当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0205729

漏洞标题:APP安全之鱼泡泡无效xss杀入俩后台系统操控80万用户

相关厂商:yupaopao.cn

漏洞作者: 小龙

提交时间:2016-05-11 13:09

修复时间:2016-06-25 13:20

公开时间:2016-06-25 13:20

漏洞类型:XSS 跨站脚本攻击

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-05-11: 细节已通知厂商并且等待厂商处理中
2016-05-11: 厂商已经确认,细节仅向厂商公开
2016-05-21: 细节向核心白帽子及相关领域专家公开
2016-05-31: 细节向普通白帽子公开
2016-06-10: 细节向实习白帽子公开
2016-06-25: 细节向公众公开

简要描述:

111

详细说明:

下载APP 鱼泡泡 的APP, 反馈建议输入xss
然后坐等cookie
等到俩,不过cookie都过期进不去

location : http://yunying.yupaopao.cn/home/nim
toplocation : http://yunying.yupaopao.cn/home/nim
cookie : XSRF-TOKEN=eyJpdiI6IkRkYWJISkZjbUxXT1lsWmNQV0phQlE9PSIsInZhbHVlIjoiZmNwazc5ZkRYWmtXVkkxZDRnYzBYYklvMTZpSEtiektSR2RHd0F4elBldUtJeEh1a1NBZzIrR2NZS1FrRE5BMGpnWUJrOXQ4SGdqMVpiK3krekxOZ0E9PSIsIm1hYyI6IjljOGJlMDNiYTVmOTAzYzNkYTMxZmMzOGI2NWFmYWM5OGQ1YWY3OGFhNjJkMTViZTBhNmY5MDAxZDA2ZTgzYTUifQ%3D%3D


toplocation : http://121.40.188.99/admin/index#rechargeList
cookie : ci_session=a%3A6%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22c25970a13b81d10f3d6a869e104a8888%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A14%3A%22101.81.229.174%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A120%3A%22Mozilla%2F5.0 %28Windows NT 6.1%3B WOW64%29 AppleWebKit%2F537.36 %28KHTML%2C like Gecko%29 Chrome%2F38.0.2125.122 Safari%2F537.36 SE 2.X Met%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1462390551%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A13%3A%22session_admin%22%3BO%3A8%3A%22stdClass%22%3A9%3A%7Bs%3A4%3A%22role%22%3Bs%3A32%3A%22f521f2c69931eabcf2b834e6008b043a%22%3Bs%3A2%3A%22id%22%3Bs%3A32%3A%223e000929e52e97d503bd9db643c87004%22%3Bs%3A8%3A%22username%22%3Bs%3A6%3A%22%E5%BC%A0%E8%B6%85%22%3Bs%3A5%3A%22token%22%3Bs%3A32%3A%2248c122fe22b28d05840a3d56c5241c1f%22%3Bs%3A6%3A%22gender%22%3Bs%3A1%3A%221%22%3Bs%3A6%3A%22avatar%22%3Bs%3A41%3A%22upload%2Favatar%2F20150507%2F14309661165878.jpg%22%3Bs%3A4%3A%22name%22%3Bs%3A21%3A%22%E9%B1%BC%E6%B3%A1%E6%B3%A1%E5%A4%A7%E7%A5%9E%E5%AE%A2%E6%9C%8D%22%3Bs%3A4%3A%22city%22%3Bs%3A1%3A%220%22%3Bs%3A5%3A%22roles%22%3Bs%3A2738%3A%224cc10b57c12c70cdfd6ad4b7aa08563f%2C452559355d373a13b5c13cbcb0cbcaf1%2C452559355d373a13b5c13cbcb0cbcaf1%2C06c2a6b3cbabe1848d95c2d161cef8db%2Ce031413d7ce068cba1feb2a2409a0e51%2Ce031413d7ce068cba1feb2a2409a0e51%2Ca8bb9fa022acaf89b4012104bac506df%2C0d197d817d5d25f1103295289f75d683%2C18f8e14ac1a41d9fe5f9e65fe0855ec5%2Cf98482963bf38777336a49f3f94ac768%2Cf98482963bf38777336a49f3f94ac768%2Cdd01d648c7a7733f73e9fe3db6d8c0ae%2C99f3a6619fcb38057795f2b46c0e5da7%2C99f3a6619fcb38057795f2b46c0e5da7%2C5c982d0b0ba5657ee5f0dac11e0ad30b%2C16fb0eac9fa1b58ab14b49339418744c%2Cf282ffb4f82a3010fa5c099e5c296c99%2C26d9b611fea05dd6d5a1da76b5ba5336%2C17d6db163a9ec87775ccd8052215dc24%2C68b3cc7809032edce8e67d2e4fbfe6ec%2Cfe1fa945e66da5cf317925e686c2f81f%2C6cb431633be134e17d9c865af19d4514%2C8e2c8e63bf2a8d32d8244698adab89ea%2C8e2c8e63bf2a8d32d8244698adab89ea%2C690804cf744c3d36f86c960fda9c812a%2Cc8324d0190290bb235b95bb3cfc2a6b0%2Cc8324d0190290bb235b95bb3cfc2a6b0%2Cdc94e6417af696a9616840552435f798%2Cdc94e6417af696a9616840552435f798%2Cfad6f6b3144c574031b27561a7e9a0d2%2C779799cf8934365707b0d93f164ee44d%2Cbe3effe13c2fd269d7551f96f01c0f32%2C5ebfc8481fcddc214b48588e117daa99%2C856f6486d77bebfb1a0f26a0c0a22edc%2Ce9ef4b4229ec0b20a1566ed691c4d2d9%2C16fe48747833d30cfe867cf2fc191806%2C16fe48747833d30cfe867cf2fc191806%2Cf9de10ec9a059afa79b88bc77a079e59%2C4b34c2ca8056872d33428fb688d00e06%2C60b733ff0789c6085a0cc63ddb8fa2bc%2C670668852853da0032e3f4eed99e28af%2C50b4cff0fcc6e17c6506aee3d2204d96%2C9ce4606c8cf2e835eb923d4e18904c40%2Caadc04d96de1716f3eb30e256bd9e3c3%2C4bcd6b19dec558a1b81c67e7086e0faf%2C4bcd6b19dec558a1b81c67e7086e0faf%2C636696f14d619041f331a62ef813b767%2C12771c9d455367003a68138edc8c9df9%2C12771c9d455367003a68138edc8c9df9%2C06c3bd223bd135c3714bedba29408028%2Cfa15fba94e01d4b802cad7c492780e7e%2Ce2ce55df4407856d7921080298373e2d%2Cfdd2dc65524cd8fb8175934b8c687423%2Cfdd2dc65524cd8fb8175934b8c687423%2C55ebf33d9636bf40c644e545fd543feb%2C52a6289c60d0d3112d8b331fd98ff5e4%2Cde8fbcf7bf06846cabfa21fee6cc7123%2Ccdfbf0db5c4535e3effb545ea0c11517%2Ccc8646430c9f113f500622600e80ae34%2Cb5ef594bec43e5d7fb6ebd1648ddf5fe%2Cb280938f495e2cef142b20ec5746cc49%2Cb280938f495e2cef142b20ec5746cc49%2C735529e042584b67c79f49cb8f5e81d0%2C735529e042584b67c79f49cb8f5e81d0%2Cc27843a440c87f695279dd92d146a355%2Cc27843a440c87f695279dd92d146a355%2C25e675a6444daeccbf6dae9f0d3bad3a%2C6ecf9ac2bee7ad42d27b2ffdfa344243%2C6ecf9ac2bee7ad42d27b2ffdfa344243%2C1605aee88642a96b00f0e4510e9b77ac%2C1605aee88642a96b00f0e4510e9b77ac%2C7e9e3565f843aba129518f058e03bfc0%2Cfe24c2e2486191419358bfb1308ca374%2C811581afbaccf61dd8d7b91d2faadec5%2C811581afbaccf61dd8d7b91d2faadec5%2C3c0b60538ec617fc64f2c617eb5f7e08%2C498abbcdb175cee30bca883cc89ef30c%2C0abc8bd4aafa0119ebc66dd884ee0ea5%2C0abc8bd4aafa0119ebc66dd884ee0ea5%2Cb6bb75c81fcbd05312cebf6f9c3dfa60%2C52467aaee2223d49160fad9ec5a40d25%2Cc08c386ca627d390809a389181ff56db%2Cc08c386ca627d390809a389181ff56db%22%3B%7D%7D7b1efdeb5e3db98a960625b83d3ae7f6


