Bug 曝光台 Smzdm RESTful API Bug | 什么值得买 RESTful API Bug

LawisChen · May 17, 2020 · 1853 hits

Recently, using a fuzzing tool, we found RESTful API bugs in some popular mobile applications. Note that the request in the record below goes to browserkernel.baidu.com (with `app=com.baidu.searchbox` in the body), which appears to be a third-party SDK endpoint embedded in the app rather than an API operated by Smzdm itself; the 502 should be read in that light:

Smzdm - version: 9.5.26


近期，我们利用某模糊测试工具发现了几家大厂 App 接口存在如下 bug：

什么值得买 - 版本: 9.5.26

Appendix 附录

  • Bug ID 5

    {
    "appName": "Smzdm",
    "method": "POST",
    "url": "https://browserkernel.baidu.com/integration.php",
    "status_code": 502,
    "request": {
    "method": "POST",
    "url": "https://browserkernel.baidu.com/integration.php",
    "httpVersion": "HTTP/1.1",
    "cookies": [],
    "headers": [
    {
    "name": "Content-length",
    "value": "3453"
    },
    {
    "name": "accept-encoding",
    "value": "gzip,deflate"
    },
    {
    "name": "Content-Type",
    "value": "application/x-www-form-urlencoded"
    },
    {
    "name": "User-Agent",
    "value": "Dalvik/2.1.0 (Linux; U; Android 6.0; HUAWEI MT7-CL00 Build/HuaweiMT7-CL00)"
    },
    {
    "name": "Host",
    "value": "browserkernel.baidu.com"
    },
    {
    "name": "Connection",
    "value": "Keep-Alive"
    }
    ],
    "queryString": [],
    "headersSize": 300,
    "bodySize": 3453,
    "postData": {
    "mimeType": "application/x-www-form-urlencoded",
    "text": "[{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/evilpage\\/evilpage_whiteblack_list.dat?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1561708951},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/stopwords.pb?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1547541420},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/diting20.pb?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1568725149},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/sailor\\/monitorconfig?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1557217912},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/adblock\\/diting_max_force_checked_list.dat?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1572351763},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/traffic\\/page_traffic_config.json?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1547541420},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/fakeBaidu26.pb?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1547541420},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/adblock\\/phoenix_opt.dat?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1563966326},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/ditingPlus.pb?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1572608394},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/newpac31\\/videoproxy.conf.txt\",\"last_modified\":1547541420},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/pac-version2.0\\/spdy.
conf.txt?ProxyType=SPDYANDOVERSEAS_PROXY&SdkVer=9.20.2.16\",\"last_modified\":1562745518},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/evilPage16.pb?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1568203355},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/ditingMax.pb?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1573129057},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/adblock\\/magicfilter.js?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1569469246},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/adblock\\/magicfilterv2_white_list.dat?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1568980277},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/adblock\\/adblock_quick_filter.js?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1562932245},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/adblock\\/adblock.pb?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1572869396},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/magicFilter30.conf_v1?zeus_ver=9.20.2.16&sdk=9.20.2.16&app=com.baidu.searchbox&appversion=11.15.0.12&\",\"last_modified\":1567071596},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/pac-version2.0\\/spdy.conf.txt?ProxyType=SPDYANDOVERSEAS_PROXY&SdkVer=9.20.2.16&mianliu=true\",\"last_modified\":1547541420}]",
