当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0168177

漏洞标题:格林豪泰某处设计缺陷导致大数据撞库后用户身份证/手机号/开房信息等泄漏,可消耗用户格林币升级会员

相关厂商:格林豪泰酒店管理集团

漏洞作者: 祸斗

提交时间:2016-01-07 22:36

修复时间:2016-02-22 16:48

公开时间:2016-02-22 16:48

漏洞类型:设计缺陷/逻辑错误

危害等级:高

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-01-07: 细节已通知厂商并且等待厂商处理中
2016-01-08: 厂商已经确认,细节仅向厂商公开
2016-01-18: 细节向核心白帽子及相关领域专家公开
2016-01-28: 细节向普通白帽子公开
2016-02-07: 细节向实习白帽子公开
2016-02-22: 细节向公众公开

简要描述:

格林豪泰某处设计缺陷导致大数据撞库后用户身份证/手机号/开房信息等泄漏,可消耗用户格林币升级会员

详细说明:

http://998.com/Account/Sign这个地方登录位置,有验证码但是可绕过,用户名密码明文传输

1.png


2.png


测试可以撞库,大数据跑了跑,出来了很多,这里给出部分成功帐号证明:

27530105@qq.com	310715	770
zbq27@qq.com	jiguang26	771
xielu456@qq.com	byswdh741	772
364979739@qq.com	123098357	774
121306971@qq.com	leilei19871130	777
271086338@qq.com	38239199	777
315211257@qq.com	4088333	777
tyqsteven@vip.qq.com	19901124	778
lcwen@qq.com	wen123	778
644024961@qq.com	515610	778
180898834@qq.com	43652375	779
462590833@qq.com	06dongjun14	779
330438886@qq.com	dong123321	780
19871230@qq.com	yangyuxin	781
6385383@qq.com	870530	781
andy.tm@qq.com	19830522	781
liyaya6@qq.com	129416	781
1234@qq.com	123456	781
258537347@qq.com	l04260029	782
593499321@qq.com	668868	782
4961964@qq.com	135020	782
huangyongqi@vip.qq.com	hyq521	782
raydi@qq.com	tonyray	783
349597272@qq.com	64258070	783
59789766@qq.com	13951982350	783
736050018@qq.com	aaqqaa	783
495678424@qq.com	998877	783
317985478@qq.com	60696558	784
119286621@qq.com	987600	784
123456@qq.com	123456	784
511350076@qq.com	987536	785
179499642@qq.com	861229	785
369067703@qq.com	8764806	785
yhlinjun@qq.com	276951439	785
382558343@qq.com	xiaochuan	785
22006281@qq.com	22006281	785
28956087@qq.com	435513	785
1111@qq.com	11111111	786
908890812@qq.com	1992asz	786
11946858@qq.com	198165	786
102350551@qq.com	11259375	786
602873805@qq.com	871123	786
50970750@qq.com	dalin520	787
bristal@qq.com	55169997	787
yyond@qq.com	520609	787
271306791@qq.com	1236548	787
584010975@qq.com	521827	788
ws614@qq.com	560623	788
496105751@qq.com	198808109	789
371731815@qq.com	911207	789
912898658@qq.com	sh2000lq	789
87175282@qq.com	liguang	789
wangshuhao721@qq.com	408925547	789
liulian2266@qq.com	68734693	789
342356561@qq.com	5128299	790
305493454@qq.com	123456	792
523883503@qq.com	5605570	792
248731250@qq.com	87704821	792
344178309@qq.com	5201314	792
517562558@qq.com	89892344	792
502409617@qq.com	8422925	792
502409617@qq.com	8422925	792
caso@vip.qq.com	15074720	792
249884876@qq.com	6860577	792
362888907@qq.com	gaofeng	792
339034762@qq.com	yangdong123	792
115127390@qq.com	wy2311545	792
380102667@qq.com	mimabaohua	792
9085605@qq.com	26197709	793
iversoncl@qq.com	9132898961	793
wobushixiaogou@qq.com	tiantian1325	793
429428388@qq.com	88382776	794
326984450@qq.com	19870405	794
54981193@qq.com	19820926	794
epie@qq.com	1qaz2wsx	794
237511993@qq.com	498240	794
306966594@qq.com	88775150	794
296415580@qq.com	jiandanai	795
394149521@qq.com	88811925	795
