
The Ideas and Pits of a Mini Program Bid Test

2019-07-12 22:51:58 Source: 沈阳小程序开发 Author: 沈阳软件开发

* Author: a mouse. This article belongs to the FreeBuf original reward program; reproduction without permission is prohibited.

First, a complaint. Recently I have been reading the articles on FB. In general, there is more and more low-level material, full of concepts that are hard to understand, and I don't have the courage to open them.

There are fewer and fewer valuable articles at the Web level. This has shown up in CTFs recently too: PWN rules the world, and the hard Web problems are basically a hodgepodge (everything thrown together into one question).

It may also be that there are more paid circles now, with various small circles using a pay-to-share mechanism (I feel that this mechanism is quite good; technology is priceless).

OK, that's it for the complaint. Now to the point.

In a so-called bid test, the more holes you find, the better. In that respect it is like a security test and different from a penetration test. That may sound a bit roundabout, so for example: a leaked banner or a leaked Apache version, which is basically harmless, still counts as a vulnerability and still earns points.

Nothing more to say, so on to the test (the following may be a bit embarrassing, but it is easy for everyone to follow). I tested directly with a phone.

The first pit:

Accessing the WeChat mini program shows an access timeout?

Note that the website uses HTTPS, so you need to import the certificate; once it is installed, everything is fine.

With that sorted out, I happily opened the mini program and found that the damn data packets were encrypted. I started testing in a gloomy mood and found only a few vulnerabilities, which really hurt. Fortunately, under the study of my East Day, I kept going into the middle of the night and found the encryption method and the key (it is said that I watched anime until 12 o'clock).


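The second pit:

How do you obtain the WeChat mini program's encryption method?

The WeChat mini program package is actually stored locally. As soon as a mini program has been accessed, its package is automatically downloaded to the local device. After half a day of looking things up, I finally got the wxapkg package onto my machine, then downloaded an unpacking tool, which gives you the mini program's front-end code (it is best not to use the nodejs unpacking method).

With the front-end code, extracting the encryption method, the key and so on from the JS is very simple. It is ECB encryption. I put a data packet into a decoder and finally decoded it, and saw the decoded JSON string. I thought I would finally be able to test for business logic vulnerabilities. And so the third pit arrived.

The third pit

This pit cost me an evening, because the problem was not mine; it was the decoding website's. (This is also the main thing this article complains about.) First, here are the two decoding websites: http://tool.chacuo.net/cryptaes and http://www.seacha.com/tools/aes.html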

102036h7e9604ip6k9mme1.png

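As the picture shows, the encrypted data is decrypted with the key, and the resulting values are the same.

Then look at the picture below: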

102037sbkatbi3ki6epto8.png

Indeed, converting and decrypting between the two works without any problem.

Now look at the picture below:

102037iv47rf7gbfht4vn9.png

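Looking at this picture, I thought I had run into something mystical. Is this still ECB?

Does adding double quotes really make such a big difference? Then look at the picture below: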

102037ss1lbxs9ss719kfs.png

After seeing this picture, I coughed up a mouthful of old blood: you even encoded my input. Fine, I'll take it.

Here is the principle: the website in the left part of the picture above takes the double quotes in the {a=b,c="d"} I entered, HTML-escapes them first, and only then performs the ECB encryption.

So, in one sentence: you don't need to understand the above, just remember that we will use this website for decryption.

One more point: if you find the website too troublesome, you can actually integrate the decryption into Burp, which is more convenient.

102037ilolur6ule0x5zu4.png
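
The escaping behaviour explained above can be reproduced locally, which also removes the dependence on a web tool. This is an added example, not code from the original article or from the mini program; AES-128, PKCS#7 padding, base64 output and the key are assumptions, since the article only says "ECB".

```javascript
// Added example. Assumptions: AES-128-ECB, PKCS#7 padding, base64 ciphertext.
// KEY and the sample string are constructed for illustration only.
// The lookup below works whether this file runs as CommonJS or as an ES module.
const nodeCrypto = typeof require === "function"
  ? require("crypto")
  : process.getBuiltinModule("crypto");

const KEY = Buffer.from("0123456789abcdef", "utf8"); // constructed 16-byte key

function ecbEncrypt(plaintext, key = KEY) {
  const c = nodeCrypto.createCipheriv("aes-128-ecb", key, null);
  return Buffer.concat([c.update(plaintext, "utf8"), c.final()]).toString("base64");
}

function ecbDecrypt(b64, key = KEY) {
  const d = nodeCrypto.createDecipheriv("aes-128-ecb", key, null);
  return Buffer.concat([d.update(b64, "base64"), d.final()]).toString("utf8");
}

// What the web tool described above does to its input before encrypting.
function htmlEscape(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Decrypt and report whether the plaintext carries HTML entities, i.e. whether
// the ciphertext was produced from escaped input rather than the raw string.
function inspect(b64, key = KEY) {
  const plaintext = ecbDecrypt(b64, key);
  return { plaintext, htmlEscaped: /&(quot|amp|lt|gt|#\d+);/.test(plaintext) };
}

const raw = '{a=b,c="d"}';                   // the input from the article
const direct = ecbEncrypt(raw);              // raw string encrypted as-is
const viaTool = ecbEncrypt(htmlEscape(raw)); // escaped first, then encrypted

console.log("direct :", direct, inspect(direct));
console.log("viaTool:", viaTool, inspect(viaTool));
```

Input without double quotes encrypts identically on both paths, which is why the two websites agreed until a quoted value appeared.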

This article does not go into technique, only ideas. Anyone interested can follow the ideas and step into the pits themselves; after all, if I posted every step with screenshots, following them step by step would limit everyone's thinking.

By the way, the SRC activities have come out recently, so if you have nothing to do, go and make some money.

If there are any mistakes in the article, or points you would like to discuss, leave them in the comments.
