当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0118231

漏洞标题:青橙设计不当重置任意用户密码(公司邮箱测试/泄露用户地址/订单)

相关厂商:上海青橙

漏洞作者: 千斤拨四两

提交时间:2015-06-04 16:52

修复时间:2015-07-23 09:04

公开时间:2015-07-23 09:04

漏洞类型:网络设计缺陷/逻辑错误

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-06-04: 细节已通知厂商并且等待厂商处理中
2015-06-08: 厂商已经确认,细节仅向厂商公开
2015-06-18: 细节向核心白帽子及相关领域专家公开
2015-06-28: 细节向普通白帽子公开
2015-07-08: 细节向实习白帽子公开
2015-07-23: 细节向公众公开

简要描述:

搜索了网站的邮箱,都可进行重置,操作见下。

详细说明:

0x1:正确流程走下,抓取手机响应包数据。

q.png


此步就要抓取手机响应包的信息。

HTTP/1.1 200 OK
Server: nginx/1.0.11
Date: Thu, 04 Jun 2015 06:27:07 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Accept-Encoding
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-AspNetMvc-Version: 4.0
X-AspNet-Version: 4.0.30128
X-Powered-By: ASP.NET
Content-Length: 8398
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
找回帐户密码-青橙手机
</title><meta name="viewport" content="width=device-width, initial-scale=1" /><link href="/reference/css/common.css?20150225" rel="stylesheet" type="text/css" /><link href="/reference/css/proregister.css?20150225" rel="stylesheet" type="text/css" /><link href="/reference/css/bootstrap.css" rel="stylesheet" type="text/css" /><link href="/reference/css/qc.shop.css.pc.css?20150225" rel="stylesheet" type="text/css" />
<script type="text/javascript" src="/reference/scripts/knockout-3.2.0.js?20150225"></script>
<script type="text/javascript" src="/reference/scripts/jquery-2.1.3.min.js?20150225"></script>
<script type="text/javascript" src="/reference/scripts/bootstrap.min.js?20150225"></script>
<script type="text/javascript" src="/reference/scripts/validator.js?20150225"></script>
<script type="text/javascript" src="/reference/scripts/public.js?20150225"></script>
<script type="text/javascript" src="/reference/scripts/ajax.js?20150225"></script>
<script type="text/javascript" src="/reference/scripts/p/findpwd.js?20150225"></script>
<style type="text/css">
.showtext,.reg_input_txt{ float:left; display:block;height:40px;line-height:40px;color:#FF6600;font-family:Verdana,Geneva,sans-serif;font-weight:bold;}
#emailpsbt .reg_botton_btn,#mobilepsbt .reg_botton_btn,#updatepsbt .reg_botton_btn{background-color: #f99114; border: 1px solid #dd621f;color: #ffffff;cursor: pointer;display: block;float: left;font: 700 16px/40px "微软雅黑","宋体","黑体",Arial;height: 40px;width: 130px;}
#mobilepsbt,#updatepsbt{ margin-top:10px;float:left;}
#emailpsbt dd,#mobilepsbt dd,#UpdatePassWord dd{ display:block; float:left;font-size:12px; margin:0; text-align:left; padding-left:20px; height:40px; line-height:40px; margin-left:10px;}
#emailpsbt .tip,#mobilepsbt .tip,#UpdatePassWord .tip{color:#999; background:url(/reference/images/tip.png) no-repeat left center;}
#emailpsbt .error,#mobilepsbt .error,#UpdatePassWord .error{color:red; background:url(/reference/images/error.png) no-repeat left center;}
#emailpsbt .ajax,#mobilepsbt .ajax,#UpdatePassWord .ajax{color:#999; background:url(/reference/images/ajax.gif) no-repeat left center;}
#emailpsbt .success,#mobilepsbt .success,#UpdatePassWord .success{background:url(/reference/images/reg-menu.gif) no-repeat 0px -20px;color:Green;}
.go{ float:left; display:block; width:100%; height:23px; line-height:23px;color:#999;}
.go font{color:#FF6600;font-weight:bold;font-size:13px;margin:0 3px;}
#formReg .reg_input .reg_input_title{ font-weight:normal;width:140px;}
#formReg .reg_input .reg_input_txt{ width:auto;}
#mobileCode{ margin-left:15px;color:#333; padding:0 5px;cursor:pointer;}
#vCode,#newps,#cfnewps{ margin-top:6px;}
#txtMobileTip,#txtVcodeTip,#dddcfnewps,#txtNewpsTip,#txtCfnewpsTip{ line-height:40px;color:#999; margin-left:10px; float:left;}
#updatepsbt{ padding-left:140px;}
</style>
<script type="text/javascript">
function initPage() {
mobileno = "130*****882";
account = "doubao";
token = "B37D451B8AF92E611980E4E8874030FB";
token = "24903690C1ABFE9A8631999A743D7A82";
}
</script>
</head>
<body>