469367739@qq.com	19891123	795
380871803@qq.com	wzl1988	795
349002735@qq.com	2262126	795
736880733@qq.com	jiang6110285	795
313235812@qq.com	wang59835	795
380871803@qq.com	wzl1988	795
138520116@qq.com	520520	795
373152581@qq.com	3344521	795
284725033@qq.com	15944350846	795
284725033@qq.com	15944350846	795
531841032@qq.com	qwert789	795
405791629@qq.com	49331211	795
158293711@qq.com	810912	795
452711077@qq.com	198477	795
334590777@qq.com	1qaz1q	795
3756642@qq.com	321654	796
zhangluchen@qq.com	woshitiancai	797
95550029@qq.com	6225065	797
7982189@qq.com	devil86010	797
zhangluchen@qq.com	woshitiancai	797
weiwu_my@qq.com	12345zxcvb	798
234744820@qq.com	667292	798
252579889@qq.com	861130	798
390615836@qq.com	13245768	798
411637660@qq.com	66369386	799
594812050@qq.com	5201314aa	799
231699923@qq.com	783728	799
782050523@qq.com	120488	799
bingya1111@qq.com	123456789	799
247229525@qq.com	584520	800
ynbnwlw@qq.com	1231010	800
huzhidso@qq.com	yayaya	800
616525992@qq.com	904094	800
liaoxianwei0105@qq.com	13537446	801
1287822@qq.com	jijiji	801
27061300@qq.com	8887113	801
56146207@qq.com	woaizhuzhu	801
77803914@qq.com	77803914	801
724389764@qq.com	839200	801
18018459@qq.com	828500	801
20101512@qq.com	841123	801
294223594@qq.com	140605	801
450400962@qq.com	8219525	801
503183443@qq.com	63781200	801
344206979@qq.com	wang123qi	802
qiongyusg@qq.com	wangyufeng	802
397562024@qq.com	397562024	802
15470847@qq.com	15470847	802
407296362@qq.com	407296362	802
123384768@qq.com	jaytaba	802
287125267@qq.com	8286889	803
170202229@qq.com	6912940	803
570606721@qq.com	2101117	803
545490421@qq.com	1990225	803
1108168@qq.com	jackal	803
335455183@qq.com	335455183	803
475778036@qq.com	wangwei915	803
clarke777@qq.com	5329580	803
415127170@qq.com	5626228	803
297020523@qq.com	963258963	803
251577286@qq.com	421988	803
279625942@qq.com	871206	804
34891393@qq.com	34891393	804
417456623@qq.com	520687	804
405390649@qq.com	1d0b7d9b	804
chilitao@qq.com	814117	804
312358520@qq.com	349478121	805
375590859@qq.com	xuan9826	805
546622151@qq.com	1360lhy	805
269096787@qq.com	hyk187192	806
279749857@qq.com	sfglkwfn	806
swellwang@qq.com	107331	806
50366108@qq.com	138919	807
325015236@qq.com	19871106	807
lmisme@qq.com	qunima	808
415188219@qq.com	guoshuai	808
610049634@qq.com	stefanie0723	809
262945677@qq.com	262945677	810
274054532@qq.com	mengbd520	810
276072197@qq.com	8621068	810
274054532@qq.com	mengbd520	810
414033717@qq.com	118511	810
53411230@qq.com	53411230	811
349348702@qq.com	511521	811
584154721@qq.com	198719	811
349348702@qq.com	511521	811
sistian@qq.com	ss051212	811
287332858@qq.com	880317	811
112649776@qq.com	112649776	812
424352380@qq.com	233757	812
27517421@qq.com	win256	812
199734142@qq.com	dayezi1y1	812
14305654@qq.com	windows	812
404282573@qq.com	4994651	813
404282573@qq.com	4994651	813
375245237@qq.com	zclovett	813
whatme321@qq.com	887900	813
18988582@qq.com	198543	813
lqsun@vip.qq.com	1253000	814
xiaoxi08@vip.qq.com	800258	816


