当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0156767

漏洞标题:速8酒店漏洞修复不善可再次重置任意用户密码(关爱土豪从你我做起)

相关厂商:速8酒店

漏洞作者: 路人甲

提交时间:2015-11-30 09:50

修复时间:2016-01-17 12:28

公开时间:2016-01-17 12:28

漏洞类型:设计缺陷/逻辑错误

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-11-30: 细节已通知厂商并且等待厂商处理中
2015-12-03: 厂商已经确认,细节仅向厂商公开
2015-12-13: 细节向核心白帽子及相关领域专家公开
2015-12-23: 细节向普通白帽子公开
2016-01-02: 细节向实习白帽子公开
2016-01-17: 细节向公众公开

简要描述:

为不影响业务,所以未使用土豪手机号码做验证
只拿了自己的另一个账号进行了验证

详细说明:

目标地址:http://www.super8.com.cn/
1、找回密码处
2、验证身份处,随意输入一个手机验证码

1.png


3、输入错误验证码后,拦截返回包,将错误的返回包替换为正确的,并将其中包含的手机号码改为目标手机号码

<!DOCTYPE html>
<html lang="zh-cn">
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <meta http-equiv="pragma" content="no-cache">
    <title>速8酒店官网-全国酒店查询预订,照片,点评</title>
    <meta name="keywords" content="速8,Super8,速八,速8酒店,速8酒店预订,速八酒店,速八酒店预订,40018-40018,酒店预订,酒店预定,宾馆预订,连锁酒店,经济型酒店,特
价酒店,会员打折,网上订房,连锁加盟,加盟酒店,温德姆酒店集团,WYNDHAM" />
    <meta name="description" content="美国速8国际有限公司是全球最大的经济型连锁酒店运营商之一,2004年进入中国。速8在中国近200多座城市拥有约1000家酒店,为
您提供干净和友好的酒店服务。" />
    <script src="/Statics/scripts/base/gomobile.js"></script>
    <link href="/Statics/css/base.css" rel="stylesheet"/>
<link href="/Statics/css/2015q2.css" rel="stylesheet"/>
<link href="/Statics/css/homeAd.css" rel="stylesheet"/>
    <script src="/Statics/Data/arounddata.js?151030152833205" charset="utf8"></script>
    <script src="/Statics/Data/citydata.js?151102094452539"></script>
    <script src="/Statics/Data/hoteldata.js?151102094452836"></script>
    <script src="/Statics/scripts/base/jquery-1.9.1.js"></script>
<script src="/Statics/scripts/base/jquery.datepicker.js"></script>
<script src="/Statics/scripts/base/popup.js"></script>
<script src="/Statics/scripts/base/base.js"></script>
<script src="/Statics/scripts/base/reference.js"></script>
<script src="/Statics/scripts/base/enum.js"></script>
   
