To understand this vulnerability, you first need to understand the online payment process. Here we refer to the cloud network's official flowchart:
The normal online payment process runs from Step 1 to Step 6.
The vulnerability occurs at Step 2: Steps 3, 4 and 5 are bypassed, and the return information is submitted directly to the return page, which then reports a successful payment!
We just saw it in the animation! The website has only one submission page and one payment-success page. The payment does not go through the gateway at all, so no money is transferred to the bank and the bank's security is not affected. It's just a lie!
Why? The problem lies in the payment interface files that the cloud network provides to merchants. Let's take a look at the two interface files it provides:
<%
'*******************************************
'File name: SendOrder.asp
'Main function: This demo program submits the merchant's order information to the cloud network payment gateway.
'Version: v1.6 (Build2005-05-24)
'Description: Assumes that the merchant's order system is already in place. This page helps the merchant submit the order information to the cloud network payment @ net interface in the format the gateway requires, so that payment can be made.
'Copyright: Beijing cloud Network Technology Co., Ltd.
'*******************************************
'--- Order information ---
Dim c_mid 'Merchant ID, issued once the merchant application is approved; it is given in the approval email
Dim c_order 'Order number generated by the merchant's website. It must not be repeated.
Dim c_name 'Name of the receiver in the merchant order
Dim c_address 'Receiver's address in the merchant order
Dim c_tel 'Receiver's phone number in the merchant order
Dim c_post 'Receiver's zip code in the merchant order
Dim c_email 'Receiver's email in the merchant order
Dim c_orderamount 'Total amount of the merchant order
Dim c_ymd 'Date the merchant order was generated, format "yyyymmdd", such as 20050102
Dim c_moneytype 'Payment currency, 0 is RMB
Dim c_retflag 'Whether to return to the file specified by the merchant after the order is paid successfully. 0: no return needed, 1: return required
Dim c_paygate 'Set this value if the bank is selected on the merchant's website; for the specific values, see Appendix 1 of the cloud payment @ net technical interface manual. If the bank is selected on cloud network payment @ net, leave it empty.
Dim c_returl 'If c_retflag is 1, the path of the file to return to after successful payment
Dim c_memo1 'Merchant parameter 1 to be forwarded in the payment result notification
Dim c_memo2 'Merchant parameter 2 to be forwarded in the payment result notification
Dim c_signstr 'Merchant's MD5 signature string for the order information
Dim c_pass 'Payment key. Log on to the merchant management background and go to account info > basic info > security info > payment key
Dim policytype '0 normal notification method / 1 server notification method; an empty value means the normal notification method
Dim c_language 'When international card payment is enabled, this value sets the language of the bank payment page shown to the consumer. 0: Chinese, 1: English
Dim srcStr 'Source string for the MD5 signature
c_mid = "000103"
c_order = "12345"
c_name = "James"
c_address = "XX, Chaoyang District, Beijing"
c_tel = "010-12345678"
c_post = "100001"
c_email = "zhangsan@test.com"
c_orderamount = "0.01"
c_ymd = "20050102"
c_moneytype = "0"
c_retflag = "1"
c_paygate = ""
c_returl = "http://www.xxx.com/xxx/xxx.asp" 'The page on which the merchant receives the cloud network payment result notification; give the complete file name
c_memo1 = "ABCDE"
c_memo2 = "12345"
c_pass = "Test"
policytype = "0"
c_language = "0"
srcStr = c_mid & c_order & c_orderamount & c_ymd & c_moneytype & c_retflag & _
         c_returl & c_paygate & c_memo1 & c_memo2 & policytype & c_language & c_pass
'Note: If you want to specify the payment method (c_paygate), the payment method must be selected first and the MD5 value computed from the selected result. In that case this page has to be split into two pages, completed in two steps.
'--- Perform MD5 encryption on the order information
c_signstr = MD5(srcStr)
%>
<table width="85%" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td align="center">
<form name="payForm1" action="https://www.cncard.net/purchase/getorder.asp" method="POST">
<input type="hidden" name="c_mid" value="<%= c_mid %>">
<input type="hidden" name="c_order" value="<%= c_order %>">
<input type="hidden" name="c_name" value="<%= c_name %>">
<input type="hidden" name="c_address" value="<%= c_address %>">
<input type="hidden" name="c_tel" value="<%= c_tel %>">
<input type="hidden" name="c_post" value="<%= c_post %>">
<input type="hidden" name="c_email" value="<%= c_email %>">
<input type="hidden" name="c_orderamount" value="<%= c_orderamount %>">
<input type="hidden" name="c_ymd" value="<%= c_ymd %>">
<input type="hidden" name="c_moneytype" value="<%= c_moneytype %>">
<input type="hidden" name="c_retflag" value="<%= c_retflag %>">
<input type="hidden" name="c_paygate" value="<%= c_paygate %>">
<input type="hidden" name="c_returl" value="<%= c_returl %>">
<input type="hidden" name="c_memo1" value="<%= c_memo1 %>">
<input type="hidden" name="c_memo2" value="<%= c_memo2 %>">
<input type="hidden" name="c_language" value="<%= c_language %>">
<input type="hidden" name="yytype" value="<%= policytype %>">
<input type="hidden" name="c_signstr" value="<%= c_signstr %>">
<input type="submit" name="submit" value="Click-> cloud payment @ net">
</form>
</td>
</tr>
</table>
This is the key code of the page that submits order information to the cloud network gateway! Note the variable c_signstr: it is generated by concatenating several fields of the order and hashing the result with MD5 to produce a verification signature. This signature is a key.
But from the submission form that follows, we can see that the fields are all submitted in plain text! Of course, plain text has to be used. If they were encrypted, there would be problems later!
Next, let's look at the code of the page that receives the success information returned by the bank after the order is paid:
<%
'*******************************************
'File name: getpaypolicy.asp
'Main function: This demo program receives the payment notification sent by the cloud network payment gateway, verifies that the information is valid, and determines the payment result.
'Version: v1.6 (Build2005-05-24)
'Note:
'1. Do not use page redirection statements such as Response.Redirect on this page.
'2. Output the order processing result directly as HTML on this page. The cloud payment gateway will use technical means to obtain your output.
'3. If this page contains images, styles, or links, give the path or address including the domain name.
'Copyright: Beijing cloud Network Technology Co., Ltd.
'*******************************************
'--- Obtain the payment notification information (hereinafter "the notification information") sent by the cloud network payment gateway to the merchant
c_mid = Request("c_mid") 'Merchant ID, issued once the merchant application is approved; it is given in the approval email
c_order = Request("c_order") 'Order number provided by the merchant
c_orderamount = Request("c_orderamount") 'Total order amount provided by the merchant, in yuan with two decimal places, for example 13.05
c_ymd = Request("c_ymd") 'Date the order was generated by the merchant, format "yyyymmdd", such as 20050102
c_transnum = Request("c_transnum") 'Transaction serial number of the order, provided by the cloud payment gateway for later query and verification
c_succmark = Request("c_succmark") 'Transaction result. Y: success, N: failure
c_moneytype = Request("c_moneytype") 'Payment currency, 0 is RMB
c_cause = Request("c_cause") 'If the order payment failed, the cause of the failure
c_memo1 = Request("c_memo1") 'Merchant parameter 1 to be forwarded in the payment result notification
c_memo2 = Request("c_memo2") 'Merchant parameter 2 to be forwarded in the payment result notification
c_signstr = Request("c_signstr") 'MD5 string computed by the cloud payment gateway over the notification information
'--- Verify information integrity ---
If c_mid = "" Or c_order = "" Or c_orderamount = "" Or c_ymd = "" Or c_moneytype = "" Or _
   c_transnum = "" Or c_succmark = "" Or c_signstr = "" Then
    Response.Write "incorrect payment information"
    Response.End
End If
'--- Splice the received notification information into a string as the source string for MD5 encryption. Note that the order of the strings cannot be changed.
Dim c_pass 'Merchant's payment key; log on to the merchant management background (https://www.cncard.net/admin/) and find this value on the management home page
c_pass = "Test"
srcStr = c_mid & c_order & c_orderamount & c_ymd & c_transnum & c_succmark & _
         c_moneytype & c_memo1 & c_memo2 & c_pass
'--- Perform MD5 encryption on the payment notification information
r_signstr = MD5(srcStr)
'--- Check whether the MD5 result computed by the merchant's website matches the MD5 result provided by the cloud payment gateway
If r_signstr <> c_signstr Then
    Response.Write "Signature Verification Failed"
    Response.End
End If
'--- Verify the merchant ID
Dim MerchantID 'Merchant's ID (the demo declares it without assigning a value; the merchant sets it here)
If MerchantID <> c_mid Then
    Response.Write "Incorrect merchant Id submitted"
    Response.End
End If
'--- Check whether the order information returned by the notification is in the merchant's order system
Dim conn 'Database connection of the merchant's system
'Table and column names below are the demo's placeholders; c_order comes from the request and is concatenated into the query as-is
sql = "select top 1 data column from Merchant Order table where Merchant Order Number =" & c_order
Set rs = Server.CreateObject("ADODB.Recordset")
rs.Open sql, conn
If rs.EOF Then
    Response.Write "this order information not found"
    Response.End
End If
'--- Check whether the order amount recorded in the merchant's order system matches the amount in the cloud payment gateway notification
Dim r_orderamount 'Order amount recorded by the merchant's system
r_orderamount = rs("order amount") 'The merchant obtains this value from its own order system
If CCur(r_orderamount) <> CCur(c_orderamount) Then
    Response.Write "incorrect payment amount"
    Response.End
End If
'--- Check whether the order generation date recorded in the merchant's order system matches the date in the cloud payment gateway notification
Dim r_ymd 'Order generation date recorded by the merchant's system
r_ymd = rs("Order generation date") 'The merchant obtains this value from its own order system
If r_ymd <> c_ymd Then
    Response.Write "Incorrect order time"
    Response.End
End If
'--- Check whether the forwarded parameters recorded in the merchant's system match those in the cloud network payment gateway notification
Dim r_memo1 'Parameter 1 to be forwarded in the payment result notification, as recorded by the merchant's system
r_memo1 = rs("forwarding parameter 1")
Dim r_memo2 'Parameter 2 to be forwarded in the payment result notification, as recorded by the merchant's system
r_memo2 = rs("forwarding parameter 2")
If r_memo1 <> c_memo1 Or r_memo2 <> c_memo2 Then
    Response.Write "Incorrect Parameter submission"
    Response.End
End If
'--- Check whether the format of the returned payment result is correct
If c_succmark <> "Y" And c_succmark <> "N" Then
    Response.Write "Incorrect Parameter submission"
    Response.End
End If
'--- Based on the returned payment result, the merchant performs its own shipping and other operations
If c_succmark = "Y" Then
    'Perform shipping and other operations according to the merchant's own business rules
End If
%>
We can see that its signature verification works by concatenating the information returned by the bank with the information submitted on the submission page.
First, let's look at how the signature is verified:
'--- Splice the received notification information into a string as the source string for MD5 encryption. Note that the order of the strings cannot be changed.
Dim c_pass 'Merchant's payment key; log on to the merchant management background (https://www.cncard.net/admin/) and find this value on the management home page
c_pass = "Test"
srcStr = c_mid & c_order & c_orderamount & c_ymd & c_transnum & _
         c_succmark & c_moneytype & c_memo1 & c_memo2 & c_pass
'--- Perform MD5 encryption on the payment notification information
r_signstr = MD5(srcStr)
'--- Check whether the MD5 result computed by the merchant's website matches the MD5 result provided by the cloud payment gateway
If r_signstr <> c_signstr Then
    Response.Write "Signature Verification Failed"
    Response.End
End If
The information is hashed and verified after it is submitted, and the merchant's payment key can be obtained on the submission page! His program has to include it there!
We don't even need that. All we need is to make r_signstr equal to c_signstr and it's done! I will not talk about the deception method!
As for the other spoofing methods, there is no encryption at all. Everything is in plain text, so it's easy!
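The receiving-side checks from getpaypolicy.asp, restated in Python as an added example (not the cloud network's code or the author's), to show that every check rests on the payment key staying secret and on comparing the notification with the merchant's own order record. It assumes UTF-8 field encoding and a lowercase hex MD5 digest; the key, order record and notification are constructed values, and the refusal of the demo placeholder key, the constant-time comparison and the replay check on c_transnum are additions that the demo file does not have.

```python
import hashlib
import hmac
from decimal import Decimal

# Field order as in the getpaypolicy.asp listing; the payment key goes last.
FIELDS = ("c_mid", "c_order", "c_orderamount", "c_ymd", "c_transnum",
          "c_succmark", "c_moneytype", "c_memo1", "c_memo2")
REQUIRED = FIELDS[:7] + ("c_signstr",)   # the memo fields may be empty
PLACEHOLDER_KEYS = {"", "Test"}          # value shipped in the demo files

def sign(params, pay_key):
    """MD5 hex digest of the concatenated fields plus key (UTF-8 assumed)."""
    src = "".join(params.get(f, "") for f in FIELDS) + pay_key
    return hashlib.md5(src.encode("utf-8")).hexdigest()

def verify_notification(params, pay_key, order, seen_transnums):
    """Return (accepted, reason); `order` is the merchant's stored record."""
    if pay_key in PLACEHOLDER_KEYS:
        return False, "payment key is still the demo placeholder"
    if any(not params.get(f) for f in REQUIRED):
        return False, "incomplete notification"
    given = params["c_signstr"].lower().encode("utf-8")
    if not hmac.compare_digest(sign(params, pay_key).encode("utf-8"), given):
        return False, "signature mismatch"
    if order is None or params["c_mid"] != order["mid"]:
        return False, "unknown order or merchant"
    try:
        amount = Decimal(params["c_orderamount"])
    except ArithmeticError:
        return False, "malformed amount"
    if amount != order["amount"] or params["c_ymd"] != order["ymd"]:
        return False, "amount or date differs from stored order"
    if params["c_transnum"] in seen_transnums:
        return False, "transaction number already processed"
    if params["c_succmark"] != "Y":
        return False, "gateway reported failure"
    seen_transnums.add(params["c_transnum"])
    return True, "paid"

# Constructed sample: key, order record and notification are invented values.
KEY = "constructed-secret-key"
ORDER = {"mid": "000103", "amount": Decimal("0.01"), "ymd": "20050102"}
NOTE = {"c_mid": "000103", "c_order": "12345", "c_orderamount": "0.01",
        "c_ymd": "20050102", "c_transnum": "T0001", "c_succmark": "Y",
        "c_moneytype": "0", "c_memo1": "ABCDE", "c_memo2": "12345"}
NOTE["c_signstr"] = sign(NOTE, KEY)

if __name__ == "__main__":
    print(verify_notification(NOTE, KEY, ORDER, set()))
```
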
PS: At that time, the author also sent an animation about the online payment vulnerability. I deleted it without reading it. Do you believe this animation? I don't believe it!