A Chain Brand's Sensitive Information Leaked via Scraping

Preface

Everything below is a simulated scenario rather than a specific real case; please read it with discretion.

I don't need to tell you what is going on with this "certain chain brand"; DDD (those who know, know), so I can only keep things very brief.

The instruction I received was to look for any place where one could obtain the scale of all the stores, their exact addresses and operating status, and whether any business information was exposed.

Reconnaissance

OK, let's look at their APP first. Every store has its own page; the store's header image shows whether it is open, and the detail page inside the store detail page shows the business license. And it is the franchisee's license, without a watermark?!

Fine. Now I just need to find which API endpoint returns this information, and then check whether fields like the store id are incrementing and therefore enumerable.

And then I found out: not only is the store id incrementing and enumerable, there is also an endpoint that proactively returns an overview of all stores, and another endpoint where you can pass a path directly and get the company the store belongs to along with other sensitive information!

And this is an APP with no hardening and no restrictions whatsoever, where every request is a GET. I could cry!
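The enumeration pattern described above (one client stepping through incrementing store ids) is something the operator could have spotted in its own access logs. The following is an added illustration, not code from the original post or from the brand's systems. It assumes the store-detail endpoint receives the store id as a query parameter named `id` (the post redacts the parameters) and an nginx-style combined log format; every log line is constructed.

```python
"""Flag clients that step through incrementing store ids in API access logs.

Added illustration, not the post's or the brand's code. Assumes the store
detail endpoint receives the store id as a query parameter named `id` (the
post redacts the parameters) and an nginx-style combined log format. All
log lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlparse

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \d+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("url"))
    raw_id = parse_qs(url.query).get("id", [None])[0]
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": url.path,
        "store_id": int(raw_id) if raw_id and raw_id.isdigit() else None,
        "status": int(m.group("status")),
    }


def find_enumerators(lines, endpoint="/public/getStadiumInfo", min_requests=5,
                     window_seconds=60, min_sequential_ratio=0.8):
    """Return {ip: summary} for clients whose requests look like id enumeration.

    A client is flagged when, inside any window of `window_seconds`, it fetched at
    least `min_requests` distinct store ids and at least `min_sequential_ratio` of
    the consecutive requests advanced the id by exactly +1, which is the shape a
    for-loop over an incrementing id produces.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].endswith(endpoint) and rec["store_id"] is not None:
            per_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for start in range(len(recs)):
            t0 = recs[start]["ts"]
            window = [r for r in recs[start:]
                      if (r["ts"] - t0).total_seconds() <= window_seconds]
            ids = [r["store_id"] for r in window]
            if len(set(ids)) < min_requests:
                continue
            steps = [b - a for a, b in zip(ids, ids[1:])]
            ratio = sum(1 for s in steps if s == 1) / len(steps)
            if ratio >= min_sequential_ratio:
                flagged[ip] = {
                    "requests": len(window),
                    "id_range": (min(ids), max(ids)),
                    "sequential_ratio": round(ratio, 2),
                }
                break
    return flagged


# Constructed sample: one client walks ids 1001..1008 in eight seconds, another
# behaves like a real app user (two unrelated stores, then the list endpoint).
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Oct/2025:06:04:0{i} +0000] '
    f'"GET /xxx/public/getStadiumInfo?id={1000 + i} HTTP/2.0" 200 1611'
    for i in range(1, 9)
] + [
    '198.51.100.5 - - [10/Oct/2025:06:04:03 +0000] "GET /xxx/public/getStadiumInfo?id=1042 HTTP/2.0" 200 1590',
    '198.51.100.5 - - [10/Oct/2025:06:05:40 +0000] "GET /xxx/public/getStadiumInfo?id=2210 HTTP/2.0" 200 1602',
    '198.51.100.5 - - [10/Oct/2025:06:05:41 +0000] "GET /xxx/public/stadiumList HTTP/2.0" 200 75961',
]

if __name__ == "__main__":
    for ip, summary in find_enumerators(SAMPLE_LOG).items():
        print(ip, summary)
```

The thresholds are deliberately conservative: a genuine app user opens a handful of stores that are scattered across the id space, while a scraper produces long runs of +1 steps, so the sequential ratio separates the two far better than request volume alone.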

Related requests

Fetching the list of all stores

```http
GET /xxx/xxxx/x/public/stadiumList HTTP/2
Host: api.xxxxx.com
Cookie: acw_tc=0xxxx9 (not meaningful)
Phone: 1xxxxxxxxx1 (not meaningful)
Accept: */*
User-Id: xxxxx5
Accept-Encoding: gzip, deflate, br
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 18_0_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 Html5Plus/1.0 (Immersed/20) uni-app
Accept-Language: zh-CN,zh-Hans;q=0.9

HTTP/2 200 OK
Date: xxx, xx Oct 2025 06:04:59 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 75961
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With, Content-Type, Accept, Origin, Authorization, Token
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
Server: R/1.0

[{"id":xxxx,"name":"1\uxxx9","ads":"\uxxxa","gps":"xxx.109246,xx.703893"},
{"id":xxxx,"name":"2\uxxx7","ads":"\uxxxa","gps":"xx.146952,xx.714365"},
......]
```

Fetching basic store info

```http
GET /xxx/xxxx/xxxx/public/getStadiumInfo HTTP/2
Host: api.xxxxx.com
Cookie: acw_tc=0xxxxx9 (not meaningful)
Phone: 1xxxxxxxxx1 (not meaningful)
Accept: */*
User-Id: xxxxx5
Accept-Encoding: gzip, deflate, br
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 18_0_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 Html5Plus/1.0 (Immersed/20) uni-app
Accept-Language: zh-CN,zh-Hans;q=0.9

HTTP/2 200 OK
Date: xxx, xx Oct 2025 06:04:06 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 1611
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With, Content-Type, Accept, Origin, Authorization, Token
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
Server: R/1.0

{"id":xxxx,"brand_id":xxxx,"name":"505\uxxx7","pic":"https:\/\/src-alpha.oss-cn-hangzhou.aliyuncs.com\/xxx\/xxx\/xxxx\/xxxx\/0xxxxxxxxxc","province":"\uxxx1","city":"\uxxx2","county":"\uxxxa","address":"\uxxxe","tel":"4xxxxxxxx2","business_hours":"09:00-22:00","longitude":xxx.175879,"latitude":xx.32727,"intro":null,"aerobics_count":0,"wx_url":null,"area":0,"unmanned":1,"guide":"","plan":"","exxxxxxx_info":"{\"\uxxx0\":[],\"\uxxx0\":[],\"\uxxx0\":[]}","service_info":"[{\"id\":1,\"name\":\"\uxxx6\"},{\"id\":2,\"name\":\"\uxxxd\"},{\"id\":3,\"name\":\"\uxxxa\"},{\"id\":4,\"name\":\"\uxxxa\"},{\"id\":5,\"name\":\"\uxxxa\"}]","fxxxxx_info":"[{\"id\":1,\"name\":\"\uxxx4\"},{\"id\":2,\"name\":\"\uxxx4\"},{\"id\":3,\"name\":\"\uxxxc\"},{\"id\":4,\"name\":\"\uxxx4\"},{\"id\":5,\"name\":\"\uxxxI\"},{\"id\":6,\"name\":\"\uxxxa\"},{\"id\":7,\"name\":\"\uxxxa\"},{\"id\":8,\"name\":\"\uxxx4\"},{\"id\":9,\"name\":\"\uxxx0\"},{\"id\":10,\"name\":\"\uxxx4\"}]","business_license":"https://src-alpha.oss-cn-hangzhou.aliyuncs.com/xxx/xxx/xxxx/xxxx/exxxxxxxxo","trending":null,"featured":null,"brand_info":{"id":xxxx,"name":"\uxxxx7","logo_url":"https:\/\/src-alpha.oss-cn-hangzhou.aliyuncs.com\/xxx\/xxx\/xxxx?v=1xxxxxxxx0","intro":"26\uxxxxb","qrcode_show_url":null}}
```

Returning the contracted company's information

```http
GET /xxxxxx/xxx/xxxx/public/get?key=xxxxx_xxx_company_name HTTP/2
Host: api.xxxxx.com
Cookie: acw_tc=0xxxxxxxxx1 (not meaningful)
Phone: 1xxxxxxxxx1 (not meaningful)
Accept: */*
User-Id: xxxxx5
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 18_0_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 Html5Plus/1.0 (Immersed/20) uni-app
Accept-Language: zh-CN,zh-Hans;q=0.9
Accept-Encoding: gzip, deflate, br

HTTP/2 200 OK
Date: xxx, xx Oct 2025 01:11:11 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 42
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With, Content-Type, Accept, Origin, Authorization, Token
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
Server: R/1.0

xxxxxxxxxx有限公司
```

It feels like the list of issues would be endless, so I'll stop writing here and paste an illustrative business license. Naturally, I didn't put details at this level into the report.

[image: illustrative business license]

Afterword

Although all of this is what the chain brand itself displays directly in the APP, it is in fact very unsafe: if someone with ill intent scraped it in bulk, it could lead to a large-scale leak of sensitive information.
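One way to close the three gaps the post describes (enumerable ids, a public response that carries the business license and other non-public fields, and unlimited unauthenticated GETs), as an added example that is neither the brand's code nor part of the original post. The HMAC key, the store records and the handler `get_stadium_info` are constructed, and the field allow-list is an assumption about what the store page actually needs to render.

```python
"""Hardened version of the store endpoints discussed above.

Added illustration, not the brand's code. It addresses the three weaknesses the
post lists: incrementing ids are replaced by HMAC-tagged opaque handles, the
public response is reduced to an allow-list of fields (no business_license,
tel, brand_id), and each client gets a per-window request budget. The secret
key, the store records and the handler name are all constructed/hypothetical.
"""
import base64
import hashlib
import hmac
import time
from collections import deque

# Constructed secret; in a real deployment this comes from a secret store.
OPAQUE_KEY = b"constructed-server-secret-do-not-reuse"
TAG_LEN = 8


def to_public_id(store_id: int) -> str:
    """Map an internal incrementing id to an opaque handle: id || HMAC(id)[:8].

    Without the key a client can neither forge a handle nor step to the next
    store by adding one, which removes the enumeration primitive.
    """
    tag = hmac.new(OPAQUE_KEY, str(store_id).encode(), hashlib.sha256).digest()[:TAG_LEN]
    raw = store_id.to_bytes(4, "big") + tag
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def from_public_id(handle: str):
    """Return the internal id, or None if the handle is malformed or its tag is wrong."""
    try:
        raw = base64.urlsafe_b64decode(handle + "=" * (-len(handle) % 4))
    except (ValueError, TypeError):
        return None
    if len(raw) != 4 + TAG_LEN:
        return None
    store_id = int.from_bytes(raw[:4], "big")
    expected = hmac.new(OPAQUE_KEY, str(store_id).encode(), hashlib.sha256).digest()[:TAG_LEN]
    return store_id if hmac.compare_digest(raw[4:], expected) else None


# Only what the store page needs to render. business_license, tel and brand_id
# stay server-side (or behind an authenticated, audited endpoint).
PUBLIC_FIELDS = ("name", "province", "city", "county", "address", "business_hours", "service_info")


def public_view(record: dict) -> dict:
    """Project a full store record onto the public field allow-list."""
    view = {k: record[k] for k in PUBLIC_FIELDS if k in record}
    view["id"] = to_public_id(record["id"])
    return view


class RateLimiter:
    """Per-client sliding window: at most `limit` requests in any `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.hits = {}

    def allow(self, client: str, now: float = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self.hits.setdefault(client, deque())
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Constructed records shaped like the getStadiumInfo response in the post.
STORES = {
    1001: {"id": 1001, "brand_id": 77, "name": "Store 1001", "province": "P", "city": "C",
           "county": "D", "address": "1 Example Road", "tel": "400-000-0000",
           "business_hours": "09:00-22:00", "service_info": "[]",
           "business_license": "https://example.invalid/license/1001"},
    1002: {"id": 1002, "brand_id": 77, "name": "Store 1002", "province": "P", "city": "C",
           "county": "D", "address": "2 Example Road", "tel": "400-000-0001",
           "business_hours": "09:00-22:00", "service_info": "[]",
           "business_license": "https://example.invalid/license/1002"},
}
LIMITER = RateLimiter(limit=30, window=60)


def get_stadium_info(handle: str, client: str, now: float = None):
    """Hypothetical hardened handler. Returns (status, body)."""
    if not LIMITER.allow(client, now):
        return 429, {"error": "too many requests"}
    store_id = from_public_id(handle)
    # A forged tag and a missing store get the same answer, so the response
    # does not reveal which internal ids exist.
    if store_id is None or store_id not in STORES:
        return 404, {"error": "not found"}
    return 200, public_view(STORES[store_id])
```

The opaque handle is deliberately a keyed tag rather than a random UUID stored in a table, so existing integer ids can stay in the database and no migration is needed; the cost is that rotating `OPAQUE_KEY` invalidates old handles. The allow-list is the part that actually removes the license and contact data from the public surface: rate limiting only slows a scraper down, it does not change what a single response gives away.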

This task was soon no longer mine to handle (I have to move on yet again), and I have deleted all the content, keeping only this blog post as a record and proof of the experience, not for any illegal use.