    <script>
    var _hmt = _hmt || [];(function() { var hm = document.createElement("script");hm.src = "//hm.baidu.com/hm.js?5ea893975c140fb2300e807a3da2b058"; var s 
= document.getElementsByTagName("script")[0];s.parentNode.insertBefore(hm, s); })();
    </script>
</head>
<body class="page-login">
<link href="/Statics/css/login.css" rel="stylesheet" />
<script type="text/javascript">
    try {						
        var _oztime = (new Date()).getTime();
        var _ozuid;
        var _user = "";
        var _domain = document.domain.match(/\.[a-zA-Z0-9.-]+/);
        if ($.cookie("ozuid")) {
            if ($.cookie("ozuid") == _user) {
                _ozuid = $.cookie("ozuid");
            } else {
                $.cookie("ozuid", _user, { path: "/", expires: 365, domain: _domain });
                _ozuid = $.cookie("ozuid");
            }
        } else {
            $.cookie("ozuid", _user, { path: "/", expires: 365, domain: _domain });
            _ozuid = $.cookie("ozuid");
        }
    } catch (e) {}
</script>
<div id="mask"></div>
<div class="top_head">
    <div class=" top_head_left">
        <img src="/Statics/images/slogan.png" width="382" height="26" />
    </div>
    <div class=" top_head_right">
        <img src="/Statics/images/app_ad.png" width="200" height="58" />
    </div>
    <div class="top-head-400">预订热线 40018-40018</div>
    <div class="top-head-pop">
        <div class="pop-img"></div>
        <a href="/activity/iSuper8" class="pop-bottom" target="_blank">速8酒店手机版 &gt;</a>
    </div>
    <div class="top_logo">
        <img src="/Statics/images/top_logo.png" width="52" height="80" />
    </div>
</div>
<div class="top_menu">
    <div class="top_menu_text">
        <a href="/" class="hover">首页</a>
        <a href="/Hotel/List" class="">酒店预订</a>
        <a href="/TeamBuy/Index" class="">客房团购</a>
            <a href="/MemInfo/MemLogin" class="">会员专区</a>
        <a href="/Gift/Index" target="_blank" class="">兑换商城</a>
        <a href="/Article/Investment" class="">加盟速8</a>
            <a href="/Company/ComPreferential" class="">企业客户</a>
    </div>
    <div class="top_menu_mys8">
            <em class="mys8-menu"><a href="javascript:void(0)" onclick="popupMemberSupper('pop-login');" id="dlogin">登录&nbsp|&nbsp</a><a id="dregister" 
href="javascript:void(0)">注册</a></em> 
        <span>
             <a href="/MemInfo/MemLogin" onclick="return false;" class="mys8-menu ">我的速8</a>
            <!--有待付款订单时class中添加alert-pay-->
                <div class="dropmenu-content dropmenu-nlogin">
                    <a href="/MemInfo/MemLogin" class="login-btn">登录</a><br />
                    <a href="/MemInfo/MemLogin?tabconpanytype=1" class="login-company">企业会员登录</a>
                </div>
        </span>
    </div>
</div>
<!--登录框弹出层-->
<div style="z-index: 19999; position: fixed; top: 45px; left: 50.5px;">
    <div class="box-login" id="pop-login" style="display: none;">
        <div class="close">
            <a href="javascript:void(0)" id="closelogin" onclick="closeWindow('pop-login')">
                <img src="/Statics/images/close-icon.gif" />
            </a>
        </div>
        <div class="title-barlogin title-bar-pop">
            <h2 class="tab-person current" id="checkchengeindexlogin"><em>个人</em>登录</h2>
            <h2 class="tab-company" id="checkchengeindexlogincompany"><em>企业</em>登录</h2>
        </div>
        <div class="login-tab-content login-tab-content-pop">
            <div class="tab-person">
<form action="/MemInfo/IndexLogin" id="IndexLogin" method="post">                    <div id="Indexloginerror">
                        
                        
                    </div>
                    <div class="form-group form-group-name">
                        <label class="ui-placeholder" for="input-name" node_type="key">
                            <span class="placeholder-text">手机号码</span>
                            <input id="LoginName" name="LoginName" type="text" value="" />
                        </label>
                        <input id="RefUrl" name="RefUrl" type="hidden" value="" />
                    </div>
                    <div class="form-group form-group-password">
                        <label class="ui-placeholder" for="input-pw" node_type="key">
                            <span class="placeholder-text">密码</span>
                            <input id="PassWd" name="PassWd" type="password" />
                        </label>
                    </div>
                    <div class="item item-remember">
                        <a class="link-forgot fr" href="/Forgotpwd/Forgotpwd1">忘记密码</a>
                        <label for="input-remember">
                            <input id="RememberMe" name="RememberMe" type="checkbox" value="true" /><input name="RememberMe" type="hidden" value="false" 
/>
                            记住我</label>
                    </div>
                    <div class="item">
                        <a href="javascript:void(0)" id="btn3" class="btn"></a>
                    </div>
                    <a class="btn btn-nMem"  href="#" onclick="closeWindow('pop-login');"><em>非会员直接预订</em></a>
                    <dl class="item item-third">
                        <dt><a id="tandregister" href="javascript:void(0)">立即注册</a></dt>
                        
                    </dl> 
</form>            </div>
            <div class="tab-company" style="display: none">
<form action="/Company/IndexCompanyLogin" id="IndexCompanyLogin" method="post">                    <div id="Indexcompanyloginerror">
                        
