Logic flaw in an eLong system allows changing any user's password (and querying account information, etc.)


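Vulnerability details

Disclosure status:

2016-05-09: Details reported to the vendor; awaiting vendor handling
2016-05-09: Vendor confirmed; details disclosed to the vendor only
2016-05-19: Details disclosed to core white hats and experts in related fields
2016-05-29: Details disclosed to regular white hats
2016-06-08: Details disclosed to trainee white hats
2016-06-23: Details disclosed to the public

Brief description:

Logic error, design flaw

Detailed description: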

http://ebooking.elong.com/ebkauth/forgotpwd

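Enter any username and intercept the request.

Testing showed that the CAPTCHA can be reused, and the response packet reveals whether a user exists.

This yielded a large number of usernames, including administrator accounts.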


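Using any existing username (yangjie is used for testing here), modify the phone number in the response packet; I changed it to my own number.

Then choose to get the verification code.

One thing to note here: intercepting the request that fetches the verification code shows that it carries the phone number directly, so modifying the number there would presumably be enough. The number shown here is also my own, so it should have been taken from the page.

The verification code was sent straight to my phone, after which I reached the password reset page, entered a new password and the change succeeded (password changed to wooyun123).

Only this one account was tested; no other accounts were changed.

(Thanks to the reviewers for their hard work; please help with the redaction.)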

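Proof of vulnerability:

Remediation:

Logic, oh logic... what a sin.

Do not take the phone number that the SMS verification code is sent to from the client-side page!

Good rating, please!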
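
The remediation above, together with the reusable CAPTCHA and the existence-revealing response noted in the detailed description, sketched as a server-side reset flow. This is an added example, not eLong's code and not part of the original report; `ResetService`, its method names, the `send_sms` hook and the sample user are all hypothetical.

```python
import hmac
import secrets

# Constructed sample data: username -> phone number on file (server side).
USERS = {"alice": "+10000000001"}


def _same(a, b):
    # Constant-time comparison; bytes so non-ASCII input cannot raise.
    return hmac.compare_digest(a.encode(), b.encode())


class ResetService:
    def __init__(self, users, send_sms):
        self.users = users
        self.send_sms = send_sms  # callable(phone, code); assumed SMS gateway hook
        self.captchas = {}        # session id -> expected CAPTCHA answer
        self.codes = {}           # username -> pending SMS code

    def new_captcha(self, session_id):
        answer = secrets.token_hex(3)
        self.captchas[session_id] = answer
        return answer

    def _use_captcha(self, session_id, answer):
        # pop() burns the CAPTCHA on every attempt, right or wrong, so one
        # solved CAPTCHA cannot be replayed to probe many usernames.
        expected = self.captchas.pop(session_id, None)
        return expected is not None and _same(expected, answer)

    def request_code(self, session_id, captcha, username, client_phone=None):
        if not self._use_captcha(session_id, captcha):
            return {"ok": False, "msg": "captcha invalid"}
        # client_phone is deliberately ignored: the destination comes only
        # from the server-side record, never from the page or the request.
        phone = self.users.get(username)
        if phone is not None:
            code = f"{secrets.randbelow(10**6):06d}"
            self.codes[username] = code
            self.send_sms(phone, code)
        # Same reply for known and unknown usernames: no existence oracle.
        return {"ok": True, "msg": "If the account exists, a code was sent."}

    def verify_code(self, username, code):
        # The code is bound to the username and burned on the first attempt.
        expected = self.codes.pop(username, None)
        return expected is not None and _same(expected, code)
```

The caller should allow the password change only after `verify_code` returns `True`; code expiry and per-account rate limits are left out of this sketch.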

Copyright notice: when reposting, please credit the source Angoddess@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 12

Confirmed: 2016-05-09 14:01

Vendor reply:

Thanks to the white hat!

Latest status:

None

