Foreword:
Last September, my colleague bought a hot pot set meal on a group-buying website, and after that he bought it almost every day. Over New Year's Day, the group-buying website launched a "VIP members receive red envelopes for 0 yuan" promotion. Who doesn't like receiving red envelopes? So I joined in too.
So I went straight in, registered, clicked buy, entered the shopping cart and clicked to confirm the order. Eh? Why does an alert say "This event is limited to VIP members only"? My first reaction was to look at the page source (since the event has ended and I can no longer reach the purchase page, I have to express it in pseudocode here):
    // Click handler of the "confirm order" button (pseudocode)
    function btn_click() {
        // fetch the current user's type via AJAX
        // if the user is not VIP:
        //     alert("本活动仅限VIP会员参与");   // "This event is limited to VIP members only"
        // otherwise:
        //     form1.submit();
    }
Then I typed into the address bar: javascript:form1.submit(); and pressed Enter! I landed on the payment page, clicked OK, and... purchase successful! I got a 5 yuan red envelope!
So awesome!!! I registered a new account, repeated the steps above, and again received a 5 yuan red envelope.
I immediately left a message for customer service explaining this bug, but they still haven't replied to me to this day, haha.
The key point of this vulnerability is that the developer forgot to check whether the current user is a VIP member in the back-end code that handles form1.submit(), relying only on JavaScript verification.
Front-end verification is of no use on its own; it can be bypassed completely. Back-end verification is what matters!!
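As an added illustration (this is not code from the original post or from the site in question), here is what the missing back-end check looks like: the order handler decides VIP eligibility from the server-side session and promo table, so a browser that skipped the JavaScript gate with javascript:form1.submit() gets the same refusal the alert would have shown. The user table, promo table and request fields are constructed sample data, and the hypothetical audit() helper records denials so that bypass attempts are visible in logs.

```python
# Added example (not the site's code): a back-end order handler that re-checks
# VIP eligibility from server-side state instead of trusting whatever the
# browser-side JavaScript did or did not check.
from dataclasses import dataclass

# Constructed sample user table: user_id -> account type as the server knows it.
USERS = {"u1001": "VIP", "u1002": "normal"}

# Constructed promo table: the 0-yuan red-envelope deal is VIP-only.
PROMOS = {
    "redpacket-0yuan": {"price": 0, "vip_only": True},
    "hotpot-set": {"price": 58, "vip_only": False},
}

AUDIT_LOG = []  # stands in for the application's real log sink


def audit(line):
    AUDIT_LOG.append(line)


@dataclass
class Result:
    ok: bool
    reason: str


def submit_order(session_user_id, posted_form):
    """Handle the POST produced by form1.submit().

    Only server-side knowledge (the session's user, the promo table) drives the
    decision; every field in posted_form is untrusted input.
    """
    user_type = USERS.get(session_user_id)
    if user_type is None:
        return Result(False, "not logged in")

    promo_id = posted_form.get("promo_id")
    promo = PROMOS.get(promo_id)
    if promo is None:
        return Result(False, "unknown promo")

    # The check the JavaScript performed client-side, repeated where it cannot be skipped.
    if promo["vip_only"] and user_type != "VIP":
        # A non-VIP reaching this path means the front-end gate was bypassed;
        # that is worth an audit line, not just a silent refusal.
        audit(f"promo={promo_id} user={session_user_id} type={user_type} DENIED vip_only")
        return Result(False, "VIP members only")

    # A client-supplied "is_vip" or "price" field is never consulted.
    return Result(True, f"order placed at {promo['price']} yuan")


if __name__ == "__main__":
    print(submit_order("u1002", {"promo_id": "redpacket-0yuan", "is_vip": "1"}))
    print(submit_order("u1001", {"promo_id": "redpacket-0yuan"}))
```

The second request in the usage lines succeeds and the first is refused even though it claims is_vip=1, because the server consults its own user table rather than the form.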
With what I had gained in the morning, I kept looking for loopholes on other group-buying websites on the night of the 1st, and sure enough, I found a more serious one.
This group-buying website also held a New Year's Day "smash the golden egg" lottery, also free to enter. After purchasing, I found that I had to invite friends to the event to get chances to smash golden eggs; each invited friend gives one more chance, as shown in the picture:
As soon as I clicked a golden egg, the alert said "No more lottery chances, go invite your friends!" Hmm, JavaScript again? Let's look at the code first:
This is the click event of the golden egg. It calls a page lottery1.php via AJAX, and the chance variable it passes should be the number of egg-smashing chances the current user has.
I tried accessing lottery1.php?chance=1 directly, and the string "error" was returned; lottery1.php?chance=0 also returned error, and lottery1.php?chance=-1 returned error as well. Did it have no effect at all? I refreshed the egg-smashing page, and wow!!
Passing -1 caused an overflow? I tried smashing a few eggs and got a voucher every time!! So awesome. Then I tried using a voucher to place an order, and I was indeed able to save a few yuan.
But only one voucher can be used per order, haha (of course I cancelled the test order in the end; I'm not that evil, wakaka).
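The author's later question ("why pass the user's number of chances to the back-end at all?") is the right fix, so here is an added example of a lottery endpoint written that way; it is not the site's lottery1.php. The remaining count lives in server state, the chance query parameter is logged and ignored, the comparison is "greater than zero" rather than "equal to zero" so a negative value can never slip through, and the decrement runs under a lock so a JS loop firing requests in parallel cannot race the counter. REMAINING, the user ids and the audit() helper are constructed for the example.

```python
# Added example (not the site's code): a lottery endpoint that treats the
# remaining-chances counter as server state rather than as client input.
import threading

# Constructed sample state: remaining egg-smashing chances per user, held server-side.
REMAINING = {"u1001": 2, "u1002": 0}
_LOCK = threading.Lock()

AUDIT_LOG = []  # stands in for the application's real log sink


def audit(line):
    AUDIT_LOG.append(line)


def lottery1(session_user_id, query):
    """Server-side equivalent of lottery1.php?chance=...; query is the parsed query string.

    Returns ("error", reason) or ("ok", detail). A 'chance' key in query is
    deliberately never used: the count comes from REMAINING, not from the client.
    """
    if "chance" in query:
        # Harmless once ignored, but a fixed front end no longer sends it, so a
        # client that still does is worth noting in the log.
        audit(f"user={session_user_id} sent chance={query['chance']!r} (ignored)")

    with _LOCK:
        left = REMAINING.get(session_user_id, 0)
        # '> 0' rather than '== 0': zero AND negative counts are both refused.
        if left <= 0:
            return ("error", "no chances left")
        REMAINING[session_user_id] = left - 1
        left -= 1
    return ("ok", f"voucher; {left} chances left")


def add_chance(user_id, n=1):
    """Server-side credit, e.g. when an invited friend joins. Only positive credits are allowed."""
    if n <= 0:
        raise ValueError("chance credit must be positive")
    with _LOCK:
        REMAINING[user_id] = REMAINING.get(user_id, 0) + n


if __name__ == "__main__":
    print(lottery1("u1001", {"chance": "-1"}))  # served from server state, -1 ignored
    print(lottery1("u1002", {"chance": "1"}))   # user has 0 chances: refused
```

Whatever value the browser puts in chance, the outcome depends only on what the server has credited through add_chance, which is the point the author makes in the summary.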
I contacted customer service immediately, but they were off duty, their QQ was offline and the phone could not be reached, so I had to leave a message.
What next? Smash eggs! As for the 4.2 billion golden eggs, write a bit of JS and they get smashed automatically! So far a total of 3588 golden eggs have been smashed, of which at least 2000 were smashed by me. Wakaka
I got a lot of vouchers:
185 pages in total, haha, quite spectacular!!!
On the 2nd, when I re-checked the code of the group-buying website, I found an even more serious problem:
There is a method like this in the JS:
At first glance it seems to be related to money. Pass in a user ID and an amount and see what effect it has.
How to get the user ID? Don't worry, here it is:
This 96204 is the ID of my current account. After visiting the URL, it returned "Offline recharge successful". Wow, really? There is no permission check on the recharge page?
I checked the account balance, and sure enough the recharge had gone through:
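An added example of how the recharge endpoint should have been gated (this is not the site's code): authority comes from the caller's server-side session role, never from the user ID in the URL, and the amount is validated as a positive integer within a policy limit before any balance changes. The role table, the finance account "admin7", the limit and the audit() helper are constructed for the example; 96204 is the account ID the author shows on the page.

```python
# Added example (not the site's code): an "offline recharge" handler that checks
# who is calling before it credits anyone, and validates the amount.

# Constructed sample role table: the account id being credited confers nothing;
# only the caller's own role matters.
ROLES = {"96204": "customer", "admin7": "finance"}
BALANCES = {"96204": 0}
MAX_SINGLE_RECHARGE = 5000  # constructed policy limit per operation

AUDIT_LOG = []  # stands in for the application's real log sink


def audit(line):
    AUDIT_LOG.append(line)


def offline_recharge(session_user_id, target_user_id, amount):
    """Gated equivalent of the recharge URL that took a user id and an amount.

    Returns (status, message). Only a finance-role session may credit balances.
    """
    role = ROLES.get(session_user_id)
    if role != "finance":
        # Every refusal is logged with actor, target and amount so that a
        # customer probing the endpoint shows up in monitoring.
        audit(f"recharge DENIED actor={session_user_id} role={role} "
              f"target={target_user_id} amount={amount!r}")
        return ("forbidden", "recharge requires the finance role")

    # Validate the amount: an integer, positive, and within policy.
    try:
        value = int(amount)
    except (TypeError, ValueError):
        return ("error", "amount is not an integer")
    if value <= 0 or value > MAX_SINGLE_RECHARGE:
        return ("error", f"amount must be 1..{MAX_SINGLE_RECHARGE}")

    if target_user_id not in BALANCES:
        return ("error", "unknown account")

    BALANCES[target_user_id] += value
    audit(f"recharge OK actor={session_user_id} target={target_user_id} amount={value}")
    return ("ok", f"balance is now {BALANCES[target_user_id]}")


if __name__ == "__main__":
    # A customer calling the URL with their own id and 20000: refused, balance unchanged.
    print(offline_recharge("96204", "96204", 20000), BALANCES["96204"])
    # A finance account crediting 100: allowed and logged.
    print(offline_recharge("admin7", "96204", 100))
```

The first usage line reproduces the situation on the page (a customer session, their own ID, a large amount) and shows the balance staying at zero; only the finance session changes it, and both outcomes leave an audit line.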
My balance was 20,000, wow!! This vulnerability is too fatal. I left a message for customer service immediately. Just after I left it, their developer called me to discuss the golden egg vulnerability, so it was the right moment to tell him about the newly discovered one as well. Developers have a hard life: during New Year's Day, after 10 o'clock at night, he still had to change the code. After fixing it, he said the boss might give me some gifts. I'm really looking forward to that, haha.
Finally, he cleared my account balance, and I shouted in my heart: No, I want it, my 20,000 yuan~~~~~~~~
To summarize: front-end verification is unreliable, and the back-end must verify whatever matters; management pages must have access-permission checks; data passed to the back-end must be validated for legality; and unnecessary parameters should not be passed at all. For example, in the egg-smashing case, I just don't understand why the current user's number of egg-smashing chances should be passed to the back-end. Can't it be read directly from the database? The user ID should not appear in clear text. In addition, we must guard against XSS cross-site scripting attacks (usually by checking the host header).
My website: http://i.goto327.top:85/