2015-06-03: Details reported to the vendor; awaiting vendor handling
2015-06-04: Vendor has confirmed; details disclosed to the vendor only
2015-06-14: Details disclosed to core white hats and experts in the relevant field
2015-06-24: Details disclosed to ordinary white hats
2015-07-04: Details disclosed to intern white hats
2015-07-19: Details disclosed to the public
Enumerated a batch of usernames; let's test with the more sensitive ones!
0x1: Walk through the correct flow with my own account and capture the response.
0x2: Click "Next" and capture the response.
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Wed, 03 Jun 2015 07:57:39 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Accept-Encoding
Content-Language: zh-CN
Content-Length: 15654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
[... keywords and description meta tags ...]
<title>21CN企业应用--中国电信品牌 中国电信企业邮箱 企业邮箱</title>
<LINK href="styles/style.css" rel="stylesheet" type="text/css">
<script type="text/javascript" src="js/jquery-1.7.2.min.js"></script>
</head>
<body class="pay">
[... site header, online-chat widget and navigation markup ...]
<div class="content register"> <div class="register_box">
<div class="forget_flow fg_flow_bg2 fy"> <div class="flow1">1.填写帐号信息</div> <div class="flow2">2.验证帐号信息</div> <div class="flow3 fc2">3.重置密码</div> <div class="flow4">4.成功</div> </div>
<form id="retResetF" method="post" action="retrieve_reset.shtml">
 <div class="register_ipt"> <label class="item fy" for="newPassword">重置密码：<font color="red"><b>*</b></font></label> <div class="ipt_box"> <input name="newPassword" class="ipt_login ipt_login_out" type="password" id="newPassword" /> <ul class="pwd_result"> <li id="pr1">弱</li><li id="pr2">中</li><li id="pr3">强</li> </ul> </div> <div class="ipt_tips hide" id="newPassword_tips">6-14位字符，包含数字和英文字符！</div> <div class="clear"></div> </div>
 <div class="register_ipt"> <label class="item fy" for="newPasswordConfirm">确定新密码：<font color="red"><b>*</b></font></label> <div class="ipt_box code"><input name="newPasswordConfirm" class="ipt_login ipt_login_out" type="password" id="newPasswordConfirm" /></div> <div class="ipt_tips hide" id="newPasswordConfirm_tips"></div> <div class="clear"></div> </div>
 <div class="register_txt"> <input id="resetSubmitBtn" type="submit" class="btn_login" value="下一步" /></div>
</form>
</div></div>
[... footer links and analytics scripts ...]
</body></html>
<script>
function getStandPrCode(){ return "1364890532957";}
function getSupperPrCode(){ return "1365564754673";}
function getNetdiskPrCode(){ return "1118201608280";}
function getEntPrCode(){ return "1072419581621";}
function getEntGPrCode(){ return "1159172288282";}
function getEnt5GPrCode(){ return "1271403456864";}
function isSessionOut(){ if(0==0) return false; else return true;}
function getUsername(){ var username = "doubao"; return "doubao";}
function getErrMsg(){ return "";}
function getBindedMobile(){ return "13080180882";}
function isEmailValid(emailAddr){ if(emailAddr.search(/^w+((-w+)|(.w+))*@[a-za-z0-9]+((.|-)[a-za-z0-9]+)*.[a-za-z0-9]+$/) == -1){ return false; }}
function isMobileValid(mobile){ if(/^13\d{9}$/g.test(mobile)||(/^15[0-35-9]\d{8}$/g.test(mobile))|| (/^18\d{9}$/g.test(mobile))){ return true; }else{ return false; } //if(!(/^(?:13d|15[89])-?d{5}(d{3}|*{3})$/.test(mobile))){ }
function getPwdLevel(pwd){ var strongRegex = new RegExp("^(?=.{8,})(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9])(?=.*\\W).*$", "g"); var mediumRegex = new RegExp("^(?=.{7,})(((?=.*[A-Z])(?=.*[a-z]))|((?=.*[A-Z])(?=.*[0-9]))|((?=.*[a-z])(?=.*[0-9]))).*$", "g"); var enoughRegex = new RegExp("(?=.{6,}).*", "g"); if (false == enoughRegex.test(pwd)) { return 0; } else if (strongRegex.test(pwd)) { return 3; } else if (mediumRegex.test(pwd)) { return 2; } else { return 1; }}
function getStr(str){ return str==null?"":str;}
function isDomainValid(domain){ if(/^(\w-?)+(\.\w{2,})+$/.test(domain)||/^[\w\-\u4e00-\u9fa5]+(\.中国)$/.test(domain) ||/^[\w\-\u4e00-\u9fa5]+(\.公司)$/.test(domain)||/^[\w\-\u4e00-\u9fa5]+(\.网络)$/.test(domain)||/^[\w\-\u4e00-\u9fa5]+(\.cn)$/.test(domain)){ return true; }else{ return false; }}
</script>
<script>
$(document).ready(function(){ initRetResetForm(); initPageEvents();});
function initPageEvents(){ $("#newPassword").bind("focus",{fId:"newPassword",msg:"请输入用户密码！"},focusField); $("#newPassword").bind("keyup",keyupPwd); $("#newPassword").bind({blur:chkPwd}); $("#newPasswordConfirm").bind("focus",{fId:"newPasswordConfirm",msg:"请输入确认密码！"},focusField); $("#newPasswordConfirm").bind({blur:chkCpwd}); $("#newPassword").bind({focus:focusInput,blur:blurInput}); $("#newPasswordConfirm").bind({focus:focusInput,blur:blurInput}); $("#resetSubmitBtn").bind({ mouseover:function(){$(this).removeClass().addClass("btn_login_hover")}, mouseout:function(){$(this).removeClass().addClass("btn_login")} }); $("#retResetF").bind({submit:chkRetResetF});}
function initRetResetForm(){ if(getErrMsg()!=""){ showErrTips("newPasswordConfirm_tips","确定密码和密码不一致！"); }}
function focusInput(){ var id = $(this).attr("id"); $("#"+id+"_label").hide(); $("#"+id).removeClass().addClass("ipt_login ipt_login_on"); $("#"+id).css({imeMode:"disabled"});}
function blurInput(){ var id = $(this).attr("id"); $("#"+id+"_label").hide(); $("#"+id).removeClass().addClass("ipt_login ipt_login_out"); $("#"+id).val()==""?$("#"+id+"_label").show():$("#"+id+"_label").hide();}
function keyupPwd(){ var pwdVal = $(this).val(); var level = getPwdLevel(pwdVal); switch(level){ case 0: $(".pwd_result").children(".pc").removeClass("pc"); showErrTips("newPassword_tips","密码过于简单,6-14位字符，包含数字和英文字符！"); break; case 1: $(".pwd_result").children(".pc").removeClass("pc"); $("#pr1").addClass("pc"); showOkTips("newPassword_tips"); break; case 2: $(".pwd_result").children(".pc").removeClass("pc"); $("#pr2").addClass("pc"); showOkTips("newPassword_tips"); break; case 3: $(".pwd_result").children(".pc").removeClass("pc"); $("#pr3").addClass("pc"); showOkTips("newPassword_tips"); }}
function chkRetResetF(){ $.ajaxSetup({async:false}); var pwdOk = chkPwd(); var cpwdOk = chkCpwd(); $.ajaxSetup({async:true}); return pwdOk&&cpwdOk;}
function chkPwd(){ var isOk = false; var pwdVal = $("#newPassword").val(); if(pwdVal==""){ showErrTips("newPassword_tips","密码不能为空！"); }else{ showOkTips("newPassword_tips"); isOk = true; } return isOk;}
function chkCpwd(){ var isOk = false; var cpwdVal = $("#newPasswordConfirm").val(); var pwdVal = $("#newPassword").val(); if(cpwdVal==""){ showErrTips("newPasswordConfirm_tips","确定密码不能为空！"); }else{ if(cpwdVal!=pwdVal){ showErrTips("newPasswordConfirm_tips","确定密码和密码不一致！"); }else{ showOkTips("newPasswordConfirm_tips"); isOk = true; } } return isOk;}
function focusField(event){ var fId = event.data.fId; var msg = event.data.msg; $("#"+fId+"_tips").removeClass().addClass("ipt_login ipt_login_on"); showHintTips(fId+"_tips",msg);}
function showErrTips(elemId,tips){ $("#"+elemId).removeClass().addClass("ipt_tips ipt_err"); $("#"+elemId).html(tips);}
function showOkTips(elemId){ $("#"+elemId).removeClass().addClass("ipt_tips ipt_ok"); $("#"+elemId).html("");}
function showHintTips(elemId,tips){ $("#"+elemId).removeClass().addClass("ipt_tips"); $("#"+elemId).html(tips);}
</script>
0x3: Now test with one of the enumerated usernames, using 1111111!
The user's phone number has to be entered; this can be bypassed by filling in any phone number and modifying the response.
0x4: Change the 2 to 0 in the response, repeating until the verification code can be obtained.
0x5: Once it is obtained, enter any verification code in the verification-code field.
0x6: Swap in the response from step 2 and forward it; this jumps to the change-password page.
0x7: Change the password (wooyun123).
0x8: Log in to verify!
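The steps above work because the server lets the client decide which step of the reset it is on: the step flag in the response can be rewritten, the step-2 response can be swapped in, and the verification code is never actually checked. The following is an added example, not 21CN's code, of the server-side verification the report asks the vendor to complete: a reset service that keeps every step's outcome on the server behind an opaque reset id and refuses each of those shortcuts. The class and method names, the code TTL and attempt cap, and the user directory with its phone number are all constructed for the example.

```python
"""Server-side reset state (added illustration; not 21CN's code).

Every step's outcome lives in a server-held session keyed by an opaque reset
id. No request field decides which step the client is on, so rewriting a
response flag or replaying an earlier response changes nothing.
All names, the TTL, the attempt cap and the directory are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

CODE_TTL_SECONDS = 300   # assumed policy: a code lives five minutes
MAX_CODE_ATTEMPTS = 5    # assumed policy: then the code is voided


@dataclass
class _ResetSession:
    username: str
    bound_mobile: str           # number on record, never the client's claim
    code: Optional[str] = None
    code_expires: float = 0.0
    attempts: int = 0
    verified: bool = False      # set only by verify_code() on the server


class ResetService:
    def __init__(self, directory: Dict[str, str], now: Callable[[], float] = time.time):
        self._directory = directory                  # username -> bound mobile
        self._sessions: Dict[str, _ResetSession] = {}
        self._now = now
        self.sent_codes: List[Tuple[str, str]] = []  # SMS gateway stub: (mobile, code)
        self.password_hashes: Dict[str, bytes] = {}  # username -> salt + pbkdf2

    def start(self, username: str) -> str:
        """Step 1: always hand out an id, so the reply does not reveal whether
        the account exists; unknown users just never get a session."""
        rid = secrets.token_urlsafe(16)
        mobile = self._directory.get(username)
        if mobile is not None:
            self._sessions[rid] = _ResetSession(username, mobile)
        return rid

    def send_code(self, rid: str, claimed_mobile: str) -> bool:
        """Step 2: the code goes to the number on record; the client's number
        is only compared against it, so an arbitrary number is refused."""
        s = self._sessions.get(rid)
        if s is None or not hmac.compare_digest(s.bound_mobile.encode(), claimed_mobile.encode()):
            return False
        s.code = "{:06d}".format(secrets.randbelow(10 ** 6))
        s.code_expires = self._now() + CODE_TTL_SECONDS
        s.attempts, s.verified = 0, False
        self.sent_codes.append((s.bound_mobile, s.code))
        return True

    def verify_code(self, rid: str, code: str) -> bool:
        """Step 2, second half: the code is always checked, in constant time,
        with an expiry and an attempt cap, so "any code" never passes."""
        s = self._sessions.get(rid)
        if s is None or s.code is None or self._now() > s.code_expires:
            return False
        if s.attempts >= MAX_CODE_ATTEMPTS:
            s.code = None                # void it; send_code() must run again
            return False
        s.attempts += 1
        if hmac.compare_digest(s.code.encode(), code.encode()):
            s.verified = True
            return True
        return False

    def reset_password(self, rid: str, new_password: str) -> bool:
        """Step 3: only a session the server itself marked verified may set a
        password, and the session is consumed so the reset cannot be replayed."""
        s = self._sessions.get(rid)
        if s is None or not s.verified:
            return False
        del self._sessions[rid]
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 100_000)
        self.password_hashes[s.username] = salt + digest
        return True


def demo() -> Dict[str, bool]:
    """Replay the report's shortcuts against the service and record each outcome."""
    clock = [1000.0]                                          # controllable time
    svc = ResetService({"doubao": "13800000000"}, now=lambda: clock[0])  # constructed
    rid, out = svc.start("doubao"), {}
    out["jump_to_step3"] = svc.reset_password(rid, "wooyun123")     # not verified
    out["arbitrary_mobile"] = svc.send_code(rid, "13900000000")       # not on record
    out["correct_mobile"] = svc.send_code(rid, "13800000000")
    real = svc.sent_codes[-1][1]
    wrong = "000000" if real != "000000" else "000001"
    out["any_code"] = svc.verify_code(rid, wrong)
    out["still_locked"] = svc.reset_password(rid, "wooyun123")
    out["real_code"] = svc.verify_code(rid, real)
    out["reset_once"] = svc.reset_password(rid, "correct horse battery")
    out["replay_reset"] = svc.reset_password(rid, "wooyun123")        # consumed
    rid2 = svc.start("doubao")                                       # expiry case
    svc.send_code(rid2, "13800000000")
    clock[0] += CODE_TTL_SECONDS + 1
    out["expired_code"] = svc.verify_code(rid2, svc.sent_codes[-1][1])
    out["unknown_user"] = svc.send_code(svc.start("nobody"), "13800000000")
    return out
```

demo() replays each shortcut from the report (jumping straight to the reset form, an arbitrary phone number, a guessed code, reusing a consumed reset, an expired code) and returns the outcome of each; the only path that succeeds is the code delivered to the number on record, and the step counter the client sees never enters the decision.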
*****ode**********aa**********de**********11**********el**********ea**********ku**********ai**********ta**********te**********dh**********ro**********on**********ai**********bl**********ha**********rg**********ke**********ti**********in**********be**********nn**********ep**********ti**********te**********in**********it**********em**********on**********be**********to**********ha**********as**********nt**********ra**********mo**********vi**********ce**********ce**********it**********vb**********yan**********ner**********nce**********ike**********art**********lle**********nes**********ion**********rce**********lma**********ced**********hai**********est**********rro**********nty**********guo**********hop**********cod*****
Of the enumerated usernames, several had their passwords reset; all are now wooyun123!
Improve the server-side verification mechanism. Asking for a high rank!!!
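Several accounts being reset from one source in a few minutes, as in the result above, is also visible to the operator in their own logs while the server-side fix is being built. The following is an added detection example, not from the report or from 21CN: it counts distinct accounts successfully reset per source address within a sliding window. The log format, the sample lines, the addresses, usernames, window and threshold are all constructed for the example.

```python
"""Mass-reset detection over reset logs (added example; not from the report).

A single successful reset is normal traffic. Many distinct accounts reset from
one source address inside a short window is the footprint of the bulk reset
described above. Log format, addresses, usernames and threshold are
constructed for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

WINDOW = timedelta(minutes=10)   # assumed tuning
DISTINCT_USER_THRESHOLD = 3      # assumed tuning

# Constructed sample: one source resets three accounts in six minutes, one
# unrelated reset from elsewhere, a non-reset event, and a later reset that
# falls outside the window.
SAMPLE_LOG = """\
2015-06-03T07:50:01Z event=password_reset_success src=203.0.113.9 user=doubao
2015-06-03T07:51:30Z event=password_reset_success src=203.0.113.9 user=alice
2015-06-03T07:52:12Z event=password_reset_success src=198.51.100.4 user=carol
2015-06-03T07:53:40Z event=login_success src=203.0.113.9 user=alice
2015-06-03T07:55:48Z event=password_reset_success src=203.0.113.9 user=bob
2015-06-03T08:40:00Z event=password_reset_success src=203.0.113.9 user=dave
"""

Alert = Tuple[str, datetime, List[str]]   # (source, time of trigger, accounts)


def parse_line(line: str) -> Tuple[datetime, Dict[str, str]]:
    """Parse 'TIMESTAMP key=value ...' into a timestamp and a field dict."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kv


def detect(log_text: str) -> List[Alert]:
    """Sliding-window count of distinct reset accounts per source address.

    An alert fires once, at the event that pushes the count over the
    threshold; older events fall out of the window as time advances.
    """
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, kv = parse_line(line)
        if kv.get("event") != "password_reset_success":
            continue
        q = recent[kv["src"]]
        while q and ts - q[0][0] > WINDOW:   # evict events older than the window
            q.popleft()
        before = len({u for _, u in q})
        q.append((ts, kv["user"]))
        users = sorted({u for _, u in q})
        if before < DISTINCT_USER_THRESHOLD <= len(users):
            alerts.append((kv["src"], ts, users))
    return alerts
```

On the sample, the third distinct account from 203.0.113.9 at 07:55:48 raises one alert naming all three accounts; the reset at 08:40:00 from the same source starts a fresh window and stays quiet. A practical deployment would key on the authenticated session or device fingerprint as well as the address, since a shared egress address alone produces false positives.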
Severity: High
Vulnerability Rank: 20
Confirmed: 2015-06-04 09:33
Thank you for your attention to the security of our business. Based on your report, the issue is being addressed. Thanks.
None
function getUsername(){ var username = "doubao"; return "doubao";}function getErrMsg(){ return "";}function getBindedMobile(){ return "13080180882";}13080180882 Bro, your masking doesn't look sufficient..
@Angelic47 That phone number is no longer in use!!!!