                        
                    </div>
                    <div class="form-group form-group-name">
                        <label class="ui-placeholder" for="input-name" node_type="key">
                            <span class="placeholder-text">企业用户名</span>
                            <input id="LoginName" name="LoginName" type="text" value="" />
                        </label>
                    </div>
                    <div class="form-group form-group-password">
                        <label class="ui-placeholder" for="input-pw" node_type="key">
                            <span class="placeholder-text">密码</span>
                            <input id="PassWd" name="PassWd" type="password" />
                        </label>
                    </div>
                    <div class="item item-remember">
                        <a class="link-forgot fr" href="/Forgotpwd/Forgotpwd1">忘记密码</a>
                        <label for="input-remember">
                            <input id="RememberMe" name="RememberMe" type="checkbox" value="true" /><input name="RememberMe" type="hidden" value="false" 
/>
                            记住我</label>
                    </div>
                    <div class="item">
                        <a href="javascript:void(0)" id="btn4" class="btn"></a>
                    </div>
                    <a class="btn btn-nMem" href="/Hotel/List"><em>非会员直接预订</em></a>
                    <dl class="item item-third">
                        <dt><a href="/Register/RegisterCompany">立即注册企业会员</a></dt>
                    </dl> 
</form>            </div>
        </div>
    </div>
</div>
<script src="/Statics/scripts/business/UC/HeardInfo.js"></script>
<link href="/Statics/css/forgetpass.css" rel="stylesheet" />
<form action="/Forgotpwd/Forgotpwd5" method="post">    <div class="wrapper grid-950">
        <h4 class="fp-title mt50">找回密码</h4>
        <div class="fpassCtnWrap">
            <ul class="fsteps">
                <li class="first"><span><i>1</i><em>输入账户名</em></span></li>
                <li class="center"><span><i>2</i><em>验证身份</em></span></li>
                <li class="center ccurrent"><span><i>3</i><em>重置密码</em></span></li>
                <li class="end"><span><i>4</i><em>完成</em></span></li>
            </ul>
            <div class="formWrap">
                <div class="fwSpan ui-placeholder-re">
                    <label class="tit">新密码</label>
                    <label for="new-pass">
                        <input class="i_text_f" id="new-pass" name="UsPwd" placeholder="密码长度6-14位,区分大小写" type="password" />
                        <input id="UsPhone" name="UsPhone" type="hidden" value="18121217291" />
                        
                    </label>
                    
                </div>
                <div class="fwSpan fwSpan2">
                    <label class="tit">确认密码</label>
                    <input class="i_text_f" id="UsPwd2" name="UsPwd2" type="password" />
                    
                    
                    
