携程安全支付日志可遍历下载导致大量用户银行卡信息泄露(包含持卡人姓名身份证、银行卡号、卡CVV码、6位卡Bin)

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-054302

漏洞标题：携程安全支付日志可遍历下载导致大量用户银行卡信息泄露(包含持卡人姓名身份证、银行卡号、卡CVV码、6位卡Bin)

漏洞作者：猪猪侠

提交时间：2014-03-22 18:18

修复时间：2014-09-26 12:38

公开时间：2014-09-26 12:38

漏洞类型：敏感信息泄露

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2014-03-22：细节已通知厂商并且等待厂商处理中
2014-03-22：厂商已经确认，细节仅向厂商公开
2014-04-01：细节向核心白帽子及相关领域专家公开
2014-04-11：细节向普通白帽子公开
2014-04-21：细节向实习白帽子公开
2014-09-26：细节向公众公开

简要描述：

携程将用于处理用户支付的服务接口开启了调试功能，使所有向银行验证持卡所有者接口传输的数据包均直接保存在本地服务器。
(类似IIS或Apache的访问日志，记录URL POST内容)。
同时因为保存支付日志的服务器未做校严格的基线安全配置，存在目录遍历漏洞，导致所有支付过程中的调试信息可被任意骇客读取。
其中泄露的信息包括用户的：
持卡人姓名
持卡人身份证
所持银行卡类别（比如，招商银行信用卡、中国银行信用卡）
所持银行卡卡号
所持银行卡CVV码
所持银行卡6位Bin(用于验证支付信息的6位数字)

详细说明：

#1 安全支付服务器目录可遍历
https://secure.ctrip.com/wapSecurity/
#2 支付日志保存位置
https://secure.ctrip.com/wapSecurity/log/
#3 .NET 相关类，逆向后可解密很多加密数据
https://secure.ctrip.com/w******ity/_bin_deployableAssemblies/System.Web.Mvc.dll
https://secure.ctrip.com/w*******ity/obj/Release/Ctrip.Wap.SecuritySite.dll

w:\source\******\Ctrip.Wap.SecuritySite.dll
w:\source\tfs\******\Dev\1.2\SecuritySite\bin\Ctrip.Wap.SecuritySite.pdb
w:\source\tfs\******\Dev\1.2\SecuritySite\bin\Ctrip.Wap.CreditCard.dll
w:\source\tfs\******\Dev\1.2\SecuritySite\bin\Ctrip.Service.AccCash.CreditCard.dll
w:\source\tfs\******\Dev\1.2\SecuritySite\bin\Ctrip.SOA.Comm.dll
w:\source\tfs\******\Dev\1.2\SecuritySite\bin\Interop.CTRIPDATALib.dll
w:\source\tfs\******\Dev\1.2\SecuritySite\bin\Ctrip.ServiceInterface.Customer.UserServiceContracts.dll
w:\source\tfs\******\Dev\1.2\SecuritySite\bin\Ctrip.Common.LogManagement.dll
w:\source\tfs\******\Dev\1.2\SecuritySite\bin\Microsoft.Practices.EnterpriseLibrary.Logging.dll
w:\source\tfs\******\Dev\1.2\SecuritySite\bin\Microsoft.Practices.EnterpriseLibrary.Common.dll
w:\source\tfs\******\Dev\1.2\SecuritySite\bin\Microsoft.Practices.ObjectBuilder.dll
w:\source\tfs\******\Dev\1.2\SecuritySite\bin\Ctrip.Wap.CreditCard.pdb
w:\source\tfs\******\Dev\1.2\SecuritySite\obj\Release\ResolveAssemblyReference.cache
w:\source\tfs\******\Dev\1.2\SecuritySite\obj\Release\Ctrip.Wap.SecuritySite.dll
w:\source\tfs\******\Dev\1.2\SecuritySite\obj\Release\Ctrip.Wap.SecuritySite.pdb