<link href="/reference/css/proothertop.css?20150225" rel="stylesheet" type="text/css" />
<div class="other_top">
<div class="other_top_logo">
<a href="http://www.qingcheng.com">
<img src="/reference/images/v5_top_logo.png" alt="青橙logo" title="青橙logo" />
</a>
</div>
</div>
<div id="proregister">
<div id="proregister_content">
<div class="proregister_content_top">
<span>找回帐户密码</span>
</div>
<div class="proregister_content_form">
<form id="formFindPwd" method="post">
<div id="divMsg" data-bind="html: message, visible: showMessage, attr: { class: messageClass }" role="alert" style="display:none;padding-left:0px">
message
</div>
<div id="divFindMethods" class="defaultinput">
<div class="btn-group" style="width:100%;">
<button type="button" class="btn btn-default dropdown-toggle" data-toggle="dropdown" aria-expanded="false" data-bind="html:selectedMethod">
<span class="caret"></span>
</button>
<ul class="dropdown-menu" role="menu" style="margin-left:10px;padding-left:10px;"><li><a href="#" data-bind="click:clickShowMobile">通过手机找回</a></li></ul></div>
</div>
<div id="divFindByEmail" class="defaultinput" data-bind="visible: showEmail">
<div id="emailps" class="reg_input">
<div class="defaultinput" style="text-align:left;padding-left:0px;width:100%"><h5><span data-bind="text: email"></span></h5>
</div>
</div>

<div id="emailpsbt" class="defaultinput" style="width:100%">
<input type="button" id="btnSendEmail" data-bind="click: sendEmail" class="btn btn-warning btn-lg btn_standard" value="发送邮件" />
</div>
</div>
<div id="divFindByMobile" class="defaultinput" data-bind="visible: showMobile">
<div id="mobileps" class="defaultinput" style="text-align:left;padding-left:0px;width:100%">
<h5><span data-bind="text: mobileno"></span></h5>
</div>
<div id="divMVCode" class="defaultinput" data-bind="visible: showMobile" style="width:100%">
<input name="txtCode" id="txtCode" type="text" data-bind="value: mvcode" class="form-control w60" style="float:left;" placeholder="短信验证码"/>
<input name="btnSendSMSCode" id="btnSendSMSCode" type="button" class="btn btn-default w40 mobileVeryfyCode" data-bind="click: sendSMSCode" style="cursor:pointer" value="获取短信验证码" />
</div>
<div id="mobilepsbt" class="defaultinput" style="width:100%" >
<input type="button" id="btnMobileNext" data-bind="click: mobileNextAction" class="btn btn-warning btn-lg btn_standard" value="下一步" />
</div>
</div>
<div id="divCannot" class="defaultinput short" data-bind="visible: showCannot">
<div id="loginid" class="reg_input"><div class="reg_input_txt" style="color:#333;">抱歉,该账号未绑定邮箱和手机,无法找回密码!<a href="/m/login/index">重新登录</a></div><span></span></div>
</div>
</form>
</div>
</div>
</div>

<link href="/reference/css/prootherfoot.css?20150225" rel="stylesheet" type="text/css" />
<div class="other_foot">
<ul>
<li>
<span><a href="http://www.qingcheng.com">青橙官网</a></span>
</li>
<li class="line">|</li>
<li>
<span><a href="http://bbs.qingcheng.com">青橙论坛</a></span>
</li>
<li class="line">|</li>
<li>
<span><a href="http://go.qingcheng.com">橙友部落</a></span>
</li>
<li class="line">|</li>
<li>
<span><a href="http://www.myuios.com">MYUI</a></span>
</li>
<li class="line">|</li>
<li>
<span><a href="http://www.qingcheng.com/contact">联系我们</a></span>
</li>
<li class="line">|</li>
<li>
<span class="other_foot_icp">青橙公司版权所有-沪ICP备12006100号</span>
</li>
</ul>
</div>
</body>
</html>


可以查看到account ,token的值。所以我们可以抓取任意用户的token值。
0x2:继续下去,到了获取验证码这一步,不用获取验证码,可直接绕过,在输入框任意输入一串6位数字,修改响应包!

