Experience Sharing: Selected Vulnerabilities from the First Quarter of the Vulnerability Mining Alliance

Source: Internet
Author: User

0x00 Preface

From March 10 to 28, 2016, the team competition of the "Vulnerability Mining Alliance" was in full swing. The editor has carefully picked out the most notable vulnerabilities from this round of the league, and hopes readers will take something away from them. We believe that after this round of security testing and remediation, the vendors' security posture has improved as well.

0x01 Password Retrieval Bypass

China Insurance Mall: arbitrary user login bypass (vulbox-2016-016879)

Password reset is usually split into several steps. Responsible vendors re-verify the SMS code in the final step as well, so the first idea that comes to mind is brute-forcing the SMS code. If brute-force attempts are rate-limited, is the flow then completely secure?

China Insurance Mall ran into exactly this kind of problem in its password reset: during the reset flow, modifying the response packet bypasses the SMS verification page.

In the last step, enter the new password:

Enter the new password, click Next, and capture the request packet.

We can see that the SMS verification code is still transmitted in the request packet, so server-side verification fails. The server cannot be fooled, but don't give up on the browser: modify the status code in the response to true again, and the browser is fooled.

After a reset the user is usually logged in automatically, so try refreshing the page.

In the end, we lied to the browser, and the browser lied to the server.

0x02 Condition Bypass

Zhaoxing Handheld Life app: bypassing limits to obtain large quantities of goods (vulbox-2016-017284)

Bonus hunting is a common problem nowadays. For example, coupons or even free items are given only on first registration, or each user gets only one chance in a flash-sale promotion. Most bonus hunters use large numbers of mobile phone numbers to collect the discounts, but there are simpler ways to get the same result by exploiting vendor vulnerabilities.

In a bank app, goods can be flash-bought for ultra-low points, and each person has only one chance.

Click Buy Now.

Capture the packet, enable a large number of threads, and replay the request concurrently.

A batch of valid coupons is obtained. The white hat, however, did not use any tool or packet replay at all: they just used a "Qilin arm" (a tireless clicking arm) to press "Buy Now", then "Back", and repeat, and ended up with that many coupons. The cost of this kind of bonus hunting is very low; all it takes is a tireless arm.
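The replay described above is a check-then-act race: every concurrent "Buy Now" request reads "no coupon issued yet" before any of them writes. The following is an added example, not code from the article or from the vendor, that simulates the replay with threads against a claim function that checks and writes separately and against one that does both atomically. The store, user id and coupon codes are constructed for the demonstration.

```python
import threading
import time


class CouponStore:
    """In-memory stand-in for the vendor's coupon table (constructed for this example)."""

    def __init__(self):
        self.issued = {}            # user_id -> list of coupon codes
        self.lock = threading.Lock()
        self.counter = 0

    def _mint(self, user_id):
        self.counter += 1
        code = f"CPN-{self.counter:04d}"
        self.issued.setdefault(user_id, []).append(code)
        return code

    def claim_vulnerable(self, user_id):
        """Check, then act, with nothing making the pair atomic: every request
        that arrives during the window sees 'not issued yet' and mints a coupon."""
        if user_id in self.issued:
            return None
        time.sleep(0.05)            # stands in for DB/network latency between check and write
        return self._mint(user_id)

    def claim_atomic(self, user_id):
        """Check and write under one lock. In a real backend the equivalent is a
        UNIQUE(user_id, activity_id) constraint or a row lock, so the 'one per user'
        rule is enforced by the store rather than by the client's UI."""
        with self.lock:
            if user_id in self.issued:
                return None
            time.sleep(0.05)        # same latency; the lock makes it harmless
            return self._mint(user_id)


def replay(claim, user_id, threads=40):
    """Fire `threads` concurrent claims for one user, like a captured 'Buy Now'
    request replayed on many threads. Returns the coupon codes actually issued."""
    results = []

    def worker():
        results.append(claim(user_id))

    workers = [threading.Thread(target=worker) for _ in range(threads)]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    return [code for code in results if code is not None]


def demo():
    """Return (coupons issued by the racy store, coupons issued by the atomic store)."""
    racy = replay(CouponStore().claim_vulnerable, "user-123")
    safe = replay(CouponStore().claim_atomic, "user-123")
    return len(racy), len(safe)


if __name__ == "__main__":
    racy, safe = demo()
    print(f"racy store issued {racy} coupons, atomic store issued {safe}")
```

The sleep is only there to make the window wide enough to hit reliably on one machine; in production the window is the round trip to the database, which is exactly what a replayed packet or a tireless clicking arm fills.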

0x03 Login Bypass

Sunshine Insurance app: login bypass leaking user information (vulbox-2016-017702)

There can be many problems at a login endpoint; an injection there leads to universal login. In one insurance app, enter any mobile phone number at the login page.

The response after a normal submission:

Submit again, capture the packet, and splice in the SQL statement.

Universal login.
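The "splice in the SQL statement" step only works when user input is concatenated into the query text. As an added example that is not the article's or the app's code, here is the pattern to look for in code review beside its parameterized replacement, run against a constructed in-memory SQLite table. The sample phone number and password are made up, and the hash is plain SHA-256 only to keep the focus on the query; a real credential store should use a slow, salted KDF.

```python
import hashlib
import sqlite3


def build_db():
    """Constructed users table with one account, shared by both login functions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (phone TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.execute(
        "INSERT INTO users VALUES (?, ?)",
        ("13800000001", hashlib.sha256(b"correct-horse-battery").hexdigest()),
    )
    conn.commit()
    return conn


def login_vulnerable(conn, phone, password):
    """The review finding: `phone` is pasted into the SQL text, so characters in it
    are interpreted as SQL grammar instead of as a literal value."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = f"SELECT phone FROM users WHERE phone = '{phone}' AND pw_hash = '{pw_hash}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, phone, password):
    """Fix: bind values through placeholders. The driver sends them as data, so the
    query shape is fixed no matter what the phone field contains."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT phone FROM users WHERE phone = ? AND pw_hash = ?",
        (phone, pw_hash),
    ).fetchone()
    return row[0] if row else None


def compare(phone_field, password):
    """Run the same submitted credentials through both implementations."""
    conn = build_db()
    return login_vulnerable(conn, phone_field, password), login_safe(conn, phone_field, password)


if __name__ == "__main__":
    print(compare("13800000001", "correct-horse-battery"))
    # A phone field that closes the quote and comments out the password check:
    print(compare("13800000001' --", "wrong-password"))
```

In a log review, a phone field containing a quote or a comment sequence is the signal to alert on; in the fixed version the same field is just a string that matches no row.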

0x04 Account Modification Bypass

Yi Long Loan main site: logic vulnerability allows changing other users' account settings under certain conditions (vulbox-2016-016600)

Financial applications usually have a payment password so that assets are not lost when a user's account credentials leak, and sensitive personal information is masked. So even with the account, an attacker cannot read sensitive information or perform sensitive operations after logging in. A P2P lending site had all of these protections in place, yet still carried risk. First, my sensitive information is masked:

However, simply clicking "Modify information" shows all of the personal information in full.

Having obtained the user's sensitive information, the next step is a sensitive operation such as a transfer or withdrawal. That requires the payment password, so we set out to retrieve it.

The ID (credential) number was already obtained through the vulnerability above, so the next factor is email verification. Trying to bind an email address prompts a failure.

Presumably only a user-authenticated email address can be bound, so first modify the email address in the personal information area.

Then the binding succeeds.

The payment password can be reset successfully.
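The two weaknesses in this section are that the "Modify information" endpoint returned what the profile page masked, and that a freely editable contact email counted as a verified recovery channel. As an added example, not the site's code, here is one way to structure the profile so both holes close: a single serializer applied to every endpoint that returns the profile, and a recovery email that is bound only after a confirmation code sent to that address is entered. All profile values, names and codes below are constructed.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Profile:
    user_id: str
    real_name: str
    id_number: str                        # government credential number
    phone: str
    contact_email: str                    # user-editable, informational only
    verified_email: Optional[str] = None  # set only by confirm_recovery_email()


def mask(value: str, head: int, tail: int) -> str:
    """Keep `head` leading and `tail` trailing characters, star out the rest."""
    if len(value) <= head + tail:
        return "*" * len(value)
    return value[:head] + "*" * (len(value) - head - tail) + value[len(value) - tail:]


def mask_email(email: str) -> str:
    local, _, domain = email.partition("@")
    return mask(local, 1, 1) + "@" + domain


def serialize(profile: Profile) -> Dict[str, str]:
    """The ONE representation handed to the client, whether the request came from
    the profile page or from the 'modify information' form. Editable fields are
    returned masked as well; the form submits only the values the user changes."""
    return {
        "user_id": profile.user_id,
        "real_name": mask(profile.real_name, 1, 0),
        "id_number": mask(profile.id_number, 3, 4),
        "phone": mask(profile.phone, 3, 4),
        "contact_email": mask_email(profile.contact_email),
    }


def update_contact_email(profile: Profile, new_email: str) -> None:
    """Editing the contact email never touches the verified recovery address."""
    profile.contact_email = new_email


PENDING_CODES: Dict[str, str] = {}   # email -> confirmation code (stand-in for an outbox)


def request_recovery_email(profile: Profile, email: str) -> str:
    """Send a code to the address the user wants to bind. It is returned here only
    so the example can simulate the mailbox owner reading it."""
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING_CODES[email] = code
    return code


def confirm_recovery_email(profile: Profile, email: str, code: str) -> bool:
    """Binding succeeds only with the code that was delivered to that mailbox."""
    expected = PENDING_CODES.get(email, "")
    if not expected or not hmac.compare_digest(code, expected):
        return False
    del PENDING_CODES[email]
    profile.verified_email = email
    return True


def reset_payment_password(profile: Profile, via_email: str) -> str:
    """Payment-password recovery accepts only the verified address."""
    if profile.verified_email is None or via_email != profile.verified_email:
        raise PermissionError("recovery email has not been verified")
    return "reset-allowed"
```

The point of keeping `contact_email` and `verified_email` as separate fields is that a profile edit, which the page shows needs no extra proof, can never by itself promote an address into a recovery factor.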

0x05 Reset Any User's Password

Web Treasure: reset any user's password (vulbox-2016-016589)

When a password reset is started, the server returns a sessionid.

In the last step of the reset, the Cookie carries the sessionid and the body contains no username field. Presumably the sessionid is an encrypted form of the user identity, or an ID bound to the user on the server side.

Based on this conjecture: first enter another user's mobile number, start the password reset, and obtain the sessionid for that number. Then run the reset with your own mobile number, and in the last step replace the sessionid in the Cookie; the other user's password is reset.
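Both the response-tampering case in 0x01 and the sessionid swap in this section come down to one design question: where does the server get the fact "SMS verification passed for account X"? The following added example, not code from either vendor, carries that fact in a server-signed token that names the account and the stage reached. The client can neither advance the stage by editing a response nor transfer a verified stage to another account by swapping identifiers, because a token started for another number never reaches the verified stage without that number's code. The key, OTP store, phone numbers and user table are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict

SERVER_KEY = secrets.token_bytes(32)   # known only to the server (constructed here)
TOKEN_TTL = 600                        # seconds a reset flow may take

OTP_STORE: Dict[str, str] = {}         # phone -> code currently valid (stand-in for the SMS gateway)
PASSWORDS: Dict[str, str] = {}         # phone -> password (stand-in for the user table)


def sign_claims(claims: dict) -> str:
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def read_claims(token: str) -> dict:
    """Reject anything not produced by sign_claims(), and anything too old."""
    body, _, mac = token.rpartition(".")
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise PermissionError("token was not issued by this server")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if time.time() - claims["iat"] > TOKEN_TTL:
        raise PermissionError("reset flow expired")
    return claims


def start_reset(phone: str) -> str:
    """Step 1: the token records WHICH account, and that only 'started' was reached."""
    OTP_STORE[phone] = f"{secrets.randbelow(10**6):06d}"
    return sign_claims({"phone": phone, "stage": "started", "iat": time.time()})


def verify_sms(token: str, code: str):
    """Step 2: the stage advances only here, only for the phone inside the token,
    and only when the code matches. Nothing the client reports is stored."""
    claims = read_claims(token)
    if claims["stage"] != "started":
        raise PermissionError("unexpected stage")
    if not hmac.compare_digest(code, OTP_STORE.get(claims["phone"], "")):
        return None
    del OTP_STORE[claims["phone"]]
    return sign_claims({"phone": claims["phone"], "stage": "verified", "iat": time.time()})


def set_new_password(token: str, new_password: str) -> str:
    """Step 3: the account comes from the token, never from a body field or a
    cookie value the client chose, and the token must carry the 'verified' stage."""
    claims = read_claims(token)
    if claims["stage"] != "verified":
        raise PermissionError("SMS verification not completed for this account")
    PASSWORDS[claims["phone"]] = new_password
    return claims["phone"]
```

Compared with an opaque sessionid, the signed token makes the server's own audit easy: a step-3 request whose token is still at "started" is exactly the 0x01 pattern, and a step-3 token naming a different phone than the one that passed step 2 cannot exist at all.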

0x06 Unauthorized Access

Guolian Securities: unauthorized access leading to a large-scale user password leak (vulbox-2016-016610)

First, following various hints, find the page that exposes user information without authorization.

A column named HTTPPassword is found; the username and password-hash fields are extracted with a script, and John is used to crack them, recovering a large number of user passwords. Two of the ciphertexts are pasted here for readers to identify the hashing algorithm: (Gn0hLj/3RI66QBciXeOT) (G60/bu2yEvEGqfe/gA/c)
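Two controls decide how bad a page like this is: whether the user listing checks authorization at all, and how expensive the stored hashes are to crack once they leak. As an added example, not the site's code, here is a listing endpoint that checks the requester's role and never includes the credential column, together with salted scrypt storage whose per-guess cost is what slows down a cracking tool such as John. The user names, roles and passwords are constructed.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List

# scrypt cost parameters: N=2**14, r=8 means roughly 16 MiB of memory per guess.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str) -> str:
    """Random 16-byte salt per user, so one cracking run cannot cover every account,
    and an scrypt cost that makes each guess slow and memory-hungry."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt$" + base64.b64encode(salt).decode() + "$" + base64.b64encode(digest).decode()


def verify_password(password: str, stored: str) -> bool:
    try:
        algo, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    salt = base64.b64decode(salt_b64)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(digest, base64.b64decode(digest_b64))


# Constructed user table
USERS: Dict[str, dict] = {
    "ops-admin": {"role": "admin", "pw_hash": hash_password("admin-passphrase-1")},
    "customer-1": {"role": "user", "pw_hash": hash_password("hunter2-but-longer")},
}


def list_users(requester: str) -> List[dict]:
    """Admin-only, and the credential column is never part of the response, so an
    authorization slip elsewhere cannot turn into a hash dump."""
    if USERS.get(requester, {}).get("role") != "admin":
        raise PermissionError("user listing requires the admin role")
    return [{"name": name, "role": rec["role"]} for name, rec in USERS.items()]


def login(name: str, password: str) -> bool:
    rec = USERS.get(name)
    return rec is not None and verify_password(password, rec["pw_hash"])
```

Keeping the hash out of every read model, not just the public one, is the cheaper of the two controls; the KDF cost is what buys time to rotate credentials when the listing leaks anyway.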
