
China Telecom enterprise application: arbitrary user password reset vulnerability (leaks large amounts of user order information, domains, mailboxes, cloud drives and site-builder data)

Number: 118020
Url: http://www.wooyun.org/bug.php?action=view&id=118020
Vulnerability status: Vendor confirmed
Vulnerability title: China Telecom enterprise application: arbitrary user password reset vulnerability (leaks large amounts of user order information, domains, mailboxes, cloud drives and site-builder data)
Vulnerability type: Design flaw / logic error
Vendor: 世纪龙信息网络有限责任公司
White hat: 千斤拨四两
Submitted: 2015-06-03 17:55:00
Published: 2015-07-19 09:34:00
Fix time: (not set)
Confirmed: 2015-06-04 00:00:00
Confirm Spend: 1
Vulnerability tags: Design flaw / boundary bypass, logic error, improper design
Followers: 0
Favourites: 0
White-hat rating:
White-hat self-assessed rank: 20
Vendor rating:
Vendor rank: 20
Vulnerability summary
Enumerated some usernames and picked a fairly sensitive user to test!
Vulnerability details

0x1: Go through the correct flow with my own account and capture the response packet.

[screenshot: w.png]


0x2: Click "Next" and capture the response packet.

HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Wed, 03 Jun 2015 07:57:39 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Accept-Encoding
Content-Language: zh-CN
Content-Length: 15654
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="keywords" content="企业邮箱,企业邮局,企业邮局系统,企业邮,集团邮箱,中国电信企业邮箱,21CN企业邮箱,中国电信,21CN,电子商务,在线购买企业邮箱">
<meta name="description" content="21CN企业邮箱是中国电信拆资2亿打造的高端企业邮箱品牌, 5G光纤高速接入,企业邮箱系统安全稳定,海外邮件畅通无阻,企业邮箱销售热线020-83787504">
<title>21CN企业应用--中国电信品牌 中国电信企业邮箱 企业邮箱</title>
<LINK href="styles/style.css" rel="stylesheet" type="text/css">
<script type="text/javascript" src="js/jquery-1.7.2.min.js"></script>
</head>
<body class="pay">
<a href="javascript:void(0);" class="gotop" id="gotop"></a>
<a href="javascript:void(0);" style="display:none" class="olt" id="olt" onclick="clickOlt()"><i class="olt_ico"></i>在线咨询</a>
<div class="olt_con" id="onLineTalk"><a href="javascript:void(0);" class="olt_close" onclick="clickOltCl">x</a>
<div class="olt_con_top">
中国电信21CN企业产品销售中心
</div>
<div style="height:60px"></div>
<div class="olt_con_tit">销售热线</div><p>总部:<strong class="f14 fc4">400-889-0210</strong></p><a href="http://chat32.live800.com/live800/chatClient/chatbox.jsp?companyID=241394&jid=3986521146&skillId=3544&" target="_blank" class="olt_btn">在线销售</a>
<i class="olt_arrow"></i><div class="olt_con_tit">客服热线</div><p>020-83787556/57/58/59/60<br />非工作时间客服热线:<br />020-38733114</p><a href="http://chat32.live800.com/live800/chatClient/chatbox.jsp?companyID=241394&jid=3986521146&skillId=3209" target="_blank" class="olt_btn">在线客服</a></div
>
<script type="text/javascript">
$("#olt").bind("click", clickOlt);
$(".olt_close").bind("click", clickOltCl);
function clickOlt(){$("#onLineTalk").show();$("#olt").hide();}
function clickOltCl(){$("#onLineTalk").hide();$("#olt").show();}
</script>
<div class="head_bg"><div class="header">
<div class="logo"><a href="/" target="_blank"><img src="images/logo.png" width="293" height="51" alt="21cn企业应用商城"/></a></div>
<div class="h_right">
<div class="h_help">销售咨询:<strong class="f14 fc4">400-889-0210</strong>&nbsp;[<a onclick="javascript:window.open('http://chat32.live800.com/live800/chatClient/chatbox.jsp?companyID=241394&amp;jid=3986521146&amp;skillId=3544&amp;','','width=570,height=430')" href="javascript:void(0)">联系我们</a>]&nbsp;&nbsp;|&nbsp;&nbsp;<a id="top_vip" href="userManage_center.shtml">会员中心</a>&nbsp;&nbsp;|&nbsp;&nbsp;<a id="top_help" href='http://help.21cn.net' target='_blank'>帮助中心</a>&nbsp;&nbsp;|&nbsp;&nbsp;<a id="top_yx_log" href="http://mail.21cn.net" target="_blank">登录企业邮箱</a>
</div>
<div class="h_user">
<div id="myCart" class="hd_buy" style="display: none;">
<div class="h_cart" id="h_cart">
<a href="cartManage_list.shtml" class="h_cart_lk">
<i class="h_cart_ico"></i>
<span class="h_cart_txt">购物车</span>
</a>
<i class="h_cart_line"></i>
<span class="h_cart_num" id="mycartNumber">0</span>
<i class="h_cart_arrow"></i>
</div>
<div class="h_order" id="hd_buy_my"><a href="javascript:void(0);">我的订单</a><i class="h_order_arrow"></i></div>
</div>
<div class="h_log" id="topLogonInfo" style="margin-right: 10px;">欢迎来临!<a id="top_log" href='user_login.shtml' class="fc1">请登录</a>&nbsp;&nbsp;|&nbsp;&nbsp;<a id="top_reg" href="register_input.shtml" class="fc1">免费注册</a></div>
</div>
</div>
<div id="logonInfo" style="display:none;">
<div class="hd_log_af" >
<div class="mem_info_hd">
<a href="userManage_account.shtml" class="link">
<img src="images/head_img.png" width="55" height="55" />
</a>
<div class="mem_name">欢迎您!<br />
<a href="userManage_account.shtml" class="link">
<span class="link" id="right_username_show"></span>
</a>
</div>
<div class="clear"></div>
</div>
<div class="mem_info_bd">
<div class="left"><a href="userManage_center.shtml" class="link">进入会员中心</a></div>
<div class="right"><a href="user_logout.shtml" class="mem_quit">退出</a></div>
<div class="clear"></div>
</div>
</div>
</div> </div></div>
<div class="content register">
<div class="register_box">
<div class="forget_flow fg_flow_bg2 fy">
<div class="flow1">1.填写帐号信息</div>
<div class="flow2">2.验证帐号信息</div>
<div class="flow3 fc2">3.重置密码</div>
<div class="flow4">4.成功</div>
</div>
<form id="retResetF" method="post" action="retrieve_reset.shtml">
<div class="register_ipt">
<label class="item fy" for="newPassword">重置密码:<font color="red"><b>*</b></font></label>
<div class="ipt_box">
<input name="newPassword" class="ipt_login ipt_login_out" type="password" id="newPassword" />
<ul class="pwd_result">
<li id="pr1">弱</li><li id="pr2">中</li><li id="pr3">强</li>
</ul>
</div>
<div class="ipt_tips hide" id="newPassword_tips">6-14位字符,包含数字和英文字符!</div>
<div class="clear"></div>
</div>
<div class="register_ipt">
<label class="item fy" for="newPasswordConfirm">确定新密码:<font color="red"><b>*</b></font></label>
<div class="ipt_box code"><input name="newPasswordConfirm" class="ipt_login ipt_login_out" type="password" id="newPasswordConfirm" /></div>
<div class="ipt_tips hide" id="newPasswordConfirm_tips"></div>
<div class="clear"></div>
</div>

<div class="register_txt">
<input id="resetSubmitBtn" type="submit" class="btn_login" value="下一步" /></div>
</form>
</div>
</div>
<div class="foot_bg" style="clear: both;" >
<div class="mod_link">
<dl>
<dt><a href="/index_help.shtml?r=7" target="_blank">支付方式</a></dt>
<dd><a href="/index_help.shtml?r=7" target="_blank">网上支付(推荐)</a><br />
<a href="/index_help.shtml?r=8" target="_blank">银行电汇</a><br />
</dd>
</dl>
<dl>
<dt><a href="/index_help.shtml?r=3" target="_blank">常见问题</a></dt>
<dd><a href="/index_help.shtml?r=4" target="_blank">如何设置客户端</a><br />
<a href="/index_help.shtml?r=20" target="_blank">如何申请免费试用</a><br />
<a href="/index_help.shtml?r=21" target="_blank">如何使用购物车</a></dd>
</dl>
<dl>
<dt><a href="/index_help.shtml" target="_blank">服务支持</a></dt>
<dd><a href="http://chat32.live800.com/live800/chatClient/chatbox.jsp?companyID=241394&jid=3986521146&skillId=3544&" target="_blank">在线销售咨询</a><br />
<a href="/index_help.shtml" target="_blank">帮助中心</a></dd>
</dl>
<dl>
<dt><a href="http://weibo.com/mail21cn" target="_blank">关注我们</a></dt>
<dd><a href="/introduce.jsp" target="_blank">公司介绍</a><br />
<a href="about_sitemap.shtml" target="_blank">网站地图</a><br />
<a href="about_link.shtml" target="_blank">友情链接</a><br />
<a href="http://weibo.com/mail21cn" target="_blank">新浪微博</a><br />
<a href="http://w.21cn.com/apollo/views/web/edm/recruit/index.html" target="_blank" style="color:red">人才招聘</a></dd>
</dl>
<div class="clear"></div>
<div class="yq_link"><a href="http://www.chinaemail.com.cn/" target="_blank">中国邮箱网</a><a href="http://eboss.cn/" target="_blank">电商通</a><a href="http://www.12321.org.cn/" target="_blank">反垃圾信息中心</a><a href="http://www.5dmail.net/" target="_blank">邮件技术资讯网</a><a href="http://www.it.com.cn/" target="_blank">IT世界网</a><a href="http://www.liao1.com/" target="_blank">辽一网</a>
</div>
</div>


<div class="footer">

经营许可证编号:<a href="http://www.miibeian.gov.cn/" target="_blank">粤ICP备09014623号-8</a>&nbsp;&nbsp;
增值电信业务经营许可证:<a href="http://www.21cn.com/other/copyright/icps.html" target="_blank">粤B2-20040116</a>&nbsp;&nbsp;
不良信息举报:<a href="http://chat32.live800.com/live800/chatClient/chatbox.jsp?companyID=241394&jid=3986521146&skillId=3209" target="_blank">[点击联系] 即时在线客服 </a> <br />客服热线:020-83787556/57/58/59/60&nbsp;&nbsp;
中国电信企业邮箱 世纪龙信息网络有限责任公司版权所有  <a href="http://www.21cn.com/other/copyright/index.html" target="_blank">服务声明</a>
</div>
</div>
<!--<div style="display:none">
<script type="text/javascript">
var _bdhmProtocol = (("https:" == document.location.protocol) ? " https://" : " http://");
document.write(unescape("%3Cscript src='" + _bdhmProtocol + "hm.baidu.com/h.js%3F25a3a66cf9a4ca03df4ff3fc0a3f6a87' type='text/javascript'%3E%3C/script%3E"));
</script></div>-->
<script type="text/javascript">
var _bdhmProtocol = (("https:" == document.location.protocol) ? " https://" : " http://");
document.write(unescape("%3Cscript src='" + _bdhmProtocol + "hm.baidu.com/h.js%3F25a3a66cf9a4ca03df4ff3fc0a3f6a87' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
var cnzz_protocol = (("https:" == document.location.protocol) ? " https://" : " http://");document.write(unescape("%3Cspan id='cnzz_stat_icon_1254629062'%3E%3C/span%3E%3Cscript src='" + cnzz_protocol + "w.cnzz.com/q_stat.php%3Fid%3D1254629062' type='text/javascript'%3E%3C/script%3E"));
</script>
</body>
</html>

<script>
function getStandPrCode(){
return "1364890532957";
}
function getSupperPrCode(){
return "1365564754673";
}
function getNetdiskPrCode(){
return "1118201608280";
}
function getEntPrCode(){
return "1072419581621";
}
function getEntGPrCode(){
return "1159172288282";
}
function getEnt5GPrCode(){
return "1271403456864";
}
function isSessionOut(){
if(0==0)
return false;
else
return true;
}
function getUsername(){
var username = "doubao";
return "doubao";
}
function getErrMsg(){
return "";
}
function getBindedMobile(){
return "13080180882";
}
function isEmailValid(emailAddr){
if(emailAddr.search(/^w+((-w+)|(.w+))*@[a-za-z0-9]+((.|-)[a-za-z0-9]+)*.[a-za-z0-9]+$/) == -1){
return false;
}
}
function isMobileValid(mobile){
if(/^13\d{9}$/g.test(mobile)||(/^15[0-35-9]\d{8}$/g.test(mobile))|| (/^18\d{9}$/g.test(mobile))){
return true;
}else{
return false;
}
//if(!(/^(?:13d|15[89])-?d{5}(d{3}|*{3})$/.test(mobile))){
}
function getPwdLevel(pwd){
var strongRegex = new RegExp("^(?=.{8,})(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9])(?=.*\\W).*$", "g");
var mediumRegex = new RegExp("^(?=.{7,})(((?=.*[A-Z])(?=.*[a-z]))|((?=.*[A-Z])(?=.*[0-9]))|((?=.*[a-z])(?=.*[0-9]))).*$", "g");
var enoughRegex = new RegExp("(?=.{6,}).*", "g");

if (false == enoughRegex.test(pwd)) {
return 0;
} else if (strongRegex.test(pwd)) {
return 3;
} else if (mediumRegex.test(pwd)) {
return 2;
} else {
return 1;
}
}
function getStr(str){
return str==null?"":str;
}
function isDomainValid(domain){
if(/^(\w-?)+(\.\w{2,})+$/.test(domain)||/^[\w\-\u4e00-\u9fa5]+(\.中国)$/.test(domain)
||/^[\w\-\u4e00-\u9fa5]+(\.公司)$/.test(domain)||/^[\w\-\u4e00-\u9fa5]+(\.网络)$/.test(domain)||/^[\w\-\u4e00-\u9fa5]+(\.cn)$/.test(domain)){
return true;
}else{
return false;
}
}
</script>
<script>
$(document).ready(function(){
initRetResetForm();
initPageEvents();
});
function initPageEvents(){
$("#newPassword").bind("focus",{fId:"newPassword",msg:"请输入用户密码!"},focusField);
$("#newPassword").bind("keyup",keyupPwd);
$("#newPassword").bind({blur:chkPwd});

$("#newPasswordConfirm").bind("focus",{fId:"newPasswordConfirm",msg:"请输入确认密码!"},focusField);
$("#newPasswordConfirm").bind({blur:chkCpwd});

$("#newPassword").bind({focus:focusInput,blur:blurInput});
$("#newPasswordConfirm").bind({focus:focusInput,blur:blurInput});

$("#resetSubmitBtn").bind({
mouseover:function(){$(this).removeClass().addClass("btn_login_hover")},
mouseout:function(){$(this).removeClass().addClass("btn_login")}
});

$("#retResetF").bind({submit:chkRetResetF});
}
function initRetResetForm(){
if(getErrMsg()!=""){
showErrTips("newPasswordConfirm_tips","确定密码和密码不一致!");
}
}
function focusInput(){
var id = $(this).attr("id");
$("#"+id+"_label").hide();
$("#"+id).removeClass().addClass("ipt_login ipt_login_on");
$("#"+id).css({imeMode:"disabled"});
}
function blurInput(){
var id = $(this).attr("id");
$("#"+id+"_label").hide();
$("#"+id).removeClass().addClass("ipt_login ipt_login_out");
$("#"+id).val()==""?$("#"+id+"_label").show():$("#"+id+"_label").hide();
}
function keyupPwd(){
var pwdVal = $(this).val();
var level = getPwdLevel(pwdVal);
switch(level){
case 0:
$(".pwd_result").children(".pc").removeClass("pc");
showErrTips("newPassword_tips","密码过于简单,6-14位字符,包含数字和英文字符!");
break;
case 1:
$(".pwd_result").children(".pc").removeClass("pc");
$("#pr1").addClass("pc");
showOkTips("newPassword_tips");
break;
case 2:
$(".pwd_result").children(".pc").removeClass("pc");
$("#pr2").addClass("pc");
showOkTips("newPassword_tips");
break;
case 3:
$(".pwd_result").children(".pc").removeClass("pc");
$("#pr3").addClass("pc");
showOkTips("newPassword_tips");
}
}
function chkRetResetF(){
$.ajaxSetup({async:false});
var pwdOk = chkPwd();
var cpwdOk = chkCpwd();
$.ajaxSetup({async:true});

return pwdOk&&cpwdOk;
}
function chkPwd(){
var isOk = false;
var pwdVal = $("#newPassword").val();
if(pwdVal==""){
showErrTips("newPassword_tips","密码不能为空!");
}else{
showOkTips("newPassword_tips");
isOk = true;
}
return isOk;
}
function chkCpwd(){
var isOk = false;
var cpwdVal = $("#newPasswordConfirm").val();
var pwdVal = $("#newPassword").val();
if(cpwdVal==""){
showErrTips("newPasswordConfirm_tips","确定密码不能为空!");
}else{
if(cpwdVal!=pwdVal){
showErrTips("newPasswordConfirm_tips","确定密码和密码不一致!");
}else{
showOkTips("newPasswordConfirm_tips");
isOk = true;
}
}
return isOk;
}
function focusField(event){
var fId = event.data.fId;
var msg = event.data.msg;
$("#"+fId+"_tips").removeClass().addClass("ipt_login ipt_login_on");
showHintTips(fId+"_tips",msg);
}
function showErrTips(elemId,tips){
$("#"+elemId).removeClass().addClass("ipt_tips ipt_err");
$("#"+elemId).html(tips);
}
function showOkTips(elemId){
$("#"+elemId).removeClass().addClass("ipt_tips ipt_ok");
$("#"+elemId).html("");
}
function showHintTips(elemId,tips){
$("#"+elemId).removeClass().addClass("ipt_tips");
$("#"+elemId).html(tips);
}
</script>


[screenshot: e.png]


0x3: Now test with a username obtained by the enumeration; use 1111111 to test!

[screenshot: c.png]


It requires the user's mobile number; this can be bypassed by entering any mobile number and modifying the response packet.

[screenshot: t.png]


0x4: Change the 2 to 0, and keep modifying until the verification code can be obtained.

[screenshot: y.png]


[screenshot: u.png]


0x5: Once it is obtained, fill in any verification code in the verification-code field.

[screenshot: i.png]


[screenshot: o.png]


0x6: Replace the response with the step-two response packet and forward it; it jumps to the password-change page.

[screenshot: p.png]


POC

0x7: Change the password (wooyun123).

[screenshot: a.png]


[screenshot: s.png]


0x8: Log in to verify!

[screenshot: f.png]


Masked area
*****ode*****
*****aa*****
*****de*****
*****11*****
*****el*****
*****ea*****
*****ku*****
*****ai*****
*****ta*****
*****te*****
*****dh*****
*****ro*****
*****on*****
*****ai*****
*****bl*****
*****ha*****
*****rg*****
*****ke*****
*****ti*****
*****in*****
*****be*****
*****nn*****
*****ep*****
*****ti*****
*****te*****
*****in*****
*****it*****
*****em*****
*****on*****
*****be*****
*****to*****
*****ha*****
*****as*****
*****nt*****
*****ra*****
*****mo*****
*****vi*****
*****ce*****
*****ce*****
*****it*****
*****vb*****
*****yan*****
*****ner*****
*****nce*****
*****ike*****
*****art*****
*****lle*****
*****nes*****
*****ion*****
*****rce*****
*****lma*****
*****ced*****
*****hai*****
*****est*****
*****rro*****
*****nty*****
*****guo*****
*****hop*****
*****cod*****


Reset several passwords for the enumerated usernames; all of them are now wooyun123!

[screenshot: 7U4BUP3`]3F]UTWM8LWRP[U.png]


Fix recommendation

Improve the server-side verification mechanism. Asking for a high rank!!!
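To make that fix recommendation concrete, here is an added example, written for this page and not 21CN's code nor the reporter's, of a password-reset flow in which every step is gated on server-side state. The usernames, mobile numbers, password values and the SMS outbox are constructed placeholders. Each transition is decided from the server's own record, so editing a response body (the 2-to-0 change in step 0x4) or replaying the step-two page (step 0x6) cannot reach the reset step without a genuine code check; the bound mobile number is also only ever emitted in masked form, which is the point raised in the comments about getBindedMobile().

```python
# Added example (not 21CN's code): a server-side password-reset state machine.
# Every step transition is decided from the server's own record, so nothing a
# client rewrites in a response can advance the flow without a real code check.
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

CODE_TTL_SECONDS = 300      # lifetime of a one-time verification code
MAX_CODE_ATTEMPTS = 5       # lock the reset session after this many wrong codes

# Constructed demo data: the mobile number and password are placeholders.
USERS = {"demo_user": {"mobile": "13800000000", "password": "old-password"}}
SMS_OUTBOX = []             # stands in for the SMS gateway so the demo runs offline
SESSIONS = {}               # opaque reset token -> ResetSession


@dataclass
class ResetSession:
    username: str
    code: str
    issued_at: float
    attempts: int = 0
    verified: bool = False  # set only by verify_code(), never from client input


def mask_mobile(mobile: str) -> str:
    """Only this masked form should ever be rendered into a page or script."""
    return mobile[:3] + "****" + mobile[-4:]


def start_reset(username: str, supplied_mobile: str, now: Optional[float] = None) -> str:
    """Step 1: the client supplies a mobile; the server compares it with its own
    record. The same opaque token is returned whether or not the pair matched,
    so the response carries no signal for username/mobile enumeration."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(16)
    user = USERS.get(username)
    if user is not None and hmac.compare_digest(user["mobile"].encode(), supplied_mobile.encode()):
        code = f"{secrets.randbelow(10**6):06d}"
        SESSIONS[token] = ResetSession(username, code, now)
        SMS_OUTBOX.append((user["mobile"], code))   # real system: send via SMS gateway
    return token


def verify_code(token: str, submitted_code: str, now: Optional[float] = None) -> bool:
    """Step 2: the only path by which a session becomes verified. Expiry and the
    attempt limit are enforced here; the code comparison is constant-time."""
    now = time.time() if now is None else now
    sess = SESSIONS.get(token)
    if sess is None:
        return False
    if now - sess.issued_at > CODE_TTL_SECONDS or sess.attempts >= MAX_CODE_ATTEMPTS:
        SESSIONS.pop(token, None)                   # expired or locked: discard
        return False
    sess.attempts += 1
    if not hmac.compare_digest(sess.code.encode(), submitted_code.encode()):
        return False
    sess.verified = True
    return True


def reset_password(token: str, new_password: str) -> bool:
    """Step 3: refuses unless the server itself marked the session verified, so
    jumping straight to the reset page with a replayed response does nothing."""
    sess = SESSIONS.get(token)
    if sess is None or not sess.verified:
        return False
    if len(new_password) < 8:
        return False
    USERS[sess.username]["password"] = new_password  # real system: store a password hash
    del SESSIONS[token]                              # token is single use
    return True
```

The client never sees a "verified" flag it could edit: the flag lives in SESSIONS and is keyed by a random token, and reset_password consults only that record. The TTL and attempt limit keep a six-digit code from being guessed within its lifetime, and consuming the token on success prevents a second reset from the same verification.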

Status information:
2015-06-03: Details sent to the vendor; awaiting vendor handling
2015-06-04: Vendor confirmed; details disclosed only to the vendor
2015-06-14: Details disclosed to core white hats and relevant domain experts
2015-06-24: Details disclosed to regular white hats
2015-07-04: Details disclosed to intern white hats
2015-07-19: Details disclosed to the public
Vendor reply: Thank you for your attention to the security of our services. Based on your report, the issue is being handled. Thanks.
Response information: Severity: High; Vulnerability rank: 20; Confirmation time: 2015-06-04 09:33
Comments (comment | commenter | likes | time)

@Angelic47 That mobile number is no longer in use!!!!

千斤拨四两 | 0 | 2015-07-19 21:56:00

function getUsername(){ var username = "doubao"; return "doubao";}function getErrMsg(){ return "";}function getBindedMobile(){ return "13080180882";}13080180882 Brother, it looks like your masking wasn't thorough enough...

Angelic47 | 0 | 2015-07-19 11:36:00