Chengtong Network Disk (400gb.com) has a hidden danger in its VIP orders: one-click VIP activation plus a System Administrator title (although it seems to grant no actual permissions)
When you pay for the VIP service, Chengtong Network Disk submits a relatively safe order id to the payment step, which is safer than transmitting the amount directly.
However, like most vendors, it uses a simple sequential format for the order id: 1, 2, 3, 4, ..., n-1, n. Ids in this format can therefore be traversed (the book 《White Hat Professionals Talk about Web Security》 tells this story).
Read the book yourself for the details.
After a quick look, Chengtong Network Disk offers 9 different packages in total.
The first one has id 2.
This is where the problem shows up: the first id is not 1 but 2, which suggests that id = 1 was either deleted or belongs to another plan that is not displayed.
Then change the purchase link to:
http://home.400gb.com/mydisk.php?item=vip&action=pay&viptype=1
Submit. The order is created normally.
Checking afterwards, this turns out to be a magic order:
VIP is activated for free, and the account title becomes System Administrator.
So viptype = 1 is a non-public plan used by the administrator.
However, because viptype can be traversed, plan 1 is exposed.
(In addition, other people's files can be deleted without authorization; please test this yourselves.
Leave a note if you need help!)
Solution:
For viptype = 1, grant it to the designated users from the backend instead.
Tested by: imlonghao and wooyun
Alternatively, change viptype to a random parameter that is not easily traversed, for example:
viptype = r14718y4
viptype = hg894h0g
viptype = g3d289dg
etc.
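The following is an added example and is not code from the report or from 400gb.com. It is a Python stand-in for a purchase endpoint like mydisk.php?item=vip&action=pay&viptype=..., showing the pattern the report describes (the client's viptype is trusted as-is, and order ids are a counter) next to a hardened handler that keeps a server-side allow-list of purchasable plans, binds order lookups to the requesting user, and uses opaque random ids for plans and orders. The plan catalogue, prices, user records and storage are all constructed for illustration.

```python
"""Added example (not code from the 400gb.com report or the site itself).
Python stand-in for a PHP endpoint like mydisk.php?item=vip&action=pay&viptype=...
Plan ids, prices, user records and order storage here are all constructed."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Plan:
    plan_id: str   # opaque identifier, not a counter
    name: str
    price: int     # constructed price, in cents
    public: bool   # may it be bought through the self-service page?


# Constructed catalogue. "hg894h0g" plays the role of the report's viptype=1:
# an internal plan that must never be reachable from the purchase link.
PLANS = {
    "hg894h0g": Plan("hg894h0g", "Admin VIP (internal)", 0, public=False),
    "r14718y4": Plan("r14718y4", "VIP 1 month", 1000, public=True),
    "g3d289dg": Plan("g3d289dg", "VIP 12 months", 9900, public=True),
}

# Legacy sequential numbering as described in the report: 1 is the hidden
# plan, the public plans start at 2.
LEGACY_VIPTYPE = {1: "hg894h0g", 2: "r14718y4", 3: "g3d289dg"}

ORDERS: dict[str, dict] = {}      # hardened store: opaque order ids
LEGACY_ORDERS: list[dict] = []    # vulnerable store: order id == index + 1


class PurchaseDenied(Exception):
    pass


def create_vip_order_vulnerable(user: dict, viptype: int) -> dict:
    """The pattern the report describes: whatever viptype the client sends is
    looked up and ordered, with no check that the plan is public, and the
    order id is a predictable counter."""
    plan = PLANS[LEGACY_VIPTYPE[viptype]]
    order = {"order_id": len(LEGACY_ORDERS) + 1, "user": user["name"],
             "plan": plan.name, "amount": plan.price}
    LEGACY_ORDERS.append(order)
    return order


def create_vip_order(user: dict, viptype: str) -> dict:
    """Hardened handler: server-side allow-list on the plan plus opaque ids."""
    plan = PLANS.get(viptype)
    if plan is None:
        raise PurchaseDenied("unknown plan")
    # Non-public plans are granted only by admins from the backend,
    # never through the self-service purchase link.
    if not plan.public and not user.get("is_admin", False):
        raise PurchaseDenied("plan is not available for purchase")
    order = {"order_id": secrets.token_urlsafe(16), "user": user["name"],
             "plan": plan.name, "amount": plan.price}
    ORDERS[order["order_id"]] = order
    return order


def get_order(user: dict, order_id: str) -> dict:
    """Order lookup bound to the requesting user, so an order id on its own
    (guessed or leaked) is not enough to read another user's order."""
    order = ORDERS.get(order_id)
    if order is None or order["user"] != user["name"]:
        raise PurchaseDenied("no such order")
    return order


def purchasable_plan_ids() -> list[str]:
    """What the plan picker should render: public plans only."""
    return [p.plan_id for p in PLANS.values() if p.public]


def new_plan_id() -> str:
    """Opaque id for a new plan, in the spirit of the report's r14718y4-style
    suggestion but drawn from a CSPRNG rather than hand-picked (8 characters)."""
    return secrets.token_urlsafe(6)


if __name__ == "__main__":
    alice = {"name": "alice", "is_admin": False}
    print(create_vip_order_vulnerable(alice, 1))   # hidden plan, amount 0
    try:
        create_vip_order(alice, "hg894h0g")
    except PurchaseDenied as exc:
        print("hardened:", exc)
    print(create_vip_order(alice, "r14718y4"))
```

The key point is that the random identifier alone is only half of the fix: it stops traversal, but the allow-list check in create_vip_order is what prevents a leaked or guessed internal id from being purchased, and the ownership check in get_order is what keeps order ids from being useful to anyone but their owner.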