    "params": [
    {
    "name": "[{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/evilpage\\/evilpage_whiteblack_list.dat?zeus_ver",
    "value": "9.20.2.16"
    },
    {
    "name": "sdk",
    "value": "9.20.2.16"
    },
    {
    "name": "app",
    "value": "com.baidu.searchbox"
    },
    {
    "name": "appversion",
    "value": "11.15.0.12"
    },
    {
    "name": "\",\"last_modified\":1561708951},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/stopwords.pb?zeus_ver",
    "value": "9.20.2.16"
    },
    {
    "name": "sdk",
    "value": "9.20.2.16"
    },
    {
    "name": "app",
    "value": "com.baidu.searchbox"
    },
    {
    "name": "appversion",
    "value": "11.15.0.12"
    },
    {
    "name": "\",\"last_modified\":1547541420},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/diting20.pb?zeus_ver",
    "value": "9.20.2.16"
    },
    {
    "name": "sdk",
    "value": "9.20.2.16"
    },
    {
    "name": "app",
    "value": "com.baidu.searchbox"
    },
    {
    "name": "appversion",
    "value": "11.15.0.12"
    },
    {
    "name": "\",\"last_modified\":1568725149},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/sailor\\/monitorconfig?zeus_ver",
    "value": "9.20.2.16"
    },
    {
    "name": "sdk",
    "value": "9.20.2.16"
    },
    {
    "name": "app",
    "value": "com.baidu.searchbox"
    },
    {
    "name": "appversion",
    "value": "11.15.0.12"
    },
    {
    "name": "\",\"last_modified\":1557217912},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/adblock\\/diting_max_force_checked_list.dat?zeus_ver",
    "value": "9.20.2.16"
    },
    {
    "name": "sdk",
    "value": "9.20.2.16"
    },
    {
    "name": "app",
    "value": "com.baidu.searchbox"
    },
    {
    "name": "appversion",
    "value": "11.15.0.12"
    },
    {
    "name": "\",\"last_modified\":1572351763},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/traffic\\/page_traffic_config.json?zeus_ver",
    "value": "9.20.2.16"
    },
    {
    "name": "sdk",
    "value": "9.20.2.16"
    },
    {
    "name": "app",
    "value": "com.baidu.searchbox"
    },
    {
    "name": "appversion",
    "value": "11.15.0.12"
    },
    {
    "name": "\",\"last_modified\":1547541420},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/fakeBaidu26.pb?zeus_ver",
    "value": "9.20.2.16"
    },
    {
    "name": "sdk",
    "value": "9.20.2.16"
    },
    {
    "name": "app",
    "value": "com.baidu.searchbox"
    },
    {
    "name": "appversion",
    "value": "11.15.0.12"
    },
    {
    "name": "\",\"last_modified\":1547541420},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/adblock\\/phoenix_opt.dat?zeus_ver",
    "value": "9.20.2.16"
    },
    {
    "name": "sdk",
    "value": "9.20.2.16"
    },
    {
    "name": "app",
    "value": "com.baidu.searchbox"
    },
    {
    "name": "appversion",
    "value": "11.15.0.12"
    },
    {
    "name": "\",\"last_modified\":1563966326},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/ditingPlus.pb?zeus_ver",
    "value": "9.20.2.16"
    },
    {
    "name": "sdk",
    "value": "9.20.2.16"
    },
    {
    "name": "app",
    "value": "com.baidu.searchbox"
    },
    {
    "name": "appversion",
    "value": "11.15.0.12"
    },
    {
    "name": "\",\"last_modified\":1572608394},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/newpac31\\/videoproxy.conf.txt\",\"last_modified\":1547541420},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/pac-version2.0\\/spdy.conf.txt?ProxyType",
    "value": "SPDYANDOVERSEAS_PROXY"
    },
    {
    "name": "SdkVer",
    "value": "9.20.2.16\",\"last_modified\":1562745518},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/evilPage16.pb?zeus_ver=9.20.2.16"