登录之后可以查看用户的身份证,手机号,开房信息之类的,其他的不多说,这里说下身份证,这么重要的东西,已经打码了,但是。。。这里设计缺陷,你这打码和不打有啥区别。。。

3.png


5.png


6.png


还可以消耗用户格林币升级会员享受优惠~

7.png


还有就是这里出来的帐号,因为是998.com主站域,所以是通用的,还可以登录格林商城,又是一波信息泄漏~

漏洞证明:

27530105@qq.com	310715	770
zbq27@qq.com	jiguang26	771
xielu456@qq.com	byswdh741	772
364979739@qq.com	123098357	774
121306971@qq.com	leilei19871130	777
271086338@qq.com	38239199	777
315211257@qq.com	4088333	777
tyqsteven@vip.qq.com	19901124	778
lcwen@qq.com	wen123	778
644024961@qq.com	515610	778
180898834@qq.com	43652375	779
462590833@qq.com	06dongjun14	779
330438886@qq.com	dong123321	780
19871230@qq.com	yangyuxin	781
6385383@qq.com	870530	781
andy.tm@qq.com	19830522	781
liyaya6@qq.com	129416	781
1234@qq.com	123456	781
258537347@qq.com	l04260029	782
593499321@qq.com	668868	782
4961964@qq.com	135020	782
huangyongqi@vip.qq.com	hyq521	782
raydi@qq.com	tonyray	783
349597272@qq.com	64258070	783
59789766@qq.com	13951982350	783
736050018@qq.com	aaqqaa	783
495678424@qq.com	998877	783
317985478@qq.com	60696558	784
119286621@qq.com	987600	784
123456@qq.com	123456	784
511350076@qq.com	987536	785
179499642@qq.com	861229	785
369067703@qq.com	8764806	785
yhlinjun@qq.com	276951439	785
382558343@qq.com	xiaochuan	785
22006281@qq.com	22006281	785
28956087@qq.com	435513	785
1111@qq.com	11111111	786
908890812@qq.com	1992asz	786
11946858@qq.com	198165	786
102350551@qq.com	11259375	786
602873805@qq.com	871123	786
50970750@qq.com	dalin520	787
bristal@qq.com	55169997	787
yyond@qq.com	520609	787
271306791@qq.com	1236548	787
584010975@qq.com	521827	788
ws614@qq.com	560623	788
496105751@qq.com	198808109	789
371731815@qq.com	911207	789
912898658@qq.com	sh2000lq	789
87175282@qq.com	liguang	789
wangshuhao721@qq.com	408925547	789
liulian2266@qq.com	68734693	789
342356561@qq.com	5128299	790
305493454@qq.com	123456	792
523883503@qq.com	5605570	792
248731250@qq.com	87704821	792
344178309@qq.com	5201314	792
517562558@qq.com	89892344	792
502409617@qq.com	8422925	792
502409617@qq.com	8422925	792
caso@vip.qq.com	15074720	792
249884876@qq.com	6860577	792
362888907@qq.com	gaofeng	792
339034762@qq.com	yangdong123	792
115127390@qq.com	wy2311545	792
380102667@qq.com	mimabaohua	792
9085605@qq.com	26197709	793
iversoncl@qq.com	9132898961	793
wobushixiaogou@qq.com	tiantian1325	793
429428388@qq.com	88382776	794
326984450@qq.com	19870405	794
54981193@qq.com	19820926	794
epie@qq.com	1qaz2wsx	794
237511993@qq.com	498240	794
306966594@qq.com	88775150	794
296415580@qq.com	jiandanai	795
394149521@qq.com	88811925	795
469367739@qq.com	19891123	795
380871803@qq.com	wzl1988	795
349002735@qq.com	2262126	795
736880733@qq.com	jiang6110285	795
313235812@qq.com	wang59835	795
380871803@qq.com	wzl1988	795
138520116@qq.com	520520	795
373152581@qq.com	3344521	795
284725033@qq.com	15944350846	795
284725033@qq.com	15944350846	795
