Title: A free job in the payment logic loophole of a certain SQ mall

One day, I dug edu to find autism, and then thought about fofa to see if there are any fun sites.

Good guy, there is such a mall. I forgive me for being ignorant. So I wanted to go in and study

First, we conducted a preliminary information collection

Basically, they are all pseudo-static, and there is no discovery that you can clearly judge the language of the website backend language. After clicking on the search box,

It can be found that this address does not help us determine the type of the site, but we should also try SQL injection

Then I was directly called by Ban IP, so I simply gave up on continuing research on this place and continued to search for other functional points. When we click on the order query

You can find that Url has changed

Jump to the login registration page. Since you have come, register one to see if there is any other business. You can't leave it alone. Hahaha

If you try to hit Xs at the nickname, you will find that you will be banned. So let’s put it aside and find out if there are any business logic loopholes. Try to buy some products. I have always heard of payment loopholes before, but my brother has never really encountered it. Try your luck.

Click to buy, and I found that a strange parameter appeared in the cookie.

Let's take the urldecode to see what it is

Then let's guess, you can see that the price should be in front and the number of purchases should be in the back. Let's change it first

Coding back, covering the package

Because it is in a cookie, the cookies in every data transmitted in the past must be changed

It can be found that our unit price has changed to 1, the quantity has changed to 10, and the total amount has changed to 10. Record the corresponding relationship between the parameters.

Submit an order, modify the value in the cookie, and then continue, the page jumps to the Alipay payment page

Click on Alipay and find that the price has indeed changed

That's right, a product worth 75 yuan is only 17 yuan to pay, but it doesn't matter whether the merchant ships it or not.

Unexpected surprise Then, I found that there was a parameter that had not been tested before, so let's try it

user_zheko, it should mean discount, so I will modify it and verify it

It is known that 100 is no discount, so what if I change it to 0? The column where the address cannot be popped up

After changing to 1, I really enjoyed a discount, hahahaha

It can be found that you only have to pay 14 yuan, and you can continue to pay the fee with a 10% discount. Then there is a 7 yuan postage merchant who does not have free shipping. Then you can pay 21 yuan to bring the booster home. It’s exciting to think about it!

Summary at the end of the article: 1. Digging a hole is just one sentence, digging the world with careful rules! 2. When facing logical loopholes, you must pay attention to the parameters when each page is redirected interactively, and guess as much as possible what the function of each parameter passed is. If Burp is inconvenient to watch, you can also see it, and you can see it according to your preferences and habits. You must test carefully and don't miss some small points, maybe you will be surprised

3. I didn’t find any order inquiry to exceed the authority. I didn’t expect that the payment point was actually controllable at the front end. Hehehe

Reprinted from the original link: https://mp.weixin.qq.com/s?__biz=Mzg2NDYwMDA1NA==mid=2247486060idx=1sn=a4b977e9e3bbfe7b2c9ec479942e615cchksm=ce67a0f5f91029e30c854eb2f71173efe925a38294fd39017708abcf4deea5c2b25dee518ebfscene=21#wechat_redirect