当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0132906

漏洞标题:海信集团在用系统未授权访问可致大量内部接口信息泄露/数十万订单明细泄露/可影响海信全国管理系统

相关厂商:hisense.com

漏洞作者: 路人甲

提交时间:2015-08-09 19:55

修复时间:2015-09-24 13:18

公开时间:2015-09-24 13:18

漏洞类型:未授权访问/权限绕过

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-08-09: 细节已通知厂商并且等待厂商处理中
2015-08-10: 厂商已经确认,细节仅向厂商公开
2015-08-20: 细节向核心白帽子及相关领域专家公开
2015-08-30: 细节向普通白帽子公开
2015-09-09: 细节向实习白帽子公开
2015-09-24: 细节向公众公开

简要描述:

海信集团在用系统未授权访问可致大量内部接口信息泄露/数十万订单明细泄露/大量内部人员信息

详细说明:

首先未授权访问

mask 区域
1.http://**.**.**/monitoring


大量敏感信息&&接口信息泄露

QQ20150809-1@2x.png


QQ20150809-2@2x.png


QQ20150809-3@2x.png


select smssalesin0_.DIVISION as DIVISI110_111_1_, smssalesin0_.ROW_ID as ROW_ID1_100_1_, smssalesin0_.ROW_ID as ROW_ID1_100_0_, smssalesin0_.ACCOUNT_PERIOD as ACCOUNT_2_100_0_, smssalesin0_.ADDRESSFLAG as ADDRESSF3_100_0_, smssalesin0_.BANK_ACCOUNT as BANK_ACC4_100_0_, smssalesin0_.BANK_ACCOUNT2 as BANK_ACC5_100_0_, smssalesin0_.BANK_ACCOUNT3 as BANK_ACC6_100_0_, smssalesin0_.BANK_COUNTRY as BANK_CO92_100_0_, smssalesin0_.BANK_COUNTRY2 as BANK_C100_100_0_, smssalesin0_.BANK_COUNTRY3 as BANK_C101_100_0_, smssalesin0_.BANK_NAME as BANK_NAM7_100_0_, smssalesin0_.BANK_NAME2 as BANK_NAM8_100_0_, smssalesin0_.BANK_NAME3 as BANK_NAM9_100_0_, smssalesin0_.BANK_OWNER as BANK_OW10_100_0_, smssalesin0_.BANK_OWNER2 as BANK_OW11_100_0_, smssalesin0_.BANK_OWNER3 as BANK_OW12_100_0_, smssalesin0_.BRAND_OPERATE_EXPERIENCE as BRAND_O13_100_0_, smssalesin0_.BUSINESS_LICENSE as BUSINES14_100_0_, smssalesin0_.BUSINESS_LICENSE_FILENAME as BUSINES15_100_0_, smssalesin0_.BUSINESS_LICENSE_FILEPATH as BUSINES16_100_0_, smssalesin0_.BUSINESS_TYPE as BUSINES17_100_0_, smssalesin0_.CHECKOPTION as CHECKOP18_100_0_, smssalesin0_.CHECKRECORD as CHECKRE19_100_0_, smssalesin0_.COMBINE_INVOICE as COMBINE20_100_0_, smssalesin0_.COMP_ADDRESS as COMP_AD21_100_0_, smssalesin0_.CREATED_BY as CREATED22_100_0_, smssalesin0_.CREATED_DATE as CREATED23_100_0_, smssalesin0_.CWFLAG as CWFLAG24_100_0_, smssalesin0_.DELIVER_ADDRESS as DELIVER25_100_0_, smssalesin0_.DELIVER_AREA as DELIVE102_100_0_, smssalesin0_.DELIVER_CITY as DELIVE103_100_0_, smssalesin0_.DELIVER_DIVISION as DELIVE104_100_0_, smssalesin0_.DELIVER_PERSON_ID as DELIVER26_100_0_, smssalesin0_.DELIVER_SIGN as DELIVER27_100_0_, smssalesin0_.DUTY_PERSON as DUTY_PE28_100_0_, smssalesin0_.DUTY_PERSON_MOBILE as DUTY_PE29_100_0_, smssalesin0_.DUTY_PERSON_PHONE as DUTY_PE30_100_0_, smssalesin0_.EMAIL as EMAIL31_100_0_, smssalesin0_.EXIST_FRAME as EXIST_F32_100_0_, smssalesin0_.FAX as FAX33_100_0_, smssalesin0_.FINANCE_ABILITY as FINANCE34_100_0_, smssalesin0_.FRAME_AGREEMENT as FRAME_A35_100_0_, smssalesin0_.HOMEPAGE as HOMEPAG36_100_0_, smssalesin0_.INVOICE_ADDRESS as INVOICE37_100_0_, smssalesin0_.INVOICE_AREA as INVOIC105_100_0_, smssalesin0_.INVOICE_CITY as INVOIC106_100_0_, smssalesin0_.INVOICE_COUNTRY as INVOIC107_100_0_, smssalesin0_.INVOICE_DIVISION as INVOIC108_100_0_, smssalesin0_.INVOICE_PERSON as INVOICE38_100_0_, smssalesin0_.INVOICE_PHONE as INVOICE39_100_0_, smssalesin0_.KEY_DUTY_1 as KEY_DUT40_100_0_, smssalesin0_.KEY_DUTY_2 as KEY_DUT41_100_0_, smssalesin0_.KEY_DUTY_3 as KEY_DUT42_100_0_, smssalesin0_.KEY_DUTY_4 as KEY_DUT43_100_0_, smssalesin0_.KEY_DUTY_5 as KEY_DUT44_100_0_, smssalesin0_.KEY_NAME_1 as KEY_NAM45_100_0_, smssalesin0_.KEY_NAME_2 as KEY_NAM46_100_0_, smssalesin0_.KEY_NAME_3 as KEY_NAM47_100_0_, smssalesin0_.KEY_NAME_4 as KEY_NAM48_100_0_, smssalesin0_.KEY_NAME_5 as