本篇文章记录 2015年初时利用微信网页版红包 H5 接口实现的通用型平台抢红包神器,不同于目前市面上的抢红包外挂(模拟点击、HookAPI等)方式,当然该漏洞在15年3月便已经修复。
我们在使用网页版微信时无法点击领取红包,但是通过控制台查看网络包发现红包地址在 Response 中:
https://wxapp.tenpay.com/app/v1.0/receive.cgi?showwxpaytitle=1&sendid=1000033901********10153974107&channelid=1&msgtype=1&ver=2&sign=aefc0f0fadb6f09993fb071bf3****************9b4d8020f07c351c4bb6489d60d65f7f9fb2622f977fa613cbe443f6c7279f03fff2aff18859674c978656ed45388e3f606eae42a0f8ef9014f1***********21e055163c935
https://wxapp.tenpay.com/app/v1.0/receive.cgi?showwxpaytitle=1&sendid=1000033901********10153974107&channelid=1&msgtype=1&ver=2&sign=aefc0f0fadb6f09993fb071bf3****************9b4d8020f07c351c4bb6489d60d65f7f9fb2622f977fa613cbe443f6c7279f03fff2aff18859674c978656ed45388e3f606eae42a0f8ef9014f1***********21e055163c935
当群组或者用户给我们发红包时可以在返回内容中可以看到红包的 URL 地址(手机端老版本的微信是使用 H5 的接口领取红包,而无法自动判断用户发来的消息是否为红包,网页版本微信解决了判断是否为红包消息的问题,并且能获取 URL)。
直接在浏览器访问获取到的红包 URL,提示来源错误。任何 HTTP 请求重放都是简单的,之后使用 Mitmproxy 获取手机抢红包时的 Cookie,User-Agent 等 Header 头,然后进行重放包是可以成功领取红包的。
流水线:
自动化:
效果图:
wechat_web_hook.js:
s:
/ * HookJS @ evi1m0, fyth, erevus. * Datetime @ 2015 /
$._ajax = $.ajax;
function check(c){ var AddMsgList = c.AddMsgList; if (AddMsgList) { AddMsgList.forEach(function(elem, index){ var str = ''; str = elem.Url || ''; var bingo = /https:////wxapp.tenpay.com/.test(str); if(bingo) { str = str.replace(/amp;/g, '') console.log(str); $.post('http://localhost:1234/wechat', {url: str}) } }); } }
function a(e, n){ e. s = e.success; e.success = function(data) { try{ check(data, this); this. s.apply(this, arguments); } catch(e){
} } c = $._ajax(e, n); return c;
} $.ajax = a;
s: /* * HookJS @ evi1m0, fyth, erevus. * Datetime @ 2015 */ $._ajax = $.ajax; function check(c){ var AddMsgList = c.AddMsgList; if (AddMsgList) { AddMsgList.forEach(function(elem, index){ var str = ''; str = elem.Url || ''; var bingo = /https:////wxapp.tenpay.com/.test(str); if(bingo) { str = str.replace(/amp;/g, '') console.log(str); $.post('http://localhost:1234/wechat', {url: str}) } }); } } function a(e, n){ e._s = e.success; e.success = function(data) { try{ check(data, this); this._s.apply(this, arguments); } catch(e){ } } c = $._ajax(e, n); return c; } $.ajax = a;
views.py:
from django.shortcuts import render from django.http import HttpResponse
import re import sys import json import time import base64 import urllib import urllib2 import requests
def index(request): url = 'http://www.baidu.com' req = urllib2.urlopen(url) content = req.read() return HttpResponse(content)
def open(request, url): url = urllib.unquote(url).replace('amp;', '') print url cookie = "test NULL" return HttpResponse(_money(url, cookie))
def money(url, cookie): headers fake = {'User-Agent': ("Mozilla/5.0 (Linux; U; Android 4.2.2; zh-cn; Galaxy Nexus - 4.2.2 - with Google Apps" "- API 17 - 720x1280 1 Build/JDQ39E) AppleWebKit/534.30 (KHTML, like Gecko)" "Version/4.0 Mobile Safari/534.30 MicroMessenger/5.3.0.80_r701542.440"), 'X-Requested-With': 'com.tencent.mm', 'Cookie': cookie, }
