With this instruction, you can easily find out the exact address (street, house number, apartment number) of any person who uses the services of the Internet provider InterZet (or DomRU).
Background
On December 8, 2017, a new version of the iOS application was released. It updated the design, corrected minor flaws, and so on. Having downloaded the application to my phone, I ran into a problem: I could not get through the authentication procedure. I tried entering the contract number, the phone number, and the email address in the login field. Nothing helped; all attempts ended in a fiasco.
The problem was observed only in the application; the site worked (and still works) flawlessly and lets me in without any trouble. The error message is not very informative. What went wrong?
Application traffic analysis
In order to establish why our patient does not want to live, we use the mitmproxy program. It will allow us to see the communication between the application and the server.
Let's try to authenticate to get a client request and server response.
Judging by the answer, an invalid timestamp is transmitted:
Take a look at the request:
The timestamp of the request is transmitted in the "timestamp$c" field. I do not understand why the client is trusted in such matters.
Solution to the problem
The developers did not take into account the fact that people use different time formats. The timestamp is formed incorrectly if the phone uses the 12-hour format (as in my case), so the request cannot be verified on the server. We change the time display format in the phone settings to 24 hours and successfully pass authentication. The only difference is that there is no AM / PM in the 24-hour timestamp format.
The correct query looks like this:
Calculated by phone number or email address
While analyzing the traffic of the application at the authentication stage, I came across one very interesting flaw in the system: incorrect behavior of the "recover password" function. It gives out very interesting information.
The request is as follows:
We are interested in the parameter "param_values_arr$c".
- If you transmit the contract number of an InterZet/DomRU user, you receive the contact details associated with the contract: telephone number, e-mail address.
- If you send it a phone number or email address, then in the answer you will see the exact address of the user.
Sample answer:
We see the exact address of our apartment, we understand that this is a fiasco, and also we smile and wave!
PS: on the site everything works correctly, it seems: the address is masked with asterisks :)
By the way, judging by the errors that the server issues in the absence of a user in the database, the debug mode is enabled on the server. I do not understand why?
<debug> <![CDATA[debug$n=24: exception: ORA-20001: debug=2 backtrace: ORA-06512: at "EXCELLENT3.WEBCAB_XML_PROC", line 6264 ORA-06512: at line 1 ORA-06512: at "EXCELLENT3.WEB_CABINET", line 1064 ]]> </debug>
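One way to keep the recovery lookup described above from handing out contact data, shown as an added example that is not the provider's code: an unauthenticated caller gets masked phone and e-mail hints and no address at all, and a regression check confirms that no raw field value reaches a response body. The record, its field names and the function names are assumptions made for the illustration.

```python
import json
import re

# Constructed sample record; field names are hypothetical, not the provider's schema.
SAMPLE_RECORD = {
    "agreement": "780012345678",
    "phone": "+79215550142",
    "email": "habr@example.com",
    "address": "Nevsky pr., 28, apt. 15",
}

def mask_email(email):
    """Keep the first character of the local part and the domain."""
    local, _, domain = email.partition("@")
    return local[:1] + "*" * max(len(local) - 1, 1) + "@" + domain

def mask_phone(phone):
    """Keep only the last two digits."""
    digits = re.sub(r"\D", "", phone)
    return "*" * max(len(digits) - 2, 0) + digits[-2:]

def recovery_view(record, authenticated_as=None):
    """Return what a password-recovery lookup may show the caller."""
    if authenticated_as is not None and authenticated_as == record["agreement"]:
        return dict(record)  # the logged-in contract owner sees the full record
    # Unauthenticated caller: masked hints only, and the address is left out.
    return {
        "phone": mask_phone(record["phone"]),
        "email": mask_email(record["email"]),
    }

def leaked_fields(record, response_body):
    """Regression check: names of fields whose raw value appears in a response body."""
    return [name for name, value in record.items() if value in response_body]

if __name__ == "__main__":
    body = json.dumps(recovery_view(SAMPLE_RECORD))
    print(body)
    print("leaked:", leaked_fields(SAMPLE_RECORD, body))
```

The same `leaked_fields` check belongs in the tests of every interface that serves this data, since here the site masked the address while the endpoint used by the application did not.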
How to repeat?
Each city, I suspect, has its own database and URL. Below is an example for the city of St. Petersburg.
Simple query via cURL:
curl "https://spb.db.ertelecom.ru/cgi-bin/ppo/es_webface/web_cabinet.get_info\
?param_names_arr%24c=client_contact\
&param_values_arr%24c=habr@example.com\
&params=get_agr_list_contact_xml"
We change habr@example.com to the required phone number or email address.
UPDATE: the problem is fixed; the address is now masked with asterisks.
All information is provided for informational purposes only. I am not responsible for any possible harm or damage caused by the materials of this article.