                </div>
                <button type="submit" class="fp-btn">下一步</button>
            </div>
        </div>
    </div>
</form><script>
    $(document).ready(function () {
        var phone = '18121217291';
        $("#UsPhone").val(phone);
    });
</script>
    <div class="footer">
    <div class="k_link">
        <div>
            <h3>
                <img src="/Statics/images/f_icon_zn.png" width="32" height="32" />订房指南</h3>
            <ul>
                <li><a href="/News/42004.html">预订酒店</a></li>
                <li><a href="/News/42005.html">修改取消订单</a></li>
                <li><a href="/News/42502.html">入住和离店</a></li>
                <li><a href="/News/42503.html">团购和钟点房</a></li>
                <li><a href="/News/42009.html">余额账户使用</a></li>
                <li><a href="/News/42007.html">代金券规则</a></li>
            </ul>
        </div>
        <div>
            <h3>
                <img src="/Statics/images/f_icon_hy.png" width="32" height="32" />会员服务</h3>
            <ul>
                <li><a href="/News/42001.html">成为速8会员</a></li>
                <li><a href="/News/42017.html">会员等级和权益</a></li>
                <li><a href="/News/42010.html">间夜点数获取与使用</a></li>
                <li><a href="/Article/MemberAnnouncement">会员公告</a></li>
            </ul>
        </div>
        <div>
            <h3>
                <img src="/Statics/images/f_icon_zf.png" width="32" height="32" />支付方式</h3>
            <ul>
                <li><a href="/News/42019.html">前台付款</a></li>
                <li><a href="/News/42021.html">网上预付房费</a></li>
                <li><a href="/News/42022.html">信用卡担保</a></li>
                <li><a href="/News/42020.html">发票说明</a></li>
            </ul>
        </div>
        <div class="nofl">
            <h3>
                <img src="/Statics/images/f_icon_jm.png" width="32" height="32" />酒店加盟</h3>
            <ul>
                <li><a href="/News/40282.html">合作方式</a></li>
                <li><a href="/Article/Investment">招商会信息</a></li>
                <li><a href="/News/40281.html">速8中国样板间</a></li>
                <li><a href="/News/40283.html">在线加盟申请表</a></li>
                <li><a href="/News/40430.html">投资方向</a></li>
                <li><a href="/News/40425.html">指定/推荐供应商</a></li>
            </ul>
        </div>
    </div>
    <div class="b_link"><a href="/News/41119.html">关于速8</a>|<a href="/Article/Contact">联系我们</a>|<a href="/Article/News">速8动态</a>|<a 
href="/Hotel/List">酒店列表</a>|<a href="http://myportal.super8.com.cn/" target="_blank">业主门户</a>|<a href="/News/41005.html">使用条款</a>|<a 
href="/News/41120.html">温德姆集团</a>|<a href="http://job.super8.com.cn/" target="_blank">招贤纳士</a>|<a href="/News/41006.html">友情链接</a>|<a 
href="/News/41007.html">隐私声明</a></div>
    <div class="b_logobox">
        <img src="/Statics/images/blogo-01.png" width="168" height="37" />
        <div class="b-logos-wrap">
            <ul class="firstUl">
                <li><a target="_blank" id="fb_dolce" href="http://www.dolce.com">Dolce Hotels and Resorts</a></li>
                <li><a target="_blank" id="fb_wyndham_grand_collection" href="http://www.wyndham.com/">Wyndham Grand &reg; Collection</a></li>
                <li><a target="_blank" id="fb_wyndham_hotels_resorts" href="http://www.wyndham.com/">Wyndham &reg; Hotels and Resorts</a></li>
                <li><a target="_blank" id="fb_wyndham_garden" href="http://www.wyndham.com/">Wyndham Garden &reg;</a></li>
                <li><a target="_blank" id="fb_tryp" href="http://www.tryphotels.com/">Tryp</a></li>
                <li><a target="_blank" id="fb_wingate" href="http://www.wingatehotels.com/">Wingate &reg; by Wyndham</a></li>
                <li><a target="_blank" id="fb_hawthorn" href="http://www.hawthorn.com/">Hawthorn &reg; Suites by Wyndham</a></li>
                <li><a target="_blank" id="fb_microtel" href="http://www.microtelinn.com/">Microtel &reg; Inn &amp; Suites</a></li>
            </ul>
            <ul>
                <li><a target="_blank" id="fb_ramada" href="http://www.ramada.com/">Ramada &reg;</a></li>
                <li><a target="_blank" id="fb_baymont" href="http://www.baymontinns.com/">Baymont &reg; Inn &amp; Suites</a></li>
                <li><a target="_blank" id="fb_days_inn" href="http://www.daysinn.com">Days Inn &reg;</a></li>
                <li><a target="_blank" id="fb_super8" href="http://www.super8.com/">Super 8 &reg;</a></li>
                <li><a target="_blank" id="fb_howard_johnson" href="http://www.hojo.com/">Howard Johnson &reg;</a></li>
                <li><a target="_blank" id="fb_travelodge" href="http://www.travelodge.com/">Travelodge &reg;</a></li>
                <li><a target="_blank" id="fb_knights_inn" href="http://www.knightsinn.com/">Knights Inn &reg;</a></li>
            </ul>
        </div>
    </div>
    <div class="copyright">Copyright &copy; 2004-2015 速8酒店 Super 8 Hotel (China) Co., Ltd, All Rights Reserved. &nbsp; 京ICP备13008407号-1 &nbsp; 京公
网安备110105005616</div>
</div>
<script src="/Statics/scripts/analytics/o_code.js"></script>
<!--弹出层广告-->
    <script src="/Statics/scripts/control/global.js"></script>
<script src="/Statics/scripts/control/login.js"></script>
</body>
</html>


4、输入新的密码

2.png


5、重置密码成功

3.png


4.png

漏洞证明:

同上

修复方案:

最后一步可以将验证码再发到服务端进行一次验证

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2015-12-03 12:26

厂商回复:

谢谢提醒

最新状态:

暂无