海信集团在用系统未授权访问可致大量内部接口信息泄露/数十万订单明细泄露/可影响海信全国管理系统

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0132906

漏洞标题：海信集团在用系统未授权访问可致大量内部接口信息泄露/数十万订单明细泄露/可影响海信全国管理系统

漏洞作者：路人甲

提交时间：2015-08-09 19:55

修复时间：2015-09-24 13:18

公开时间：2015-09-24 13:18

漏洞类型：未授权访问/权限绕过

危害等级：高

自评Rank：15

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-08-09：细节已通知厂商并且等待厂商处理中
2015-08-10：厂商已经确认，细节仅向厂商公开
2015-08-20：细节向核心白帽子及相关领域专家公开
2015-08-30：细节向普通白帽子公开
2015-09-09：细节向实习白帽子公开
2015-09-24：细节向公众公开

简要描述：

海信集团在用系统未授权访问可致大量内部接口信息泄露/数十万订单明细泄露/大量内部人员信息

详细说明：

首先未授权访问

mask 区域

1.http://**.**.**/monitoring

大量敏感信息&&接口信息泄露

select smssalesin0_.DIVISION as DIVISI110_111_1_, smssalesin0_.ROW_ID as ROW_ID1_100_1_, smssalesin0_.ROW_ID as ROW_ID1_100_0_, smssalesin0_.ACCOUNT_PERIOD as ACCOUNT_2_100_0_, smssalesin0_.ADDRESSFLAG as ADDRESSF3_100_0_, smssalesin0_.BANK_ACCOUNT as BANK_ACC4_100_0_, smssalesin0_.BANK_ACCOUNT2 as BANK_ACC5_100_0_, smssalesin0_.BANK_ACCOUNT3 as BANK_ACC6_100_0_, smssalesin0_.BANK_COUNTRY as BANK_CO92_100_0_, smssalesin0_.BANK_COUNTRY2 as BANK_C100_100_0_, smssalesin0_.BANK_COUNTRY3 as BANK_C101_100_0_, smssalesin0_.BANK_NAME as BANK_NAM7_100_0_, smssalesin0_.BANK_NAME2 as BANK_NAM8_100_0_, smssalesin0_.BANK_NAME3 as BANK_NAM9_100_0_, smssalesin0_.BANK_OWNER as BANK_OW10_100_0_, smssalesin0_.BANK_OWNER2 as BANK_OW11_100_0_, smssalesin0_.BANK_OWNER3 as BANK_OW12_100_0_, smssalesin0_.BRAND_OPERATE_EXPERIENCE as BRAND_O13_100_0_, smssalesin0_.BUSINESS_LICENSE as BUSINES14_100_0_, smssalesin0_.BUSINESS_LICENSE_FILENAME as BUSINES15_100_0_, smssalesin0_.BUSINESS_LICENSE_FILEPATH as BUSINES16_100_0_, smssalesin0_.BUSINESS_TYPE as BUSINES17_100_0_, smssalesin0_.CHECKOPTION as CHECKOP18_100_0_, smssalesin0_.CHECKRECORD as CHECKRE19_100_0_, smssalesin0_.COMBINE_INVOICE as COMBINE20_100_0_, smssalesin0_.COMP_ADDRESS as COMP_AD21_100_0_, smssalesin0_.CREATED_BY as CREATED22_100_0_, smssalesin0_.CREATED_DATE as CREATED23_100_0_, smssalesin0_.CWFLAG as CWFLAG24_100_0_, smssalesin0_.DELIVER_ADDRESS as DELIVER25_100_0_, smssalesin0_.DELIVER_AREA as DELIVE102_100_0_, smssalesin0_.DELIVER_CITY as DELIVE103_100_0_, smssalesin0_.DELIVER_DIVISION as DELIVE104_100_0_, smssalesin0_.DELIVER_PERSON_ID as DELIVER26_100_0_, smssalesin0_.DELIVER_SIGN as DELIVER27_100_0_, smssalesin0_.DUTY_PERSON as DUTY_PE28_100_0_, smssalesin0_.DUTY_PERSON_MOBILE as DUTY_PE29_100_0_, smssalesin0_.DUTY_PERSON_PHONE as DUTY_PE30_100_0_, smssalesin0_.EMAIL as EMAIL31_100_0_, smssalesin0_.EXIST_FRAME as EXIST_F32_100_0_, smssalesin0_.FAX as FAX33_100_0_, smssalesin0_.FINANCE_ABILITY