
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0134214

Title: Arbitrary account login at one location on Chemao (车猫网) (information on 70,000+ accounts at risk)

Vendor: dongdalou.com

Author: 天地不仁 以万物为刍狗

Submitted: 2015-08-15 12:46

Fixed: 2015-10-01 13:40

Published: 2015-10-01 13:40

Vulnerability type: Unauthorized access / privilege bypass

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-08-15: Details sent to the vendor, awaiting vendor handling
2015-08-17: Vendor confirmed; details disclosed to the vendor only
2015-08-27: Details disclosed to core white hats and relevant domain experts
2015-09-06: Details disclosed to regular white hats
2015-09-16: Details disclosed to intern white hats
2015-10-01: Details disclosed to the public

Brief description:

One cut makes you poor, one cut makes you rich, one cut leaves you in sackcloth; madmen sell, madmen buy, and more madmen are waiting.

Detailed description:

First register an account and log in.
After logging in, click the account and view the profile (for a clearer demonstration I first took a screenshot of my own, as shown).

[Screenshot 0.png]

The above is the account I created. Now start Burp and click Profile Management (clicking any other function works just as well, because this is a cookie-based authorization bypass).

[Screenshot 1.png]

There are quite a few parameters here, so look carefully (the request is given under Proof of vulnerability for comparison). Change the value of the ck_unb parameter; try ck_unb=71712 first. Once it is changed, simply Forward and you can view the page directly.

[Screenshot 2.png]

[Screenshot 3.png]

Why do I say this amounts to arbitrary account login? Because once you have changed it, clicking other functions likewise shows that account's data. For a clearer demonstration I picked the following account:

[Screenshot 5.png]

Let's click some other functions and see:

[Screenshot 6.png]

The id above is 10002.

[Screenshot 7.png]

For comparison, my own account id is 71752; that is, this is user 71752's information.
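The mechanism the writeup exercises is a server that takes the logged-in user id straight from the client-controlled ck_unb cookie, so editing that one value in Burp is enough to act as any account. The Python below is an added example written for this page, not code from the report or from chemao.com.cn: it models the cookie rewrite done by hand above, a resolver that trusts ck_unb the way the site evidently did, and two server-side fixes (an opaque session id looked up server-side, and an HMAC-signed cookie). The backend logic, the session store, the secret key and the trimmed Cookie header are assumptions constructed for illustration; only the cookie name and the user ids 71752 and 10002 come from the report.

```python
"""Model of the ck_unb trust flaw and two fixes (added example, not Chemao's code)."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

ATTACKER_UID = 71752  # the reporter's own account id, from the report
VICTIM_UID = 10002    # the account whose data appeared after tampering, from the report

# Constructed Cookie header: the captured request trimmed to the names that matter.
LEGIT_COOKIE_HEADER = (
    "FC_ID=0a341bed372c58ba979770a7b017d4b5b06dadf5; "
    f"ck_unb={ATTACKER_UID}; ck__nk_=177712604%40qq.com; ck_user_type=0"
)


def parse_cookies(header: str) -> Dict[str, str]:
    """Split 'a=1; b=2' into a dict, like the $_COOKIE array a PHP backend sees."""
    jar: Dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            jar[name] = value
    return jar


def tamper(header: str, name: str, new_value: str) -> str:
    """Rewrite one cookie in a Cookie header: the step done by hand in Burp above."""
    out = []
    for part in header.split(";"):
        part = part.strip()
        if part:
            key = part.partition("=")[0]
            out.append(f"{name}={new_value}" if key == name else part)
    return "; ".join(out)


# Vulnerable: identity is read straight from a client-controlled cookie.
def resolve_user_vulnerable(cookies: Dict[str, str]) -> Optional[int]:
    """Whatever id the client puts in ck_unb becomes the logged-in user."""
    try:
        return int(cookies["ck_unb"])
    except (KeyError, ValueError):
        return None


# Fix 1: opaque server-side session; the user id never leaves the server.
SESSION_STORE: Dict[str, int] = {}  # assumed in-memory stand-in for Redis/DB


def login(user_id: int) -> str:
    """Issue an unguessable session id bound server-side to the authenticated user."""
    sid = secrets.token_urlsafe(32)
    SESSION_STORE[sid] = user_id
    return sid


def resolve_user_session(cookies: Dict[str, str]) -> Optional[int]:
    """Identity comes from the session lookup; ck_unb is ignored entirely."""
    return SESSION_STORE.get(cookies.get("sid", ""))


# Fix 2: if the id must travel in a cookie, authenticate it with an HMAC tag.
SERVER_SECRET = b"assumed-server-only-secret-for-this-example"  # never sent to clients


def sign_uid(user_id: int) -> str:
    """Return 'uid.tag' where tag = HMAC-SHA256(secret, uid)."""
    tag = hmac.new(SERVER_SECRET, str(user_id).encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{tag}"


def resolve_user_signed(cookies: Dict[str, str]) -> Optional[int]:
    """Accept ck_unb only if its tag verifies; swapping the id in front fails the check."""
    uid, sep, tag = cookies.get("ck_unb", "").rpartition(".")
    if not sep or not uid.isdigit():
        return None
    expected = hmac.new(SERVER_SECRET, uid.encode(), hashlib.sha256).hexdigest()
    return int(uid) if hmac.compare_digest(tag, expected) else None


def demo() -> Dict[str, Optional[int]]:
    """Replay the report's ck_unb swap against all three resolvers."""
    results: Dict[str, Optional[int]] = {}
    tampered = tamper(LEGIT_COOKIE_HEADER, "ck_unb", str(VICTIM_UID))
    results["vulnerable"] = resolve_user_vulnerable(parse_cookies(tampered))

    sid = login(ATTACKER_UID)
    with_session = tamper(f"sid={sid}; {LEGIT_COOKIE_HEADER}", "ck_unb", str(VICTIM_UID))
    results["session"] = resolve_user_session(parse_cookies(with_session))

    signed = tamper(LEGIT_COOKIE_HEADER, "ck_unb", sign_uid(ATTACKER_UID))
    results["signed_legit"] = resolve_user_signed(parse_cookies(signed))
    own_tag = sign_uid(ATTACKER_UID).split(".")[1]  # attacker reuses their own valid tag
    forged = tamper(signed, "ck_unb", f"{VICTIM_UID}.{own_tag}")
    results["signed_forged"] = resolve_user_signed(parse_cookies(forged))
    return results


if __name__ == "__main__":
    print(demo())
```

Running it shows the swapped id accepted by the vulnerable resolver and rejected by both fixes. The session variant is the preferable design, since the client-visible cookie then carries no user id at all; the signed variant keeps a legacy ck_unb readable by the client but unforgeable without the server secret, which is the minimum change if other code still reads the cookie.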

Proof of vulnerability:

GET /user-edit.html HTTP/1.1
Host: www.chemao.com.cn
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.3635.47 Safari/537.36
Referer: http://www.chemao.com.cn/user-profile.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: FC_ID=0a341bed372c58ba979770a7b017d4b5b06dadf5; globalCookieCity=%BD%AD%CB%D5; sguid=%7B%22_type_%22%3A%22string%22%2C%22_val_%22%3A%2212bb104e-1644-10eb-1eb5-194011f21227%22%7D; sgload=%7B%22_type_%22%3A%22number%22%2C%22_val_%22%3A1%7D; sgps=%7B%22_type_%22%3A%22json%22%2C%22_val_%22%3A%22%5B%7B%5C%22attr%5C%22%3A%5C%22id%5C%22%2C%5C%22val%5C%22%3A%5C%22date-scorce-1%5C%22%7D%2C%7B%5C%22attr%5C%22%3A%5C%22id%5C%22%2C%5C%22val%5C%22%3A%5C%22date-scorce-2%5C%22%7D%2C%7B%5C%22attr%5C%22%3A%5C%22id%5C%22%2C%5C%22val%5C%22%3A%5C%22date-scorce-3%5C%22%7D%2C%7B%5C%22attr%5C%22%3A%5C%22data-ms%5C%22%2C%5C%22val%5C%22%3A%5C%22mechat%5C%22%7D%2C%7B%5C%22attr%5C%22%3A%5C%22onclick%5C%22%2C%5C%22val%5C%22%3A%5C%22openEcDialog()%5C%22%7D%2C%7B%5C%22attr%5C%22%3A%5C%22class%5C%22%2C%5C%22val%5C%22%3A%5C%22cert-form-btn%5C%22%7D%2C%7B%5C%22attr%5C%22%3A%5C%22data-type%5C%22%2C%5C%22val%5C%22%3A%5C%22confirm%5C%22%7D%2C%7B%5C%22attr%5C%22%3A%5C%22class%5C%22%2C%5C%22val%5C%22%3A%5C%22MECHAT_FLOAT_CHAT%5C%22%7D%2C%7B%5C%22attr%5C%22%3A%5C%22onclick%5C%22%2C%5C%22val%5C%22%3A%5C%22mechatClick()%5C%22%7D%2C%7B%5C%22attr%5C%22%3A%5C%22id%5C%22%2C%5C%22val%5C%22%3A%5C%22confirm%5C%22%7D%2C%7B%5C%22attr%5C%22%3A%5C%22onclick%5C%22%2C%5C%22val%5C%22%3A%5C%22openEcDialog()%3B%5C%22%7D%2C%7B%5C%22attr%5C%22%3A%5C%22id%5C%22%2C%5C%22val%5C%22%3A%5C%22show_tel%5C%22%7D%2C%7B%5C%22attr%5C%22%3A%5C%22id%5C%22%2C%5C%22val%5C%22%3A%5C%22credit-btn%5C%22%7D%2C%7B%5C%22attr%5C%22%3A%5C%22id%5C%22%2C%5C%22val%5C%22%3A%5C%22sell-car-submit%5C%22%7D%2C%7B%5C%22attr%5C%22%3A%5C%22class%5C%22%2C%5C%22val%5C%22%3A%5C%22submitBtn%5C%22%7D%2C%7B%5C%22attr%5C%22%3A%5C%22id%5C%22%2C%5C%22val%5C%22%3A%5C%22byk-form-btn%5C%22%7D%2C%7B%5C%22attr%5C%22%3A%5C%22id%5C%22%2C%5C%22val%5C%22%3A%5C%22submitForm%5C%22%7D%5D%22%7D; __ag_cm_=1439555742507; _hjIncludedInSample=0; _hjUserId=548edf3a-d575-4a1d-b8fc-8fb7908192f6; _gat=1; redirectURL=%252Findex.php%253Fapp%253Duser%2526act%253Dprofile; 
ck_unb=71752; ck__nk_=177712604%40qq.com; ck__lg_=177712604%40qq.com; ck_user_type=0; sgpth=%7B%22_type_%22%3A%22json%22%2C%22_val_%22%3A%22%5B%7B%5C%22time%5C%22%3A1439555752764%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuLw%3D%3D%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439555755418%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL3VzZXItcHJvZmlsZS5odG1s%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439555760771%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL3VzZXItZWRpdC5odG1s%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439555783171%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL2luZGV4LnBocD9hcHA9dXNlciZhY3Q9b3JkZXJfYnV5ZXI%3D%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439555899537%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL3VzZXItZWRpdC5odG1s%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439556168980%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL2luZGV4LnBocD9hcHA9dXNlciZhY3Q9b3JkZXJfYnV5ZXI%3D%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439556170760%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL3VzZXItZWRpdC5odG1s%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439556178612%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL3VzZXItcHJvZmlsZS5odG1s%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439556191045%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL3VzZXItZm9sbG93Lmh0bWw%3D%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439556192708%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL3VzZXItcmVsZWFzZS5odG1s%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439556193975%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL2luZGV4LnBocD9hcHA9dXNlciZhY3Q9b3JkZXJfYnV5ZXI%3D%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439556195441%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL3VzZXItZWRpdC5odG1s%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439556199854%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL3VzZXItcHJvZmlsZS5odG1s%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439556203230%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL3VzZXItZWRpdC5odG1s%5C%2
2%7D%2C%7B%5C%22time%5C%22%3A1439556209682%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL3VzZXItcHJvZmlsZS5odG1s%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439556221376%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL2luZGV4LnBocA%3D%3D%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439556236036%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL3VzZXItcHJvZmlsZS5odG1s%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439556237942%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL3VzZXItZWRpdC5odG1s%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439556240500%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL2luZGV4LnBocD9hcHA9dXNlciZhY3Q9b3JkZXJfYnV5ZXI%3D%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439556242448%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL3VzZXItcHJvZmlsZS5odG1s%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439556254684%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL3VzZXItZWRpdC5odG1s%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439556512681%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL2luZGV4LnBocD9hcHA9dXNlciZhY3Q9b3JkZXJfYnV5ZXI%3D%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439556514284%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL3VzZXItZWRpdC5odG1s%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439556526342%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL3VzZXItcHJvZmlsZS5odG1s%5C%22%7D%5D%22%7D; Hm_lvt_996dd03d99962cc3d2411df00b3a3e38=1439555742; Hm_lpvt_996dd03d99962cc3d2411df00b3a3e38=1439556526; uuid=21f3be7999692c886cc7e805ed462cee; _ga=GA1.3.9953835.1439555742; ag_fid=OxxEh37D397Pdc0F


Fix recommendation:

Copyright notice: when reposting, please credit the source: 天地不仁 以万物为刍狗@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2015-08-17 13:38

Vendor reply:

The vulnerability description is very detailed; following it, we reproduced the issue ourselves. The vulnerability has a major impact on us. Thanks to the author for kindly pointing it out.

Latest status:

None yet