;password=01q2we3ert4rtyu@WSX3edc$RFV%TGB;Persist
Security Info=True;" providerName="System.Data.SqlClient"/>
<add name="Rate" connectionString="Data Source=10.10.1.16;Initial Catalog=Rate;User
ID=100kuai;password=01q2we3ert4rtyu@WSX3edc$RFV%TGB;Persist Security Info=True;"
providerName="System.Data.SqlClient"/>
<add name="Order" connectionString="Data Source=10.10.1.16;initial
catalog=Order;uid=100kuai;password=01q2we3ert4rtyu@WSX3edc$RFV%TGB;Persist Security
Info=True;" providerName="System.Data.SqlClient"/>
<add name="Config" connectionString="Data Source=10.10.1.16;Initial Catalog=Config;User
ID=100kuai;password=01q2we3ert4rtyu@WSX3edc$RFV%TGB;Persist Security Info=True;"
providerName="System.Data.SqlClient"/>
<add name="User" connectionString="Data Source=10.10.1.16;Initial Catalog=User;User
ID=100kuai;password=01q2we3ert4rtyu@WSX3edc$RFV%TGB;Persist Security Info=True;"
providerName="System.Data.SqlClient"/>
<add name="Log4net" connectionString="Data Source=10.10.1.16;Initial
Catalog=Log4net;User ID=100kuai;password=01q2we3ert4rtyu@WSX3edc$RFV%TGB;Persist Security
Info=True;" providerName="System.Data.SqlClient"/>
<add name="Popedom" connectionString="Data Source=10.10.1.16;Initial
Catalog=Popedom;User ID=100kuai;password=01q2we3ert4rtyu@WSX3edc$RFV%TGB;Persist Security
Info=True;" providerName="System.Data.SqlClient"/>
<!-- Server 10.10.1.15, login inskuai: both entries point at the same catalog. -->
<add name="Insurance" connectionString="Data Source=10.10.1.15;Initial
Catalog=Ins_Database;User ID=inskuai;password=01q2we3ert4rtyu@WSX3edc$RFV%TGB;Persist
Security Info=True;" providerName="System.Data.SqlClient"/>
<add name="SsoInsurance" connectionString="Data Source=10.10.1.15;Initial
Catalog=Ins_Database;User ID=inskuai;password=01q2we3ert4rtyu@WSX3edc$RFV%TGB;Persist
Security Info=True;" providerName="System.Data.SqlClient"/>
<!-- Data Source=. is the SQL Server instance on the web server itself; login TPLIFE. -->
<add name="WIN.TPLIFE.20120224" connectionString="Data Source=.;Initial
Catalog=WIN.TPLIFE.20120224;User ID=TPLIFE;password=i1n@s3k$TPLIFEu5a^i7#DDR*;Persist
Security Info=True;" providerName="System.Data.SqlClient"/>
</connectionStrings>
<!-- Core ASP.NET settings: machineKey (commented out), session state, compilation,
     authentication, custom error pages, AJAX control/handler/module registration
     and globalization. -->
<system.web>
<!-- Used to encrypt and decrypt Forms authentication cookie data and view state
     data, and to validate out-of-process session state identifiers. -->
<!--<machineKey
validationKey="B8CEF0C74E23E7197FCC4C9E3617C0007D94D43C7F7A79C582C54B95D69B946DFD49CAF5AA72
F9A8CA2CBA040A9DF64DC1DF90DAE1214AE4F1AB7FA56DD65C0D"
decryptionKey="280450BB36319B474C996B506A95AEDF9B51211B1D2B7A77"
validation="3DES"
decryption="3DES" />-->
<!-- NOTE(review): the machineKey element above is commented out, so this file does
     not set the keys; they come from a higher-level configuration or from the
     ASP.NET defaults. The commented key material is still published with the rest
     of the file and must not be reused on any server. 3DES is a legacy algorithm;
     if a fixed key is reintroduced, generate new values and select the strongest
     algorithms the installed framework version supports. -->
<!-- Session state is kept in the worker process, tracked by cookie, 60 minute timeout. -->
<sessionState cookieless="false" mode="InProc" timeout="60">
</sessionState>
<!-- NOTE(review): debug="true" on a deployed site compiles pages with debug
     information and disables the request execution timeout. Set debug="false"
     for production. -->
<compilation debug="true">
<assemblies>
<add assembly="System.Core, Version=3.5.0.0, Culture=neutral,
PublicKeyToken=B77A5C561934E089"/>
<add assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral,
PublicKeyToken=31BF3856AD364E35"/>
<add assembly="System.Data.DataSetExtensions, Version=3.5.0.0, Culture=neutral,
PublicKeyToken=B77A5C561934E089"/>
<add assembly="System.Xml.Linq, Version=3.5.0.0, Culture=neutral,
PublicKeyToken=B77A5C561934E089"/>
<add assembly="log4net, Version=1.2.10.0, Culture=neutral,
PublicKeyToken=1B44E1D426115821"/>
</assemblies>
</compilation>
<!-- ASP.NET authentication mode is Windows and this file contains no authorization
     element, so any login and access control the application has is implemented
     in its own code (presumably with the cookie key from appSettings; confirm). -->
<authentication mode="Windows"/>
<!-- RemoteOnly: remote clients are redirected to error.aspx, requests from the
     server itself still see detailed errors.