漏洞证明：

#4 日志目录

2013-12-25 11:59:20	URL AbsoluteUri + Query：https://secure.ctrip.com/wapSecurity/ClientPay.aspx?name=MTIwMSAgICAgICAgIDE4MDcwNTYyMjg4MTIxNTEwMDM5MDAwNDA5NDYxNDhUaGlzSXNBU3BlY2lhbFRva2VuRm9yQ1RyYXZlbGVycyAgICAgICAgICAgICAgICAgNS4xICAgICAgICAgICAgICAgICAgICA4MDkxMDAwNTAwMDEgICAgICAgMTM3ye7b2rei1bnS%5B%5DNDQL8a9sLLS%5B%5DNDQo63QxdPDv6ggICAgICAgICAgICAgICAgICAgICAyMjcyNjIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBGMTgwNzA1NjIyODggICAgICAgICAwIA==
Query：??name=MTIwMSAgICAgICAgIDE4MDcwNTYyMjg4MTIxNTEwMDM5MDAwNDA5NDYxNDhUaGlzSXNBU3BlY2lhbFRva2VuRm9yQ1RyYXZlbGVycyAgICAgICAgICAgICAgICAgNS4xICAgICAgICAgICAgICAgICAgICA4MDkxMDAwNTAwMDEgICAgICAgMTM3ye7b2rei1bnS%5B%5DNDQL8a9sLLS%5B%5DNDQo63QxdPDv6ggICAgICAgICAgICAgICAgICAgICAyMjcyNjIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBGMTgwNzA1NjIyODggICAgICAgICAwIA==
URLRefer OriginalString：
日志时间：2013-12-25 11:59:19
日志信息：信用卡验证结果（返回码：118412583；返回信息：)
==============================================================
2013-12-25 11:59:20	URL AbsoluteUri + Query：https://secure.ctrip.com/wapSecurity/ClientPay.aspx?name=MTIwMSAgICAgICAgIDE4MDcwNTYyMjg4MTIxNTEwMDM5MDAwNDA5NDYxNDhUaGlzSXNBU3BlY2lhbFRva2VuRm9yQ1RyYXZlbGVycyAgICAgICAgICAgICAgICAgNS4xICAgICAgICAgICAgICAgICAgICA4MDkxMDAwNTAwMDEgICAgICAgMTM3ye7b2rei1bnS%5B%5DNDQL8a9sLLS%5B%5DNDQo63QxdPDv6ggICAgICAgICAgICAgICAgICAgICAyMjcyNjIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBGMTgwNzA1NjIyODggICAgICAgICAwIA==
Query：??name=MTIwMSAgICAgICAgIDE4MDcwNTYyMjg4MTIxNTEwMDM5MDAwNDA5NDYxNDhUaGlzSXNBU3BlY2lhbFRva2VuRm9yQ1RyYXZlbGVycyAgICAgICAgICAgICAgICAgNS4xICAgICAgICAgICAgICAgICAgICA4MDkxMDAwNTAwMDEgICAgICAgMTM3ye7b2rei1bnS%5B%5DNDQL8a9sLLS%5B%5DNDQo63QxdPDv6ggICAgICAgICAgICAgICAgICAgICAyMjcyNjIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBGMTgwNzA1NjIyODggICAgICAgICAwIA==
URLRefer OriginalString：
日志时间：2013-12-25 11:59:19
日志信息：信用卡验证结束，返回码：           118412583/返回信息：                                                                                                    (00ThisIsASpecialTokenForCTravelers       120         0  0  0  0  0  0  0           118412583                                                                                                    )
==============================================================
2013-12-25 11:59:20	URL AbsoluteUri + Query：https://secure.ctrip.com/wapSecurity/ClientPay.aspx?name=MTIwMSAgICAgICAgIDE4MDcwNTYyMjg4MTIxNTEwMDM5MDAwNDA5NDYxNDhUaGlzSXNBU3BlY2lhbFRva2VuRm9yQ1RyYXZlbGVycyAgICAgICAgICAgICAgICAgNS4xICAgICAgICAgICAgICAgICAgICA4MDkxMDAwNTAwMDEgICAgICAgMTM3ye7b2rei1bnS%5B%5DNDQL8a9sLLS%5B%5DNDQo63QxdPDv6ggICAgICAgICAgICAgICAgICAgICAyMjcyNjIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBGMTgwNzA1NjIyODggICAgICAgICAwIA==
Query：??name=MTIwMSAgICAgICAgIDE4MDcwNTYyMjg4MTIxNTEwMDM5MDAwNDA5NDYxNDhUaGlzSXNBU3BlY2lhbFRva2VuRm9yQ1RyYXZlbGVycyAgICAgICAgICAgICAgICAgNS4xICAgICAgICAgICAgICAgICAgICA4MDkxMDAwNTAwMDEgICAgICAgMTM3ye7b2rei1bnS%5B%5DNDQL8a9sLLS%5B%5DNDQo63QxdPDv6ggICAgICAgICAgICAgICAgICAgICAyMjcyNjIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBGMTgwNzA1NjIyODggICAgICAgICAwIA==
URLRefer OriginalString：
日志时间：2013-12-25 11:59:19
日志信息：/耗时53.0053
==============================================================
2013-12-25 11:59:21	URL AbsoluteUri + Query：https://secure.ctrip.com/wapSecurity/ClientPay.aspx?name=MzAwMSAgICAgICAgIDEzMzAzNTk2Njc4MzIyNzA2NzQ0MDAwNTI0NjkyNTEgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA1LjIxIDExMC44NzM2OSAzNC42MjMzODg5MDgyMDAwNTAwMDEgICAgICAgMTUx1tC5%5B%5DrmkyczS%5B%5DNDQo63QxdPDv6ggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAyIDQyNzAzMDAwMTEzMzY0NzUgICAgICAgICAwNzgyMDE0MDIgINXFwPIgICAgICAgICAgICAgICAgMTQyNzI1MTk4MTEwMTEwNDI1ICBUMTMzMDM1OTY2NzggICAgICAgICAxIA==
Query：??name=MzAwMSAgICAgICAgIDEzMzAzNTk2Njc4MzIyNzA2NzQ0MDAwNTI0NjkyNTEgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA1LjIxIDExMC44NzM2OSAzNC42MjMzODg5MDgyMDAwNTAwMDEgICAgICAgMTUx1tC5%5B%5DrmkyczS%5B%5DNDQo63QxdPDv6ggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAyIDQyNzAzMDAwMTEzMzY0NzUgICAgICAgICAwNzgyMDE0MDIgINXFwPIgICAgICAgICAgICAgICAgMTQyNzI1MTk4MTEwMTEwNDI1ICBUMTMzMDM1OTY2NzggICAgICAgICAxIA==
URLRefer OriginalString：
日志时间：2013-12-25 11:59:20
日志信息：准备验证信用卡.....
==============================================================
2013-12-25 11:59:21	URL AbsoluteUri + Query：https://secure.ctrip.com/wapSecurity/ClientPay.aspx?name=MzAwMSAgICAgICAgIDEzMzAzNTk2Njc4MzIyNzA2NzQ0MDAwNTI0NjkyNTEgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA1LjIxIDExMC44NzM2OSAzNC42MjMzODg5MDgyMDAwNTAwMDEgICAgICAgMTUx1tC5%5B%5DrmkyczS%5B%5DNDQo63QxdPDv6ggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAyIDQyNzAzMDAwMTEzMzY0NzUgICAgICAgICAwNzgyMDE0MDIgINXFwPIgICAgICAgICAgICAgICAgMTQyNzI1MTk4MTEwMTEwNDI1ICBUMTMzMDM1OTY2NzggICAgICAgICAxIA==
Query：??name=MzAwMSAgICAgICAgIDEzMzAzNTk2Njc4MzIyNzA2NzQ0MDAwNTI0NjkyNTEgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA1LjIxIDExMC44NzM2OSAzNC42MjMzODg5MDgyMDAwNTAwMDEgICAgICAgMTUx1tC5%5B%5DrmkyczS%5B%5DNDQo63QxdPDv6ggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAyIDQyNzAzMDAwMTEzMzY0NzUgICAgICAgICAwNzgyMDE0MDIgINXFwPIgICAgICAgICAgICAgICAgMTQyNzI1MTk4MTEwMTEwNDI1ICBUMTMzMDM1OTY2NzggICAgICAgICAxIA==
URLRefer OriginalString：
日志时间：2013-12-25 11:59:20