as FINANCE34_100_0_, smssalesin0_.FRAME_AGREEMENT as FRAME_A35_100_0_, smssalesin0_.HOMEPAGE as HOMEPAG36_100_0_, smssalesin0_.INVOICE_ADDRESS as INVOICE37_100_0_, smssalesin0_.INVOICE_AREA as INVOIC105_100_0_, smssalesin0_.INVOICE_CITY as INVOIC106_100_0_, smssalesin0_.INVOICE_COUNTRY as INVOIC107_100_0_, smssalesin0_.INVOICE_DIVISION as INVOIC108_100_0_, smssalesin0_.INVOICE_PERSON as INVOICE38_100_0_, smssalesin0_.INVOICE_PHONE as INVOICE39_100_0_, smssalesin0_.KEY_DUTY_1 as KEY_DUT40_100_0_, smssalesin0_.KEY_DUTY_2 as KEY_DUT41_100_0_, smssalesin0_.KEY_DUTY_3 as KEY_DUT42_100_0_, smssalesin0_.KEY_DUTY_4 as KEY_DUT43_100_0_, smssalesin0_.KEY_DUTY_5 as KEY_DUT44_100_0_, smssalesin0_.KEY_NAME_1 as KEY_NAM45_100_0_, smssalesin0_.KEY_NAME_2 as KEY_NAM46_100_0_, smssalesin0_.KEY_NAME_3 as KEY_NAM47_100_0_, smssalesin0_.KEY_NAME_4 as KEY_NAM48_100_0_, smssalesin0_.KEY_NAME_5 as KEY_NAM49_100_0_, smssalesin0_.KEY_PHONE_1 as KEY_PHO50_100_0_, smssalesin0_.KEY_PHONE_2 as KEY_PHO51_100_0_, smssalesin0_.KEY_PHONE_3 as KEY_PHO52_100_0_, smssalesin0_.KEY_PHONE_4 as KEY_PHO53_100_0_, smssalesin0_.KEY_PHONE_5 as KEY_PHO54_100_0_, smssalesin0_.LEGAL_PERSON as LEGAL_P55_100_0_, smssalesin0_.MANAGER as MANAGER56_100_0_, smssalesin0_.MANAGER_MOBILE as MANAGER57_100_0_, smssalesin0_.MDM_CODE as MDM_COD58_100_0_, smssalesin0_.NEWFLAG as NEWFLAG59_100_0_, smssalesin0_.OFFICE_PHONE as OFFICE_60_100_0_, smssalesin0_.ORG_CODE_FILENAME as ORG_COD61_100_0_, smssalesin0_.ORG_CODE_FILEPATH as ORG_COD62_100_0_, smssalesin0_.ORGANIZATION_CODE as ORGANIZ63_100_0_, smssalesin0_.OTHERFLAG as OTHERFL64_100_0_, smssalesin0_.POST_CODE as POST_CO65_100_0_, smssalesin0_.REGISTER_ADDRESS as REGISTE66_100_0_, smssalesin0_.REGISTER_MONEY as REGISTE67_100_0_, smssalesin0_.REGISTER_PHONE as REGISTE68_100_0_, smssalesin0_.REMARK as REMARK69_100_0_, smssalesin0_.SALE_GROUP as SALE_GR70_100_0_, smssalesin0_.SALES_ADDRESS as SALES_A71_100_0_, smssalesin0_.SALES_CODE as SALES_C72_100_0_, smssalesin0_.SALES_NAME as SALES_N73_100_0_, smssalesin0_.SALES_SNAME as SALES_S74_100_0_, smssalesin0_.SH_DX_STATUS as SH_DX_S75_100_0_, smssalesin0_.SH_LT_STATUS as SH_LT_S76_100_0_, smssalesin0_.SH_YD_STATUS as SH_YD_S77_100_0_, smssalesin0_.SIGN_FILENAME as SIGN_FI78_100_0_, smssalesin0_.SIGN_FILEPATH as SIGN_FI79_100_0_, smssalesin0_.DEPT_ID as DEPT_I109_100_0_, smssalesin0_.AREA as AREA97_100_0_, smssalesin0_.CITY as CITY90_100_0_, smssalesin0_.COUNTRY as COUNTRY91_100_0_, smssalesin0_.DIVISION as DIVISI110_100_0_, smssalesin0_.STATUS as