GreenTree Inn SMS verification vulnerability and order query without permission control
GreenTree Inn mobile website http://m.998.com/
1. SMS verification vulnerability
Registration SMS endpoint: http://m.998.com/Api/Account/SendMobileCheckMsg.ashx
The SMS verification code is included directly in the response to the request that sends the code. As a result, anyone can register an account with another person's mobile phone number. The login page of the non-member order query, http://m.998.com/phone_order.html, behaves the same way. The code is returned so that the front end can check the SMS code itself, but front-end checks are trivially bypassed, so the SMS verification provides no protection at all.
2. Order query without permission control
Logging in on the non-member order query page is pointless, because the query interface has no permission control at all:
http://m.998.com/Api/User/GetOrderList.ashx?CardNo=0&phone=18000000000&orderListType=1&page=1&pageSize=10
The member order query interface has no permission control either; orders can be listed simply by passing a card number:
http://m.998.com/Api/User/GetOrderList.ashx?CardNo=100001450000&phone=&orderListType=2&page=1&pageSize=10
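Both findings have the same fix: the server must keep the verification code to itself and tie order lookups to a server-side session instead of caller-supplied parameters. The following is an added illustration of that design, not GreenTree Inn's code; the endpoint names mirror the ones above, while the stores, sample orders and the `deliver_sms` callback are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores standing in for the database.
OTP_STORE = {}    # phone -> (sha256(code), expiry timestamp, attempts left)
SESSIONS = {}     # opaque session token -> {"phone": ...}
ORDERS = [        # constructed sample orders
    {"id": 1, "phone": "13800000001", "cardNo": "CARD-A"},
    {"id": 2, "phone": "13800000002", "cardNo": "CARD-B"},
]

def _digest(code):
    return hashlib.sha256(code.encode()).hexdigest()

def send_mobile_check_msg(phone, deliver_sms):
    """Issue a 6-digit code, hand it to the SMS gateway only, and return an opaque result.
    The code never appears in the HTTP response, so the client cannot skip the phone."""
    code = f"{secrets.randbelow(10**6):06d}"
    OTP_STORE[phone] = (_digest(code), time.time() + 300, 5)  # 5 min, 5 tries
    deliver_sms(phone, code)
    return {"ok": True}  # no "code" field, unlike the vulnerable endpoint

def verify_mobile_code(phone, submitted):
    """Check the code server-side; on success return a session token, else None.
    The code is single-use, expires, and is rate limited against guessing."""
    entry = OTP_STORE.get(phone)
    if entry is None:
        return None
    digest, expires, attempts = entry
    if time.time() > expires or attempts <= 0:
        OTP_STORE.pop(phone, None)
        return None
    if hmac.compare_digest(digest, _digest(submitted)):
        OTP_STORE.pop(phone, None)  # burn the code
        token = secrets.token_urlsafe(16)
        SESSIONS[token] = {"phone": phone}
        return token
    OTP_STORE[phone] = (digest, expires, attempts - 1)
    return None

def get_order_list(session_token):
    """Select orders by the identity bound to the session; query-string
    cardNo/phone values are never trusted for authorization."""
    sess = SESSIONS.get(session_token)
    if sess is None:
        return {"error": "unauthorized"}
    return {"orders": [o for o in ORDERS if o["phone"] == sess["phone"]]}
```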
I tried a few non-member order queries with the captured mobile phone verification codes, but I was too lazy to try more.
Several member order queries were found:
There are mobile phone and bank fields, but in the accounts found they were empty, so it seems no sensitive information is returned directly.
Solution:
Call the IT department.