Lenovo employee information leakage vulnerability in shengxin sunshine Consulting Company

Lenovo employee information leakage vulnerability in shengxin sunshine Consulting Company

The login system customized by shengxin sunshine consulting company for Lenovo has design defects, which can leak information of all Lenovo employees.

(1) learn about this company. It is a Sino-US Joint Venture psychological consulting company. Its customers are all big companies: Baidu, Lenovo, Haier, and CNPC...
 

 

The following are the contact information about Beijing shengxin sunshine Consulting Co., Ltd.

Email Address: [email protected], [email protected], [email protected], [email protected]

Tel: 010-65188558 010-65180308

24-hour free hotline: Phone number: 400-650-6605 landline number: 800-810-6605

(2) Visit the heart of sunshine Lenovo custom home: http://www.eapchina.net/lenovo/
 

(3) Vulnerability Analysis

According to the prompt: account is: eight employees employee ID (usually the first three 0, such as 00012345) password: 000000

Traverse the eight-digit characters starting with 000000 and use to log on to the system to access the personal information of all Lenovo employees.

Request Message for Logon with username 00012345 and password 000000
 

From the perspective of request packets, there is no problem

(4) use Burp Suite to traverse all octal characters starting with 000

Proof of vulnerability:

(5) Based on this, you can obtain a large number of personal information of Lenovo employees. The following is part of the information. The second column is the employee ID. Remove the values of the first two employees after 00.
 

(7) use one of them to log on and Query personal information.
 

 

In this way, you can view information about any employee of Lenovo...

Solution:

1. Do not disclose the initial password whenever possible.

2. Try to set different initial passwords for different users