日志信息：银行名称：中国工商银行－信用卡
==============================================================
2013-12-25 11:59:21	URL AbsoluteUri + Query：https://secure.ctrip.com/wapSecurity/ClientPay.aspx?name=MzAwMSAgICAgICAgIDEzMzAzNTk2Njc4MzIyNzA2NzQ0MDAwNTI0NjkyNTEgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA1LjIxIDExMC44NzM2OSAzNC42MjMzODg5MDgyMDAwNTAwMDEgICAgICAgMTUx1tC5%5B%5DrmkyczS%5B%5DNDQo63QxdPDv6ggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAyIDQyNzAzMDAwMTEzMzY0NzUgICAgICAgICAwNzgyMDE0MDIgINXFwPIgICAgICAgICAgICAgICAgMTQyNzI1MTk4MTEwMTEwNDI1ICBUMTMzMDM1OTY2NzggICAgICAgICAxIA==
Query：??name=MzAwMSAgICAgICAgIDEzMzAzNTk2Njc4MzIyNzA2NzQ0MDAwNTI0NjkyNTEgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA1LjIxIDExMC44NzM2OSAzNC42MjMzODg5MDgyMDAwNTAwMDEgICAgICAgMTUx1tC5%5B%5DrmkyczS%5B%5DNDQo63QxdPDv6ggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAyIDQyNzAzMDAwMTEzMzY0NzUgICAgICAgICAwNzgyMDE0MDIgINXFwPIgICAgICAgICAgICAgICAgMTQyNzI1MTk4MTEwMTEwNDI1ICBUMTMzMDM1OTY2NzggICAgICAgICAxIA==
URLRefer OriginalString：
日志时间：2013-12-25 11:59:20
日志信息：调用服务-ServiceCode:00050001
==============================================================
2013-12-25 11:59:21	URL AbsoluteUri + Query：https://secure.ctrip.com/wapSecurity/ClientPay.aspx?name=MzAwMSAgICAgICAgIDEzMzAzNTk2Njc4MzIyNzA2NzQ0MDAwNTI0NjkyNTEgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA1LjIxIDExMC44NzM2OSAzNC42MjMzODg5MDgyMDAwNTAwMDEgICAgICAgMTUx1tC5%5B%5DrmkyczS%5B%5DNDQo63QxdPDv6ggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAyIDQyNzAzMDAwMTEzMzY0NzUgICAgICAgICAwNzgyMDE0MDIgINXFwPIgICAgICAgICAgICAgICAgMTQyNzI1MTk4MTEwMTEwNDI1ICBUMTMzMDM1OTY2NzggICAgICAgICAxIA==
Query：??name=MzAwMSAgICAgICAgIDEzMzAzNTk2Njc4MzIyNzA2NzQ0MDAwNTI0NjkyNTEgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA1LjIxIDExMC44NzM2OSAzNC42MjMzODg5MDgyMDAwNTAwMDEgICAgICAgMTUx1tC5%5B%5DrmkyczS%5B%5DNDQo63QxdPDv6ggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAyIDQyNzAzMDAwMTEzMzY0NzUgICAgICAgICAwNzgyMDE0MDIgINXFwPIgICAgICAgICAgICAgICAgMTQyNzI1MTk4MTEwMTEwNDI1ICBUMTMzMDM1OTY2NzggICAgICAgICAxIA==
URLRefer OriginalString：
日志时间：2013-12-25 11:59:20
日志信息：用户编号：13303596678
==============================================================
2013-12-25 11:59:21	URL AbsoluteUri + Query：https://secure.ctrip.com/wapSecurity/ClientPay.aspx?name=MzAwMSAgICAgICAgIDEzMzAzNTk2Njc4MzIyNzA2NzQ0MDAwNTI0NjkyNTEgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA1LjIxIDExMC44NzM2OSAzNC42MjMzODg5MDgyMDAwNTAwMDEgICAgICAgMTUx1tC5%5B%5DrmkyczS%5B%5DNDQo63QxdPDv6ggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAyIDQyNzAzMDAwMTEzMzY0NzUgICAgICAgICAwNzgyMDE0MDIgINXFwPIgICAgICAgICAgICAgICAgMTQyNzI1MTk4MTEwMTEwNDI1ICBUMTMzMDM1OTY2NzggICAgICAgICAxIA==
Query：??name=MzAwMSAgICAgICAgIDEzMzAzNTk2Njc4MzIyNzA2NzQ0MDAwNTI0NjkyNTEgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA1LjIxIDExMC44NzM2OSAzNC42MjMzODg5MDgyMDAwNTAwMDEgICAgICAgMTUx1tC5%5B%5DrmkyczS%5B%5DNDQo63QxdPDv6ggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAyIDQyNzAzMDAwMTEzMzY0NzUgICAgICAgICAwNzgyMDE0MDIgINXFwPIgICAgICAgICAgICAgICAgMTQyNzI1MTk4MTEwMTEwNDI1ICBUMTMzMDM1OTY2NzggICAgICAgICAxIA==
URLRefer OriginalString：
日志时间：2013-12-25 11:59:20
日志信息：持卡人：*莉
==============================================================
2013-12-25 11:59:21	SOA判断卡号是否合法:AccCash.CreditCard.CheckCreditCardRule-RequestXML:
<?xml version="1.0"?>
<Request>
  <Header UserID="34****" RequestType="AccCash.CreditCard.CheckCreditCardRule" AsyncRequest="false" Timeout="0" MessagePriority="3" />
  <CreditCardRuleCheckRequest>
    <CreditCardType>2</CreditCardType>
    <CreditCardNumber>CTRP0001A51E33EA931B2A78CC06E31A41C5F2F9D4CD73C17A55A0A91F5F0743</CreditCardNumber>
    <VerifyNo>CTRP0001A51E33EA931B2A78CC06E31A16F894C906744FD53DD026FA9F17078B</VerifyNo>
  </CreditCardRuleCheckRequest>
</Request>
2013-12-25 11:59:21	SOA判断卡号是否合法:AccCash.CreditCard.CheckCreditCardRule-ResponseXML:
<?xml version="1.0"?>
<Response>
  <Header ServerIP="192.168.86.164" ShouldRecordPerformanceTime="false" UserID="340101" RequestID="7b2de37d-cb91-48c2-88d8-faab9b7f8ec7" ResultCode="Success" AssemblyVersion="1.0.2.6" RequestBodySize="0" SerializeMode="Xml" RouteStep="1" Environment="pro" />
  <CreditCardRuleCheckResponse>
    <RetCode>0</RetCode>
    <CanPass>T</CanPass>
    <CreditCardType>2</CreditCardType>
  </CreditCardRuleCheckResponse>
</Response>
2013-12-25 11:59:21	SOA新增信用卡信息-RequestXml:
<?xml version="1.0"?>
<Request>
  <Header UserID="340101" RequestType="AccCash.CreditCard.ModifyMainInfo" AsyncRequest="false" Timeout="0" MessagePriority="3" />
  <ModifyCreditCardMainInfoRequest>
    <CardInfoId>0</CardInfoId>
    <CreditCardType>2</CreditCardType>
    <CardTypeName>中国工商银行－信用卡</CardTypeName>
    <CreditCardNumber>CTRP0001A51E33EA931B2A78CC06E31A41C5F2F9D4CD73C17A55A0A91F5F0743</CreditCardNumber>
    <CCardNoCode>A552A4645C8AA3D69E6C4B1B1E191CEA</CCardNoCode>
    <CValidityCode>9C0E545EC5666717A30DF88D6F33B15C</CValidityCode>
    <CardBin>427030</CardBin>
    <Validity>CTRP0001A51E33EA931B2A78CC06E31A2EF34729EFAF427C13716F425849EFB4</Validity>
    <CardHolder>*莉</CardHolder>
    <IdCardType>1</IdCardType>
    <IdNumber>142725198110110***</IdNumber>
    <VerifyNo>CTRP0001A51E33EA931B2A78CC06E31A16F894C906744FD53DD026FA9F17078B</VerifyNo>
