The author wrote this a long time ago. It combines theory with practice, and is a good article.
/Empty heart
Websites sending text messages to their users has become a common feature; almost every major portal has some function that sends SMS to users. Websites generally send text messages in one of two ways, active or passive. In the active method, the user enters his or her mobile number on the site and the site sends the message. In the passive method, the user first sends a text message to the website, and the website then replies.
A friend has used text-message services before. The SMS interface is not free: although each message is very cheap, a large volume of messages can still hurt for a while. To keep costs down, and to stop users from sending malicious content (fraud, or content that would not pass Green Dam), websites add defenses such as verification codes and do not let users control the message content. Even so, there are always plenty of gaps.
Take a typical example:
A large portal website provides a function that sends "mobile games" to users' phones.
Look at what the web page submits:
HTTP request:
POST http://mobile.*****.com.cn/sa/appdown.php HTTP/1.0
User-Agent: Opera/9.64 (Windows NT 5.1; U; Edition IBIS; zh-cn) Presto/2.1.1 Paros/3.2.13
Host: mobile.****.com.cn
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: zh-CN, zh;q=0.9, en;q=0.8
Accept-Charset: iso-8859-1, UTF-8, UTF-16, *;q=0.1
Accept-Encoding: identity, *;q=0
Referer: http://mobile.*****.com.cn/sa/game_content.html?F=12053
Cookie: ****_NEWS_CUSTOMIZE_city=%DDE;****GLOBAL=27.6401122;ULV=124618208;Vjuids=-1de8654069555;Vjlast=1246458586;VISITED_TEL_RBT_*****=13333333333;VISITED_RID_RBT_****=11;User_mobile=13333333333;User_aid_27=114;Apache=12467562.6912
Cookie2: $Version=1
Proxy-Connection: Keep-Alive
Content-Length: 141
Content-Type: application/x-www-form-urlencoded

model=MOT-L6&smodel=71&phonenum=13333333333&game_num=102177&game_id=837&game_name=%C8%fd%b9%fa%c3%cd%bd%AB%bb%aa%d3%e9%b0%e6&x=47&y=10
After the request is sent, the phone receives the following text message:
Three Kingdoms VIP Edition
http://XXXXXX (a URL)
Resend the request and another text message arrives; resend it again and the same happens.
The function does not limit the number of sends.
The game name in the text message (rendered above as "Three Kingdoms VIP Edition") is the URL-encoded value of the "game_name" field in the HTTP request. Change that value in the request and send it again: the text message you receive changes accordingly.
Since we can influence part of the text message content, we can send any message we like to the user. Here we send an MMS message.
This function therefore has two vulnerabilities: unlimited sending frequency, and partly customizable content.
With custom content, it can be turned into a text-message bomb.
The tool is extremely dangerous and will not be provided, even for research purposes.
Check the received text message:
I wonder what the consequences would be if this platform were used for text-message fraud, which seems to be very common lately. One could send a text message like "You have won a prize. We are the *** SMS platform. Please remit the money to XXX. Before remitting, please visit the *** website to check that the sender number matches, to avoid being cheated." After all, this is the portal's own text-message platform. Even setting aside the cost of the messages, the impression left on users has to be considered.
The vulnerability has been fixed.
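As an added illustration (not the portal's actual fix, which the author does not describe), this Python handler closes both holes described above: the message text is looked up server-side by game_id instead of being taken from the client's game_name field, and sends are rate-limited per destination number and per client. The catalogue entries, limits, field names and the phone-number pattern are assumptions.

```python
import re
import time

# Constructed catalogue: message text comes from here by game_id, never from the client's game_name.
GAME_CATALOG = {
    837: ("Three Kingdoms VIP Edition", "http://example.invalid/dl/837"),
}
PHONE_RE = re.compile(r"^1\d{10}$")  # assumption: 11-digit mainland-China mobile number
MAX_PER_PHONE = 3     # sends to one destination number per window
MAX_PER_CLIENT = 10   # sends requested by one client (session or IP) per window
WINDOW_SECONDS = 3600

class RateLimiter:
    # Sliding-window counter keyed by a string (phone number or client id).
    def __init__(self, limit, window, clock=time.time):
        self.limit, self.window, self.clock = limit, window, clock
        self.events = {}

    def allow(self, key):
        now = self.clock()
        recent = [t for t in self.events.get(key, []) if now - t < self.window]
        if len(recent) >= self.limit:
            return False
        self.events[key] = recent + [now]
        return True

class SmsHandler:
    def __init__(self, clock=time.time):
        self.per_phone = RateLimiter(MAX_PER_PHONE, WINDOW_SECONDS, clock)
        self.per_client = RateLimiter(MAX_PER_CLIENT, WINDOW_SECONDS, clock)
        self.sent = []  # stand-in for the real SMS gateway call

    def handle(self, form, client_id):
        # form: parsed POST fields as a dict; returns (ok, reason).
        phone = form.get("phonenum", "")
        if not PHONE_RE.match(phone):
            return False, "bad phone number"
        try:
            game_id = int(form.get("game_id", ""))
        except ValueError:
            return False, "bad game_id"
        if game_id not in GAME_CATALOG:
            return False, "unknown game"
        if not self.per_client.allow(client_id):
            return False, "client rate limit"
        if not self.per_phone.allow(phone):
            return False, "phone rate limit"
        name, url = GAME_CATALOG[game_id]  # trusted text, not form["game_name"]
        self.sent.append((phone, f"{name}\n{url}"))
        return True, "sent"
```

A request whose game_name differs from the catalogue entry still produces the catalogue text, and the fourth request for the same number inside the window is refused.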
Another typical example:
Google's weather-forecast text-message subscription. A verification code is sent to the user by SMS, and after entering the code the user can subscribe to the forecast.
Take a look at the packets:
The first request (if the request carries no cookie, the response sets one):
HTTP request:
GET http://www.google.com/sms/alerts/register HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Referer: http://www.google.com/sms/alerts
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) Paros/3.2.13
Host: www.google.com
Proxy-Connection: Keep-Alive
The verification code is requested first.
The response is a JSON array containing an ID, plus a Set-Cookie.