     NOTE(review): the message text is passed in the msg query-string parameter, so
     error.aspx has to HTML-encode it before rendering; otherwise any caller can
     supply their own markup. error.aspx is not shown here; verify. -->
<customErrors mode="RemoteOnly" defaultRedirect="error.aspx">
<error statusCode="302" redirect="error.aspx?msg=请求的资源暂时驻留在另一不同的统一资
源标识符下。"></error>
<error statusCode="400" redirect="error.aspx?msg=您的输入可能有误,链接地址有错
误。"></error>
<error statusCode="401" redirect="error.aspx?msg=权限不能被认可,请退出系统重新尝试。
"></error>
<error statusCode="403" redirect="error.aspx?msg=您的输入可能有误,不具备可执行的权限
。"></error>
<error statusCode="404" redirect="error.aspx?msg=链接地址不正确,请尝试重新链
接。"></error>
<error statusCode="408" redirect="error.aspx?msg=服务器连接超时,请退出系统重新尝试。
"></error>
<error statusCode="414" redirect="error.aspx?msg=您的输入可能有误,参数传递超出范围。
"></error>
<error statusCode="500" redirect="error.aspx?msg=服务器忙,请稍后再试。"></error>
<error statusCode="503" redirect="error.aspx?msg=服务器忙或网络连接异常,请退出系统重
新尝试。"></error>
<error statusCode="505" redirect="error.aspx?msg=浏览器不支持,请升级您的浏览
器。"></error>
</customErrors>
<!-- Makes the System.Web.Extensions 3.5 controls available under the asp: tag prefix. -->
<pages>
<controls>
<add tagPrefix="asp" namespace="System.Web.UI" assembly="System.Web.Extensions,
Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
<add tagPrefix="asp" namespace="System.Web.UI.WebControls"
assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral,
PublicKeyToken=31BF3856AD364E35"/>
</controls>
</pages>
<!-- Classic-pipeline handler registration: *.asmx and *_AppService.axd are routed
     to ScriptHandlerFactory for all verbs, ScriptResource.axd for GET and HEAD. -->
<httpHandlers>
<remove verb="*" path="*.asmx"/>
<add verb="*" path="*.asmx" validate="false"
type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions,
Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
<add verb="*" path="*_AppService.axd" validate="false"
type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions,
Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
<add verb="GET,HEAD" path="ScriptResource.axd"
type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=3.5.0.0,
Culture=neutral, PublicKeyToken=31BF3856AD364E35" validate="false"/>
</httpHandlers>
<!-- Classic-pipeline modules: the AJAX ScriptModule and the session state module. -->
<httpModules>
<add name="ScriptModule" type="System.Web.Handlers.ScriptModule,
System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
<add name="Session" type="System.Web.SessionState.SessionStateModule"/>
</httpModules>
<!-- Requests and responses use the gb2312 encoding; culture zh-cn, UI culture en. -->
<globalization requestEncoding="gb2312" responseEncoding="gb2312" culture="zh-cn"
uiCulture="en"/>
</system.web>
<!-- Compiler registration for run-time compilation: the C# and Visual Basic code
     providers, both with CompilerVersion v3.5, warning level 4 and warnings not
     treated as errors. No security-relevant values are set here. -->
<system.codedom>
<compilers>
<compiler language="c#;cs;csharp" extension=".cs" warningLevel="4"
type="Microsoft.CSharp.CSharpCodeProvider, System, Version=2.0.0.0, Culture=neutral,
PublicKeyToken=b77a5c561934e089">
<providerOption name="CompilerVersion" value="v3.5"/>
<providerOption name="WarnAsError" value="false"/>
</compiler>
