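2015-11-30: Details reported to the vendor; awaiting vendor handling
2015-12-03: Vendor confirmed; details disclosed to the vendor only
2015-12-13: Details disclosed to core white hats and experts in related fields
2015-12-23: Details disclosed to regular white hats
2016-01-02: Details disclosed to intern white hats
2016-01-17: Details disclosed to the public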
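To avoid affecting the business, I did not test against a wealthy user's phone number; I verified the issue only with another account of my own.
Target: http://www.super8.com.cn/
1. Go to the password recovery page
2. At the identity verification step, enter an arbitrary SMS verification code
3. After submitting the wrong code, intercept the response, replace the error response with a success response, and change the phone number it contains to the target phone number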
<!DOCTYPE html><html lang="zh-cn"><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta http-equiv="pragma" content="no-cache"> <title>速8酒店官网-全国酒店查询预订,照片,点评</title> <meta name="keywords" content="速8,Super8,速八,速8酒店,速8酒店预订,速八酒店,速八酒店预订,40018-40018,酒店预订,酒店预定,宾馆预订,连锁酒店,经济型酒店,特价酒店,会员打折,网上订房,连锁加盟,加盟酒店,温德姆酒店集团,WYNDHAM" /> <meta name="description" content="美国速8国际有限公司是全球最大的经济型连锁酒店运营商之一,2004年进入中国。速8在中国近200多座城市拥有约1000家酒店,为您提供干净和友好的酒店服务。" /> <script src="/Statics/scripts/base/gomobile.js"></script> <link href="/Statics/css/base.css" rel="stylesheet"/><link href="/Statics/css/2015q2.css" rel="stylesheet"/><link href="/Statics/css/homeAd.css" rel="stylesheet"/> <script src="/Statics/Data/arounddata.js?151030152833205" charset="utf8"></script> <script src="/Statics/Data/citydata.js?151102094452539"></script> <script src="/Statics/Data/hoteldata.js?151102094452836"></script> <script src="/Statics/scripts/base/jquery-1.9.1.js"></script><script src="/Statics/scripts/base/jquery.datepicker.js"></script><script src="/Statics/scripts/base/popup.js"></script><script src="/Statics/scripts/base/base.js"></script><script src="/Statics/scripts/base/reference.js"></script><script src="/Statics/scripts/base/enum.js"></script> <script> var _hmt = _hmt || [];(function() { var hm = document.createElement("script");hm.src = "//hm.baidu.com/hm.js?5ea893975c140fb2300e807a3da2b058"; var s = document.getElementsByTagName("script")[0];s.parentNode.insertBefore(hm, s); })(); </script></head><body class="page-login"><link href="/Statics/css/login.css" rel="stylesheet" /><script type="text/javascript"> try { var _oztime = (new Date()).getTime(); var _ozuid; var _user = ""; var _domain = document.domain.match(/\.[a-zA-Z0-9.-]+/); if ($.cookie("ozuid")) { if ($.cookie("ozuid") == _user) { _ozuid = $.cookie("ozuid"); } else { $.cookie("ozuid", _user, { path: "/", expires: 365, domain: _domain }); _ozuid = $.cookie("ozuid"); } } else { $.cookie("ozuid", _user, { path: "/", 
expires: 365, domain: _domain }); _ozuid = $.cookie("ozuid"); } } catch (e) {}</script><div id="mask"></div><div class="top_head"> <div class=" top_head_left"> <img src="/Statics/images/slogan.png" width="382" height="26" /> </div> <div class=" top_head_right"> <img src="/Statics/images/app_ad.png" width="200" height="58" /> </div> <div class="top-head-400">预订热线 40018-40018</div> <div class="top-head-pop"> <div class="pop-img"></div> <a href="/activity/iSuper8" class="pop-bottom" target="_blank">速8酒店手机版 ></a> </div> <div class="top_logo"> <img src="/Statics/images/top_logo.png" width="52" height="80" /> </div></div><div class="top_menu"> <div class="top_menu_text"> <a href="/" class="hover">首页</a> <a href="/Hotel/List" class="">酒店预订</a> <a href="/TeamBuy/Index" class="">客房团购</a> <a href="/MemInfo/MemLogin" class="">会员专区</a> <a href="/Gift/Index" target="_blank" class="">兑换商城</a> <a href="/Article/Investment" class="">加盟速8</a> <a href="/Company/ComPreferential" class="">企业客户</a> </div> <div class="top_menu_mys8"> <em class="mys8-menu"><a href="javascript:void(0)" onclick="popupMemberSupper('pop-login');" id="dlogin">登录 | </a><a id="dregister" href="javascript:void(0)">注册</a></em> <span> <a href="/MemInfo/MemLogin" onclick="return false;" class="mys8-menu ">我的速8</a> <!--有待付款订单时class中添加alert-pay--> <div class="dropmenu-content dropmenu-nlogin"> <a href="/MemInfo/MemLogin" class="login-btn">登录</a><br /> <a href="/MemInfo/MemLogin?tabconpanytype=1" class="login-company">企业会员登录</a> </div> </span> </div></div><!--登录框弹出层--><div style="z-index: 19999; position: fixed; top: 45px; left: 50.5px;"> <div class="box-login" id="pop-login" style="display: none;"> <div class="close"> <a href="javascript:void(0)" id="closelogin" onclick="closeWindow('pop-login')"> <img src="/Statics/images/close-icon.gif" /> </a> </div> <div class="title-barlogin title-bar-pop"> <h2 class="tab-person current" id="checkchengeindexlogin"><em>个人</em>登录</h2> <h2 class="tab-company" 
id="checkchengeindexlogincompany"><em>企业</em>登录</h2> </div> <div class="login-tab-content login-tab-content-pop"> <div class="tab-person"><form action="/MemInfo/IndexLogin" id="IndexLogin" method="post"> <div id="Indexloginerror"> </div> <div class="form-group form-group-name"> <label class="ui-placeholder" for="input-name" node_type="key"> <span class="placeholder-text">手机号码</span> <input id="LoginName" name="LoginName" type="text" value="" /> </label> <input id="RefUrl" name="RefUrl" type="hidden" value="" /> </div> <div class="form-group form-group-password"> <label class="ui-placeholder" for="input-pw" node_type="key"> <span class="placeholder-text">密码</span> <input id="PassWd" name="PassWd" type="password" /> </label> </div> <div class="item item-remember"> <a class="link-forgot fr" href="/Forgotpwd/Forgotpwd1">忘记密码</a> <label for="input-remember"> <input id="RememberMe" name="RememberMe" type="checkbox" value="true" /><input name="RememberMe" type="hidden" value="false" /> 记住我</label> </div> <div class="item"> <a href="javascript:void(0)" id="btn3" class="btn"></a> </div> <a class="btn btn-nMem" href="#" onclick="closeWindow('pop-login');"><em>非会员直接预订</em></a> <dl class="item item-third"> <dt><a id="tandregister" href="javascript:void(0)">立即注册</a></dt> </dl> </form> </div> <div class="tab-company" style="display: none"><form action="/Company/IndexCompanyLogin" id="IndexCompanyLogin" method="post"> <div id="Indexcompanyloginerror"> </div> <div class="form-group form-group-name"> <label class="ui-placeholder" for="input-name" node_type="key"> <span class="placeholder-text">企业用户名</span> <input id="LoginName" name="LoginName" type="text" value="" /> </label> </div> <div class="form-group form-group-password"> <label class="ui-placeholder" for="input-pw" node_type="key"> <span class="placeholder-text">密码</span> <input id="PassWd" name="PassWd" type="password" /> </label> </div> <div class="item item-remember"> <a class="link-forgot fr" 
href="/Forgotpwd/Forgotpwd1">忘记密码</a> <label for="input-remember"> <input id="RememberMe" name="RememberMe" type="checkbox" value="true" /><input name="RememberMe" type="hidden" value="false" /> 记住我</label> </div> <div class="item"> <a href="javascript:void(0)" id="btn4" class="btn"></a> </div> <a class="btn btn-nMem" href="/Hotel/List"><em>非会员直接预订</em></a> <dl class="item item-third"> <dt><a href="/Register/RegisterCompany">立即注册企业会员</a></dt> </dl> </form> </div> </div> </div></div><script src="/Statics/scripts/business/UC/HeardInfo.js"></script><link href="/Statics/css/forgetpass.css" rel="stylesheet" /><form action="/Forgotpwd/Forgotpwd5" method="post"> <div class="wrapper grid-950"> <h4 class="fp-title mt50">找回密码</h4> <div class="fpassCtnWrap"> <ul class="fsteps"> <li class="first"><span><i>1</i><em>输入账户名</em></span></li> <li class="center"><span><i>2</i><em>验证身份</em></span></li> <li class="center ccurrent"><span><i>3</i><em>重置密码</em></span></li> <li class="end"><span><i>4</i><em>完成</em></span></li> </ul> <div class="formWrap"> <div class="fwSpan ui-placeholder-re"> <label class="tit">新密码</label> <label for="new-pass"> <input class="i_text_f" id="new-pass" name="UsPwd" placeholder="密码长度6-14位,区分大小写" type="password" /> <input id="UsPhone" name="UsPhone" type="hidden" value="18121217291" /> </label> </div> <div class="fwSpan fwSpan2"> <label class="tit">确认密码</label> <input class="i_text_f" id="UsPwd2" name="UsPwd2" type="password" /> </div> <button type="submit" class="fp-btn">下一步</button> </div> </div> </div></form><script> $(document).ready(function () { var phone = '18121217291'; $("#UsPhone").val(phone); });</script> <div class="footer"> <div class="k_link"> <div> <h3> <img src="/Statics/images/f_icon_zn.png" width="32" height="32" />订房指南</h3> <ul> <li><a href="/News/42004.html">预订酒店</a></li> <li><a href="/News/42005.html">修改取消订单</a></li> <li><a href="/News/42502.html">入住和离店</a></li> <li><a href="/News/42503.html">团购和钟点房</a></li> <li><a 
href="/News/42009.html">余额账户使用</a></li> <li><a href="/News/42007.html">代金券规则</a></li> </ul> </div> <div> <h3> <img src="/Statics/images/f_icon_hy.png" width="32" height="32" />会员服务</h3> <ul> <li><a href="/News/42001.html">成为速8会员</a></li> <li><a href="/News/42017.html">会员等级和权益</a></li> <li><a href="/News/42010.html">间夜点数获取与使用</a></li> <li><a href="/Article/MemberAnnouncement">会员公告</a></li> </ul> </div> <div> <h3> <img src="/Statics/images/f_icon_zf.png" width="32" height="32" />支付方式</h3> <ul> <li><a href="/News/42019.html">前台付款</a></li> <li><a href="/News/42021.html">网上预付房费</a></li> <li><a href="/News/42022.html">信用卡担保</a></li> <li><a href="/News/42020.html">发票说明</a></li> </ul> </div> <div class="nofl"> <h3> <img src="/Statics/images/f_icon_jm.png" width="32" height="32" />酒店加盟</h3> <ul> <li><a href="/News/40282.html">合作方式</a></li> <li><a href="/Article/Investment">招商会信息</a></li> <li><a href="/News/40281.html">速8中国样板间</a></li> <li><a href="/News/40283.html">在线加盟申请表</a></li> <li><a href="/News/40430.html">投资方向</a></li> <li><a href="/News/40425.html">指定/推荐供应商</a></li> </ul> </div> </div> <div class="b_link"><a href="/News/41119.html">关于速8</a>|<a href="/Article/Contact">联系我们</a>|<a href="/Article/News">速8动态</a>|<a href="/Hotel/List">酒店列表</a>|<a href="http://myportal.super8.com.cn/" target="_blank">业主门户</a>|<a href="/News/41005.html">使用条款</a>|<a href="/News/41120.html">温德姆集团</a>|<a href="http://job.super8.com.cn/" target="_blank">招贤纳士</a>|<a href="/News/41006.html">友情链接</a>|<a href="/News/41007.html">隐私声明</a></div> <div class="b_logobox"> <img src="/Statics/images/blogo-01.png" width="168" height="37" /> <div class="b-logos-wrap"> <ul class="firstUl"> <li><a target="_blank" id="fb_dolce" href="http://www.dolce.com">Dolce Hotels and Resorts</a></li> <li><a target="_blank" id="fb_wyndham_grand_collection" href="http://www.wyndham.com/">Wyndham Grand ® Collection</a></li> <li><a target="_blank" id="fb_wyndham_hotels_resorts" href="http://www.wyndham.com/">Wyndham ® Hotels 
and Resorts</a></li> <li><a target="_blank" id="fb_wyndham_garden" href="http://www.wyndham.com/">Wyndham Garden ®</a></li> <li><a target="_blank" id="fb_tryp" href="http://www.tryphotels.com/">Tryp</a></li> <li><a target="_blank" id="fb_wingate" href="http://www.wingatehotels.com/">Wingate ® by Wyndham</a></li> <li><a target="_blank" id="fb_hawthorn" href="http://www.hawthorn.com/">Hawthorn ® Suites by Wyndham</a></li> <li><a target="_blank" id="fb_microtel" href="http://www.microtelinn.com/">Microtel ® Inn & Suites</a></li> </ul> <ul> <li><a target="_blank" id="fb_ramada" href="http://www.ramada.com/">Ramada ®</a></li> <li><a target="_blank" id="fb_baymont" href="http://www.baymontinns.com/">Baymont ® Inn & Suites</a></li> <li><a target="_blank" id="fb_days_inn" href="http://www.daysinn.com">Days Inn ®</a></li> <li><a target="_blank" id="fb_super8" href="http://www.super8.com/">Super 8 ®</a></li> <li><a target="_blank" id="fb_howard_johnson" href="http://www.hojo.com/">Howard Johnson ®</a></li> <li><a target="_blank" id="fb_travelodge" href="http://www.travelodge.com/">Travelodge ®</a></li> <li><a target="_blank" id="fb_knights_inn" href="http://www.knightsinn.com/">Knights Inn ®</a></li> </ul> </div> </div> <div class="copyright">Copyright © 2004-2015 速8酒店 Super 8 Hotel (China) Co., Ltd, All Rights Reserved. 京ICP备13008407号-1 京公网安备110105005616</div></div><script src="/Statics/scripts/analytics/o_code.js"></script><!--弹出层广告--> <script src="/Statics/scripts/control/global.js"></script><script src="/Statics/scripts/control/login.js"></script></body></html>
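4. Enter the new password
5. The password is reset successfully
Same as above
At the final step, the verification code can be sent to the server again and verified once more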
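The fix suggested above, generalized into server-side reset state, as an added example that is not code from the report or from the vendor's site. `ResetFlow`, its method names, the TTL and the attempt limit are hypothetical; only the form field names `UsPhone` and `UsPwd` come from the captured response, and `reset_vulnerable` models the behaviour the report describes.

```python
import hmac
import secrets
import time

CODE_TTL = 300      # seconds a code stays valid (assumed value)
MAX_ATTEMPTS = 5    # wrong guesses allowed per issued code (assumed value)

class ResetFlow:
    """Server-side state for password-reset sessions (hypothetical model)."""
    def __init__(self, accounts):
        self.accounts = accounts   # phone -> password (plaintext only for the demo)
        self.pending = {}          # session id -> reset state

    def start(self, session_id, phone, now=None):
        code = f"{secrets.randbelow(10**6):06d}"
        issued = time.time() if now is None else now
        self.pending[session_id] = {"phone": phone, "code": code, "tries": 0,
                                    "issued": issued, "verified": False}
        return code  # delivered by SMS only, never echoed to the browser

    def verify(self, session_id, submitted, now=None):
        st = self.pending.get(session_id)
        now = time.time() if now is None else now
        if st is None or now - st["issued"] > CODE_TTL:
            return False
        st["tries"] += 1
        if st["tries"] > MAX_ATTEMPTS:
            del self.pending[session_id]   # force a fresh code after too many guesses
            return False
        st["verified"] = hmac.compare_digest(submitted.encode(), st["code"].encode())
        return st["verified"]

    def reset_vulnerable(self, form):
        # Reported behaviour: the last step trusts the hidden UsPhone field and
        # relies on the browser having been shown the "success" page.
        self.accounts[form["UsPhone"]] = form["UsPwd"]
        return True

    def reset_hardened(self, session_id, form):
        st = self.pending.pop(session_id, None)   # single use: state is consumed
        if st is None or not st["verified"]:
            return False
        # The phone comes from server state; form["UsPhone"] is ignored.
        self.accounts[st["phone"]] = form["UsPwd"]
        return True
```

With this design a tampered response only changes what the browser displays; the final step succeeds solely for the phone number whose code was verified on the server.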
Severity: Medium
Vulnerability Rank: 8
Confirmed: 2015-12-03 12:26
Thanks for the reminder
None yet