531841032@qq.com	qwert789	795
405791629@qq.com	49331211	795
158293711@qq.com	810912	795
452711077@qq.com	198477	795
334590777@qq.com	1qaz1q	795
3756642@qq.com	321654	796
zhangluchen@qq.com	woshitiancai	797
95550029@qq.com	6225065	797
7982189@qq.com	devil86010	797
zhangluchen@qq.com	woshitiancai	797
weiwu_my@qq.com	12345zxcvb	798
234744820@qq.com	667292	798
252579889@qq.com	861130	798
390615836@qq.com	13245768	798
411637660@qq.com	66369386	799
594812050@qq.com	5201314aa	799
231699923@qq.com	783728	799
782050523@qq.com	120488	799
bingya1111@qq.com	123456789	799
247229525@qq.com	584520	800
ynbnwlw@qq.com	1231010	800
huzhidso@qq.com	yayaya	800
616525992@qq.com	904094	800
liaoxianwei0105@qq.com	13537446	801
1287822@qq.com	jijiji	801
27061300@qq.com	8887113	801
56146207@qq.com	woaizhuzhu	801
77803914@qq.com	77803914	801
724389764@qq.com	839200	801
18018459@qq.com	828500	801
20101512@qq.com	841123	801
294223594@qq.com	140605	801
450400962@qq.com	8219525	801
503183443@qq.com	63781200	801
344206979@qq.com	wang123qi	802
qiongyusg@qq.com	wangyufeng	802
397562024@qq.com	397562024	802
15470847@qq.com	15470847	802
407296362@qq.com	407296362	802
123384768@qq.com	jaytaba	802
287125267@qq.com	8286889	803
170202229@qq.com	6912940	803
570606721@qq.com	2101117	803
545490421@qq.com	1990225	803
1108168@qq.com	jackal	803
335455183@qq.com	335455183	803
475778036@qq.com	wangwei915	803
clarke777@qq.com	5329580	803
415127170@qq.com	5626228	803
297020523@qq.com	963258963	803
251577286@qq.com	421988	803
279625942@qq.com	871206	804
34891393@qq.com	34891393	804
417456623@qq.com	520687	804
405390649@qq.com	1d0b7d9b	804
chilitao@qq.com	814117	804
312358520@qq.com	349478121	805
375590859@qq.com	xuan9826	805
546622151@qq.com	1360lhy	805
269096787@qq.com	hyk187192	806
279749857@qq.com	sfglkwfn	806
swellwang@qq.com	107331	806
50366108@qq.com	138919	807
325015236@qq.com	19871106	807
lmisme@qq.com	qunima	808
415188219@qq.com	guoshuai	808
610049634@qq.com	stefanie0723	809
262945677@qq.com	262945677	810
274054532@qq.com	mengbd520	810
276072197@qq.com	8621068	810
274054532@qq.com	mengbd520	810
414033717@qq.com	118511	810
53411230@qq.com	53411230	811
349348702@qq.com	511521	811
584154721@qq.com	198719	811
349348702@qq.com	511521	811
sistian@qq.com	ss051212	811
287332858@qq.com	880317	811
112649776@qq.com	112649776	812
424352380@qq.com	233757	812
27517421@qq.com	win256	812
199734142@qq.com	dayezi1y1	812
14305654@qq.com	windows	812
404282573@qq.com	4994651	813
404282573@qq.com	4994651	813
375245237@qq.com	zclovett	813
whatme321@qq.com	887900	813
18988582@qq.com	198543	813
lqsun@vip.qq.com	1253000	814
xiaoxi08@vip.qq.com	800258	816

修复方案:

信息泄漏这么严重如果被人大数据撞库后发布到网上去。。。好好修一下验证码+打码吧

版权声明:转载请注明来源 祸斗@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2016-01-08 16:51

厂商回复:

感谢对格林的关注,该问题已进行处理。

最新状态:

暂无

漏洞评价:

评价