<compiler language="vb;vbs;visualbasic;vbscript" extension=".vb" warningLevel="4"
type="Microsoft.VisualBasic.VBCodeProvider, System, Version=2.0.0.0, Culture=neutral,
PublicKeyToken=b77a5c561934e089">
<providerOption name="CompilerVersion" value="v3.5"/>
<providerOption name="OptionInfer" value="true"/>
<providerOption name="WarnAsError" value="false"/>
</compiler>
</compilers>
</system.codedom>
<!-- IIS integrated-pipeline counterpart of the system.web handler and module
     registrations in this file. validateIntegratedModeConfiguration="false"
     switches off the check that would otherwise report the system.web
     httpHandlers/httpModules entries when the site runs in integrated mode, so
     both sets of registrations can coexist. -->
<system.webServer>
<validation validateIntegratedModeConfiguration="false"/>
<!-- ScriptModule is removed and re-added so that it runs only for managed handlers. -->
<modules>
<remove name="ScriptModule"/>
<add name="ScriptModule" preCondition="managedHandler"
type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0,
Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
</modules>
<!-- Existing handler entries are removed first, then registered again against
     System.Web.Extensions 3.5.0.0 for integrated mode. -->
<handlers>
<remove name="WebServiceHandlerFactory-Integrated"/>
<remove name="ScriptHandlerFactory"/>
<remove name="ScriptHandlerFactoryAppServices"/>
<remove name="ScriptResource"/>
<add name="ScriptHandlerFactory" verb="*" path="*.asmx" preCondition="integratedMode"
type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions,
Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
<add name="ScriptHandlerFactoryAppServices" verb="*" path="*_AppService.axd"
preCondition="integratedMode" type="System.Web.Script.Services.ScriptHandlerFactory,
System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
<add name="ScriptResource" preCondition="integratedMode" verb="GET,HEAD"
path="ScriptResource.axd" type="System.Web.Handlers.ScriptResourceHandler,
System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
</handlers>
</system.webServer>
<!-- Assembly binding redirects: references to System.Web.Extensions and
     System.Web.Extensions.Design in the version range 1.0.0.0-1.1.0.0 are bound
     to version 3.5.0.0. -->
<runtime>
<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
<dependentAssembly>
<assemblyIdentity name="System.Web.Extensions" publicKeyToken="31bf3856ad364e35"/>
<bindingRedirect oldVersion="1.0.0.0-1.1.0.0" newVersion="3.5.0.0"/>
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name="System.Web.Extensions.Design"
publicKeyToken="31bf3856ad364e35"/>
<bindingRedirect oldVersion="1.0.0.0-1.1.0.0" newVersion="3.5.0.0"/>
</dependentAssembly>
</assemblyBinding>
</runtime>
<!-- Script-services JSON serializer limit. maxJsonLength is set to 2147483647,
     the largest 32-bit signed integer, which in effect removes the length limit.
     NOTE(review): unless payloads of that size are required, choose a bound that
     fits the largest legitimate message so that oversized JSON cannot be used to
     exhaust server memory. -->
<system.web.extensions>
<scripting>
<webServices>
<jsonSerialization maxJsonLength="2147483647"/>
</webServices>
</scripting>
</system.web.extensions>
</configuration>
就不深入了。。。。

修复方案:

你们说安全运营了四年了,这次能好好改改了

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞Rank:15 (WooYun评价)