w.png


返回的信息肯定是错误,把验证码错误-->success,放行。

e.png


0x3:此步再次抓取响应包。

r.png


HTTP/1.1 200 OK
Server: nginx/1.0.11
Date: Thu, 04 Jun 2015 06:40:50 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Accept-Encoding
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-AspNetMvc-Version: 4.0
X-AspNet-Version: 4.0.30128
X-Powered-By: ASP.NET
Content-Length: 5210
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
找回帐户密码-青橙手机
</title><meta name="viewport" content="width=device-width, initial-scale=1" /><link href="/reference/css/common.css?20150225" rel="stylesheet" type="text/css" /><link href="/reference/css/proregister.css?20150225" rel="stylesheet" type="text/css" /><link href="/reference/css/bootstrap.css?20150225" rel="stylesheet" type="text/css" /><link href="/reference/css/qc.shop.css.pc.css?20150225" rel="stylesheet" type="text/css" />
<script type="text/javascript" src="/reference/scripts/knockout-3.2.0.js?20150225"></script>
<script type="text/javascript" src="/reference/scripts/jquery-2.1.3.min.js?20150225"></script>
<script type="text/javascript" src="/reference/scripts/bootstrap.min.js?20150225"></script>
<script type="text/javascript" src="/reference/scripts/validator.js?20150225"></script>
<script type="text/javascript" src="/reference/scripts/public.js?20150428"></script>
<script type="text/javascript" src="/reference/scripts/ajax.js?20150428"></script>
<script type="text/javascript" src="/reference/scripts/p/findpwde.js?20150225"></script>
<script type="text/javascript" src="/reference/scripts/aes.js?20150225"></script>

<script type="text/javascript">
function initPage() {
account = "doubao";
token = "B37D451B8AF92E611980E4E8874030FB";
message = "";
}
</script>
</head>
<body>

<link href="/reference/css/proothertop.css?20150225" rel="stylesheet" type="text/css" />
<div class="other_top">
<div class="other_top_logo">
<a href="http://www.qingcheng.com">
<img src="/reference/images/v5_top_logo.png" alt="青橙logo" title="青橙logo" />
</a>
</div>
</div>
<div id="proregister">
<div id="proregister_content">
<div class="proregister_content_top">
<span>找回帐户密码</span>
</div>
<div class="proregister_content_form">
<form id="formReg">
<div id="divMsg" data-bind="html: message, visible: showMessage, attr: { class: messageClass }" role="alert" style="display:none">
message
</div>
<div data-bind="visible: isCorrect">
<div id="loginid" class="defaultinput" style="text-align:left;padding-left:10px;"><h4>账户名<span style="padding-left:10px;" data-bind="text: account"></span></h4></div>
<div id="divPassword" class="defaultinput short">
<input type="password" name="txtPassword" id="txtPassword" data-bind="value: password, event: { blur: blurPassword }" class="form-control" placeholder="新密码" />
</div>
<div id="divRepassword" class="defaultinput short">
<input type="password" name="txtPassword2" id="txtPassword2" data-bind="value: repassword, event: { blur: blurPassword }" class="form-control" placeholder="确认新密码" />
</div>
<div id="divVCode" class="defaultinput short">
<input type="text" value="" id="txtVCode" data-bind="value: vcode" class="form-control w60" style="float:left" placeholder="注册验证码">
<img alt="点击换一张" class="img_01 w40 veryfyCodeImage" src="/reference/plugin/VerifyCode.aspx" onclick="this.src='/reference/plugin/VerifyCode.aspx?t='+Math.random();" style="cursor:pointer">
</div>
<div id="reg_botton" class="defaultinput_button">
<button type="button" id="btnUpdatePs" data-bind="click: updatePassword" class="btn btn-warning btn-lg btn_standard" >提交修改</button>
</div>
</div>
</form>
</div>
</div>
</div>

<link href="/reference/css/prootherfoot.css?20150225" rel="stylesheet" type="text/css" />
<div class="other_foot">
<ul>
<li>
<span><a href="http://www.qingcheng.com">青橙官网</a></span>
</li>
<li class="line">|</li>
<li>
<span><a href="http://bbs.qingcheng.com">青橙论坛</a></span>
</li>
<li class="line">|</li>
<li>
<span><a href="http://go.qingcheng.com">橙友部落</a></span>
</li>
<li class="line">|</li>
<li>
<span><a href="http://www.myuios.com">MYUI</a></span>
</li>
<li class="line">|</li>
<li>
<span><a href="http://www.qingcheng.com/contact">联系我们</a></span>
</li>
<li class="line">|</li>
<li>
<span class="other_foot_icp">青橙公司版权所有-沪ICP备12006100号</span>
</li>
</ul>
</div>
</body>
</html>


t.png


就这样轻松的绕弱验证即可修改密码,这是绑定了手机号的用户绕过验证码的方法,下面说说邮箱没有绑定手机号的方法。

y.png


漏洞证明:

greenorange@51greenorange.com邮箱测试


0x4:在第一步输入用户名下一步截断信息,提取token值,修改响应包。

z.png


把手机响应包修改用0x1的数据替换掉,注意把accont和token值也要替换掉。
放行就能到手机获取验证码页面。

x.png


0x5:不在复现绕过验证码的方法,修改响应包数据,用0x2抓到的数据替换,accont和token值也要更换。

c.png


修改放行。

v.png


修改密码wooyun123
0x6:登录验证!

z.png


x.png


c.png


修复方案:

版权声明:转载请注明来源 千斤拨四两@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-06-08 09:04

厂商回复:

确认漏洞,非常感谢千斤拨四两

最新状态:

暂无