Vulnerability summary

Defect ID: wooyun-2014-086493

Title: Multiple databases of a 华商街 system are accessible without authorization (user information leaked)

Vendor: 华商街

Author: 无心、

Submitted: 2014-12-09 13:01

Fixed by: 2015-01-23 13:02

Published: 2015-01-23 13:02

Vulnerability type: Unauthorized access / privilege bypass

Severity: High

Self-assessed rank: 20

Status: Vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-12-09: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2015-01-23: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

Multiple databases of a 华商街 system are accessible without authorization (user information leaked)

Detailed description:

Masked area:
*****.159*****


/* 0 */
{
"_id" : ObjectId("5387063ba310e10ded5410be"),
"id" : "1",
"username" : "13942508798",
"realname" : "张玉兰",
"pwd" : "4QrcOUm6Wau VuBX8g IPg==",
"pwd1" : "",
"tjrname" : "",
"prename" : "",
"pos" : "1",
"zmdname" : null,
"bdmoney" : "7000.0",
"price" : "377.89",
"price_shop" : "0.0",
"price_repeat" : "0.0",
"pv_reg" : "7000.0",
"pv_consume" : "0.0",
"pv_team_reg" : "1967000.0",
"pv_team_con" : "0.0",
"pv_team_regp" : "1967000.0",
"pv_team_conp" : "0.0",
"rank0" : "1",
"rank" : "1",
"rank1" : "0",
"isdp" : "0",
"state" : "1",
"lognum" : "0",
"regtime" : "1332148435",
"confirmtime" : "1332148435",
"sex" : null,
"province" : null,
"city" : null,
"area" : null,
"mobile" : null,
"postcode" : null,
"address" : null,
"email" : "1278107488@qq.com",
"bank" : null,
"bankid" : "0",
"zhanghao" : null,
"huzhu" : null,
"idcard" : "210603195801254064",
"storename" : null,
"storerank" : "0",
"store_province" : null,
"store_city" : null,
"store_area" : null,
"store_address" : null,
"regusername" : null,
"regrealname" : null,
"regtype" : "0",
"bdprice" : "0.0",
"posnum" : "3",
"isblank" : "0",
"storeregtime" : null,
"gldept" : "0",
"tjdept" : "0",
"receiver" : null,
"nationality" : null,
"bankaddress" : null,
"recontact" : null,
"phone" : null,
"jspv" : "0.0",
"timepre" : null,
"fax" : null,
"bdnum" : "1",
"bdnum_team" : "281",
"qq" : null,
"shopprice" : "0.0",
"price_s" : "0.0",
"price_all" : "0.0",
"tjnum" : "1",
"glstr" : "",
"rank2" : "0",
"bv" : "10500.0",
"gupiaonum" : "0",
"type" : "1",
"salebv" : "0.0",
"regbv" : "0.0",
"posstr" : "",
"price3" : "0.00",
"price1" : "0.00",
"buynum" : "0",
"loginin" : "1",
"dongjie" : "1",
"mmprice" : "8970.0",
"mmstyles" : "1",
"istrue" : "1",
"setsett" : "1"
}


This is user information from the song-request platform.
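The record above carries an ObjectId, i.e. it was read straight out of a MongoDB instance that asked for no credentials. As an added example (not code from the report or the vendor), the following Python audits a mongod.conf for the two settings whose absence produces exactly this exposure: `security.authorization` and `net.bindIp`. Both config texts are constructed samples, and the parser only handles the two-level `section:` / `  key: value` subset of the YAML format.

```python
import re

# Constructed sample: a typical default-era config, no auth, bound to all interfaces.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 0.0.0.0
"""
# Constructed sample: the same config with the two controls added.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

def parse_conf(text):
    """Parse the 'section:\\n  key: value' subset of mongod.conf into nested dicts."""
    conf, section = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\s*)([\w.]+):\s*(.*?)\s*$", line)
        if not m or line.lstrip().startswith("#"):
            continue  # blank, comment, or a line outside the subset we handle
        indent, key, value = m.groups()
        if indent == "":
            section = key
            conf.setdefault(section, {})
        elif section is not None:
            conf[section][key] = value
    return conf

def audit(text):
    """Return a list of findings; an empty list means both controls are present."""
    conf = parse_conf(text)
    findings = []
    if conf.get("security", {}).get("authorization") != "enabled":
        findings.append("security.authorization is not 'enabled': any client can read every database")
    bind = conf.get("net", {}).get("bindIp")
    if bind is None:
        # mongod defaults to localhost only since 3.6; older releases bound all interfaces
        findings.append("net.bindIp not set: releases before 3.6 then listen on all interfaces")
    elif any(ip.strip() in ("0.0.0.0", "::") for ip in bind.split(",")):
        findings.append(f"net.bindIp {bind!r} listens on all interfaces")
    return findings
```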

Proof of vulnerability:

Fix recommendation:

Copyright notice: please credit the source when reposting: 无心、@乌云


Vulnerability response

Vendor response:

The vendor could not be contacted, or the vendor actively declined


Vulnerability rating:

Comments

  1. 2014-12-09 13:49 | 龍 、 (Regular white hat | Rank:398 Vulnerabilities:135 | If you are well, it is a sunny day for me)

    2B

  2. 2014-12-09 14:07 | 无心、 (Intern white hat | Rank:71 Vulnerabilities:20 | You are not the wind and I am not the sand; however we entwine we never reach...)

    @龍 、 get lost