A brief talk on logic vulnerabilities in app exploitation
Author: Can
Contact information: [Email protected]
Unless otherwise noted, the examples in this article are my own.
Please credit the source when reproducing this. The article is only a summary of my personal experience; it does not cover every method, just some of the most common ones. If there are any mistakes, please point them out.
0x00 About
This article mainly covers the logic vulnerabilities met while mining app vulnerabilities: arbitrary user password reset, payment vulnerabilities, and unauthorized login as an arbitrary user.
0x01 Arbitrary user password reset
First, let's look at arbitrary user password reset.
Method One: The password-recovery credential is too weak (a 4- or 6-digit purely numeric code) and stays valid for too long, so the code can be brute-forced and the user's password reset.
Here is an example that the vendor has since fixed.
The verification code is a 4-digit number; we brute-force it with Burp Suite.
The brute force succeeds. A 4-digit numeric code (0000 to 9999) has only 10,000 possibilities; with the thread count set to 10, the credential falls out within five minutes.
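To make the numbers above concrete, here is an added example (not code from the original post) that models the "check verification code" endpoint in memory and runs the same enumeration Intruder performs, once against the weak setup (4 digits, unlimited guesses, no expiry) and once against a hardened one (6 digits, five guesses, five-minute lifetime). The phone number is constructed; the `CodeVerifier` class and its status strings are this example's own design, not the vendor's.

```python
import secrets
import time

# Added example, not code from the original post: an in-memory model of the
# "check verification code" endpoint, so the Burp Intruder run above can be replayed
# offline against the weak configuration and against a rate-limited, expiring one.
# The phone number is constructed.

OK, WRONG, LOCKED, EXPIRED = "ok", "wrong", "locked", "expired"


class CodeVerifier:
    def __init__(self, digits=4, max_attempts=None, ttl=None):
        self.digits = digits
        self.max_attempts = max_attempts   # None = unlimited guesses (the weak setup)
        self.ttl = ttl                     # lifetime in seconds; None = never expires
        self.issued = {}                   # phone -> [code, issued_at, wrong_guesses]

    def issue(self, phone):
        # A CSPRNG code; in the real app it goes to the SMS gateway, never into the HTTP reply.
        code = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"
        self.issued[phone] = [code, time.time(), 0]
        return code   # returned here only so the demo can confirm the brute force hit the right value

    def check(self, phone, guess):
        entry = self.issued.get(phone)
        if entry is None:
            return WRONG
        code, issued_at, _ = entry
        if self.ttl is not None and time.time() - issued_at > self.ttl:
            del self.issued[phone]
            return EXPIRED
        if secrets.compare_digest(code, guess):
            del self.issued[phone]          # single use
            return OK
        entry[2] += 1
        if self.max_attempts is not None and entry[2] >= self.max_attempts:
            del self.issued[phone]          # burn the code; the user has to request a new one
            return LOCKED
        return WRONG


def brute_force(verifier, phone):
    # Enumerate every code of the configured length, like Intruder with a numeric payload set.
    # Returns (code or None, requests sent). Stops when the server locks or expires the code,
    # which is what an attacker watching the responses would do.
    width = verifier.digits
    for n in range(10 ** width):
        guess = f"{n:0{width}d}"
        result = verifier.check(phone, guess)
        if result == OK:
            return guess, n + 1
        if result in (LOCKED, EXPIRED):
            return None, n + 1
    return None, 10 ** width


def demo():
    phone = "13800000000"
    weak = CodeVerifier(digits=4)                              # 4 digits, unlimited tries, no expiry
    weak_code = weak.issue(phone)
    weak_hit = brute_force(weak, phone)

    strong = CodeVerifier(digits=6, max_attempts=5, ttl=300)   # 6 digits, 5 tries, 5 minutes
    strong.issue(phone)
    strong_hit = brute_force(strong, phone)
    return weak_code, weak_hit, strong_hit


if __name__ == "__main__":
    weak_code, (found, n), (miss, m) = demo()
    print(f"weak: issued {weak_code}, recovered {found} after {n} requests")
    print(f"hardened: recovered {miss}, locked out after {m} requests")
```

Against the weak verifier the loop always recovers the code, needing at most 10,000 requests; against the hardened one it is locked out after five, which gives an attacker a 5 in 1,000,000 chance per issued code, and the expiry caps how long even that window stays open. Note that the three fixes are independent: six digits without an attempt limit is still only 100 times slower to brute-force than four.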
Method Two: The verification code is transmitted in the packet.
There are two possibilities: it appears in the response packet, or it appears in the request that fetches the verification code. Let's look at an example of each.
First: The verification code is in the response packet
When you enter your phone number and click Next, we capture the request and intercept the response.
Second: The verification code is in the request that fetches the verification code
The six-digit number after Checkcode is the verification code; I have seen this once.
Method Three: After entering the credential, replace the phone number when resetting the password.
Here is an example:
This app resets the password in two steps. In the first step you enter the phone number, get the verification code and fill it in; if it is correct, the app moves to the second step, where you enter the new password. After entering the new password, we capture the request, replace the phone number with the target user's, and the reset goes through.
Method Four: Modify the contents of the response packet, changing the error result to a success.
Specifically, consider an example:
I entered a valid phone number to get the verification code, typed in a random number, and then captured the request.
Intercept the response packet and change the 1 to 0.
Method Five: When fetching the verification code, the phone number is sent in plaintext; modify it to your own number so the code is delivered to you, spoofing the verification.
I have not encountered this method while mining app vulnerabilities, so I cannot show an app instance, but there is a web instance, posted here as well; the approach is the same. Web instance author: centrifugal
Change the number to your own and you receive the verification code.
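Methods Three, Four and Five share one root cause: the server lets the client's packets carry the state that should live on the server (which phone was verified, whether verification passed, where the code should be sent). The following added example, which is not code from the original post, models the two-step reset flow in memory and replays all three packet manipulations against a service that trusts the client and against one that binds verification to a server-issued reset token. Accounts, phone numbers and the SMS "gateway" log are constructed; `reset_token` and the `status` 1/0 convention are this example's own assumptions.

```python
import secrets

# Added example, not code from the original post: an in-memory model of the two-step
# reset flow (get code -> verify code -> set new password). Phone numbers, accounts and
# the SMS "gateway" are constructed; replies use a status field of 1/0 like the app above.

class WeakResetService:
    # Every field the client sends is trusted, so Methods Three, Four and Five all work.
    def __init__(self, users):
        self.users = dict(users)      # phone -> password
        self.codes = {}               # phone -> current code
        self.sms_log = []             # (destination, code): what the gateway would send

    def send_code(self, phone, destination):
        # Method Five: the SMS goes wherever the request says, not to the account's number.
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.codes[phone] = code
        self.sms_log.append((destination, code))
        return {"status": 1}

    def verify_code(self, phone, code):
        # Method Four: the reply is only a hint for the client; nothing is recorded server-side.
        return {"status": 1 if self.codes.get(phone) == code else 0}

    def reset_password(self, phone, new_password, token=None):
        # Method Three: nothing ties the phone in this packet to the one that was verified.
        self.users[phone] = new_password
        return {"status": 1}


class HardenedResetService:
    # Verification state lives on the server and is bound to exactly one phone.
    def __init__(self, users):
        self.users = dict(users)
        self.codes = {}               # phone -> pending code
        self.tokens = {}              # reset_token -> phone
        self.sms_log = []

    def send_code(self, phone, destination=None):
        # destination is ignored: the code goes only to the registered number.
        if phone in self.users:
            code = f"{secrets.randbelow(10 ** 6):06d}"
            self.codes[phone] = code
            self.sms_log.append((phone, code))
        return {"status": 1}          # same reply either way, so the endpoint does not enumerate users

    def verify_code(self, phone, code):
        expected = self.codes.pop(phone, None)   # single use, match or not
        if expected is None or not secrets.compare_digest(expected, code):
            return {"status": 0}
        token = secrets.token_urlsafe(32)
        self.tokens[token] = phone               # the proof of verification, bound to this phone
        return {"status": 1, "reset_token": token}

    def reset_password(self, phone, new_password, token=None):
        # The phone field is ignored; the token decides whose password changes.
        bound_phone = self.tokens.pop(token, None)
        if bound_phone is None:
            return {"status": 0}
        self.users[bound_phone] = new_password
        return {"status": 1}


def phone_swap_attack(svc, attacker, victim):
    # Method Three: verify your own number, then put the victim's number in the last packet.
    svc.send_code(attacker, attacker)
    _, code = svc.sms_log[-1]
    resp = svc.verify_code(attacker, code)
    svc.reset_password(victim, "pwned", token=resp.get("reset_token"))
    return svc.users[victim] == "pwned"


def fake_success_attack(svc, victim):
    # Method Four: send a wrong code, rewrite the 0 in the reply to 1, carry on.
    svc.send_code(victim, victim)
    resp = svc.verify_code(victim, "0000")
    resp["status"] = 1                            # the tampered response packet
    svc.reset_password(victim, "pwned", token=resp.get("reset_token"))
    return svc.users[victim] == "pwned"


def redirect_sms_attack(svc, victim, attacker):
    # Method Five: request the victim's code, but point the SMS at your own number.
    svc.send_code(victim, attacker)
    destination, code = svc.sms_log[-1]
    if destination != attacker:
        return False                              # the code went to the victim; the attacker never sees it
    resp = svc.verify_code(victim, code)
    svc.reset_password(victim, "pwned", token=resp.get("reset_token"))
    return svc.users[victim] == "pwned"


USERS = {"13800000001": "victim-secret", "13900000002": "attacker-secret"}   # constructed accounts


def run_all(service_cls, victim="13800000001", attacker="13900000002"):
    return {"phone_swap": phone_swap_attack(service_cls(USERS), attacker, victim),
            "fake_success": fake_success_attack(service_cls(USERS), victim),
            "redirect_sms": redirect_sms_attack(service_cls(USERS), victim, attacker)}
```

`run_all(WeakResetService)` reports all three attacks as successful; `run_all(HardenedResetService)` reports all three as failed, with the same packet sequence. The hardened version has no "verified" flag anywhere that the client could tamper with: the only evidence of a successful verification is the single-use token, and the token, not the request, names the account whose password changes. Swapping the phone number in the final packet therefore resets the attacker's own password, not the victim's.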
0x02 Payment vulnerabilities
Method One: Modify the amount
Take a look at an example: when confirming the payment, capture the request and intercept the response packet.
Forward the modified packet and the item (a "plane cup") costs one cent ^_^
Method Two: Change the amount to a negative number.
I have not encountered this method so far, so I have no instance of it; the operation is the same.
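Both payment methods work for the same reason: the server accepts the amount from the client's packet. The added example below, which is not code from the original post, models the "confirm payment" step with a checkout that trusts the client's total beside one that recomputes it from a server-side catalogue, and replays a one-cent amount (Method One) and a negative amount (Method Two) against both. SKUs, prices, the wallet balance and the `Wallet`/`Checkout` classes are constructed for this example.

```python
from decimal import Decimal, InvalidOperation

# Added example, not code from the original post: a model of the "confirm payment" step,
# so the amount tampering of Method One (a penny) and Method Two (a negative number) can be
# replayed offline against a checkout that trusts the client and one that prices on the server.
# SKUs, prices and the wallet balance are constructed.

CATALOGUE = {"SKU-CUP-001": Decimal("199.00"), "SKU-PEN-002": Decimal("12.50")}


class Wallet:
    def __init__(self, balance):
        self.balance = Decimal(balance)

    def debit(self, amount):
        self.balance -= amount          # a negative amount silently *credits* the wallet


class WeakCheckout:
    # The total is taken from the request body exactly as it arrives.
    def create_order(self, sku, qty, client_total):
        return {"sku": sku, "qty": qty, "total": Decimal(client_total), "paid": False}

    def pay(self, order, wallet, paid_amount):
        wallet.debit(Decimal(paid_amount))
        order["paid"] = True
        return order


class HardenedCheckout:
    # The total is recomputed from the catalogue; the client's number is only cross-checked.
    def create_order(self, sku, qty, client_total):
        if sku not in CATALOGUE:
            raise ValueError("unknown sku")
        if not isinstance(qty, int) or qty < 1:
            raise ValueError("quantity must be a positive integer")   # also blocks qty = -1
        total = CATALOGUE[sku] * qty
        try:
            claimed = Decimal(str(client_total))
        except InvalidOperation:
            raise ValueError("malformed amount")
        if claimed != total:
            raise ValueError(f"amount mismatch: client sent {claimed}, server computed {total}")
        return {"sku": sku, "qty": qty, "total": total, "paid": False}

    def pay(self, order, wallet, paid_amount):
        # The gateway's callback is checked against the server-side total, not against the request.
        paid_amount = Decimal(str(paid_amount))
        if paid_amount <= 0 or paid_amount != order["total"]:
            raise ValueError("paid amount does not match order total")
        if wallet.balance < paid_amount:
            raise ValueError("insufficient balance")
        wallet.debit(paid_amount)
        order["paid"] = True
        return order


def tamper_amount(checkout, amount, sku="SKU-CUP-001", qty=1):
    # The intercepted packet with its amount field rewritten. Returns (order paid?, balance after).
    wallet = Wallet("300.00")
    try:
        order = checkout.create_order(sku, qty, amount)
        checkout.pay(order, wallet, amount)
        return order["paid"], str(wallet.balance)
    except ValueError:
        return False, str(wallet.balance)


if __name__ == "__main__":
    for amount in ("199.00", "0.01", "-199.00"):
        print(amount, "weak:", tamper_amount(WeakCheckout(), amount),
              "hardened:", tamper_amount(HardenedCheckout(), amount))
```

With the weak checkout, "0.01" buys the 199.00 item for a cent and "-199.00" leaves the wallet 199.00 richer than before. The hardened checkout rejects both at order creation, because the only number that matters is `price × qty` computed on the server; the client's amount is compared against it and never used. The same validation is repeated when the payment confirmation arrives, since a gateway callback is another packet that can be replayed or altered, and the quantity check closes the related trick of sending a negative quantity to make the server's own multiplication go negative.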
0x03 Unauthorized login as an arbitrary user
Method One: Capture the packet at login and modify the UID.
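The UID swap works when the server identifies the user by a uid field that the client sends back, instead of by something the server issued and can verify. The added example below, which is not code from the original post, shows a login that returns a bare uid (and a profile endpoint that trusts it) beside a login that returns an HMAC-signed session token from which the server derives the uid itself. The accounts, profiles, server key and token format are constructed assumptions for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Added example, not code from the original post: a login that hands the client a uid,
# followed by a request that uses it. The weak server trusts the uid in the packet; the
# hardened one derives the uid from a signed session token. Accounts, profiles and the
# server key are constructed.

SERVER_KEY = b"constructed-demo-key-do-not-reuse"   # assumption: a per-deployment secret
USERS = {"alice": ("alice-pw", 1001), "bob": ("bob-pw", 1002)}
PROFILES = {1001: {"name": "alice", "phone": "13800000001"},
            1002: {"name": "bob", "phone": "13900000002"}}


def weak_login(username, password):
    pw, uid = USERS.get(username, (None, None))
    if pw is None or not hmac.compare_digest(pw, password):
        return None
    return {"status": 1, "uid": uid}        # the client echoes this uid on every later request


def weak_profile(request):
    # Trusts whatever uid the packet carries: change 1001 -> 1002 and you read bob's profile.
    return PROFILES.get(request["uid"])


def _sign(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def hardened_login(username, password):
    pw, uid = USERS.get(username, (None, None))
    if pw is None or not hmac.compare_digest(pw, password):
        return None
    claims = {"uid": uid, "exp": int(time.time()) + 3600}
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return {"status": 1, "session": f"{payload}.{_sign(payload)}"}


def hardened_profile(request):
    # Identity comes from the session token; any uid field in the body is ignored.
    try:
        payload, sig = request["session"].split(".", 1)
    except (KeyError, ValueError):
        return None
    if not hmac.compare_digest(sig, _sign(payload)):
        return None                           # payload altered or token forged
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if claims["exp"] < time.time():
        return None
    return PROFILES.get(claims["uid"])


def uid_swap_attack():
    # Log in as alice, then try to read bob's profile three ways.
    w = weak_login("alice", "alice-pw")
    weak_read = weak_profile({"uid": w["uid"] + 1})                  # 1001 -> 1002: works
    h = hardened_login("alice", "alice-pw")
    hardened_read = hardened_profile({"session": h["session"], "uid": 1002})   # uid ignored
    payload, sig = h["session"].split(".", 1)
    claims = json.loads(base64.urlsafe_b64decode(payload))
    claims["uid"] = 1002                                             # edit the token itself
    forged = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    forged_read = hardened_profile({"session": f"{forged}.{sig}"})   # signature no longer matches
    return weak_read["name"], hardened_read["name"], forged_read


if __name__ == "__main__":
    print(uid_swap_attack())   # ('bob', 'alice', None)
```

The weak profile endpoint returns bob's data for alice's session with one digit changed, which is the packet edit the method describes. The hardened endpoint ignores the uid field entirely, and editing the uid inside the token fails the HMAC check, so the client has nothing identity-bearing that it can alter. The general rule is that any field naming *who* the request is for must be derived on the server from the authenticated session, never read from the request body.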
0x04 Summary
Fixes for the bugs above: make the password-recovery credential complex enough that it cannot be guessed, and watch for the logic problems described here: there must be no ultra vires (acting beyond one's own privileges), and important credentials must not appear where they should not.