STATUS111_100_0_, smssalesin0_.TAX_CODE as TAX_COD80_100_0_, smssalesin0_.TAX_REGISTRATION_FILENAME as TAX_REG81_100_0_, smssalesin0_.TAX_REGISTRATION_FILEPATH as TAX_REG82_100_0_, smssalesin0_.ACCOUNTING_TYPE as ACCOUN112_100_0_, smssalesin0_.ADMINISTRATION_LEVEL as ADMINIS86_100_0_, smssalesin0_.BRAND as BRAND87_100_0_, smssalesin0_.BRAND_2 as BRAND_113_100_0_, smssalesin0_.BRAND_3 as BRAND_114_100_0_, smssalesin0_.BRAND_4 as BRAND_115_100_0_, smssalesin0_.BRAND_5 as BRAND_116_100_0_, smssalesin0_.BRAND_6 as BRAND_117_100_0_, smssalesin0_.CHANNEL1 as CHANNEL88_100_0_, smssalesin0_.CHANNEL2 as CHANNEL89_100_0_, smssalesin0_.CUSTOMESTATUS as CUSTOM118_100_0_, smssalesin0_.GROUPWO as GROUPW119_100_0_, smssalesin0_.INVOICETYPE as INVOICE99_100_0_, smssalesin0_.MARKET_LEVEL as MARKET_94_100_0_, smssalesin0_.MARKETING_MODE as MARKETI98_100_0_, smssalesin0_.MARKETING_MODE2 as MARKET120_100_0_, smssalesin0_.MARKETING_MODE3 as MARKET121_100_0_, smssalesin0_.MARKETING_MODE4 as MARKET122_100_0_, smssalesin0_.MARKETING_MODE5 as MARKET123_100_0_, smssalesin0_.MARKETING_MODE6 as MARKET124_100_0_, smssalesin0_.PAY_TYPE as PAY_TY125_100_0_, smssalesin0_.PRICE_ASSEMBLE as PRICE_126_100_0_, smssalesin0_.PRODUCTS as PRODUCT96_100_0_, smssalesin0_.PRODUCTS_2 as PRODUC127_100_0_, smssalesin0_.PRODUCTS_3 as PRODUC128_100_0_, smssalesin0_.PRODUCTS_4 as PRODUC129_100_0_, smssalesin0_.PRODUCTS_5 as PRODUC130_100_0_, smssalesin0_.PRODUCTS_6 as PRODUC131_100_0_, smssalesin0_.PUJIE_LEVEL as PUJIE_L93_100_0_, smssalesin0_.RANK as RANK132_100_0_, smssalesin0_.SALE_CLASS as SALE_C133_100_0_, smssalesin0_.SALE_LEVEL as SALE_L134_100_0_, smssalesin0_.SUBJECT_ASSEMBLE as SUBJECT95_100_0_, smssalesin0_.TELPHONE as TELPHON83_100_0_, smssalesin0_.UPDATED_BY as UPDATED84_100_0_, smssalesin0_.UPDATED_DATE as UPDATED85_100_0_ from SMSSALES_INFO smssalesin0_ where smssalesin0_.DIVISION=?

//smsproduct!doNotNeedSecurity_getProduct 	56 	1 	10,389 	10,389 	0 	37 	577 	0.00 	64 	873
//ImeiThreeGuaranteesIn!doNotNeedSecurity_gridAll 	12 	1 	2,262 	2,262 	0 	12 	187 	0.00 	44 	252
//fixFlow!doNotNeedSessionAndSecurity_getMyTask 	11 	1 	2,137 	2,137 	0 	27 	436 	0.00 	2 	671
/base/user!doNotNeedSessionAndSecurity_login 	10 	1 	1,887 	1,887 	0 	13 	218 	0.00 	321 	1,140
/base/organization!doNotNeedSecurity_comboTree 	5 	1 	1,029 	1,029 	0 	6 	109 	0.00 	108 	294
//smsproduct!doNotNeedSecurity_combobox 	2 	2 	187 	187 	65 	0 	0 	0.00 	1 	23
/base/resource!doNotNeedSecurity_getMainMenu 	0 	1 	172 	172 	0 	1 	31 	0.00 	2 	62
//announcements!doNotNeedSecurity_grid 	0 	1 	46 	46