KEY_NAM49_100_0_, smssalesin0_.KEY_PHONE_1 as KEY_PHO50_100_0_, smssalesin0_.KEY_PHONE_2 as KEY_PHO51_100_0_, smssalesin0_.KEY_PHONE_3 as KEY_PHO52_100_0_, smssalesin0_.KEY_PHONE_4 as KEY_PHO53_100_0_, smssalesin0_.KEY_PHONE_5 as KEY_PHO54_100_0_, smssalesin0_.LEGAL_PERSON as LEGAL_P55_100_0_, smssalesin0_.MANAGER as MANAGER56_100_0_, smssalesin0_.MANAGER_MOBILE as MANAGER57_100_0_, smssalesin0_.MDM_CODE as MDM_COD58_100_0_, smssalesin0_.NEWFLAG as NEWFLAG59_100_0_, smssalesin0_.OFFICE_PHONE as OFFICE_60_100_0_, smssalesin0_.ORG_CODE_FILENAME as ORG_COD61_100_0_, smssalesin0_.ORG_CODE_FILEPATH as ORG_COD62_100_0_, smssalesin0_.ORGANIZATION_CODE as ORGANIZ63_100_0_, smssalesin0_.OTHERFLAG as OTHERFL64_100_0_, smssalesin0_.POST_CODE as POST_CO65_100_0_, smssalesin0_.REGISTER_ADDRESS as REGISTE66_100_0_, smssalesin0_.REGISTER_MONEY as REGISTE67_100_0_, smssalesin0_.REGISTER_PHONE as REGISTE68_100_0_, smssalesin0_.REMARK as REMARK69_100_0_, smssalesin0_.SALE_GROUP as SALE_GR70_100_0_, smssalesin0_.SALES_ADDRESS as SALES_A71_100_0_, smssalesin0_.SALES_CODE as SALES_C72_100_0_, smssalesin0_.SALES_NAME as SALES_N73_100_0_, smssalesin0_.SALES_SNAME as SALES_S74_100_0_, smssalesin0_.SH_DX_STATUS as SH_DX_S75_100_0_, smssalesin0_.SH_LT_STATUS as SH_LT_S76_100_0_, smssalesin0_.SH_YD_STATUS as SH_YD_S77_100_0_, smssalesin0_.SIGN_FILENAME as SIGN_FI78_100_0_, smssalesin0_.SIGN_FILEPATH as SIGN_FI79_100_0_, smssalesin0_.DEPT_ID as DEPT_I109_100_0_, smssalesin0_.AREA as AREA97_100_0_, smssalesin0_.CITY as CITY90_100_0_, smssalesin0_.COUNTRY as COUNTRY91_100_0_, smssalesin0_.DIVISION as DIVISI110_100_0_, smssalesin0_.STATUS as STATUS111_100_0_, smssalesin0_.TAX_CODE as TAX_COD80_100_0_, smssalesin0_.TAX_REGISTRATION_FILENAME as TAX_REG81_100_0_, smssalesin0_.TAX_REGISTRATION_FILEPATH as TAX_REG82_100_0_, smssalesin0_.ACCOUNTING_TYPE as ACCOUN112_100_0_, smssalesin0_.ADMINISTRATION_LEVEL as ADMINIS86_100_0_, smssalesin0_.BRAND as BRAND87_100_0_, smssalesin0_.BRAND_2 as BRAND_113_100_0_, smssalesin0_.BRAND_3 as BRAND_114_100_0_, smssalesin0_.BRAND_4 as BRAND_115_100_0_, smssalesin0_.BRAND_5 as BRAND_116_100_0_, smssalesin0_.BRAND_6 as BRAND_117_100_0_, smssalesin0_.CHANNEL1 as CHANNEL88_100_0_, smssalesin0_.CHANNEL2 as CHANNEL89_100_0_, smssalesin0_.CUSTOMESTATUS as CUSTOM118_100_0_, smssalesin0_.GROUPWO as GROUPW119_100_0_, smssalesin0_.INVOICETYPE as INVOICE99_100_0_, smssalesin0_.MARKET_LEVEL as MARKET_94_100_0_, smssalesin0_.MARKETING_MODE as MARKETI98_100_0_, smssalesin0_.MARKETING_MODE2 as MARKET120_100_0_, smssalesin0_.MARKETING_MODE3 as MARKET121_100_0_, smssalesin0_.MARKETING_MODE4 as MARKET122_100_0_, smssalesin0_.MARKETING_MODE5 as MARKET123_100_0_, smssalesin0_.MARKETING_MODE6 as MARKET124_100_0_, smssalesin0_.PAY_TYPE as PAY_TY125_100_0_, smssalesin0_.PRICE_ASSEMBLE as PRICE_126_100_0_, smssalesin0_.PRODUCTS as PRODUCT96_100_0_, smssalesin0_.PRODUCTS_2 as PRODUC127_100_0_, smssalesin0_.PRODUCTS_3 as PRODUC128_100_0_, smssalesin0_.PRODUCTS_4 as PRODUC129_100_0_, smssalesin0_.PRODUCTS_5 as PRODUC130_100_0_, smssalesin0_.PRODUCTS_6 as PRODUC131_100_0_, smssalesin0_.PUJIE_LEVEL as PUJIE_L93_100_0_, smssalesin0_.RANK as RANK132_100_0_, smssalesin0_.SALE_CLASS as SALE_C133_100_0_, smssalesin0_.SALE_LEVEL as SALE_L134_100_0_, smssalesin0_.SUBJECT_ASSEMBLE as SUBJECT95_100_0_, smssalesin0_.TELPHONE as TELPHON83_100_0_, smssalesin0_.UPDATED_BY as UPDATED84_100_0_, smssalesin0_.UPDATED_DATE as UPDATED85_100_0_ from SMSSALES_INFO smssalesin0_ where smssalesin0_.DIVISION=?