    <Eid>mobile</Eid>
  </ModifyCreditCardMainInfoRequest>
</Request>
2013-12-25 11:59:21	SOA新增信用卡信息-ResponseXml:
<?xml version="1.0"?>
<Response>
  <Header ServerIP="192.168.86.164" ShouldRecordPerformanceTime="false" UserID="340101" RequestID="9592be7d-03a5-4baf-aa1e-0317ce2f4b3f" ResultCode="Success" AssemblyVersion="1.0.2.6" RequestBodySize="0" SerializeMode="Xml" RouteStep="1" Environment="pro" />
  <ModifyCreditCardMainInfoResponse>
    <RetCode>0</RetCode>
    <Lid>123362***</Lid>
    <CardInfoId>1204568***</CardInfoId>
  </ModifyCreditCardMainInfoResponse>
</Response>
2013-12-25 11:59:21	SOA读取用户使用过的卡后四位信息-RequestXML:
<?xml version="1.0"?>
<Request>
  <Header UserID="340101" RequestType="AccCash.CreditCard.GetPayUsedListInfoWithoutCardInfoID" AsyncRequest="false" Timeout="0" MessagePriority="3" />
  <GetPayUsedListInfoWithoutCardInfoIDRequest>
    <Uid>13303596678</Uid>
    <CreditCardType>-2147483648</CreditCardType>
  </GetPayUsedListInfoWithoutCardInfoIDRequest>
</Request>
2013-12-25 11:59:21	SOA读取用户使用过的卡后四位信息-ResponseXML:
<?xml version="1.0"?>
<Response>
  <Header ServerIP="192.168.86.164" ShouldRecordPerformanceTime="false" UserID="340101" RequestID="ad8877b2-37e0-497c-8119-ec914d9fd823" ResultCode="Success" AssemblyVersion="1.0.2.6" RequestBodySize="0" SerializeMode="Xml" RouteStep="1" Environment="pro" />
  <GetPayUsedListInfoWithoutCardInfoIDResponse>
    <PayUsedListItems />
  </GetPayUsedListInfoWithoutCardInfoIDResponse>
</Response>
2013-12-25 11:59:21	SOA新建或更新银行卡后四位绑定支付-RequestXml:
<?xml version="1.0"?>
<Request>
  <Header UserID="340101" RequestType="AccCash.CreditCard.ModifyPayUsedList" AsyncRequest="false" Timeout="0" MessagePriority="3" />
  <ModifyCreditCardPayUsedListRequest>
    <ID>0</ID>
    <Uid>13303596678</Uid>
    <CreditCardType>2</CreditCardType>
    <Active>T</Active>
    <CardInfoId>120456809</CardInfoId>
    <CNLast4Code>C0DB17C6772E2A26CB133AD3BA389CCE</CNLast4Code>
    <CreateDate>2013-12-25T00:00:00+08:00</CreateDate>
    <OnlyCheckLast4>T</OnlyCheckLast4>
  </ModifyCreditCardPayUsedListRequest>
</Request>
2013-12-25 11:59:21	SOA新建或更新银行卡后四位绑定支付-ResponseXml:
<?xml version="1.0"?>
<Response>
  <Header ServerIP="192.168.86.164" ShouldRecordPerformanceTime="false" UserID="340101" RequestID="3fcd7079-bf83-4b00-b7fe-c7d1ca4676c9" ResultCode="Success" AssemblyVersion="1.0.2.6" RequestBodySize="0" SerializeMode="Xml" RouteStep="1" Environment="pro" />
  <ModifyCreditCardPayUsedListResponse>
    <RetCode>0</RetCode>
    <ID>20510902</ID>
  </ModifyCreditCardPayUsedListResponse>
</Response>
2013-12-25 11:59:21	URL AbsoluteUri + Query：https://secure.ctrip.com/wapSecurity/ClientPay.aspx?name=MzAwMSAgICAgICAgIDEzMzAzNTk2Njc4MzIyNzA2NzQ0MDAwNTI0NjkyNTEgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA1LjIxIDExMC44NzM2OSAzNC42MjMzODg5MDgyMDAwNTAwMDEgICAgICAgMTUx1tC5%5B%5DrmkyczS%5B%5DNDQo63QxdPDv6ggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAyIDQyNzAzMDAwMTEzMzY0NzUgICAgICAgICAwNzgyMDE0MDIgINXFwPIgICAgICAgICAgICAgICAgMTQyNzI1MTk4MTEwMTEwNDI1ICBUMTMzMDM1OTY2NzggICAgICAgICAxIA==
Query：??name=MzAwMSAgICAgICAgIDEzMzAzNTk2Njc4MzIyNzA2NzQ0MDAwNTI0NjkyNTEgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA1LjIxIDExMC44NzM2OSAzNC42MjMzODg5MDgyMDAwNTAwMDEgICAgICAgMTUx1tC5%5B%5DrmkyczS%5B%5DNDQo63QxdPDv6ggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAyIDQyNzAzMDAwMTEzMzY0NzUgICAgICAgICAwNzgyMDE0MDIgINXFwPIgICAgICAgICAgICAgICAgMTQyNzI1MTk4MTEwMTEwNDI1ICBUMTMzMDM1OTY2NzggICAgICAgICAxIA==
URLRefer OriginalString：
日志时间：2013-12-25 11:59:20
日志信息：信用卡验证结果（返回码：120456809；返回信息：)
==============================================================
2013-12-25 11:59:21	URL AbsoluteUri + Query：https://secure.ctrip.com/wapSecurity/ClientPay.aspx?name=MzAwMSAgICAgICAgIDEzMzAzNTk2Njc4MzIyNzA2NzQ0MDAwNTI0NjkyNTEgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA1LjIxIDExMC44NzM2OSAzNC42MjMzODg5MDgyMDAwNTAwMDEgICAgICAgMTUx1tC5%5B%5DrmkyczS%5B%5DNDQo63QxdPDv6ggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAyIDQyNzAzMDAwMTEzMzY0NzUgICAgICAgICAwNzgyMDE0MDIgINXFwPIgICAgICAgICAgICAgICAgMTQyNzI1MTk4MTEwMTEwNDI1ICBUMTMzMDM1OTY2NzggICAgICAgICAxIA==
Query：??name=MzAwMSAgICAgICAgIDEzMzAzNTk2Njc4MzIyNzA2NzQ0MDAwNTI0NjkyNTEgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA1LjIxIDExMC44NzM2OSAzNC42MjMzODg5MDgyMDAwNTAwMDEgICAgICAgMTUx1tC5%5B%5DrmkyczS%5B%5DNDQo63QxdPDv6ggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAyIDQyNzAzMDAwMTEzMzY0NzUgICAgICAgICAwNzgyMDE0MDIgINXFwPIgICAgICAgICAgICAgICAgMTQyNzI1MTk4MTEwMTEwNDI1ICBUMTMzMDM1OTY2NzggICAgICAgICAxIA==
URLRefer OriginalString：
日志时间：2013-12-25 11:59:20
日志信息：信用卡验证结束，返回码：           120456809/返回信息：                                                                                                    (00ThisIsASpecialTokenForCTravelers       120         0  0  0  0  0  0  0           120456809                                                                                                    )
==============================================================
