Vulnerability summary

Defect ID: wooyun-2015-0115974

Title: Bookuu (博库网) arbitrary user password reset vulnerability (tested on the administrator and customer-service users)

Vendor: bookuu.com

Author: 千斤拨四两

Submitted: 2015-07-03 17:41

Fixed: 2015-08-17 17:48

Published: 2015-08-17 17:48

Type: network design flaw / logic error

Severity: High

Self-assessed Rank: 15

Status: confirmed by vendor

Source: http://www.wooyun.org. For questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-07-03: Details sent to the vendor, awaiting vendor handling
2015-07-03: Vendor confirmed; details visible to the vendor only
2015-07-13: Details disclosed to core white hats and domain experts
2015-07-23: Details disclosed to regular white hats
2015-08-02: Details disclosed to intern white hats
2015-08-17: Details disclosed to the public

Brief description:

Digging for bugs late at night is hard work; please give a high rank!
Bookuu (博库网) is a culture and knowledge platform independently operated by Bookuu Network Co., Ltd.; it is currently a domestic leader with the widest range of book titles, and is a wholly owned subsidiary set up by Zhejiang Xinhua Bookstore Group Co., Ltd. with an investment of RMB 50 million.[1]
As one of the Zhejiang Xinhua Bookstore Group's "Twelfth Five-Year" development projects, Bookuu relies on the group's strong resource base (an industry-leading ERP system with independent intellectual property, a 140,000-square-metre modern logistics centre, rich product and information resources, and a group-wide chain operating system with integrated information, inventory and marketing). With this backing, Bookuu is confident in every step of "going out: vigorously developing the Bookuu culture brand", and strives to become a world-class, domestically leading Chinese-language book-buying platform and culture brand with the character of a publishing mid-tier distributor.

Detailed description:

0x1: Knowing only a user's account name is enough to reset that user's password. I found this account on the official site and tested with the hotline account!

(screenshot: q.png)


95105940


Before resetting the hotline account, first walk through the correct flow: using an account registered with my own phone, capture the response packet!

(screenshot: w.png)


(screenshot: e.png)


HTTP/1.1 200 OK
Server: nginx/0.8.46
Date: Sun, 24 May 2015 15:38:49 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 31517
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>找回密码-博库网</title>
<link href="http://style.bookuu.com/css/sys.css" rel="stylesheet" type="text/css" />
<link href="http://style.bookuu.com/css/base.css" rel="stylesheet" type="text/css" />
<link href="http://style.bookuu.com/index/css/layout.css" rel="stylesheet" type="text/css" />
<link href="http://style.bookuu.com/index/css/login-reg.css" rel="stylesheet" type="text/css" />
<link rel="stylesheet" type="text/css" href="http://style.bookuu.com/index_new/css/sub_head.css" />
<link rel="stylesheet" type="text/css" href="http://style.bookuu.com/css/feedback.css">
<link rel="icon" href="http://style.bookuu.com/favicon.ico" type="image/x-icon" />
<script type="text/javascript" src="http://style.bookuu.com/jquery/jquery-1.5.1.min.js"></script>
<script type="text/javascript" src="http://style.bookuu.com/jquery/jqueryTabs.js"></script>
<script type="text/javascript" src="http://style.bookuu.com/jquery/base.js"></script>
<script type="text/javascript">
$(document).ready(function(){
$('#submitid').bind('click',function(){
checkform();
});
//验证表单
function checkform(){
var name= $.trim($("#nicknameid").val());
var checkcode = $('#seccode').val();
if(Len(name)<5||Len(name)>20){
alert('请输入正确的用户名信息!');
return false;
}else if(Len(checkcode)!=4){
alert('请正确的验证码!');
return false;
}/*else{
$.get("getpassword.php", {name:name, checkcode: checkcode,step:1 }, function(data){
if(data.flag==101||data.flag==102){
alert(data.msg);
return false;
}else{
alert('请继续操作');
//window.location.href='./getpassword.php?t='+Math.random();

}
});
}*/
}

//字符串长度
function Len(str){
var i,sum;
sum=0;
for(i=0;i<str.length;i++)
{
if ((str.charCodeAt(i)>=0) && (str.charCodeAt(i)<=255))
sum=sum+1;
else
sum=sum+2;
}
return sum;
}
})

</script>
<style type="text/css">
<!--
.default {color: #999999}
.login_form_wrong {
background: url("../images/bg_login_wrong.gif") no-repeat scroll 3px 4px transparent;
color: #CC3300;
padding-left: 14px !important;
padding-right: 2px;
width: 167px !important;
}
-->
.serve-form{ display: none;}
</style>
</head>
<body>

<div class="layout">
<div class="login-logo-pannel">
<a href="http://www.bookuu.com" class="bk-logo"></a>
<a href="http://www.bookuu.com" class="gotoboku">回博库首页</a>
</div>

<div class="register-pannel">
<div class="cbox">
<div class="cbox-inner">
<h1 class="underline">找回密码</h1>
<div class="gpb">
<p>您的账号已绑定手机,请选择手机绑定找回密码。</p>
<div class="options">
<a href="./getpwbymobile.php?act=update&step=1"><img src="http://style.bookuu.com/index/images/m1_phone.png">手机绑定找回密码</a>


<a href="http://help.bookuu.com/helper.php?typeDeal=79"><img src="http://style.bookuu.com/index/images/m2_support.png">联系客服找回密码</a>
</div>
</div>
<b class="cbox-ctl"></b>
<b class="cbox-ctr"></b>
<b class="cbox-cbl"></b>
<b class="cbox-cbr"></b>
</div>
</div>
</div>
</div>

<div id="footer" class="footer">
<ul class="clearfix">
<li>
<h3>新手入门</h3>
<ul>
<li><a href="http://help.bookuu.com/helper.php?typeDeal=39" target="_blank">购物流程</a></li>
<li><a href="http://help.bookuu.com/helper.php?typeDeal=51" target="_blank">发票制度</a></li>
<li><a href="http://help.bookuu.com/helper.php?typeDeal=37" target="_blank">积分说明</a></li>
<li><a href="http://help.bookuu.com/helper.php?typeDeal=68" target="_blank">交易条款</a></li>
<li><a href="http://help.bookuu.com/helper.php?typeDeal=458" target="_blank">订单状态</a></li>
<li><a href="http://help.bookuu.com/helper.php?typeDeal=79" target="_blank">常见问题</a></li>
<li><a href="http://help.bookuu.com/helper.php?typeDeal=4153" target="_blank">IC充值卡说明</a></li>
</ul>
</li>
<li>
<h3>配送方式</h3>
<ul>
<li><a href="http://help.bookuu.com/helper.php?typeDeal=41" target="_blank">配送范围与运费</a></li>
<li><a href="http://help.bookuu.com/helper.php?typeDeal=42" target="_blank">配送时间</a></li>
<li><a href="http://help.bookuu.com/helper.php?typeDeal=44" target="_blank">上门自取</a></li>
<li><a href="http://help.bookuu.com/helper.php?typeDeal=43" target="_blank">商品验货与签收</a></li>
</ul>
</li>
<li>
<h3>支付方式</h3>
<ul>
<li><a href="http://help.bookuu.com/helper.php?typeDeal=46" target="_blank">货到付款</a></li>
<li><a href="http://help.bookuu.com/helper.php?typeDeal=47" target="_blank">网上支付</a></li>
<li><a href="http://help.bookuu.com/helper.php?typeDeal=48" target="_blank">邮局汇款</a></li>
<li><a href="http://help.bookuu.com/helper.php?typeDeal=49" target="_blank">银行汇款与转账</a></li>
<li><a href="http://help.bookuu.com/helper.php?typeDeal=50" target="_blank">博库币</a></li>
<li><a href="http://help.bookuu.com/helper.php?typeDeal=593" target="_blank">博库券</a></li>
</ul>
</li>
<li>
<h3>售后服务</h3>
<ul>
<li><a href="http://help.bookuu.com/helper.php?typeDeal=53" target="_blank">退货说明</a></li>
<li><a href="http://help.bookuu.com/helper.php?typeDeal=52" target="_blank">退换货流程</a></li>
<li><a href="http://help.bookuu.com/helper.php?typeDeal=59" target="_blank">退换货地址</a></li>
<li><a href="http://help.bookuu.com/helper.php?typeDeal=60" target="_blank">退款说明</a></li>
</ul>
</li>
<li>
<h3>了解博库</h3>
<ul>
<li><a href="http://help.bookuu.com/anentbookuu.php?typeDeal=94" target="_blank">关于博库</a></li>
<li><a href="http://help.bookuu.com/anentbookuu.php?typeDeal=98" target="_blank">关于浙江新华</a></li>
<li><a href="http://help.bookuu.com/anentbookuu.php?typeDeal=459" target="_blank">联系我们</a></li>
<li><a href="http://help.bookuu.com/anentbookuu.php?typeDeal=4034" target="_blank">公司招聘</a></li>
<li><a href="http://help.bookuu.com/anentbookuu.php?typeDeal=97" target="_blank">合作伙伴</a></li>
<li><a href="http://help.bookuu.com/anentbookuu.php?typeDeal=93" target="_blank">友情链接</a></li>
</ul>
</li>
<li class="serphone">
<h3>服务热线</h3>
<div class="phone-footer-bg">
<p>服务时间: 9:00 -- 21:00</p>
<p class="tel">TEL: 95105940</p>
</div>
</li>
</ul>
<p class="binfo">
<img src="http://style.bookuu.com/index_new/images/footer_banner.jpg">
</p>
<div class="copyright">
<dl>
<dd class="polices_icon"></dd>
<dd class="ll"><a href="http://www.itrust.org.cn/yz/pjwx.asp?wm=1575312902" target="_blank" title="点击查验电子证书"><img src="http://style.bookuu.com/images/itrust47.jpg" alt="中国信用企业"></a></dd>
<dd class="web_gs"><script type="text/javascript" src="http://zjnet.zjaic.gov.cn/sjqybswj/3300000000022054.js"></script></dd>
<dd class="copy_txt">Copyright 2005-<script type="text/javascript">(function(){document.write(new Date().getFullYear())})()</script> <a href="http://www.bookuu.com" target="_blank" title="博库网">bookuu.com</a> 版权所有<br>增值电信业务经营许可证:<a href="http://www.miibeian.gov.cn/" target="_blank" title="浙B2-20110278" rel="nofollow">浙B2-20110278</a></dd>
<dd class="ll"><a href="https://ss.knet.cn/verifyseal.dll?sn=e14082133010052836nfbw000000&comefrom=trust&trustKey=dn&trustValue=www.bookuu.com" target="_blank"><img src="http://style.bookuu.com/images/kxwz.jpg"></a></dd>
<dd class="ll">
<a id='___szfw_logo___' href='https://search.szfw.org/cert/l/CX20131024003180003178' target='_blank'><img src='http://style.bookuu.com/images/cxwz.png'></a>
<script type='text/javascript'>(function(){document.getElementById('___szfw_logo___').oncontextmenu = function(){return false;}})();</script>
</dd>
</dl>
</div>
</div>
<!-- E 底部 -->
<div id="cat-menu">
<div class="max-menu"><a href="http://www.bookuu.com/sort/book.html">图书</a></div>
<ul class="cat-menu-bd">
</ul>
<div class="max-menu"><a href="http://www.bookuu.com/sort/music.html">影音</a> <a href="http://www.bookuu.com/sort/software.html">软件</a></div>
</div>
<script type="text/javascript">
//帮助中心
$(".site-help").hover(function(){
$(this).addClass("site-help-on");
$(this).find(".help-bd").show();
},function(){
$(this).removeClass("site-help-on");
$(this).find(".help-bd").hide();
});

//搜索框
$('#key_S').focus(function(){
if($(this).val()==this.defaultValue){
$(this).css("color","#000");
}
}).blur(function(){
if($(this).val()==''){
$(this).val(this.defaultValue);
$(this).css("color","#999");
}
});
//分类
var timer = 0;
$('.main-nav h2').hover(function(){
clearTimeout(timer);
$('#cat-menu').toposition(this, {x:0, y:35}).show();
$(this).addClass("on");
});
$(".cat-menu-bd li").hover(function(){
$(this).addClass("hover");

var oChild = $(".cat-mod", this);
// 计算 .cat-mod 的 top
var iHeight = 35 + 32 * ($(this).index() + 1),
iChildHeight = oChild.height(),
iMinHeight = 50; // paddingTop + 30
if ((iChildHeight - iHeight) < iMinHeight) {
var iCatHeight = $('#cat-menu').height() - 35,
iTop = iHeight - (iChildHeight - iMinHeight);
if ((iTop + iChildHeight) > iCatHeight) {
iTop = iCatHeight - iChildHeight;
}
oChild.css('top', iTop);
}
oChild.show();
},function(){
$(this).removeClass("hover");
$(".cat-mod", this).hide();
});
$('.main-nav h2').mouseout(function() {
timer = setTimeout(function() {
$("#cat-menu").hide();
$(".main-nav h2").removeClass("on");
}, 100);
});
$('#cat-menu').live('mouseout', function() {
timer = setTimeout(function() {
$("#cat-menu").hide();
$(".main-nav h2").removeClass("on");
}, 100);
});
$('#cat-menu').live('mouseover', function() {
clearTimeout(timer);
});

//购物车
var enter = function(){
if($("#top-cart-list").is(":hidden")){
$("#top-cart-list").show();
var html_list = $.ajax({url:"/sync/getcart.php",async:false});
$('#top-cart-list').html(html_list.responseText);
if($(".smb .shoppingcartnumid").html()===null){
$(".shoppingcartnumid").html(0);
}else{
$(".shoppingcartnumid").html(parseFloat($(".smb .shoppingcartnumid").html()));
};
return false;
}else{
$("#top-cart-list").hide();
return false;
};
};
var _enter;
$("#bk-t-cart").mouseenter(function(){
clearTimeout(_enter);
_enter = setTimeout(enter, 200);
});
$("#bk-t-cart").mouseleave(function(){
clearTimeout(_enter);
$("#top-cart-list").hide();
return false;
});
function del_cart(spbs){
var dnum = parseFloat($("#cald_"+spbs).attr('cal'));
$.ajax({
url:"http://www.bookuu.com/sync/getcart.php",
data :{
action:'del',
spbs:spbs
},
success: function(data){
$("#top-cart-list").html(data);
$(".shoppingcartnumid").html(parseFloat($(".shoppingcartnumid").html())-dnum);
}
});
}

</script>
<!--点击-->
<div class="contact-list">
<ul>
<li class="yjfk"><a href="javascript:void(0);" id="_yjfk" name="yjfk">用户反馈</a></li>
<li class="hdsy"id="huidao_top"><a href="javascript:void(0);">回到顶部</a></li>
</ul>
</div>
<!-- 弹窗遮罩 -->
<div class="fb-mask"></div>
<!--用户登录-->
<div class="serve-form">
<div id="khzx-login">
<div id="kfzx-header" class="khzx-hd"><h3>用户登录</h3><em id="close" class="close">×</em></div>
<div class="khzx-bd login">
<p id="kfzx_show_info"></p>
<!-- <h4>用户登录</h4> -->
<div class="info">
<form>
<ul>
<li><label class="label">用户名:</label>
<input type="text" name="nickname" id="_nickname" onkeydown='if(event.keyCode==13){syncLogin()}' value="" maxlength="32" ></li>
<li><label class="label">密&nbsp;&nbsp;&nbsp;码:</label>
<input type="password" name="passwd" id="_passwd" onkeydown='if(event.keyCode==13){syncLogin()}' value="" maxlength="32"></li>
<li class="li-btn">
<input id="kfzx-send-login" type="button" value="提交" class="submit-btn" onclick="syncLogin();" /><a href="http://passport.bookuu.com/getpassword.php">找回密码</a>
</li>
<li class="alliance-login">
<a href="http://passport.bookuu.com/qqlogin.php" target="_blank" title="用QQ账号登录"><img src="http://style.bookuu.com/index/images/qqlogin_icon.gif" alt="用QQ账号登录"></a>
<a href="http://passport.bookuu.com/alilogin.php" target="_blank" title="用支付宝帐号登录"><img src="http://style.bookuu.com/index/images/alipaylogin_icon.gif" alt="用支付宝帐号登录" /></a>
<a href="http://passport.bookuu.com/xunleilogin.php" target="_blank" title="迅雷账号登录"><img src="http://style.bookuu.com/index/images/xunlei.jpg" alt="迅雷账号登录" style="vertical-align:middle;">迅雷</a>
<a href="http://passport.bookuu.com/feixinlogin.php" target="_blank" title="飞信账号登录"><img src="http://style.bookuu.com/index/images/feixin.png" alt="飞信账号登录" style="vertical-align:middle;">飞信</a>
</li>
<li class="sub-reg">还不是博库网用户?<a href="http://passport.bookuu.com/reg.php" target="_blank">快速注册>></a></li>
</ul>
</form>
</div>
</div>
</div>
<!--用户反馈-->
<div id="khzx-feedback">
<div id="kfzx-header3" class="khzx-hd"><h3>用户反馈</h3><em id="close" class="close">×</em></div>
<div class="khzx-bd khzx-fb" id="khzx-fb" style="display: none">
<span class="yjjy">
<label class="on"><input type="radio" id="_yjjy" name="radio" checked="checked" value="0">意见建议</label>
<label><input type="radio" id="_ddwt" name="radio" value="1">订单问题</label>
<label><input type="radio" id="_wycw" name="radio" value="2">网站错误</label>
</span>
<div class="info" id="_yjandjy">
<form>
<textarea id="content1" name="yjfka" rows="10" maxLength="1000" style="width:418px;" onkeyup="checkLength(this)" placeholder="为更好的提升博库网服务,真诚希望您能对博库网的不足提出宝贵意见。"></textarea>
<br />
<span>您还可以输入<span style="color:#DE5401" id="spanword">1000</span>字</span>
<br />
<span id="yj-eeror"></span>
<input type="button" value="提交反馈" class="submit-btn" onclick="yjfkbutton()">
</form>
</div>
<div class="info" id="_ddandwt" style="display: none">
<ul>
<li><label class="label"><font color='red'>*</font>订单编号:</label>
<input class="inpt" type="text" name="num" id="num" maxlength="32" placeholder="如:E00019999912" style="width:300px;">&nbsp;&nbsp;</li>
<li style="padding-left:70px;"><span id="dd-num"></span></li>
<li><label class="label"><font color='red'>*</font>联系电话:</label>
<input class="inpt" type="phone" name="phone" id="phone" maxlength="32" placeholder="手机号码" style="width:300px;"></li>
<li style="padding-left:70px;"><span id="dd-phone"></span></li>
<li><label class="label" style="vertical-align: top;"><font color='red'>*</font>详细描述:</label>
<textarea id="content" name="content" rows="5" maxLength="500" onkeyup="Lengthb(this)" placeholder="请尽量详细描述您的订单问题" ></textarea>
<br />

</li>
<li style="padding-left:70px;"><span>您还可以输入<span style="color:#DE5401" id="spanwordb">500</span>字</span><br /><span id="dd-error"></span></li>
<li>
<input type="hidden" id="ckitem_ddadwt" value="0" >
<input type="button" value="提交反馈" class="submit-btn" onclick="send_msg()">
</li>
</ul>
</div>
<div class="info" id="_wyandcw" style="display: none">
<form action='/sync/feedback.php?a=uploadimg' method="post">
<ul>
<li><label class="label"><font color="red">*</font>页面链接:</label>
<input class="inpt" type="text" name="url" id="_url" maxlength="200" placeholder="如: http://www.bookuu.com/">
<select id="_oldtime" name="oldtime" style="padding:5px;">
<option value="">错误发生时间</option>
<option value="刚刚">刚刚</option>
<option value="一小时前">一小时前</option>
<option value="一天前">一天前</option>
<option value="三天前">三天前</option>
</select>
<br />
<li style="padding-left:70px;"><span id="ym-url"></span></li>

</li>
<!--li><label class="label"><font color="red">*</font>错误图片上传:</label>
<input type="file" name="publish" id="file" style="width:180px;" /><span>JPG/PNG&nbsp;&nbsp;500K以内</span>
</li-->
<li><label class="label"><font color="red">*</font>描述操作:</label>
<textarea id="_bugcontent" name="bugcontent" rows="5" maxLength="500" onkeyup="Length(this)" placeholder="请详细描述页面发生错误前您的操作"></textarea>
<li style="padding-left:70px;">
<span>您还可以输入<span style="color:#DE5401" id="spanworda">500</span>字</span>
<br /><span id="ym-error"></span></li>
</li>
<li><input type="button" value="提交反馈" class="submit-btn" onclick="send_bugmsg()"></li>
</ul>
</form>
</div>
</div>
</div>
</div>
<script type="text/javascript">
//弹出层点击时
var is_opened = false;
//判断是否登录
var _logined = false;
if (!_logined) {
$.get("/sync/feedback.php?login=1&num="+Math.round(Math.random()*10000),function(result){
if(result==1){
_logined=true;
}else{
_logined=false;
}
});
}
$(".yjfk").click(function() {
$(".fb-mask").fadeIn(200);
$(".serve-form").fadeIn(400);
$("#khzx-fb").show();
if (_logined) {
if (is_opened) {
is_opened = false;
$(".serve-form").hide();
$("#khzx-feedback").hide();
// $("#khzx-fb").hide();
} else {
$("#khzx-feedback").show();
$("#khzx-login").hide();
is_opened = true;
}
} else {
if (is_opened) {
is_opened = false;
$(".serve-form").hide();
$("#khzx-feedback").hide();
// $("#khzx-fb").hide();
} else {
$("#khzx-login").show();
$("#khzx-feedback").hide();
is_opened = true;
}
}
});
// $(".contact-list").show();
// 用户反馈隐藏显示
$(window).scroll(function(){
if( $(document).scrollTop() > 0 ) {
$('.contact-list').show();
} else {
$('.contact-list').hide();
}
});
//登录
function syncLogin() {
$.post("/sync/login.php", {
nickname: $("#_nickname").val(),
passwd: $("#_passwd").val()
},
function(result) {
if (result == "登录成功") {
$("#kfzx-t").text("客服咨询");
//获取网页标头消息
$.post("/sync/refreshheader.php",
function(result) {
$("#bk-site-nav").html(result);
});
_logined = true;
$("div.serve-form").show();
$("#khzx-fb").show();
$("#khzx-login").hide();
$("#khzx-feedback").show();
} else {
$("#kfzx-t").text("用户登录");
$("#kfzx_show_info").html("<font color='red'>" + result + "</font>");
}
});
}
//意见建议提交
function yjfkbutton() {
var data = $("#content1").val();
if (data == '') {
$("#yj-eeror").html("<font color='red'>内容不能为空</font>");
return;
}
$.post("/sync/feedback.php", {
yjfka: encodeURIComponent($("#content1").val()),
surl: window.location.href
},
function(_data) {
var _show = _data == '1' ? "<font color='green'>您的意见已提交成功,我们将仔细阅读您的反馈意见,感谢您的支持。</font>": "<font color='red'>抱歉,消息发送失败,请稍后重试。</font>";
$("div.khzx-bd").html(_show);
setTimeout("location.reload()", 1500);
});
}
//订单错误提交
function send_msg() {
$("#num").blur();
$("#phone").blur();
var number = $("#num").val();
var phone = $("#phone").val();
var content = $("#content").val();
if (content.length > 500) {
$("#dd-error").html("<font color='red'>字数超出限制</font>");
error = 1;
} else if (!content) {
$("#dd-error").html("<font color='red'>内容不能为空</font>");
} else {
$("#dd-error").html("");
}
if ($('#dd-num').html() || $('#dd-phone').html() || $('#dd-error').html()) {
return;
}
if (phone != "" && number != "" && content != "") {
$.get("/sync/feedback.php?a=ddbh&phone=" + $("#phone").val() + "&ddbh=" + number + "&msg_content=" + encodeURIComponent(content),
function(data) {
var _show = data == '1' ? "<font color='green'>您的意见已提交成功,我们将仔细阅读您的反馈意见,感谢您的支持。</font>": "<font color='red'>抱歉,消息发送失败,请稍后重试!</font>";
$("div.khzx-bd").html(_show);
setTimeout("location.reload()", 1500);
});
} else {
$("#dd-error").html("<font color='red'>内容不能为空</font>");
return;
}
}
// 网站错误
function send_bugmsg() {
$("#_url").blur();
var url = $("#_url").val();
var bugcontent = $('#_bugcontent').val();
var oldtime = $('#_oldtime').val();
if (bugcontent.length > 500) {
$("#ym-error").html("<font color='red'>字数超出限制</font>");
} else if (!bugcontent) {
$("#ym-error").html("<font color='red'>内容不能为空</font>");
} else {
$("#ym-error").html("");
}
if ($('#ym-url').html() || $('#ym-error').html()) {
return;
}
if (url != "") {
$.post("/sync/feedback.php", {a: 'pagebug', url : url, oldtime : oldtime, bugcontent: encodeURIComponent(bugcontent)},
function(data) {
var _show = data == '1' ? "<font color='green'>您的意见已提交成功,我们将仔细阅读您的反馈意见,感谢您的支持。</font>": "<font color='red'>抱歉,消息发送失败,请稍后重试!</font>";
$("div.khzx-bd").html(_show);
setTimeout("location.reload()", 1500);
});
} else {
$("#ym-error").html("<font color='red'>内容不能为空</font>");
return;
}
}
$(".close").click(function() {
$(".fb-mask").fadeOut(200);
$("#khzx-login").fadeOut(200);
$("#khzx-feedback").hide();
//$('#khzx-feedback input').val('');
//$('#khzx-feedback textarea').val('');
//location.reload();
is_opened = false;
});
$(function() {
$(":radio").click(function() {
var radio = $(this).val();
switch (radio) {
case "1":
$("#_ddandwt").show();
$("#_wyandcw").hide();
$("#_yjandjy").hide();
break;
case "2":
$("#_wyandcw").show();
$("#_ddandwt").hide();
$("#_yjandjy").hide();
break;
default:
$("#_yjandjy").show();
$("#_ddandwt").hide();
$("#_wyandcw").hide();
}
});
$("#content1").blur(function(){

});
$("#num").blur(function(){
var number = $("#num").val();
var reg = /^[A-Z]\d{11}$/;
var error = 0
if (number == '') {
$("#dd-num").html("<font color='red'>订单编号不能为空!</font>");
error = 1;
}else if (!reg.test(number)) {
$("#dd-num").html("<font color='red'>订单号码格式有误。</font>");
error = 1;
}
if (!error) {
$("#dd-num").html("");
}

});
$("#phone").blur(function(){
var phone = $("#phone").val();
var error = 0;
var reg = /^(13[0-9]|15[0|3|6|7|8|9]|18[8|9])\d{8}$/;

if (phone == '') {
$("#dd-phone").html("<font color='red'>联系电话不能为空。</font>");
error = 1;
} else if (!reg.test(phone)) {
$("#dd-phone").html("<font color='red'>请输入有效的手机号码。</font>");
error = 1;
}
if (!error) {
$("#dd-phone").html("");
}

});
$("#_url").blur(function(){
var url = $("#_url").val();
var error = 0;
if (url == '') {
$("#ym-url").html("<font color='red'>请输入页面链接地址。</font>");
error = 1;
} else if (url.indexOf('bookuu') < 0) {
$("#ym-url").html("<font color='red'>URL格式有误。</font>");
error = 1;
}
if (!error) {
$("#ym-url").html("");
}

});
});
$(".yjjy label").click(function() {
$(".yjjy label").removeClass("on");
$(this).addClass("on");
});
//回到顶层
window.onload = function() {
var oTop = document.getElementById("huidao_top");
var screenw = document.documentElement.clientWidth || document.body.clientWidth;
var screenh = document.documentElement.clientHeight || document.body.clientHeight;
oTop.style.left = screenw - oTop.offsetWidth +"px";
oTop.style.top = screenh - oTop.offsetHeight + "px";
window.onscroll = function() {
var scrolltop = document.documentElement.scrollTop || document.body.scrollTop;
oTop.style.top = screenh - oTop.offsetHeight + scrolltop +"px";
}
oTop.onclick = function() {
document.documentElement.scrollTop = document.body.scrollTop =0;
}
}
//字数统计
function checkLength(which) {
var maxChars = 1000;
if (which.value.length > maxChars)
which.value = which.value.substring(0,maxChars);
var curr = maxChars - which.value.length;
document.getElementById("spanword").innerHTML = curr.toString();
}
function Length(lengths) {
var maxChars = 500;
if (lengths.value.length > maxChars)
lengths.value = lengths.value.substring(0,maxChars);
var curr = maxChars - lengths.value.length;
document.getElementById("spanworda").innerHTML = curr.toString();
}
function Lengthb(lengthb) {
var maxChars = 500;
if (lengthb.value.length > maxChars)
lengthb.value = lengthb.value.substring(0,maxChars);
var curr = maxChars - lengthb.value.length;
document.getElementById("spanwordb").innerHTML = curr.toString();
}
</script>
<!--END客户咨询-->
</body>
</html>
<script type="text/javascript" src="http://style.bookuu.com/shoping/js/shopping-cart.js"></script>
<script type="text/javascript">
function reg(){}
function resign() {
var qq = Math.round((Math.random()) * 100000000);
$('#sign').attr('src', './imgcode.php?r='+qq);
}
$(".contact-list").hide();
</script>


0x2: Once the needed data has been captured, the hotline account can be reset!

(screenshot: q.png)


The hotline account has no bound phone number!

(screenshot: w.png)


So in step one, after entering the username, intercept the traffic and replace the returned packet with the step-one response captured above; the password can then be changed via the phone path!

(screenshot: e.png)


Choose "change password by phone". The phone number is shown as ****, but no phone number actually exists, so the verification code cannot be sent, and if sending fails the data cannot be submitted to reach the next step. The code is actually 4 digits, but it cannot be brute-forced: after three wrong entries no further input is accepted!

(screenshot: r.png)


Intercept the get-verification-code request and change 102 to 100 in the response packet, then forward it!

(screenshot: t.png)


Then type a few arbitrary digits into the verification-code field and click submit; again change 102 to 100 in the response packet and forward it!

(screenshot: y.png)


(screenshot: u.png)


Proof of vulnerability:

0x3: After forwarding, you reach the change-password page; the password is changed to wooyun123!

(screenshot: a.png)


(screenshot: i.png)


0x4: Password change succeeded; verified by logging in!

(screenshot: o.png)


Using the same method, repeat the process above to reset the admin account's password to wooyun123

(screenshot: s.png)

Fix recommendation:

Strengthen the server-side verification mechanism!
Digging for bugs late at night; asking for a high rank!

Copyright notice: when reposting, please credit the source: 千斤拨四两@WooYun
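The recommended fix, strengthening the server-side verification mechanism, means the server must never let the client decide whether a step has passed. The report shows that the page's JavaScript acts on a flag (102 or 100) returned by the server, so rewriting that flag in an intercepting proxy walks the flow to the change-password page without a bound phone or a valid code. The following Python model is an added example, not code from the report or from bookuu.com; it keeps the reset step, the pending code and the attempt counter in a server-side session keyed by a session id, so a forged flag in a response or request cannot advance the flow. The user table, the `flag`/`msg` response shape, the `PasswordResetService` class and the `sms_sender` hook are all constructed for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Constructed sample user table (placeholder data, not from the report).
USERS = {
    "alice": {"phone": "13800000000", "password": "old-pw"},
    "hotline": {"phone": None, "password": "old-pw"},  # no phone bound
}

CODE_TTL = 300      # seconds a sent code stays valid (assumed value)
MAX_ATTEMPTS = 3    # the site locks after three wrong codes; enforced server-side here


# --- Vulnerable design: the only gate is a client-supplied "flag" claim.
def vulnerable_set_password(req):
    # This is exactly the value an intercepting proxy can rewrite from 102 to 100,
    # because nothing on the server records that earlier steps really passed.
    if req.get("flag") != 100:
        return {"flag": 102, "msg": "verification incomplete"}
    USERS[req["name"]]["password"] = req["new_password"]
    return {"flag": 100, "msg": "password changed"}


# --- Hardened design: all progress lives in a server-side session.
@dataclass
class ResetSession:
    username: Optional[str] = None
    step: int = 0            # 0 none, 1 identified, 2 code sent, 3 code verified
    code: Optional[str] = None
    code_expires: float = 0.0
    attempts: int = 0


class PasswordResetService:
    def __init__(self, sms_sender, clock=time.time):
        self.sessions = {}          # session id -> ResetSession (server memory only)
        self.sms_sender = sms_sender
        self.clock = clock

    def _session(self, sid):
        return self.sessions.setdefault(sid, ResetSession())

    def start(self, sid, username):
        s = self._session(sid)
        user = USERS.get(username)
        # Accounts without a bound phone are refused here; the client cannot override.
        if user is None or not user["phone"]:
            return {"flag": 102, "msg": "cannot reset by phone"}
        s.username, s.step = username, 1
        return {"flag": 100, "msg": "continue"}

    def send_code(self, sid):
        s = self._session(sid)
        if s.step < 1:
            return {"flag": 102, "msg": "start first"}
        s.code = f"{secrets.randbelow(10**6):06d}"   # stored server-side, never sent to the browser
        s.code_expires = self.clock() + CODE_TTL
        s.attempts = 0
        s.step = 2
        self.sms_sender(USERS[s.username]["phone"], s.code)
        return {"flag": 100, "msg": "code sent"}

    def verify_code(self, sid, code):
        s = self._session(sid)
        if s.step != 2:
            return {"flag": 102, "msg": "no code pending"}
        if s.attempts >= MAX_ATTEMPTS or self.clock() > s.code_expires:
            s.step = 0                # lock out: the flow must be restarted
            return {"flag": 102, "msg": "code expired or locked"}
        s.attempts += 1
        if not hmac.compare_digest(code.encode(), s.code.encode()):
            return {"flag": 102, "msg": "wrong code"}
        s.step, s.code = 3, None
        return {"flag": 100, "msg": "verified"}

    def set_password(self, sid, new_password):
        s = self._session(sid)
        if s.step != 3:               # reached only through verify_code on this server
            return {"flag": 102, "msg": "not verified"}
        USERS[s.username]["password"] = new_password
        self.sessions.pop(sid)
        return {"flag": 100, "msg": "password changed"}


def demo_forged_flag_rejected():
    """A client that skips straight to set_password gets 102, whatever it claims."""
    svc = PasswordResetService(sms_sender=lambda phone, code: None)
    return svc.set_password("forged-session", "new-pw")["flag"]


if __name__ == "__main__":
    print("forged jump to set_password ->", demo_forged_flag_rejected())
```

The 102/100 values survive only as display hints for the browser; every transition checks `ResetSession.step` on the server, the code is compared in constant time, and the attempt counter and expiry live beside it, so the three-try lockout the report observed on the client becomes a real limit. `vulnerable_set_password` is the contrasting design in which a client-supplied flag is the sole gate.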


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2015-07-03 17:46

Vendor reply:

Thanks to WooYun and 千斤拨四两 for providing the vulnerability information; we will fix it as soon as possible. Respect.

Latest status:

None yet