    },
    {
    "name": "sdk",
    "value": "9.20.2.16"
    },
    {
    "name": "app",
    "value": "com.baidu.searchbox"
    },
    {
    "name": "appversion",
    "value": "11.15.0.12"
    },
    {
    "name": "\",\"last_modified\":1568203355},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/ditingMax.pb?zeus_ver",
    "value": "9.20.2.16"
    },
    {
    "name": "sdk",
    "value": "9.20.2.16"
    },
    {
    "name": "app",
    "value": "com.baidu.searchbox"
    },
    {
    "name": "appversion",
    "value": "11.15.0.12"
    },
    {
    "name": "\",\"last_modified\":1573129057},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/adblock\\/magicfilter.js?zeus_ver",
    "value": "9.20.2.16"
    },
    {
    "name": "sdk",
    "value": "9.20.2.16"
    },
    {
    "name": "app",
    "value": "com.baidu.searchbox"
    },
    {
    "name": "appversion",
    "value": "11.15.0.12"
    },
    {
    "name": "\",\"last_modified\":1569469246},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/adblock\\/magicfilterv2_white_list.dat?zeus_ver",
    "value": "9.20.2.16"
    },
    {
    "name": "sdk",
    "value": "9.20.2.16"
    },
    {
    "name": "app",
    "value": "com.baidu.searchbox"
    },
    {
    "name": "appversion",
    "value": "11.15.0.12"
    },
    {
    "name": "\",\"last_modified\":1568980277},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/adblock\\/adblock_quick_filter.js?zeus_ver",
    "value": "9.20.2.16"
    },
    {
    "name": "sdk",
    "value": "9.20.2.16"
    },
    {
    "name": "app",
    "value": "com.baidu.searchbox"
    },
    {
    "name": "appversion",
    "value": "11.15.0.12"
    },
    {
    "name": "\",\"last_modified\":1562932245},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/adblock\\/adblock.pb?zeus_ver",
    "value": "9.20.2.16"
    },
    {
    "name": "sdk",
    "value": "9.20.2.16"
    },
    {
    "name": "app",
    "value": "com.baidu.searchbox"
    },
    {
    "name": "appversion",
    "value": "11.15.0.12"
    },
    {
    "name": "\",\"last_modified\":1572869396},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/ml_model\\/magicFilter30.conf_v1?zeus_ver",
    "value": "9.20.2.16"
    },
    {
    "name": "sdk",
    "value": "9.20.2.16"
    },
    {
    "name": "app",
    "value": "com.baidu.searchbox"
    },
    {
    "name": "appversion",
    "value": "11.15.0.12"
    },
    {
    "name": "\",\"last_modified\":1567071596},{\"request_url\":\"https:\\/\\/browserkernel.baidu.com\\/pac-version2.0\\/spdy.conf.txt?ProxyType",
    "value": "SPDYANDOVERSEAS_PROXY"
    },
    {
    "name": "SdkVer",
    "value": "9.20.2.16"
    },
    {
    "name": "mianliu",
    "value": "true\",\"last_modified\":1547541420}]"
    }
    ]
    }
    },
    "response_data": {
    "status": 502,
    "statusText": "Bad Gateway",
    "httpVersion": "HTTP/1.1",
    "cookies": [],
    "headers": [
    {
    "name": "Connection",
    "value": "keep-alive"
    },
    {
    "name": "Content-Length",
    "value": "537"
    },
    {
    "name": "Content-Type",
    "value": "text/html"
    },
    {
    "name": "Date",
    "value": "Fri, 08 Nov 2019 19:16:57 GMT"
    },
    {
    "name": "Etag",
    "value": "\"57d255e7-219\""
    },
    {
    "name": "Server",
    "value": "nginx"
    }
    ],
    "content": {
    "size": 537,
    "compression": 0,
    "mimeType": "text/html",
    "text": "<!DOCTYPE html>\n<html>\n<head>\n<title>Error</title>\n<style>\n body {\n width: 35em;\n margin: 0 auto;\n font-family: Tahoma, Verdana, Arial, sans-serif;\n }\n</style>\n</head>\n<body>\n<h1>An error occurred.</h1>\n<p>Sorry, the page you are looking for is currently unavailable.<br/>\nPlease try again later.</p>\n<p>If you are the system administrator of this resource then you should check\nthe <a href=\"http://nginx.org/r/error_log\">error log</a> for details.</p>\n<p><em>Faithfully yours, nginx.</em></p>\n</body>\n</html>\n"
    },
    "redirectURL": "",
    "headersSize": 199,
    "bodySize": 537
    }
    }