try: req_key_content = requests.get(url, headers=headers_fake).content except Exception,e: print e try: g_sendld = re.findall('g_sendId: "(.*?)",', req_key_content) g_sendnick = re.findall('g_sendNick: "(.*?)",', req_key_content) g_detailtoke = re.findall('g_detailToke: "(.*?)",', req_key_content) g_detailtoke = (g_detailtoke[0]) except Exception, e: print '[-] Error: %s' % str(e) return False sign_key = (str(url.split('&')[-1:]).split('=')[1])[:-2] receive_url = ("https://wxapp.tenpay.com/app/v1.0/wxhb_open.cgi?msg_type=&send_id=%s&channel_id=&detailToke=%s&scene=" "&us=&sign=%s&attention=0&hb_version=v2&ver=2&isappinstalled=0&clientversion=25030050&devicetype=android" "-17") receive_url = receive_url % (g_sendld[0], g_detailtoke[:-4]+'%3D', sign_key) # LOLLLLLLLLLLLLLLLLLLLLLLLLL time.sleep(1) receive_content = requests.get(receive_url, headers=headers_fake).content try: return_json_data = json.loads(receive_content) if return_json_data['retmsg'] == 'ok': money_count = return_json_data['amount'] * 0.01 print '[+] Success: %s$' % money_count return money_count else: print '[-] Status: %s' % return_json_data['retmsg'] except Exception, e: print str(e)
#!/usr/bin/env python # author : evi1m0, rains # datetime: 201502 fromdjango.shortcutsimportrender fromdjango.httpimportHttpResponse importre importsys importjson importtime importbase64 importurllib importurllib2 importrequests defindex(request): url = 'http://www.baidu.com' req = urllib2.urlopen(url) content = req.read() return HttpResponse(content) defopen(request, url): url = urllib.unquote(url).replace('amp;', '') printurl cookie = "test NULL" return HttpResponse(_money(url, cookie)) def_money(url, cookie): headers_fake = {'User-Agent': ("Mozilla/5.0 (Linux; U; Android 4.2.2; zh-cn; Galaxy Nexus - 4.2.2 - with Google Apps" "- API 17 - 720x1280 1 Build/JDQ39E) AppleWebKit/534.30 (KHTML, like Gecko)" "Version/4.0 Mobile Safari/534.30 MicroMessenger/5.3.0.80_r701542.440"), 'X-Requested-With': 'com.tencent.mm', 'Cookie': cookie, } try: req_key_content = requests.get(url, headers=headers_fake).content exceptException,e: print e try: g_sendld = re.findall('g_sendId: "(.*?)",', req_key_content) g_sendnick = re.findall('g_sendNick: "(.*?)",', req_key_content) g_detailtoke = re.findall('g_detailToke: "(.*?)",', req_key_content) g_detailtoke = (g_detailtoke[0]) exceptException, e: print '[-] Error: %s' % str(e) return False sign_key = (str(url.split('&')[-1:]).split('=')[1])[:-2] receive_url = ("https://wxapp.tenpay.com/app/v1.0/wxhb_open.cgi?msg_type=&send_id=%s&channel_id=&detailToke=%s&scene=" "&us=&sign=%s&attention=0&hb_version=v2&ver=2&isappinstalled=0&clientversion=25030050&devicetype=android" "-17") receive_url = receive_url % (g_sendld[0], g_detailtoke[:-4]+'%3D', sign_key) # LOLLLLLLLLLLLLLLLLLLLLLLLLL time.sleep(1) receive_content = requests.get(receive_url, headers=headers_fake).content try: return_json_data = json.loads(receive_content) if return_json_data['retmsg'] == 'ok': money_count = return_json_data['amount'] * 0.01 print '[+] Success: %s$' % money_count return money_count else: print '[-] Status: %s' % return_json_data['retmsg'] exceptException, e: printstr(e)
文中部分代码和图片因时间无法全面提供,修复后不再传输红包地址:
如果你要问现在还有没有新的方法,嗯是有的。