2013-12-25 11:59:21	URL AbsoluteUri + Query：https://secure.ctrip.com/wapSecurity/ClientPay.aspx?name=MzAwMSAgICAgICAgIDEzMzAzNTk2Njc4MzIyNzA2NzQ0MDAwNTI0NjkyNTEgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA1LjIxIDExMC44NzM2OSAzNC42MjMzODg5MDgyMDAwNTAwMDEgICAgICAgMTUx1tC5%5B%5DrmkyczS%5B%5DNDQo63QxdPDv6ggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAyIDQyNzAzMDAwMTEzMzY0NzUgICAgICAgICAwNzgyMDE0MDIgINXFwPIgICAgICAgICAgICAgICAgMTQyNzI1MTk4MTEwMTEwNDI1ICBUMTMzMDM1OTY2NzggICAgICAgICAxIA==
Query：??name=MzAwMSAgICAgICAgIDEzMzAzNTk2Njc4MzIyNzA2NzQ0MDAwNTI0NjkyNTEgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA1LjIxIDExMC44NzM2OSAzNC42MjMzODg5MDgyMDAwNTAwMDEgICAgICAgMTUx1tC5%5B%5DrmkyczS%5B%5DNDQo63QxdPDv6ggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAyIDQyNzAzMDAwMTEzMzY0NzUgICAgICAgICAwNzgyMDE0MDIgINXFwPIgICAgICAgICAgICAgICAgMTQyNzI1MTk4MTEwMTEwNDI1ICBUMTMzMDM1OTY2NzggICAgICAgICAxIA==
URLRefer OriginalString：
日志时间：2013-12-25 11:59:20
日志信息：/耗时118.0118
==============================================================
2013-12-25 11:59:24	URL AbsoluteUri + Query：https://secure.ctrip.com/wapSecurity/ClientPay.aspx?name=MTIwMSAgICAgICAgIDE4MDcwNTYyMjg4MTIxNTEwMDM5MDAwNDA5NDYxNDhUaGlzSXNBU3BlY2lhbFRva2VuRm9yQ1RyYXZlbGVycyAgICAgICAgICAgICAgICAgNS4xICAgICAgICAgICAgICAgICAgICA4MDkxMDAwNTAwMDEgICAgICAgMTM3ye7b2rei1bnS%5B%5DNDQL8a9sLLS%5B%5DNDQo63QxdPDv6ggICAgICAgICAgICAgICAgICAgICAyMjcyNjIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBGMTgwNzA1NjIyODggICAgICAgICAwIA==
Query：??name=MTIwMSAgICAgICAgIDE4MDcwNTYyMjg4MTIxNTEwMDM5MDAwNDA5NDYxNDhUaGlzSXNBU3BlY2lhbFRva2VuRm9yQ1RyYXZlbGVycyAgICAgICAgICAgICAgICAgNS4xICAgICAgICAgICAgICAgICAgICA4MDkxMDAwNTAwMDEgICAgICAgMTM3ye7b2rei1bnS%5B%5DNDQL8a9sLLS%5B%5DNDQo63QxdPDv6ggICAgICAgICAgICAgICAgICAgICAyMjcyNjIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBGMTgwNzA1NjIyODggICAgICAgICAwIA==
URLRefer OriginalString：
日志时间：2013-12-25 11:59:23
日志信息：准备验证信用卡.....
==============================================================
2013-12-25 11:59:24	URL AbsoluteUri + Query：https://secure.ctrip.com/wapSecurity/ClientPay.aspx?name=MTIwMSAgICAgICAgIDE4MDcwNTYyMjg4MTIxNTEwMDM5MDAwNDA5NDYxNDhUaGlzSXNBU3BlY2lhbFRva2VuRm9yQ1RyYXZlbGVycyAgICAgICAgICAgICAgICAgNS4xICAgICAgICAgICAgICAgICAgICA4MDkxMDAwNTAwMDEgICAgICAgMTM3ye7b2rei1bnS%5B%5DNDQL8a9sLLS%5B%5DNDQo63QxdPDv6ggICAgICAgICAgICAgICAgICAgICAyMjcyNjIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBGMTgwNzA1NjIyODggICAgICAgICAwIA==
Query：??name=MTIwMSAgICAgICAgIDE4MDcwNTYyMjg4MTIxNTEwMDM5MDAwNDA5NDYxNDhUaGlzSXNBU3BlY2lhbFRva2VuRm9yQ1RyYXZlbGVycyAgICAgICAgICAgICAgICAgNS4xICAgICAgICAgICAgICAgICAgICA4MDkxMDAwNTAwMDEgICAgICAgMTM3ye7b2rei1bnS%5B%5DNDQL8a9sLLS%5B%5DNDQo63QxdPDv6ggICAgICAgICAgICAgICAgICAgICAyMjcyNjIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBGMTgwNzA1NjIyODggICAgICAgICAwIA==
URLRefer OriginalString：
日志时间：2013-12-25 11:59:23
日志信息：银行名称：深圳发展银行/平安银?
==============================================================
2013-12-25 11:59:24	URL AbsoluteUri + Query：https://secure.ctrip.com/wapSecurity/ClientPay.aspx?name=MTIwMSAgICAgICAgIDE4MDcwNTYyMjg4MTIxNTEwMDM5MDAwNDA5NDYxNDhUaGlzSXNBU3BlY2lhbFRva2VuRm9yQ1RyYXZlbGVycyAgICAgICAgICAgICAgICAgNS4xICAgICAgICAgICAgICAgICAgICA4MDkxMDAwNTAwMDEgICAgICAgMTM3ye7b2rei1bnS%5B%5DNDQL8a9sLLS%5B%5DNDQo63QxdPDv6ggICAgICAgICAgICAgICAgICAgICAyMjcyNjIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBGMTgwNzA1NjIyODggICAgICAgICAwIA==
Query：??name=MTIwMSAgICAgICAgIDE4MDcwNTYyMjg4MTIxNTEwMDM5MDAwNDA5NDYxNDhUaGlzSXNBU3BlY2lhbFRva2VuRm9yQ1RyYXZlbGVycyAgICAgICAgICAgICAgICAgNS4xICAgICAgICAgICAgICAgICAgICA4MDkxMDAwNTAwMDEgICAgICAgMTM3ye7b2rei1bnS%5B%5DNDQL8a9sLLS%5B%5DNDQo63QxdPDv6ggICAgICAgICAgICAgICAgICAgICAyMjcyNjIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBGMTgwNzA1NjIyODggICAgICAgICAwIA==
URLRefer OriginalString：
日志时间：2013-12-25 11:59:23
日志信息：调用服务-ServiceCode:00050001
==============================================================
2013-12-25 11:59:24	URL AbsoluteUri + Query：https://secure.ctrip.com/wapSecurity/ClientPay.aspx?name=MTIwMSAgICAgICAgIDE4MDcwNTYyMjg4MTIxNTEwMDM5MDAwNDA5NDYxNDhUaGlzSXNBU3BlY2lhbFRva2VuRm9yQ1RyYXZlbGVycyAgICAgICAgICAgICAgICAgNS4xICAgICAgICAgICAgICAgICAgICA4MDkxMDAwNTAwMDEgICAgICAgMTM3ye7b2rei1bnS%5B%5DNDQL8a9sLLS%5B%5DNDQo63QxdPDv6ggICAgICAgICAgICAgICAgICAgICAyMjcyNjIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBGMTgwNzA1NjIyODggICAgICAgICAwIA==
Query：??name=MTIwMSAgICAgICAgIDE4MDcwNTYyMjg4MTIxNTEwMDM5MDAwNDA5NDYxNDhUaGlzSXNBU3BlY2lhbFRva2VuRm9yQ1RyYXZlbGVycyAgICAgICAgICAgICAgICAgNS4xICAgICAgICAgICAgICAgICAgICA4MDkxMDAwNTAwMDEgICAgICAgMTM3ye7b2rei1bnS%5B%5DNDQL8a9sLLS%5B%5DNDQo63QxdPDv6ggICAgICAgICAgICAgICAgICAgICAyMjcyNjIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBGMTgwNzA1NjIyODggICAgICAgICAwIA==
URLRefer OriginalString：
日志时间：2013-12-25 11:59:23
日志信息：用户编号：18070562288
==============================================================
2013-12-25 11:59:24	URL AbsoluteUri + Query：https://secure.ctrip.com/wapSecurity/ClientPay.aspx?name=MTIwMSAgICAgICAgIDE4MDcwNTYyMjg4MTIxNTEwMDM5MDAwNDA5NDYxNDhUaGlzSXNBU3BlY2lhbFRva2VuRm9yQ1RyYXZlbGVycyAgICAgICAgICAgICAgICAgNS4xICAgICAgICAgICAgICAgICAgICA4MDkxMDAwNTAwMDEgICAgICAgMTM3ye7b2rei1bnS%5B%5DNDQL8a9sLLS%5B%5DNDQo63QxdPDv6ggICAgICAgICAgICAgICAgICAgICAyMjcyNjIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBGMTgwNzA1NjIyODggICAgICAgICAwIA==