通过一系列摸排之后
得知第一个是 运营管理系统
第二个是 客服管理系统
通过爆破客服管理系统
chenyan
liuna
zhanglin
zhangyong
guochao
liyongsheng
得知存在6位大侠的账户
然后果断用户名撞用户名
得到
guochao/guochao
liyongsheng/liyongsheng
俩弱口令
杀入进去

1.jpg


昨晚跟妹纸聊天
我还以为是机器人呢,居然不是- -

2.jpg


3.jpg


妹纸手机号码到手。(*^__^*) 嘻嘻……

4.jpg


猜测还有大量弱口令
第2个系统
同样账号密码通用
http://yunying.yupaopao.cn/home/nim

5.jpg


进主系统看看
发现

权	是	http://main.yupaopao.cn	/purview/site-list	2016-01-05 17:02:00
张勇	张	是	http://zhangyong.yunying.cn:8080	/	2016-04-06 18:30:32
报表系统	表	是	http://report.yupaopao.cn	/	2016-01-12 14:31:34
文档系统	档	是	http://doc.yupaopao.cn	/	2016-01-05 16:32:46
运营系统	营	是	http://yunying.yupaopao.cn	/	2016-03-08 11:02:53
郭超	郭	是	http://guochao.yunying.cn:8080	/	2016-04-06 18:32:24


看看http://doc.yupaopao.cn
丢~
没权限

6.jpg


7.jpg


最后将超级管理员guoyinglong的密码改成189837992了
再试试权限多大

8.jpg


80万用户

9.jpg


太牛逼了。 检测完赶快撤。
ps:程序员在做着后台的时候保证是没脾气的。。。

10.jpg


漏洞证明:

11

修复方案:

22

版权声明:转载请注明来源 小龙@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2016-05-11 13:14

厂商回复:

确实是比较大的漏洞,会泄露内部数据,目前正在修复中。

最新状态:

暂无