Notes on a flashy SRC vulnerability-hunting idea

This article is for technical discussion and learning only. Any direct or indirect consequences or losses caused by using the information in this article are the responsibility of the user alone; the author assumes no responsibility for them.

It is intended only for testing on authorized targets. The author takes no responsibility for tests against unauthorized targets; the user bears all responsibility.

Article text

Foreword

During this SRC vulnerability-hunting session I had pretty much hit a dead end. The breakthrough came only after I read the WeChat Mini Program development documentation. I have not seen anyone share this type of vulnerability so far. If you find today's share useful, please follow!

Hands-on

After a lot of analysis, to be honest, I had not found a single hole and was feeling a bit lost. Then I found a login point. If it were you, what would you think?

This function point logs the user in by scanning a QR code with the WeChat Mini Program. First, click "personal login", capture the packet, and try it out.

Capturing this interface's packet returned a long string of encrypted data, and I was completely baffled. Taken literally, the interface obtains the WeChat accesstoken.

The system has many function points that log in by scanning a QR code with the Mini Program, so I decided to read the development documentation carefully; otherwise I might not dig out many holes later. From the development documentation I learned that the accesstoken is the lifeblood of Mini Program API calls.

From the captured packets we know that the personal-login function point first obtains the accesstoken and then uses it to generate the QR code. Here you can obtain the Mini Program's accesstoken directly, which is equivalent to getting the accesstoken without knowing the appid and AppSecret. Some extra background: according to the Mini Program development manual, if you have the appid and secret you can request the accesstoken directly:

https://api.weixin.qq.com/cgi-bin/token?grant_type=client_credential&appid=APPID&secret=APPSECRET

Using the accesstoken to upload a picture on the online developer tool platform proves that this accesstoken really is the Mini Program's accesstoken; the upload succeeds:

With it, many Mini Program interfaces listed in the developer documentation can be called, which is very harmful. The WeChat developer documentation also stipulates that the accesstoken can only be obtained 2,000 times a day, and since this interface hands out a fresh accesstoken on every call, the quota can be exhausted and the service breaks: every function point and Mini Program that depends on the accesstoken becomes unusable. At 12 o'clock in the morning I ran a test to reproduce this with repeated Burp requests; in less than a minute no accesstoken could be obtained, login could no longer be attempted, the QR code could no longer be generated, and since much content requires login to view, the harm is very large. In the end I successfully got a 2k bounty, so I can go get skewers hahaha
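The two defects described above are really one server-side design mistake: the login backend treats the Mini Program accesstoken as something the client may see, and it requests a new one on every login attempt. The following Python module is an added example (not code from the original post or from WeChat) showing how a login backend should handle the token instead: it is fetched once, cached until shortly before `expires_in` runs out, never returned to the client, and the backend refuses to call the token endpoint more than the daily quota. The HTTP calls are injected as functions so the module runs offline; the `{"access_token": ..., "expires_in": 7200}` shape the fake fetcher returns mirrors the response of the token endpoint quoted above, and all class, function and field names are this example's own.

```python
"""Server-side handling of a WeChat Mini Program access_token (added example).

Controls demonstrated:
  1. The token is cached and reused until it is about to expire, so client
     traffic cannot burn the daily quota of the token endpoint.
  2. The token is consumed on the server to generate the login QR code and
     is never placed in a response sent to the client.
  3. Every client-bound payload is checked for server-only credential fields.
"""
import base64
import time
from typing import Any, Callable, Dict, Optional

# Field names (normalised: lower-case, underscores removed) that must never reach a client.
SERVER_ONLY_KEYS = {"accesstoken", "appsecret", "secret"}


class TokenCache:
    """Holds one access_token and refreshes it only when it is about to expire."""

    def __init__(self, fetch: Callable[[], Dict[str, Any]],
                 clock: Callable[[], float] = time.time,
                 refresh_margin: int = 300, daily_quota: int = 2000):
        self._fetch = fetch            # in production: the HTTPS call to the token endpoint
        self._clock = clock            # injectable for testing
        self._margin = refresh_margin  # refresh early so callers never receive a stale token
        self._quota = daily_quota      # the 2,000 calls/day limit the write-up mentions
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self._quota_day: Optional[int] = None
        self.fetch_count = 0           # token-endpoint calls made today

    def _check_quota(self) -> None:
        day = int(self._clock() // 86400)
        if day != self._quota_day:     # new day: the quota resets
            self._quota_day, self.fetch_count = day, 0
        if self.fetch_count >= self._quota:
            raise RuntimeError("daily access_token quota exhausted; refusing to call token endpoint")

    def get(self) -> str:
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._margin:
            self._check_quota()
            data = self._fetch()
            if "access_token" not in data:  # WeChat returns errcode/errmsg instead on failure
                raise RuntimeError(f"token endpoint error: {data}")
            self._token = data["access_token"]
            self._expires_at = now + int(data.get("expires_in", 7200))
            self.fetch_count += 1
        return self._token


def assert_client_safe(payload: Dict[str, Any]) -> None:
    """Reject any client-bound payload that carries a server-only credential field."""
    for key in payload:
        if key.lower().replace("_", "") in SERVER_ONLY_KEYS:
            raise ValueError(f"refusing to send server-only field {key!r} to the client")


def build_login_qr(cache: TokenCache, make_qr: Callable[[str], bytes], scene: str) -> Dict[str, Any]:
    """Generate the login QR code on the server and return only what the client needs.

    make_qr stands in for the WeChat QR-code API call that consumes the access_token;
    the token is used here and discarded, never copied into the response.
    """
    png = make_qr(cache.get())
    response = {"scene": scene, "qr_png_base64": base64.b64encode(png).decode("ascii")}
    assert_client_safe(response)
    return response


if __name__ == "__main__":
    # Constructed offline stand-ins for the WeChat endpoints.
    calls = []

    def fake_fetch() -> Dict[str, Any]:
        calls.append(1)
        return {"access_token": f"constructed-token-{len(calls)}", "expires_in": 7200}

    cache = TokenCache(fake_fetch)
    for i in range(3):  # three logins, one token-endpoint call
        print(build_login_qr(cache, lambda tok: b"PNG-for-" + tok.encode(), f"login-{i}"))
    print("token endpoint calls:", len(calls))
```

In production `fetch` wraps the real `cgi-bin/token` request and `make_qr` wraps the QR-code API; the point of the injection is that neither the token nor the AppSecret is ever part of a value that `build_login_qr` returns, and `assert_client_safe` turns an accidental leak like the one in the write-up into a server error instead of a disclosure.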


Origin blog.csdn.net/weixin_52501704/article/details/130489194