Query：??name=MTIwMSAgICAgICAgIDE4MDcwNTYyMjg4MTIxNTEwMDM5MDAwNDA5NDYxNDhUaGlzSXNBU3BlY2lhbFRva2VuRm9yQ1RyYXZlbGVycyAgICAgICAgICAgICAgICAgNS4xICAgICAgICAgICAgICAgICAgICA4MDkxMDAwNTAwMDEgICAgICAgMTM3ye7b2rei1bnS%5B%5DNDQL8a9sLLS%5B%5DNDQo63QxdPDv6ggICAgICAgICAgICAgICAgICAgICAyMjcyNjIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBGMTgwNzA1NjIyODggICAgICAgICAwIA==
URLRefer OriginalString：
日志时间：2013-12-25 11:59:23
日志信息：持卡人：
==============================================================
2013-12-25 11:59:24	SOA判断是否曾用卡-RequestXml:
<?xml version="1.0"?>
<Request>
  <Header UserID="340101" RequestType="AccCash.CreditCard.IsPayUsedCard" AsyncRequest="false" Timeout="0" MessagePriority="3" />
  <IsPayUsedListRequest>
    <Uid>18070562288</Uid>
    <CreditCardType>22</CreditCardType>
    <CNLast4Code>9773D3352E206FEF3DF91B8757D63B67</CNLast4Code>
  </IsPayUsedListRequest>
</Request>
2013-12-25 11:59:24	SOA判断是否曾用卡-ResponseXml:
<?xml version="1.0"?>
<Response>
  <Header ServerIP="192.168.86.164" ShouldRecordPerformanceTime="false" UserID="340101" RequestID="d487f26a-4410-417d-a4b0-3a05225e5800" ResultCode="Success" AssemblyVersion="1.0.2.6" RequestBodySize="0" SerializeMode="Xml" RouteStep="1" Environment="pro" />
  <IsPayUsedListResponse>
    <IsPayUseCard>T</IsPayUseCard>
    <CardInfoID>118412583</CardInfoID>
  </IsPayUsedListResponse>
</Response>
2013-12-25 11:59:24	SOA获取信用卡信息-RequestXml:
<?xml version="1.0"?>
<Request>
  <Header UserID="340101" RequestType="AccCash.CreditCard.GetCreditCardInfo" AsyncRequest="false" Timeout="0" MessagePriority="3" />
  <GetCreditCardInfoRequest>
    <CardInfoId>118412583</CardInfoId>
  </GetCreditCardInfoRequest>
</Request>
2013-12-25 11:59:24	SOA获取信用卡信息-ResponseXml:
<?xml version="1.0"?>
<Response>
  <Header ServerIP="192.168.86.164" ShouldRecordPerformanceTime="false" UserID="340101" RequestID="9e118e08-4fe1-4efd-b53a-e9f7e04d31a3" ResultCode="Success" AssemblyVersion="1.0.2.6" RequestBodySize="0" SerializeMode="Xml" RouteStep="1" Environment="pro" />
  <GetCreditCardInfoResponse>
    <CreditCardItems>
      <CreditCardInfoResponseItem>
        <CardInfoId>1184125**</CardInfoId>
        <CreditCardType>22</CreditCardType>
        <CardTypeName>深圳发展银行/平安银行－信用卡</CardTypeName>
        <CreditCardNumber>CTRP0001AF138BE8731FA32A4BFA279F763CA289A9E5C6971CD4175350A*****</CreditCardNumber>
        <CCardNoCode>B4FB0144E930CE7ED6D7F1C2D23*****</CCardNoCode>
        <CValidityCode>53A4B48D6E946FAA59C35643D77*****</CValidityCode>
        <CardBin>4835**</CardBin>
        <Validity>CTRP0001AF138BE8731FA32A4BFA279F54DF6171BA6F0E6A54F26A258AB95234</Validity>
        <CardHolder />
        <IdCardType>1</IdCardType>
        <IdNumber>362101198208030658</IdNumber>
        <VerifyNo>CTRP0001AF138BE8731FA32A4BFA279FE1EA8F5043DB70F5B557E4677C1830AF</VerifyNo>
        <CurrencyType>U</CurrencyType>
        <VM_Type>U</VM_Type>
        <IsForeignCard>F</IsForeignCard>
        <LocalCardType>U</LocalCardType>
        <AgreementCode />
        <Nationality />
        <StateName />
        <BillingAddress />
        <ZipCode />
        <Nationalityofisuue />
        <BankOfCardIssue />
        <CreateDate>2013-12-02T19:36:55</CreateDate>
        <CardRiskNoPreCode>CD15A161237CE012D84A194B64A981BC</CardRiskNoPreCode>
        <CardRiskNoLastCode>9773D3352E206FEF3DF91B8757D63B67</CardRiskNoLastCode>
        <PhoneNo />
      </CreditCardInfoResponseItem>
    </CreditCardItems>
  </GetCreditCardInfoResponse>
</Response>
2013-12-25 11:59:24	验证信用卡CVV码
2013-12-25 11:59:24	SOA开始验证信用卡CVV码-RequestXML:
<?xml version="1.0"?>
<Request>
  <Header UserID="340101" RequestType="AccCash.CreditCard.GetCreditCardRuleInfo" AsyncRequest="false" Timeout="0" MessagePriority="3" />
  <GetCreditCardRuleInfoRequest>
    <CreditCardType>22</CreditCardType>
    <CCRID>-2147483648</CCRID>
  </GetCreditCardRuleInfoRequest>
</Request>
2013-12-25 11:59:24	SOA开始验证信用卡CVV码-ResponseXML:
<?xml version="1.0"?>
<Response>
  <Header ServerIP="192.168.86.164" ShouldRecordPerformanceTime="false" UserID="340101" RequestID="010fc333-e310-42e8-af88-cc4546c8e8b4" ResultCode="Success" AssemblyVersion="1.0.2.6" RequestBodySize="0" SerializeMode="Xml" RouteStep="1" Environment="pro" />
  <GetCreditCardRuleInfoResponse>
    <CardRuleItem>
      <CCRID>985</CCRID>
      <CardType>深圳平安银行</CardType>
      <CardTypeId>22</CardTypeId>
      <CardName>信用卡</CardName>
      <CardClass>信用卡</CardClass>
      <CardRule>356868</CardRule>
      <R_Star>3568680000000</R_Star>
      <R_End>3568689999999</R_End>
      <CardLen>16</CardLen>
      <BCanUse>T</BCanUse>
      <City>0</City>
      <BVerifyNo>T</BVerifyNo>
      <CurrenyType>U </CurrenyType>
      <ModifiedFlag>I</ModifiedFlag>
    </CardRuleItem>
    <CardRuleItem>
      <CCRID>524</CCRID>
      <CardType>深圳平安银行</CardType>
      <CardTypeId>22</CardTypeId>
      <CardName>平安BB熊JCB双币卡</CardName>
      <CardClass>信用卡</CardClass>
      <CardRule>356869</CardRule>
      <R_Star>3568690000000</R_Star>
      <R_End>3568699999999</R_End>
      <CardLen>16</CardLen>
      <BCanUse>T</BCanUse>
      <City>0</City>
      <BVerifyNo>T</BVerifyNo>
      <CurrenyType>U </CurrenyType>
      <ModifiedFlag>U</ModifiedFlag>
    </CardRuleItem>
    <CardRuleItem>
      <CCRID>912</CCRID>
      <CardType>深圳市发展银行</CardType>
      <CardTypeId>22</CardTypeId>
      <CardName>VISA普卡</CardName>
