Practice range reproduction, for learning only - payment vulnerability

This is a practice range reproduction: learn the principles, stay safe, and never carry it over into real systems!!!!

This is a practice range, and the website in it contains this kind of vulnerability.

How quick payment works

There are two ways for a merchant website to obtain the payment result:

one is a redirect notification through the user's browser,

the other is a server-side asynchronous notification.

Browser redirect

This relies on the browser the user is using. If the user closes the page right after the bank's payment page reports success, without waiting for the bank to redirect to the payment-result page, the merchant website never receives the payment result and has trouble processing it. On top of that, data on the browser side is easy to tamper with, which lowers security.

Server-side asynchronous notification

In this method the payment company's server sends the parameters directly, by POST or GET, to the asynchronous notification URL the merchant specified. The program behind that URL on the merchant website receives the parameters, must verify the signature on the payment result returned by the payment company, and only on success performs the payment logic, such as checking that the amount and order information match what was submitted when the payment was initiated. If the checks pass, the order status is updated, the user's account on the website is credited, and so on.

Payment vulnerabilities?

Compared with other vulnerabilities, payment vulnerabilities are probably the most popular, for example buying a mobile phone for one cent (but everyone must stay within bounds when penetration testing).

Payment vulnerabilities do not require a code audit, so readers can relax.

Payment vulnerabilities are logic vulnerabilities. Hunting them takes divergent (offbeat) thinking and often gets twice the result for half the effort. Simply put, it means not playing by the usual rules.

Modify the price paid (https://www.uedbox.com/post/22477/)

Payment has three steps: placing the order, confirming the order, and paying. The price-modification test can be done at any of the three. If the first two steps have a verification mechanism, capture the request at the final payment step and try modifying the amount there; if that last step is not verified properly, the problem exists. For the modified amount, try a very small number or a negative number.

Modify the payment status (https://www.uedbox.com/post/24090/)

Completed versus uncompleted orders (the site can't tell them apart): order A, number 0001, is paid; order B, number 0002, is unpaid. Try giving order B's number to order A. In fact this is not limited to payment: http://woo.zone.ci/bug_detail.php?wybug_id=wooyun-2015-0156253

Modify the order quantity (https://www.uedbox.com/post/23143/)

Modify the add-on values

Coupons: a coupon is basically a discount. Coupon use normally appears in the second step, confirming the purchase information. On that page you select the relevant coupon; then try directly changing the coupon amount to something greater than or equal to the product price, or to a negative value, and go on to pay. If this is not verified, a problem arises and the payment simply succeeds.

How to hunt for payment vulnerabilities

Hunting: find the critical request

A payment operation may involve three or four requests, and we need to pick out the right ones.

Analyse the request: the payment request carries a lot of sensitive information (account number, amount, balance, discount). Try to analyse every parameter in it. Don't follow the usual script; think about the places developers have not thought of, and try it on PC, WAP and app.

Defence

Defence: the backend checks every value, including the payment status.

Validate the price and quantity parameters: for example the product quantity may only be a positive integer, and the purchase quantity is capped. Reconcile with the third-party payment platform to confirm that the amount actually paid matches the order amount.

Apply MD5 signing and verification (encryption/decryption, digital signature and signature checking) to the payment parameters, which effectively prevents data modification; for replay attacks and similar problems, amounts that exceed a threshold go to manual review.
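
As an added example (not code from the original post), here is how the asynchronous-notification handler described above can enforce the checks in this defence section in one place: signature verification, order lookup, amount reconciliation and replay rejection. The order store, the shared key and the HMAC-SHA256 signing scheme (used here instead of the bare MD5 the text mentions, because an unkeyed digest can be recomputed by anyone who sees the parameters) are assumptions for this example.

```python
import hashlib
import hmac
from decimal import Decimal

# Constructed merchant-side order store: order_id -> amount at order time and status.
# In a real system this is the database row written when the order was created.
ORDERS = {
    "0001": {"amount": Decimal("6999.00"), "status": "unpaid"},
    "0002": {"amount": Decimal("10.00"), "status": "unpaid"},
}

# Shared secret agreed with the payment provider (placeholder, constructed for this example).
NOTIFY_KEY = b"example-merchant-key"


def sign(params: dict, key: bytes) -> str:
    """Assumed signing scheme: sorted key=value pairs joined by '&', then HMAC-SHA256
    under the shared key. The 'sign' field itself is excluded from the signed string."""
    payload = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "sign")
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def handle_notify(params: dict) -> str:
    """Process one asynchronous payment notification. Returns 'ok' only when every
    check passes; any other string is the reason the notification was rejected."""
    # 1. Signature first: nothing below can be trusted until this passes.
    expected = sign(params, NOTIFY_KEY)
    if not hmac.compare_digest(expected, params.get("sign", "")):
        return "bad signature"
    # 2. The order must be one this merchant actually created.
    order = ORDERS.get(params.get("order_id", ""))
    if order is None:
        return "unknown order"
    # 3. A notification for an already-paid order is a replay; never credit twice.
    if order["status"] == "paid":
        return "duplicate"
    if params.get("status") != "SUCCESS":
        return "not paid"
    try:
        paid = Decimal(params.get("amount", "0"))
    except ArithmeticError:  # decimal.InvalidOperation on a non-numeric amount
        return "bad amount"
    # 4. Reconcile: the amount the provider reports must equal the amount stored when
    #    the order was placed, so a swapped order number or a tampered price
    #    (6999 -> 6.999, or a negative value) is caught here.
    if paid != order["amount"]:
        return "amount mismatch"
    order["status"] = "paid"
    return "ok"
```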

What is a payment vulnerability?

Payment vulnerabilities are a kind of logic vulnerability related to the payment business. Every logic vulnerability in the payment business is a payment vulnerability.

Are payment vulnerabilities harmful?

The payment business is generally tied to funds. If Alipay had a payment vulnerability, I could keep draining money; what do you think the harm would be?

Are payment vulnerabilities common?

Payment vulnerabilities are fairly common, especially on small shopping sites, small websites and illegal websites, which are prone to them.

Is there legal liability in payment vulnerability testing?

Test with a small amount, generally kept within 10 yuan; the amount must not be large, and submit the report promptly once the test succeeds, don't keep it.

How does quick payment work?

Quick payment is really just redirecting to the payment page, you pay, and the merchant then obtains the payment result (in the early days this relied on the browser redirect; later it was mostly asynchronous, that is, after payment succeeds the payment provider and the merchant have their own channel and do not rely on the customer's browser redirect).

Does a payment vulnerability require a code audit?

No, and generally you don't have the target's source code to audit anyway.

What is the core idea of payment vulnerability hunting?

Not just for payment vulnerabilities but for logic vulnerabilities in general, you need divergent thinking and operations that others would not think of. With payment vulnerabilities, for example, buy a few items, put a negative number in the quantity, and the final price becomes 0.

Common payment vulnerabilities:

Modifying the payment price, modifying the payment status, modifying the order quantity, modifying the discount amount, discount amounts and usage limits, unauthorised payment, unlimited trials.

What is the specific operation for modifying the payment price?

Modifying the payment price mainly means capturing the request. For example, you buy a computer priced at 6999 and find a parameter with the value 6999 in the request; change it to 6.999 and continue to the payment page. I pay 6.999 and the computer is bought. The amount can also be changed to a negative number.

How do you modify the payment status?

For example, you buy a product worth 1000 yuan and then another worth 10 yuan; the two order numbers are different. Capture the request and swap the order numbers between the 1000 yuan and 10 yuan payment requests, then pay 10 yuan, and you find the product has been bought.

What is the specific operation for modifying the order quantity?

The order-quantity trick is generally a negative number. Buy one expensive product and several cheap ones, set the expensive product's quantity to -1 so its price becomes negative, for example -8999, then add several other products that total 8999. When the total is calculated it is -8999 + 8999 == 0, so I bought them for 0 yuan.

What is the specific operation for modifying the coupon amount and usage limits?

Here the starting point is not the product itself but the coupon, for example changing the coupon's value or using N coupons.
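
The three tricks just described (price 6999 to 6.999, quantity -1 so that -8999 + 8999 == 0, and an oversized or negative coupon) all come down to the server doing arithmetic on client-supplied values. As an added example that is not part of the original post, here is a vulnerable total calculation beside a hardened one that prices from a server-side catalog, accepts only positive integer quantities within a limit, and bounds the coupon; the catalog, the quantity limit and the request field names are constructed for this example.

```python
import re
from decimal import Decimal

# Constructed server-side catalog: product id -> unit price in yuan.
# Prices come from here, never from the request.
CATALOG = {
    "laptop": Decimal("8999.00"),
    "monitor": Decimal("4999.00"),
    "phone": Decimal("4000.00"),
}
MAX_QTY = 99  # per-line purchase limit assumed for this example


def vulnerable_total(items, coupon="0"):
    """'Before' version: trusts price, quantity and coupon exactly as the request sent
    them. qty=-1 on the laptop plus items adding up to 8999 yields -8999 + 8999 == 0,
    and a price of 6.999 or a coupon larger than the total is accepted just the same."""
    total = sum(Decimal(i["price"]) * int(i["qty"]) for i in items)
    return total - Decimal(coupon)


def parse_qty(raw) -> int:
    """Accept only a positive integer in the range 1..MAX_QTY. The regex rejects "-1",
    "1.5", "", "+3" and non-ASCII digits that int() would otherwise happily convert."""
    s = str(raw).strip()
    if not re.fullmatch(r"[1-9][0-9]*", s):
        raise ValueError(f"invalid quantity {raw!r}")
    qty = int(s)
    if qty > MAX_QTY:
        raise ValueError(f"quantity {qty} exceeds limit {MAX_QTY}")
    return qty


def checked_total(items, coupon="0") -> Decimal:
    """Hardened version: ignores any client-supplied 'price', validates every quantity
    and keeps the coupon within 0..total, so the total can never reach zero or go negative."""
    total = Decimal("0")
    for i in items:
        if i["product"] not in CATALOG:
            raise ValueError(f"unknown product {i['product']!r}")
        total += CATALOG[i["product"]] * parse_qty(i["qty"])
    discount = Decimal(coupon)
    if discount < 0 or discount > total:
        raise ValueError(f"coupon {discount} outside 0..{total}")
    return total - discount
```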

What is the specific operation of unauthorised payment?

Unauthorised payment: modify the user ID in the payment request so that the money is deducted from another user.

Do payment vulnerabilities only exist on the web side?

They are everywhere, not just on the web, and the same goes for payment; this needs an open mind. Last time I went out for barbecue, I scanned the QR code to order and found an XSS.

What if the parameters are passed encrypted?

The first thing is don't panic. Encryption does not mean the vulnerability is gone. First see whether you can work out the encryption method, then buy items with different prices and items with the same price and compare the requests.

How do you defend against payment vulnerabilities?

The backend checks every parameter passed in; large amounts go to manual review; the amount is not carried in the parameters passed from the client; and the parameters are encrypted.

How do you prevent unauthorised payment vulnerabilities?

Do access control properly.

What about the practice range's payment vulnerability?

You can modify the payment price or the payment quantity.

What is at the heart of payment vulnerabilities and other logic vulnerabilities?

Controlling the parameters.

Are there any remarkable cases?

eLong apparently once had a payment vulnerability: as long as you had the credit card number and the card's expiry date, it could be used to pay directly.

How do you get better at hunting payment vulnerabilities?

Stones from other hills can be used to polish jade; there is a lot to learn from others.


Alright, alright, let's go into the practice range and have a look, and fill in the hole left over from before.

I have to say, this page is much nicer than the old version; anyone who didn't know better would think I was slacking off.

But after clicking around a bit you find that many pages won't open. It's a practice range after all, understandable.

And on every page that does open you can see a young lady modelling the recommended clothes; no need to guess, whoever built this range is a guy~

After capturing the request, just change the quantity to -1.

Only at this step did I find out I hadn't registered or logged in.

After registering and logging in I found the shopping cart had been emptied, so I had to modify the request again.

After the payment succeeded I went into the personal center and found the flag still didn't appear. Strange!!

I went shopping again and saw a return option under "awaiting shipment". I wondered whether the refund would be a case of getting something for nothing, so I chose to refund.

Once again, this is a practice range reproduction and must not be carried over into real life.

I personally know people who have been put away for this!!!

Practice range reproduction


Let's just say, if you really knew this technique, would you still be reading this article? And those who don't know it yet don't even understand the basics, so how would they maintain national security!!!


Source: blog.csdn.net/weixin_46601374/article/details/123793259