0x01: Preface

A record of the process of digging into a mini program belonging to a university that is an EDUSRC certificate site.

While the experts are all digging up certificate-site vulnerabilities, a novice like me finds it hard to find anything on the web side and has no intranet account either, so the only option left is mini programs.

0x02: Preparation

Nox emulator (夜神模拟器) 6.6.1.1, Android 5

Burpsuite certificate

The Node + NPM environment

0x03: In Practice

First determine a certificate-site target. The ownership information shown for the mini program confirms that it really belongs to the target's assets, and the captured traffic shows it interacting with a subdomain of the target.

A first pass showed function points that were displayed but required login. A round of brute-forcing turned up no weak-password users, so I switched approach.

Try decompiling the mini program. (To obtain the wxapkg file, first delete all mini program packages in its directory, then open the mini program you want to test; the packages will be regenerated.) For example, _2100734759_11.wxapkg is the package that needs to be decompiled:

# node ../wxappUnpacker-master/wuwxapkg.js _459201295_105.wxapkg   // start decompiling

You get some source code; you can try looking for account passwords in it, and a lot of behaviour can be traced from it.

While going through the JS, one JS file turned out to contain password-change behaviour.

{success:200}

Just as I was stuck going through the JS, I noticed the words "user information loading"; that data should also be fetched from an interface that returns personal information.

Concatenating and requesting the path: xxxx.edu.cn/xxxx/user/a…

In the response the value of the password field is undefined. At first I foolishly took that to mean an empty password, but logging in to the admin account with an empty password gave "password incorrect", so I tried logging in with the literal string undefined instead.

The password field should have held a real password. Could the behaviour I traced earlier, the password-change function point, have been triggered by my last POST request? After all, I had sent it without any data.

I fuzzed that last interface with POST requests. The fuzzing went through without errors, but after several dictionaries the password still had not been changed.

The WXML file (mpassworx.wxml) gives the parameter names: newp = new password, confirmp = confirm new password. With those, the password-change request can be constructed.

The parameter values are MD5 hashes. (How did I know it was MD5? At the function point that returns personal information, fuzzing the staff number and student number showed that user passwords are stored as MD5 hashes.)

The password field changed from the original undefined to the MD5 value I submitted: the password was changed successfully.

Logged in to the system successfully with the account and the modified password.

From there you can manage meeting rooms and laboratories: open and close doors, switch on air conditioners and electric fans, and so on.

0x04: Practical Case 2

南神 (Nan), forever a legend!!

Again a mini program on a certificate site.

**First register an account with your mobile phone number.** Tip: when registering with a phone number you first receive a verification code for registration, but when I tried to use the forgot-password function point to get a code, no code was sent at all. Later I found that the verification code obtained during registration could be reused many times and never expired.

A dictionary of 0001-9999 gets through easily.

How to obtain an administrator's phone number? First, with the self-registered account, go through every function point in the system and look for a request carrying a userID value, then try to access another user's data with it.

Requesting another userID returns a "login timeout" message. Authentication is token-based, so I tried removing the token and then requesting another userID again: if that userID exists its data is returned, otherwise the result is null.

Fuzzing straight through the userID values returns linkMobile, which is the user's phone number.

Having obtained several administrators' phone numbers, the password can be changed directly through forgot-password by brute-forcing the 4-digit numeric code.

0x05: Afterword

All the vulnerabilities involved have been submitted to EDUSRC.

The network is like a path, diligence and thought carry you along it; information is like a sea, security is the boat that crosses it.