      <CardClass>信用卡</CardClass>
      <CardRule>435744</CardRule>
      <R_Star>4357440000000</R_Star>
      <R_End>4357449999999</R_End>
      <CardLen>16</CardLen>
      <BCanUse>T</BCanUse>
      <City>0</City>
      <BVerifyNo>T</BVerifyNo>
      <CurrenyType>U </CurrenyType>
      <ModifiedFlag>I</ModifiedFlag>
    </CardRuleItem>
    <CardRuleItem>
      <CCRID>913</CCRID>
      <CardType>深圳市发展银行</CardType>
      <CardTypeId>22</CardTypeId>
      <CardName>VISA金卡</CardName>
      <CardClass>信用卡</CardClass>
      <CardRule>435745</CardRule>
      <R_Star>4357450000000</R_Star>
      <R_End>4357459999999</R_End>
      <CardLen>16</CardLen>
      <BCanUse>T</BCanUse>
      <City>0</City>
      <BVerifyNo>T</BVerifyNo>
      <CurrenyType>U </CurrenyType>
      <ModifiedFlag>I</ModifiedFlag>
    </CardRuleItem>
    <CardRuleItem>
      <CCRID>914</CCRID>
      <CardType>深圳市发展银行</CardType>
      <CardTypeId>22</CardTypeId>
      <CardName>双币白金卡</CardName>
      <CardClass>信用卡</CardClass>
      <CardRule>483536</CardRule>
      <R_Star>4835360000000</R_Star>
      <R_End>4835369999999</R_End>
      <CardLen>16</CardLen>
      <BCanUse>T</BCanUse>
      <City>0</City>
      <BVerifyNo>T</BVerifyNo>
      <CurrenyType>U </CurrenyType>
      <ModifiedFlag>I</ModifiedFlag>
    </CardRuleItem>
    <CardRuleItem>
      <CCRID>416</CCRID>
      <CardType>深圳市商业银行</CardType>
      <CardTypeId>22</CardTypeId>
      <CardName>平安万里通信用卡(master金卡)</CardName>
      <CardClass>信用卡</CardClass>
      <CardRule>526855</CardRule>
      <R_Star>5268550000000</R_Star>
      <R_End>5268559999999</R_End>
      <CardLen>16</CardLen>
      <BCanUse>T</BCanUse>
      <City>0</City>
      <BVerifyNo>T</BVerifyNo>
      <CurrenyType>U </CurrenyType>
      <ModifiedFlag>I</ModifiedFlag>
    </CardRuleItem>
    <CardRuleItem>
      <CCRID>415</CCRID>
      <CardType>深圳市商业银行</CardType>
      <CardTypeId>22</CardTypeId>
      <CardName>平安万里通信用卡(master普卡)</CardName>
      <CardClass>信用卡</CardClass>
      <CardRule>528020</CardRule>
      <R_Star>5280200000000</R_Star>
      <R_End>5280209999999</R_End>
      <CardLen>16</CardLen>
      <BCanUse>T</BCanUse>
      <City>0</City>
      <BVerifyNo>T</BVerifyNo>
      <CurrenyType>U </CurrenyType>
      <ModifiedFlag>I</ModifiedFlag>
    </CardRuleItem>
    <CardRuleItem>
      <CCRID>563</CCRID>
      <CardType>深圳平安银行</CardType>
      <CardTypeId>22</CardTypeId>
      <CardName>Master白金卡</CardName>
      <CardClass>信用卡</CardClass>
      <CardRule>531659</CardRule>
      <R_Star>5316590000000</R_Star>
      <R_End>5316599999999</R_End>
      <CardLen>16</CardLen>
      <BCanUse>T</BCanUse>
      <City>0</City>
      <BVerifyNo>T</BVerifyNo>
      <CurrenyType>U </CurrenyType>
      <ModifiedFlag>U</ModifiedFlag>
    </CardRuleItem>
    <CardRuleItem>
      <CCRID>413</CCRID>
      <CardType>深圳市商业银行</CardType>
      <CardTypeId>22</CardTypeId>
      <CardName>平安万里通信用卡(银联标准卡金卡)</CardName>
      <CardClass>信用卡</CardClass>
      <CardRule>622155</CardRule>
      <R_Star>6221550000000</R_Star>
      <R_End>6221559999999</R_End>
      <CardLen>16</CardLen>
      <BCanUse>T</BCanUse>
      <City>0</City>
      <BVerifyNo>T</BVerifyNo>
      <CurrenyType>U </CurrenyType>
      <ModifiedFlag>I</ModifiedFlag>
    </CardRuleItem>
    <CardRuleItem>
      <CCRID>414</CCRID>
      <CardType>深圳市商业银行</CardType>
      <CardTypeId>22</CardTypeId>
      <CardName>平安万里通信用卡(银联标准卡普卡)</CardName>
      <CardClass>信用卡</CardClass>
      <CardRule>622156</CardRule>
      <R_Star>6221560000000</R_Star>
      <R_End>6221569999999</R_End>
      <CardLen>16</CardLen>
      <BCanUse>T</BCanUse>
      <City>0</City>
      <BVerifyNo>T</BVerifyNo>
      <CurrenyType>U </CurrenyType>
      <ModifiedFlag>I</ModifiedFlag>
    </CardRuleItem>
    <CardRuleItem>
      <CCRID>562</CCRID>
      <CardType>深圳平安银行</CardType>
      <CardTypeId>22</CardTypeId>
      <CardName>银联白金卡</CardName>
      <CardClass>信用卡</CardClass>
      <CardRule>622157</CardRule>
      <R_Star>6221570000000</R_Star>
      <R_End>6221579999999</R_End>
      <CardLen>16</CardLen>
      <BCanUse>T</BCanUse>
      <City>0</City>
      <BVerifyNo>T</BVerifyNo>
      <CurrenyType>U </CurrenyType>
      <ModifiedFlag>U</ModifiedFlag>
    </CardRuleItem>
    <CardRuleItem>
      <CCRID>910</CCRID>
      <CardType>深圳市发展银行</CardType>
      <CardTypeId>22</CardTypeId>
      <CardName>银联标准卡金卡</CardName>
      <CardClass>信用卡</CardClass>
      <CardRule>622525</CardRule>
      <R_Star>6225250000000</R_Star>
      <R_End>6225259999999</R_End>
      <CardLen>16</CardLen>
      <BCanUse>T</BCanUse>
      <City>0</City>
      <BVerifyNo>T</BVerifyNo>
      <CurrenyType>U </CurrenyType>
      <ModifiedFlag>I</ModifiedFlag>
    </CardRuleItem>
    <CardRuleItem>
      <CCRID>906</CCRID>
      <CardType>深圳市发展银行</CardType>
      <CardTypeId>22</CardTypeId>
      <CardName>发展信用卡(银联金卡)</CardName>
      <CardClass>信用卡</CardClass>
      <CardRule>622525</CardRule>
      <R_Star>6225250000000</R_Star>
      <R_End>6225259999999</R_End>
      <CardLen>16</CardLen>
      <BCanUse>T</BCanUse>
      <City>0</City>
      <BVerifyNo>T</BVerifyNo>
      <CurrenyType>U </CurrenyType>
      <ModifiedFlag>I</ModifiedFlag>
    </CardRuleItem>
    <CardRuleItem>

