A preliminary study of the Cloud Network online payment vulnerability (with figure) -- vulnerability research

Source: Internet
Author: User

To understand this vulnerability, you first need to understand the online payment process. Here is the official Cloud Network flow chart for reference:



The normal online payment process runs from the first step through the sixth.
The loophole appears at the second step: the third, fourth and fifth steps are bypassed, and the return information is submitted directly to the payment-success return page!
We just saw it in the animation! Only a submission page and a payment-success page on the site are involved; the payment gateway is not used at all. The money therefore never reaches the bank, so bank security is not affected. It is purely a deception!
Why is this? The problem lies in the payment interface files that Cloud Network provides to merchants. Let's take a look at these two interface files:
<%
'*******************************************
' FileName: sendorder.asp
' Main function: This demonstration program submits the merchant's order information to the Cloud Network payment gateway.
' Version: v1.6 (build2005-05-24)
' Description: Assuming the merchant's order system is already complete, this page helps the merchant submit order information to the Cloud Network Payment @ Network payment interface in the format the gateway requires, so that payment can proceed.
' Copyright: Beijing Yun-Network Unlimited Network Technology Co., Ltd.
'*******************************************

'--- Order information ---
Dim c_mid ' Merchant number; issued after the merchant application succeeds and found in the application-success e-mail
Dim c_order ' Order number generated by the merchant website; must not be duplicated
Dim c_name ' Name of the consignee in the merchant order
Dim c_address ' Address of the consignee in the merchant order
Dim c_tel ' Telephone number of the consignee in the merchant order
Dim c_post ' Zip code of the consignee in the merchant order
Dim c_email ' E-mail address of the consignee in the merchant order
Dim c_orderamount ' Total amount of the merchant order
Dim c_ymd ' Date the merchant order was generated, formatted as "YYYYMMDD", such as 20050102
Dim c_moneytype ' Payment currency, 0 for RMB
Dim c_retflag ' Whether to return to a merchant-specified file after successful payment. 0: do not return, 1: return
Dim c_paygate ' Set this value if the bank is selected on the merchant website; see Appendix I of the "Cloud Network Payment @ Network Technology Interface Manual". Leave it empty if the bank is selected at Cloud Network Payment @ Network.
Dim c_returl ' If c_retflag is 1, the path of the file to return to after successful payment
Dim c_memo1 ' Merchant parameter one, to be forwarded in the payment result notification
Dim c_memo2 ' Merchant parameter two, to be forwarded in the payment result notification
Dim c_signstr ' MD5 signature string computed by the merchant over the order information
Dim c_pass ' Payment key; log in to the merchant admin back end and find it under Account information -> Basic information -> Security information
Dim notifytype ' 0: normal notification / 1: server notification; an empty value means normal notification
Dim c_language ' When international card payment is enabled, sets the language of the bank page shown to the consumer. 0: Chinese, 1: English

c_mid = "000103"
c_order = "12345"
c_name = "John"
c_address = "xx, Chaoyang District, Peking City"
c_tel = "010-12345678"
c_post = "100001"
c_email = "Zhangsan@test.com"
c_orderamount = "0.01"
c_ymd = "20050102"
c_moneytype = "0"
c_retflag = "1"
c_paygate = ""
c_returl = "http://www.xxx.com/xxx/xxx.asp" ' Address at which the merchant receives the Cloud Network payment result notification; give the full file name
c_memo1 = "ABCDE"
c_memo2 = "12345"
c_pass = "Test"
notifytype = "0"
c_language = "0"

srcstr = c_mid & c_order & c_orderamount & c_ymd & c_moneytype & c_retflag & _
         c_returl & c_paygate & c_memo1 & c_memo2 & notifytype & c_language & c_pass
' Description: To specify the payment method (c_paygate), the user must first choose it, and the MD5 hash is then computed here from that choice. In that case this page should be split into two pages and completed in two steps.

'--- MD5 hash of the order information ---
' MD5() is not a VBScript built-in; it has to come from an MD5 helper included by the merchant (not shown on this page)
c_signstr = MD5(srcstr)

%>
<table width="85%" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td align="center">
<form name="PayForm1" action="https://www.cncard.net/purchase/getorder.asp" method="POST">
<input type="hidden" name="c_mid" value="<%=c_mid%>">
<input type="hidden" name="c_order" value="<%=c_order%>">
<input type="hidden" name="c_name" value="<%=c_name%>">
<input type="hidden" name="c_address" value="<%=c_address%>">
<input type="hidden" name="c_tel" value="<%=c_tel%>">
<input type="hidden" name="c_post" value="<%=c_post%>">
<input type="hidden" name="c_email" value="<%=c_email%>">
<input type="hidden" name="c_orderamount" value="<%=c_orderamount%>">
<input type="hidden" name="c_ymd" value="<%=c_ymd%>">
<input type="hidden" name="c_moneytype" value="<%=c_moneytype%>">
<input type="hidden" name="c_retflag" value="<%=c_retflag%>">
<input type="hidden" name="c_paygate" value="<%=c_paygate%>">
<input type="hidden" name="c_returl" value="<%=c_returl%>">
<input type="hidden" name="c_memo1" value="<%=c_memo1%>">
<input type="hidden" name="c_memo2" value="<%=c_memo2%>">
<input type="hidden" name="c_language" value="<%=c_language%>">
<input type="hidden" name="notifytype" value="<%=notifytype%>">
<input type="hidden" name="c_signstr" value="<%=c_signstr%>">
<input type="submit" name="submit" value="Click -> Cloud Net Payment @ NET">
</form>
</td>
</tr>
</table>

This is some of the key code of the page that submits order information to the Cloud Network gateway. Take note of this variable: c_signstr.
It is generated by concatenating several pieces of order information and taking the MD5 hash of the result, which gives the verification signature. This signature is the key!
But as you can see from the submission form that follows, the fields are all submitted in plaintext! Of course they have to be in plaintext; if they were encrypted, it would cause problems later on.

Let's look at the code of the page that the bank returns to after the order has been paid successfully:
<%
'*******************************************
' FileName: getpaynotify.asp
' Main function: This demonstration program receives the payment notification from the Cloud Network payment gateway, verifies that the information is valid, and determines the payment result.
' Version: v1.6 (build2005-05-24)
' Description:
' 1. Do not use page-redirect statements such as Response.Redirect in this page
' 2. Output the order processing result as HTML in this page; the Cloud Network payment gateway will fetch your output by technical means
' 3. If this page contains pictures, styles or links, give the full path or address including the domain name, such as <img src="http://www.anqn.com/pic/15/a2005-12-21-580a.gif">
' Copyright: Beijing Yun-Network Unlimited Network Technology Co., Ltd.
'*******************************************

'--- Get the payment notification sent to the merchant by the Cloud Network payment gateway (hereinafter "notification information") ---
c_mid = Request("c_mid") ' Merchant number; issued after the merchant application succeeds and found in the application-success e-mail
c_order = Request("c_order") ' Order number provided by the merchant
c_orderamount = Request("c_orderamount") ' Order total provided by the merchant, in yuan with two decimal places, such as 13.05
c_ymd = Request("c_ymd") ' Order generation date sent by the merchant, formatted as "YYYYMMDD", such as 20050102
c_transnum = Request("c_transnum") ' Transaction serial number assigned to the order by the Cloud Network payment gateway, for later queries and reconciliation
c_succmark = Request("c_succmark") ' Transaction success flag. Y: success, N: failed
c_moneytype = Request("c_moneytype") ' Payment currency, 0 for RMB
c_cause = Request("c_cause") ' If the order payment failed, the reason for the failure
c_memo1 = Request("c_memo1") ' Merchant parameter one, forwarded in the payment result notification
c_memo2 = Request("c_memo2") ' Merchant parameter two, forwarded in the payment result notification
c_signstr = Request("c_signstr") ' MD5 string computed by the Cloud Network payment gateway over the information above

'--- Verify information integrity ---
If c_mid = "" Or c_order = "" Or c_orderamount = "" Or c_ymd = "" Or c_moneytype = "" Or _
   c_transnum = "" Or c_succmark = "" Or c_signstr = "" Then
    Response.Write "Payment information is wrong"
    Response.End
End If

'--- Concatenate the notification information into the source string for the MD5 hash; the order of the fields must not be changed ---
Dim c_pass ' Merchant's payment key; log in to the merchant admin back end (https://www.cncard.net/admin/) and find the value on the admin home page
c_pass = "Test"

srcstr = c_mid & c_order & c_orderamount & c_ymd & c_transnum & c_succmark & _
         c_moneytype & c_memo1 & c_memo2 & c_pass

'--- Compute the MD5 hash of the payment notification information ---
r_signstr = MD5(srcstr)

'--- Verify that the MD5 result computed here matches the MD5 result supplied by the Cloud Network payment gateway ---
If r_signstr <> c_signstr Then
    Response.Write "Signature Verification failed"
    Response.End
End If

'--- Check the merchant number ---
Dim merchantid ' Merchant's own number (the merchant must assign it here)
If merchantid <> c_mid Then
    Response.Write "The merchant number submitted is incorrect"
    Response.End
End If

'--- Look up the order named in the notification information in the merchant order system ---
Dim conn ' Merchant system database connection (the merchant must open it)
' The bracketed table and column names are placeholders for the merchant's own schema.
' Note: c_order is concatenated into the SQL text; use a parameterized ADODB.Command in a real order system.
sql = "SELECT TOP 1 [data column] FROM [merchant order table] WHERE [merchant order number] = " & c_order
Set rs = Server.CreateObject("ADODB.Recordset")
rs.Open sql, conn
If rs.EOF Then
    Response.Write "The order information was not found"
    Response.End
End If

'--- Verify that the order amount recorded in the merchant order system matches the amount in the gateway notification ---
Dim r_orderamount ' Order amount recorded in the merchant's own system
r_orderamount = rs("Order Amount") ' Merchant obtains the value from its own order system
If CCur(r_orderamount) <> CCur(c_orderamount) Then
    Response.Write "Payment amount is wrong"
    Response.End
End If

'--- Verify that the order generation date recorded in the merchant order system matches the date in the gateway notification ---
Dim r_ymd ' Order generation date recorded in the merchant's own system
r_ymd = rs("Order generation Date") ' Merchant obtains this value from its own order system
If r_ymd <> c_ymd Then
    Response.Write "Order Time is wrong"
    Response.End
End If

'--- Verify that the forwarded parameters recorded in the merchant system match those in the gateway notification ---
Dim r_memo1 ' Forwarded parameter one as recorded in the merchant's own system
r_memo1 = rs("forwarding parameter One")
Dim r_memo2 ' Forwarded parameter two as recorded in the merchant's own system
r_memo2 = rs("forwarding parameter Two")
If r_memo1 <> c_memo1 Or r_memo2 <> c_memo2 Then
    Response.Write "Argument submitted incorrectly"
    Response.End
End If

'--- Verify that the returned payment result is in the correct format ---
If c_succmark <> "Y" And c_succmark <> "N" Then
    Response.Write "Argument submitted incorrectly"
    Response.End
End If

'--- Depending on the returned payment result, the merchant carries out shipment and other operations ---
If c_succmark = "Y" Then
    ' Carry out delivery and related operations according to the merchant's own business rules
End If
%>

We can see that the signature is validated by concatenating the bank's feedback with the information submitted on the submission page.
Let's see how the signature is validated:
'--- Concatenate the notification information into the source string for the MD5 hash; the order of the fields must not be changed ---
Dim c_pass ' Merchant's payment key; log in to the merchant admin back end (https://www.cncard.net/admin/) and find the value on the admin home page
c_pass = "Test"

srcstr = c_mid & c_order & c_orderamount & c_ymd & c_transnum & _
         c_succmark & c_moneytype & c_memo1 & c_memo2 & c_pass

'--- Compute the MD5 hash of the payment notification information ---
r_signstr = MD5(srcstr)

'--- Verify that the MD5 result computed here matches the MD5 result supplied by the Cloud Network payment gateway ---
If r_signstr <> c_signstr Then
    Response.Write "Signature Verification failed"
    Response.End
End If
The signature is computed, and later validated, from the information that is submitted. And the merchant's payment key can be obtained at the submission page! Here the program has to concatenate the values together.
We don't need to: all we need is to make r_signstr equal to c_signstr! I won't tell you how to cheat!
As for the other checks, there is no encryption; it is all plaintext! They are easy to pass!
PS: The author also sent out an animation of a different online payment vulnerability; I deleted it without watching it. Do you believe in this animation? I don't believe it!
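
A merchant-side check for the notification described above, as an added example in Python (not Cloud Network's code and not from the original article): it recomputes the MD5 signature in the field order shown in getpaynotify.asp, refuses to run with the sample key "Test", compares in constant time and rejects repeated notifications. The function names, the layout of the `orders` dictionary, UTF-8 encoding and a lowercase-hex signature are assumptions.

```python
import hashlib
import hmac
from decimal import Decimal, InvalidOperation

SAMPLE_KEYS = {"Test", "test", ""}  # "Test" is the key in the sample files; the others are assumed

# Field order copied from getpaynotify.asp on this page; c_pass is appended last.
NOTIFY_FIELDS = ("c_mid", "c_order", "c_orderamount", "c_ymd", "c_transnum",
                 "c_succmark", "c_moneytype", "c_memo1", "c_memo2")


def notify_signature(fields, c_pass):
    """MD5 hex digest of the concatenated notification fields plus the payment key."""
    src = "".join(fields.get(name, "") for name in NOTIFY_FIELDS) + c_pass
    return hashlib.md5(src.encode("utf-8")).hexdigest()


def same_amount(a, b):
    """Compare amounts numerically so "0.01" and "0.010" are equal."""
    try:
        return Decimal(a) == Decimal(b)
    except InvalidOperation:
        return False


def check_notification(fields, c_pass, merchant_id, orders, seen_transnums):
    """Return (accepted, reason); `orders` maps order number -> merchant record."""
    if c_pass in SAMPLE_KEYS:
        return False, "payment key is still the sample value"
    expected = notify_signature(fields, c_pass).encode("ascii")
    supplied = fields.get("c_signstr", "").lower().encode("utf-8")  # lowercase hex assumed
    if not hmac.compare_digest(expected, supplied):  # constant-time comparison
        return False, "signature mismatch"
    if fields.get("c_mid") != merchant_id:
        return False, "wrong merchant number"
    order = orders.get(fields.get("c_order"))
    if order is None:
        return False, "unknown order"
    if not same_amount(order["amount"], fields.get("c_orderamount", "")) \
            or order["ymd"] != fields.get("c_ymd"):
        return False, "amount or date differs from merchant record"
    if order["paid"] or fields.get("c_transnum") in seen_transnums:
        return False, "notification already processed"
    if fields.get("c_succmark") != "Y":
        return False, "gateway reported failure"
    seen_transnums.add(fields.get("c_transnum", ""))
    order["paid"] = True  # mark paid before shipping so a replay cannot ship twice
    return True, "ok"
```

The signature only proves knowledge of the payment key, so the key must be unique per merchant and kept on the server; where the gateway offers server notification (notifytype 1), the order should be marked paid from that channel rather than from the browser return page.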
