Palm reading app account password retrieval bypass/account information leakage/use others' accounts to buy books for themselves and other issues

Palm reading app account password retrieval bypass/account information leakage/use others' accounts to buy books for themselves and other issues

I wanted to read a book quietly, but the book was charged. Then I detected various vulnerabilities ....

 

Originally, I wanted to test the text message recharge service. Later, I checked it carefully as a mobile text message interface. It didn't matter if I had to read it.



Download the app (Android and ios)



# The pages in the following URLs can be normally displayed in Google Chrome



Problem 1: Information Leakage



Previously, WooYun: the problem that the mobile client may leak user information has not been solved yet.

The problem is/zybook/u/p/



In the new Android app (mobile phone),/zybook3/app/In the ios app (iPad) calls/zybook4/ipad/



Ios versions have obvious vulnerabilities (without the sign parameter) and interfaces.

Http://ah2.zhangyue.com/zybook4/app/ipad.php? Ca = User. findPwd & pk = 1U1 & usr = i4 & p1 = 150130195131672345 & p2 = 111010 & p3 = 636021 & p4 = 501621 & p5 = 1001 & p6 = AAAAAAAAAAAAAAAAAAAA & p7 = AAAAAAAAAAAAAAA & p9 = 0 & p11 = 584 & p12 = & p15 = 150115 & p16 = iPad4, 7 & p19 = palmreader_iphone_3.6.0 & p21-3 & p22 = iPhone_ OS, 8.0 & p23 = IMM76D. ZSLPQ



Usr is the user id.



This interface can be viewed as arbitrary (this is actually quite vague, for example, the i9 account cannot be logged on here, But i2, i3, etc. can be logged on with my newly registered account)



Take i1 as an Example



Check (why I didn't take the home page as an example because there is still a new vulnerability in the password retrieval)

Http://ah2.zhangyue.com/zybook4/app/ipad.php? Ca = User. findPwd & pk = 1U1 & usr = i1 & p1 = 150130195131672345 & p2 = 111010 & p3 = 636021 & p4 = 501621 & p5 = 1001 & p6 = AAAAAAAAAAAAAAAAAAAA & p7 = AAAAAAAAAAAAAAA & p9 = 0 & p11 = 584 & p12 = & p15 = 150115 & p16 = iPad4, 7 & p19 = palmreader_iphone_3.6.0 & p21-3 & p22 = iPhone_ OS, 8.0 & p23 = IMM76D. ZSLPQ



Click this page again



Http://ah2.zhangyue.com/zybook4/app/ipad.php? Ca = User. editPwd & pk = 1U1 & usr = i1 & rgt = 7 & p1 = 150130195131672345 & p2 = 111010 & p3 = 636021 & p4 = 501621 & p5 = 1001 & p6 = aaaaaaaaaaaaaaaa & p7 = AAAAAAAAAAAAAAA & p9 = 0 & p11 = 584 & p12 = & p15 = 150115 & p16 = iPad4 % 2C7 & p19 = palmreader_iphone_3.6.0 & p21-3 & p22 = iPhone_ OS % 2C8. 0 & p23 = IMM76D. ZSLPQ



Check the source code. The bound mobile phone number is leaked in the doSubmit () function (the default mobile phone number is displayed by code)


 

The mobile phone number 15332051457 is displayed here. It should be the bound i1.



In theory, you can write a script or run burp to get the mobile phone numbers bound to all customers (unverified )..



In fact, the mobile phone number is not leaked, but binding the mobile phone number leads to other problems.



Problem 2: unbound mobile phone account password modification (retrieval)



In the last question, we can get the account bound to the mobile phone and the account not bound to the mobile phone. Here, we tested the account that has not been bound to a mobile phone. At first we tested i2 and successfully changed the password to our setting. However, there is a defect that we must bind a mobile phone.



Here we use i1111111 as an example.



Click "Change Password". (If a new mobile phone number is used to retrieve the password, a new mobile phone number will be registered for another account)



Http://ah2.zhangyue.com/zybook4/app/ipad.php? Ca = User. editPwd & pk = 1U1 & usr = i1111111 & rgt = 7 & p1 = 150130195131672345 & p2 = 111010 & p3 = 636021 & p4 = 501621 & p5 = 1001 & p6 = aaaaaaaaaaaaaaaa & p7 = AAAAAAAAAAAAAAA & p9 = 0 & p11 = 584 & p12 = & p15 = 150115 & p16 = iPad4 % 2C7 & p19 = palmreader_iphone_3.6.0 & p21-3 & p22 = iPhone_ OS % 2C8. 0 & p23 = IMM76D. ZSLPQ



Use a new mobile phone number, click get verification code, and then change the password after receiving the verification code. If the verification code is successful, json data will appear in the url.



Because there is no mobile phone number, only i2 is bound to my mobile phone.


 

Question 3: Use another person's account to buy books



I have tested that many accounts have an i9 account and cannot view the password to retrieve it. Through http://ah2.zhangyue.com/zybook/u/p/user.php? Usr = i9

We can see that the balance is RMB 1196.13.



This vulnerability exists in both Android and ios clients. It is tested on ios clients.



Normally, you can use an account to log on. You can use i2 here. You can purchase a book that is more than your account. The price of "architecture and design analysis of large-scale distributed systems" is 3000.



Normal


 

This is a sad story.



When you click "large-scale distributed system architecture and design analysis", replace usr = i2 in the url with usr = i9.



Click to purchase


 

During the purchase process, you must always replace usr = i2 with usr = i9.



The purchase is successful. The book is successfully downloaded to your local device.


 

In order to prevent me from being fake, we will release the last page of this book (normally we can try to read some of it)



Other problems



Http://ah2.zhangyue.com/info.php



Delete this operation. Missed


It seems that the api information is leaked because the client has a function to view nearby users (to view what others have recently read.
 

Solution:

Api Control