修复方案：

#1 支付调试信息尽量不保存为文本
#2 避免目录遍历
#3 避免日志被下载

版权声明：转载请注明来源猪猪侠@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：20

确认时间：2014-03-22 23:22

厂商回复：

携程技术人员已经确认该漏洞，并在两小时内及时修复，对于乌云平台发现的漏洞信息表示感谢。该漏洞受影响的用户为近期的部份交易客户，目前并没有用户受到该漏洞的影响而造成相应财产损失的情况发现。携程旅行网始终对信息安全非常重视，对于此次漏洞事件如果有新的进展将持续通报。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-054302

漏洞标题：携程安全支付日志可遍历下载导致大量用户银行卡信息泄露(包含持卡人姓名身份证、银行卡号、卡CVV码、6位卡Bin)

相关厂商：携程旅行网

漏洞作者：猪猪侠

提交时间：2014-03-22 18:18

修复时间：2014-09-26 12:38

公开时间：2014-09-26 12:38

漏洞类型：敏感信息泄露

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源猪猪侠@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2014-054302

漏洞标题：携程安全支付日志可遍历下载 导致大量用户银行卡信息泄露(包含持卡人姓名身份证、银行卡号、卡CVV码、6位卡Bin)

相关厂商：携程旅行网

漏洞作者： 猪猪侠

提交时间：2014-03-22 18:18

修复时间：2014-09-26 12:38

公开时间：2014-09-26 12:38

漏洞类型：敏感信息泄露

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2014-054302"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 猪猪侠@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞标题：携程安全支付日志可遍历下载导致大量用户银行卡信息泄露(包含持卡人姓名身份证、银行卡号、卡CVV码、6位卡Bin)

漏洞作者：猪猪侠

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源猪猪侠@乌云