Disclaimer: the techniques, ideas and tools in this article are for security learning and exchange only. No one may use them for illegal purposes or for profit; otherwise you bear the consequences yourself! If anything infringes your rights, please let us know and we will remove it immediately and apologize. Thank you!
If you have questions about the article, message me on the public account or leave a comment. I check every day.
Word count 729, about 4 minutes to read
Preface
When a company's web app, mini program, Android APK or iOS app involves map or location features, it inevitably has to embed a map provider's API key.
Some companies accept this finding and some do not, because the only impact of a leaked key is consumption of the map service's quota.
Map API key introduction
As the name suggests, once we have this key we can send requests to Amap (Gaode), Baidu Maps and the like, to see where a given pair of coordinates is, or which banks are in a specified area.
Example request: https://restapi.amap.com/v3/direction/walking?origin=116.434307,39.90909&destination=116.434446,39.90816&key={self.amap_key}
Where is the key?
Usually in front-end or client code: the JS of web apps and mini programs, and the configuration files of APKs and iOS apps.
How to find the key?
Search with fofa or hunter
Batch search with FOFA syntax
(body="webapi.amap.com" || body="api.map.baidu.com" || body="apis.map.qq.com" || body="map.qq.com/api/js?v=") && is_domain=true
Search tips
• Reference: a round-up of advanced search tricks https://xz.aliyun.com/news/14952
In an APK
Open the APK in jadx, view AndroidManifest.xml and search for the keyword map, for example:
com.baidu.lbsapi.API_KEY
Scanning tool
FindSomething
Project page: https://github.com/momosecurity/FindSomething
The Chrome Web Store recently disabled FindSomething; load the source in Chrome's developer mode instead. It can also be configured in Yakit, as described in an earlier article:
• Adding a local plugin in the Yakit "browser"
Install the plugin
After that you can look for sensitive information, such as map API keys, in JS code straight from the browser.
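The same search can be run against your own build output before it ships. The following scanner is an added example (not the page's script and not FindSomething): it walks a JS bundle or AndroidManifest.xml fragment and reports tokens that look like Amap, Baidu or Tencent keys. The key formats, the `TencentMapSDK` meta-data name and the sample inputs are assumptions constructed for the example.

```python
import re

# Assumed formats (not stated on this page): Amap and Baidu keys are 32
# alphanumerics; Tencent LBS keys are six dash-separated groups of five.
TOKEN_32 = re.compile(r"(?<![0-9A-Za-z])[0-9A-Za-z]{32}(?![0-9A-Za-z])")
TENCENT_KEY = re.compile(r"\b(?:[0-9A-Z]{5}-){5}[0-9A-Z]{5}\b")

# Same-line context that marks a 32-char token as a map key: vendor host,
# query parameter name, or the manifest meta-data name the article searches.
HINTS = {
    "amap": ("amap.com", "key="),
    "baidu": ("map.baidu.com", "ak=", "com.baidu.lbsapi.API_KEY"),
}

# Constructed samples (a JS bundle and an AndroidManifest.xml fragment);
# every key is made up, the md5 line is a decoy, TencentMapSDK is assumed.
SAMPLE_JS = (
    '<script src="https://webapi.amap.com/maps?v=2.0&key=0123456789abcdef0123456789abcdef"></script>\n'
    'var baiduUrl = "https://api.map.baidu.com/place/v2/search?ak=" + "aB3dE6gH9jK2mN5pQ8sT1vW4yZ7xC0fG";\n'
    'var sha = "d41d8cd98f00b204e9800998ecf8427e"; // a plain md5, not a key\n'
)
SAMPLE_MANIFEST = (
    '<meta-data android:name="com.baidu.lbsapi.API_KEY" android:value="Zz9Yy8Xx7Ww6Vv5Uu4Tt3Ss2Rr1Qq0Pp"/>\n'
    '<meta-data android:name="TencentMapSDK" android:value="ABCDE-FGHIJ-KLMNO-PQRST-UVWXY-Z1234"/>\n'
)

def _vendor_before(before):
    """Vendor whose hint sits closest before the token on its line, or None."""
    best, best_pos = None, -1
    for vendor, hints in HINTS.items():
        for hint in hints:
            pos = before.rfind(hint)
            if pos > best_pos:
                best, best_pos = vendor, pos
    return best

def find_map_keys(text):
    """Return sorted (vendor, key) pairs. A 32-char token counts only when a
    vendor hint precedes it on the same line, which keeps ordinary hashes
    out; Tencent keys are distinctive enough to report on format alone."""
    hits = set()
    for m in TOKEN_32.finditer(text):
        line_start = text.rfind("\n", 0, m.start()) + 1
        vendor = _vendor_before(text[line_start:m.start()])
        if vendor:
            hits.add((vendor, m.group(0)))
    for m in TENCENT_KEY.finditer(text):
        hits.add(("tencent", m.group(0)))
    return sorted(hits)
```

Calling `find_map_keys(SAMPLE_JS + SAMPLE_MANIFEST)` reports the four planted keys and skips the md5 line; feed it the contents of a real bundle or manifest to use it as a pre-release check.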
Detection
The script is at the end of the article.
Remediation advice
• Tencent's key configuration advice https://lbs.qq.com/faq/serverFaq/webServiceKey
1. Hide the key and avoid hard-coding it
2. Set a domain allow-list for access
For details see: Common map key leaks and fixes https://mp.weixin.qq.com/s/0MB3cwHxyGZYi_pXhUxV7Q
Test script
```python
import requests


class MapAPICaller:
    def __init__(self, key):
        # The same key is tried against every vendor's endpoint;
        # only the vendor that issued it will return real data.
        self.amap_key = key
        self.baidu_key = key
        self.tencent_key = key

    def _get(self, url, as_json=True):
        # Shared request helper: returns parsed JSON (or raw text for the
        # JSONP endpoint) and None on any network, HTTP or decoding error.
        try:
            response = requests.get(url, timeout=10)
            response.raise_for_status()
            return response.json() if as_json else response.text
        except (requests.RequestException, ValueError) as e:
            print(f"请求出错: {e}")
            return None

    def amap_walking_direction(self):
        # Amap web service API: walking route between two points
        url = (f"https://restapi.amap.com/v3/direction/walking?origin=116.434307,39.90909"
               f"&destination=116.434446,39.90816&key={self.amap_key}")
        return self._get(url)

    def amap_jsapi_regeo(self):
        # Amap JS API style reverse geocoding (JSONP callback), returned as text
        url = (f"https://restapi.amap.com/v3/geocode/regeo?key={self.amap_key}&s=rsv3"
               f"&location=116.434446,39.90816&callback=jsonp_258885_&platform=JS")
        return self._get(url, as_json=False)

    def amap_miniprogram_regeo(self):
        # Amap mini-program SDK style reverse geocoding
        url = (f"https://restapi.amap.com/v3/geocode/regeo?key={self.amap_key}"
               f"&location=117.19674%2C39.14784&extensions=all&s=rsx&platform=WXJS"
               f"&appname=c589cf63f592ac13bcab35f8cd18f495&sdkversion=1.2.0&logversion=2.0")
        return self._get(url)

    def baidu_webapi_search(self):
        # Baidu web service API: place search ("&region" had been mangled to "®ion")
        url = (f"https://api.map.baidu.com/place/v2/search?query=ATM机&tag=银行&region=北京"
               f"&output=json&ak={self.baidu_key}")
        return self._get(url)

    def baidu_webapi_ios_search(self):
        # Baidu iOS SDK style call; the parameter name between the ak value and
        # "iPhone7%2C2" is missing from the source and is left as found
        url = (f"https://api.map.baidu.com/place/v2/search?query=ATM机&tag=银行&region=北京"
               f"&output=json&ak={self.baidu_key}=iPhone7%2C2&mcode=com.didapinche.taxi&os=12.5.6")
        return self._get(url)

    def tencent_webapi_search(self):
        # Tencent LBS web service API: nearby place search
        url = (f"https://apis.map.qq.com/ws/place/v1/search?keyword=酒店"
               f"&boundary=nearby(39.908491,116.374328,1000)&key={self.tencent_key}")
        return self._get(url)

    def batch_call(self):
        # Try every endpoint once and collect the responses by label
        results = {
            "高德webapi": self.amap_walking_direction(),
            "高德jsapi": self.amap_jsapi_regeo(),
            "高德小程序定位": self.amap_miniprogram_regeo(),
            "百度webapi": self.baidu_webapi_search(),
            "百度webapiIOS版": self.baidu_webapi_ios_search(),
            "腾讯webapi": self.tencent_webapi_search(),
        }
        return results


def print_results(json_data):
    # Print each endpoint label and the response it returned
    if isinstance(json_data, dict):
        for key, value in json_data.items():
            print(f"Key: {key}, Value: {value}")


if __name__ == '__main__':
    key = "key的值"  # the key under test
    result = MapAPICaller(key).batch_call()
    print_results(result)
```
References
• Ways to exploit leaked map API keys https://www.cnblogs.com/l1l1l1/p/18006433
• Common map key leaks and fixes https://mp.weixin.qq.com/s/0MB3cwHxyGZYi_pXhUxV7Q
• Hands-on: exploiting API endpoints with leaked keys https://zone.huoxian.cn/d/2909-keyapi
• Calling the Amap API and parsing the data https://blog.csdn.net/cyylucky/article/details/100535921
• https://lbsyun.baidu.com/faq/api?title=androidsdk
• https://lbsyun.baidu.com/faq/api?title=androidsdk/guide/create-project/ak
Originally published on the WeChat public account sec0nd安全: 地图apikey泄露与利用方式(附利用脚本) ("Map API key leakage and exploitation methods, with script")