
Vulnerability summary

Defect ID: wooyun-2016-0168177

Title: A design flaw in a 格林豪泰 (GreenTree Inns) component lets large-scale credential stuffing expose users' ID-card numbers, phone numbers, room-booking records and more, and lets an attacker spend users' 格林币 (Green Coins) to upgrade memberships

Vendor: 格林豪泰酒店管理集团 (GreenTree Hospitality Group)

Author: 祸斗

Submitted: 2016-01-07 22:36

Fixed: 2016-02-22 16:48

Published: 2016-02-22 16:48

Vulnerability type: design flaw / logic error

Severity: High

Self-assessed Rank: 10

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2016-01-07: Details sent to the vendor, awaiting the vendor's response
2016-01-08: Vendor confirmed; details visible to the vendor only
2016-01-18: Details disclosed to core white hats and domain experts
2016-01-28: Details disclosed to regular white hats
2016-02-07: Details disclosed to intern white hats
2016-02-22: Details disclosed to the public

Brief description:

A design flaw in a 格林豪泰 component lets large-scale credential stuffing expose users' ID-card numbers, phone numbers, room-booking records and more, and lets an attacker spend users' 格林币 to upgrade memberships.

Detailed description:

The login form at http://998.com/Account/Sign has a captcha, but it can be bypassed, and the username and password are transmitted in plaintext.

[Screenshots: 1.png, 2.png]


Testing showed that credential stuffing works; a run against a large credential set produced many hits. Part of the successfully matched accounts were listed here as proof (the list is omitted from this copy):



After logging in you can view the user's ID-card number, phone number, room-booking records and the like. Leaving the rest aside, take the ID-card number: something this important is masked, but... because of a design flaw, the masking makes no difference at all.

[Screenshots: 3.png, 5.png, 6.png]
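The masking the author calls pointless is the kind applied after the full value has already been sent to the client. The block below is an added example, not the vendor's code: it contrasts that assumed flawed response with one that masks the ID-card and phone number on the server so the raw value never leaves it. The record and field names are constructed for the example.

```python
import json
import re

# Formats assumed for the example: PRC 18-character resident ID and 11-digit mobile number.
ID_RE = re.compile(r"^\d{17}[\dXx]$")
PHONE_RE = re.compile(r"^1\d{10}$")


def mask_id_number(id_no: str) -> str:
    """Keep the 6-digit region code and last 4 chars; hide the birth date and sequence."""
    if not ID_RE.match(id_no):
        raise ValueError("not an 18-character ID number")
    return id_no[:6] + "*" * 8 + id_no[-4:]


def mask_phone(phone: str) -> str:
    """Keep the first 3 and last 4 digits of a mobile number."""
    if not PHONE_RE.match(phone):
        raise ValueError("not an 11-digit mobile number")
    return phone[:3] + "****" + phone[-4:]


# Constructed sample member record (fake values, not real data).
RECORD = {"name": "张三", "id_no": "110101199001011234",
          "phone": "13800138000", "green_coins": 120}


def profile_response_flawed(record: dict) -> dict:
    """Assumed flawed design: raw values are serialized and a flag tells the page
    to draw asterisks. Anyone reading the response gets the full value."""
    return {"name": record["name"], "id_no": record["id_no"], "phone": record["phone"],
            "masked": True, "green_coins": record["green_coins"]}


def profile_response_fixed(record: dict) -> dict:
    """Fixed design: only the masked strings are serialized; the raw values stay
    on the server and are shown only through a separately authorized step."""
    return {"name": record["name"], "id_no": mask_id_number(record["id_no"]),
            "phone": mask_phone(record["phone"]), "green_coins": record["green_coins"]}


def leaks_raw_value(response: dict, record: dict) -> bool:
    """Response check: does any raw sensitive value appear anywhere in the JSON body?"""
    body = json.dumps(response, ensure_ascii=False)
    return record["id_no"] in body or record["phone"] in body


if __name__ == "__main__":
    print(leaks_raw_value(profile_response_flawed(RECORD), RECORD))  # True
    print(leaks_raw_value(profile_response_fixed(RECORD), RECORD))   # False
```

The `leaks_raw_value` check is the kind of assertion worth keeping in an API test suite, since a display-side mask passes visual review while failing it.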


You can also spend the user's 格林币 to upgrade their membership and enjoy the discounts~

[Screenshot: 7.png]


Also, because the accounts obtained here belong to the main 998.com domain, they work across the site: you can log in to the 格林商城 (Green Mall) as well, which is another round of information leakage~

Proof of vulnerability (the credential list that was repeated here is omitted from this copy):


Fix suggestion:

With information leakage this severe, if someone runs a large-scale credential-stuffing attack and posts the results online... Fix the captcha and the masking properly.
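A complement to a working captcha is detecting a stuffing run in the login logs: many distinct accounts attempted from one source within a short window, whether or not each attempt succeeds. The detector below is an added example, not the vendor's or the author's code; the log format, the documentation-range IPs and the thresholds are assumptions, and events are assumed to arrive in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log line format (constructed for the example).
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<res>ok|fail)$")


def parse(line: str):
    """Return (timestamp, ip, user, success) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["res"] == "ok"


def detect_stuffing(lines, window=timedelta(seconds=60), min_accounts=10):
    """Map source IP -> peak number of distinct accounts seen inside any window,
    keeping only sources at or above min_accounts. A human retries one or two
    accounts; a stuffing run cycles through many from one source, and a bypassed
    captcha makes every attempt look clean, so the account count is the signal."""
    recent = defaultdict(deque)   # ip -> (ts, user) events still inside the window
    peak = defaultdict(int)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ts, ip, user, _ok = ev
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        peak[ip] = max(peak[ip], len({u for _, u in q}))
    return {ip: n for ip, n in peak.items() if n >= min_accounts}


# Constructed sample: one source walks 12 different accounts in 12 seconds;
# another is a single user who mistyped a password twice before succeeding.
SAMPLE = [f"2016-01-07T22:36:{i:02d} src=203.0.113.7 user=user{i}@example.com "
          f"result={'ok' if i == 5 else 'fail'}" for i in range(12)]
SAMPLE += ["2016-01-07T22:36:10 src=198.51.100.9 user=alice@example.com result=fail",
           "2016-01-07T22:36:20 src=198.51.100.9 user=alice@example.com result=fail",
           "2016-01-07T22:36:30 src=198.51.100.9 user=alice@example.com result=ok"]

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE))   # {'203.0.113.7': 12}
```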

Copyright notice: when reposting, please credit the source: 祸斗@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2016-01-08 16:51

Vendor reply:

Thank you for your attention to 格林; the issue has been handled.

Latest status:

None