2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Today I will talk about how a Python proxy working together with Burp can automate "free water" use; many readers may not know much about it. To help you understand, the editor has summarized the following content. I hope you get something out of this article.
0x01 Preface
This article is only a test of a campus hot-water app. I did not actually do anything harmful or spread the technique; the sensitive parts below are redacted, and the vendor is already working on a fix, so treat it as a read-through. At the end of the article I will provide the key code for "building a simple proxy server in Python"; the code is simple and open source, and I have added some comments. The final exp targets only this app; interested readers can take a look. What follows includes personal opinions, so go easy on me. If anything is misleading, please point it out.
0x02 Analysis and practice with Fiddler
To test this app, first understand how the app works.
After logging in, the main interface of the app looks like this:
The logic is simple; the steps are as follows:
1. The app connects to the water meter over Bluetooth.
2. 10 yuan is first deducted from your balance and moved to the withholding amount (if you have less than 10 yuan, all of it is deducted).
3. The water meter shows 10 yuan, i.e. your withholding amount (I only had 6 yuan, so it showed 6 yuan), and the meter starts dispensing water.
4. As water is used, the amount shown on the meter decreases.
5. When you stop using water, the amount shown on the meter is the remainder and is returned to your balance.
This analysis alone is not enough. Let's use Fiddler to see what HTTP requests the app makes to the server.
For how to capture a phone's traffic, see this, which explains it better than I can: how to use Fiddler to capture packets from Android applications
Screenshot of the HTTP requests when the app starts:
I requested five times but found nothing wrong. To know what these requests are for, look at the content of the GET and POST requests and the server's responses. From the "Message=not found version" in the lower right corner of Fiddler in the screenshot, you can guess that this HTTP request checks for updates.
As everyone knows, Fiddler is mostly used to change amounts. Without using any water the amount does not change, so let's try using water now.
Click the "Click to start using water" button and look at the app screenshot and Fiddler's HTTP requests.
The app deducted 6 yuan and moved it to the withholding amount. The water meter shows 6.00 yuan.
(Pretend there is a photo of the water meter here.jpg)
Looking at the Fiddler screenshot, there are 4 HTTP requests in total. Note the red box: "00A3AAAF" is the order number for this water use, which will be needed later.
Looking at these HTTP requests, no amount information is exchanged with the server at this stage.
Next step: stop using water and let it return the balance.
App screenshot, and Fiddler's capture of the amount:
You can see that the order number in the red box is used in the checkout and refund request and does not need to be changed. The value of bal is obviously the refund amount. Change it to 6, my withholding amount, and the whole withholding amount is refunded! (Two HTTP requests in this app return the balance with the same value; both have to be changed to 6, and I will not post the screenshot of the other one.)
Click to confirm the checkout and the balance changes back to 6 yuan. This "confirm checkout" button is really just a refresh command.
0x03 Building a simple proxy server with Python + Burp
Fiddler was used above to exploit the vulnerability, but it needs manual changes every time; a script would be faster. I happened to see code for "building a proxy server in Python" on a certain "same-sex dating site" and wanted to see whether a small change to it could automate the exp.
Here is the original code:
I added comments to the key parts. I am not sure whether the code formatting will come out messy, so I will also attach it at the end of the article.
This time it is used together with Burp Suite: line 90 (the second-last line) takes the proxy address the phone's Wi-Fi was set to when capturing with Fiddler, plus the port number; this is what listens for the phone's HTTP requests. Line 44 takes the address Burp Suite listens on; all HTTP requests received from the phone are forwarded to Burp Suite. I will also post the Burp Suite settings:
Once set up, just run the code and the proxy service works. Although you could point the phone's proxy directly at Burp, this gives you an environment in which Python code can perform some man-in-the-middle operations of its own.
0x04 Implementing the automatic exp
PS: feel free to skip this section. Without the app and the Bluetooth water meter, most of what follows is hard to follow.
The proxy is in place, so now the code is turned into an exploitation tool for the vulnerable app.
Because this is not a general-purpose vulnerability, the tool can only target this app, so what follows contains little practical information; read on if interested.
Idea: through this proxy, replace the amount returned in the "checkout" request after stopping water use with the withholding amount, i.e. refund the whole amount.
One more thing: the more thorough the analysis of the app's HTTP requests, the simpler the exp is likely to be and the clearer the line of thinking.
There are many ways to exploit this; below I follow my own approach.
From the Fiddler test above we know that "water use" and "checkout/refund" are two separate HTTP requests. By common sense, "checkout" always comes after "water use", so immediately after the app performs "water use" we can send a forged "checkout" request to the server, because the forged request is sent from the PC, bypassing the app and talking to the server directly. The Bluetooth water meter's supply is therefore not affected by the checkout. The premise is that the "checkout" request can be forged successfully; if it cannot, it can still be intercepted and modified when the app issues it, so in theory there is no problem either way.
Forging "checkout" has to happen after "water use", so how do we recognise the "water use" request?
Using an if to check for features of the data is simple and clear. Since this is only a check, not an interception, you only need to add an if at the end of the conn_destnation function, that is, after destnation.send() has run, and start forging "checkout" if the request is "water use". Because checkout needs the order number, use the re module's regular expressions to match the features of the "water use" request, as shown in the screenshot:
The order number happens to be in the URL, which is very convenient.
With an if checking that the match is not empty, you can forge the "checkout" for the order number just obtained.
Forging the "checkout" request requires a cookie-like credential, which is stored in the header; the header of the "water use" request can be used directly.
But! I found that the credentials in the header for water use, checkout, balance check and so on never expire. Logging in again gives you new credentials, but the old ones still work! So you can be lazy and simply hard-code a header.
With the credential you can do anything. Besides the order number, you need the withholding amount. As mentioned earlier, it is usually 10 yuan, but sometimes the balance is below 10 yuan, so for compatibility the program also needs to fetch the withholding amount. Since the credential lets you do anything, you can forge the next request, which makes the server return the withholding amount.
See the figure above: with the credential, the server returns JSON; use Python's eval directly on it (json.loads would be the safer choice) and read the corresponding key's value.
Then comes sending the forged "checkout" request:
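Defensive counterpart, added here as an example and not code from the original article or the app's vendor: a server-side checkout handler that closes both issues described above, the client-supplied bal being trusted as the refund amount and the header credentials never expiring. It assumes a hypothetical in-memory order store and that the server holds an authoritative meter reading for each order (how that reading reaches the server is outside this article).

```python
# Added example, not from the original article or the app: a server-side
# checkout handler that never trusts the client's "bal" field. The refund
# comes from the server's own record of the order, and only the newest
# credential issued to the account is accepted. Storage is a constructed
# in-memory stand-in for the real database (assumption).
from dataclasses import dataclass


@dataclass
class Order:
    user: str
    withheld: float      # amount moved to withholding when water use began
    remaining: float     # authoritative meter reading held by the server (assumed)
    settled: bool = False


# Constructed sample state. The order id is the one shown in the article.
BALANCES = {"alice": 0.0}
ACTIVE_TOKENS = {"alice": "tok-new"}   # re-login rotates this, so old tokens die
ORDERS = {"00A3AAAF": Order("alice", withheld=6.0, remaining=2.0)}


def checkout(order_id, token, client_bal, log):
    """Settle an order. Returns ("ok", refund) or ("rejected", reason).

    client_bal is whatever the client sent as "bal". It is compared and
    logged for detection, but never used to compute the refund.
    """
    order = ORDERS.get(order_id)
    if order is None:
        return ("rejected", "unknown order")
    if ACTIVE_TOKENS.get(order.user) != token:
        return ("rejected", "stale or invalid credential")
    if order.settled:
        return ("rejected", "order already settled")   # blocks replayed checkouts
    # Server-side source of truth, clamped so it can never exceed the amount withheld.
    refund = max(0.0, min(order.remaining, order.withheld))
    if client_bal is not None and abs(float(client_bal) - refund) > 0.005:
        # A claimed refund that differs from the server's figure is exactly the
        # tampering pattern from the article: alert on it, do not honour it.
        log.append(f"bal mismatch order={order_id} claimed={client_bal} server={refund:.2f}")
    order.settled = True
    BALANCES[order.user] += refund
    return ("ok", refund)


if __name__ == "__main__":
    events = []
    print(checkout("00A3AAAF", "tok-new", 6.0, events))   # ("ok", 2.0)
    print(events)                                          # one mismatch line logged
    print(checkout("00A3AAAF", "tok-new", 2.0, events))   # ("rejected", "order already settled")
```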