A sub-site of jixiang life (logical error, sensitive information leakage, SQL injection) vulnerability Packaging

A sub-site of jixiang life (logical error, sensitive information leakage, SQL injection) vulnerability Packaging

Auspicious Life Insurance System

Http://weixin.jxlife.com.cn/jxlife/jsp/traffic_mobile_index.jsp? FromUserName =
 

Question 1 # packet capture and replay can be used to send arbitrary messages
 

POST http://weixin.jxlife.com.cn/jxlife/jsp/getPhoneCode HTTP/1.1 Accept: application/json, text/javascript, */*; q = 0.01Content-Type: application/x-www-form-urlencoded; charset = UTF-8X-Requested-With: XMLHttpRequestReferer: http://weixin.jxlife.com.cn/jxlife/jsp/traffic_mobile_index.jsp? FromUserName = Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Host: weixin.jxlife.com. cnContent-Length: 22 Connection: Keep-AlivePragma: no-cacheCookie: 229667067 = 0; JSESSIONID = response; CNZZDATA1254189807 = response-% 7C1436270012AppntPhone = the phone number you specified

In about one minute, I used replay to send 11 messages to myself. Of course, there are more.
 

2 # system design defects. The text message verification code is directly returned to the user in plaintext, resulting in any risk.
 

I got a free insurance for myself with the 13888888888 number.
 

 

 

3 # SQL Injection
 

http://weixin.jxlife.com.cn/jxlife/jsp/trafficDetailQuery.page?ContNo=900004299434&way=&QAppntIDNo=110101198808085638&QAppntPhone=13888888888

 

Parameter: ContNo (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause

 

 

Table LRPOL
 

 

Time relationship, not one by one, slow

Solution:

SQL Injection: modify the program and query parameters.

Arbitrary text message sending: the background program determines the number of sent messages and the interval, and adds a blacklist.

Delete the front-end Verification Code Return Value