CatRunner

1. # Cat Runner: Decorate Home - External Control of Assumed-Immutable Web Parameter
2. # Date: Jan 17, 2019
3. # Software Link: https://play.google.com/store/apps/details?id=com.solou.catendless.run&hl=en
4. # Version: 2.8.0 Android App
5. # Vendor: Ivy
6. # Exploit Author: Loc Phan Van
7. # Category: Mobile Apps
8. # Tested on: Android 8.1
9.  
10. # Description
11. # The application API does not sufficiently verify inputs that are assumed to be immutable but are actually
12. # externally controllable. The attackers can manipulate its parameters exchanged between client and server in
13. # order to modify application data, and gain benefits for their own account. In this case, the score parameter of # users can be changed externally.
14.  
15. #PoC
16.  
17. Request:
18.  
19. Post //index/commit HTTP/1.1
20. Content-type: application/x-www-form-urlencoded
21. X-Unity-Version: 5.6.4f1
22. User-agent: Dalvik/2.1.0 (Linuxl; U; Android 5.1.1; SN-G920V Build/LVY47X)
23. Host: card.matchJplay.com
24. Connection: close
25. Accept-Encoding: gzip, deflate
26. Content-Length: 89
27.  
28. uid=1aef329eb95be620abfa417d20112b2e&appid=2419&tag=Highschore&score=151414141&week201903
29.  
30. Response
31.  
32. HTTP/1.1 200 OK
33. Server: nginx/1.14.0
34. Date: Thu, 17 Jan 2019 03:49:55 GMT
35. Content-type: text/hmlt, charset-UTF-8
36. Connection: close
37. X-Powered-By: PHP/7.2.6
38. Content-Length: 28
39.  
40. {"status":1 ,"msg" : "success"}
41.  
42. References:
43. https://www.youtube.com/watch?v=u5iEeLZnYVg