//smsproduct!doNotNeedSecurity_getProduct 	56 	1 	10,389 	10,389 	0 	37 	577 	0.00 	64 	873
//ImeiThreeGuaranteesIn!doNotNeedSecurity_gridAll 12 1 2,262 2,262 0 12 187 0.00 44 252
//fixFlow!doNotNeedSessionAndSecurity_getMyTask 11 1 2,137 2,137 0 27 436 0.00 2 671
/base/user!doNotNeedSessionAndSecurity_login 10 1 1,887 1,887 0 13 218 0.00 321 1,140
/base/organization!doNotNeedSecurity_comboTree 5 1 1,029 1,029 0 6 109 0.00 108 294
//smsproduct!doNotNeedSecurity_combobox 2 2 187 187 65 0 0 0.00 1 23
/base/resource!doNotNeedSecurity_getMainMenu 0 1 172 172 0 1 31 0.00 2 62
//announcements!doNotNeedSecurity_grid 0 1 46 46


221.0.232.181


弱口令登录
admin/admin
数十万订单明细

QQ20150809-4@2x.png


QQ20150809-5@2x.png


QQ20150809-6@2x.png


QQ20150809-7@2x.png


QQ20150809-8@2x.png


QQ20150809-9@2x.png


QQ20150809-10@2x.png


QQ20150809-11@2x.png


大量物流明细

QQ20150809-12@2x.png


可影响海信全国管理系统

QQ20150809-19@2x.png


QQ20150809-14@2x.png


QQ20150809-15@2x.png


QQ20150809-16@2x.png


QQ20150809-17@2x.png


QQ20150809-18@2x.png


不逐一列举

QQ20150809-20@2x.png


漏洞证明:

已证明

修复方案:

权限&安全意识 赶快修复吧

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-08-10 13:17

厂商回复:

非常感谢您的提醒,我们已通知相关人员进行处理

最新状态:

暂无


漏洞评价:

评论