WeChat black tech: research on waking up WeChat directly from a mobile browser

WeChat is the "traffic daddy": anyone who manages to pull traffic out of WeChat onto their own platform is happy!!!
One way to bring traffic into WeChat is to open a web page in a mobile browser, wake up WeChat from there, and land on a page inside WeChat.
Here is the research so far:

The link is a Weibo short link: http://t.cn/RTqAzl8.
Open it in a browser and it resolves to the full address: http://r.jpwx.kim/wb/0e7d51958ac79557b5ecafc582ab62d0.html.
Open the web debugger: apart from the Baidu Analytics snippet, the core of the page is the following code:

// Not an Apple device, and the UA contains "baiduboxapp" (the Baidu app):
// hand the weixin:// URL to the Baidu app wrapped as an Android intent.
if (!/(iPhone|iPad|iPod|iOS)/i.test(navigator.userAgent) && /baiduboxapp/i.test(navigator.userAgent)) {
   window.location.replace('bdbox://utils?action=sendIntent&minver=7.4&params=%7B%22intent%22%3A%22weixin%3A%2F%2Fdl%2Fbusiness%2F%3Fticket%3Dt59a2235a3662135bfb0e8f7edccc22c5%23wechat_redirect%23wechat_redirect%23Intent%3Bend%22%7D');
} else {
   // Every other browser: navigate to the weixin:// URL directly.
   window.location.replace('weixin://dl/business/?ticket=t59a2235a3662135bfb0e8f7edccc22c5#wechat_redirect#wechat_redirect');
}
// Hide the loading indicator after three seconds.
setTimeout(function() {
   document.getElementById("loading").style.display = "none";
}, 3000);

The logic of the code above: if the device is not an Apple device and the UA contains the string baiduboxapp, the page navigates to:

bdbox://utils?action=sendIntent&minver=7.4&params=%7B%22intent%22%3A%22weixin%3A%2F%2Fdl%2Fbusiness%2F%3Fticket%3Dt59a2235a3662135bfb0e8f7edccc22c5%23wechat_redirect%23wechat_redirect%23Intent%3Bend%22%7D

Otherwise, it navigates to:

weixin://dl/business/?ticket=t59a2235a3662135bfb0e8f7edccc22c5#wechat_redirect#wechat_redirect

Since the aim here is to study how WeChat is woken up, not baiduboxapp, the interesting part is weixin://dl/business, which is WeChat's interface for a temporary session with a third party's official account. It is an internal, undocumented interface. The link shows that the short link carries a ticket parameter: refreshing the page several times changes the ticket, but the link that wakes up WeChat stays the same.
So the key question is how to generate a valid ticket parameter for your own page.

When thinking about how to generate a ticket, the natural next step is to look at how WeChat parses this parameter, to see whether the generation logic can be inferred from the parsing logic.
A colleague on the client team decompiled the Android WeChat client and found that the client-side logic is very simple: it takes the short link, passes it straight to the WeChat server, and the server returns the real access address.

https://open.weixin.qq.com/sns/webview?url=http%3A%2F%2Fun.m.jd.com%2Fcgi-bin%2Fapp%2Fappjmp%3Fto%3Dp.imtt.qq.com%252fh%253fd%253d7%2526b%253dtrade%2526type%253dsite%2526id%253d4061%2526u%253d%252568%252574%252574%252570%25253a%25252f%25252fvip.3.js.cn%252Fyyzs87.php%253Fticket%253D6148523063446f764c3364344c6d707764336775636d566b4c3364344c7a426c4e3251314d546b314f47466a4e7a6b314e5464694e57566a59575a6a4e546779595749324d6d51774c6d68306257772f644430784e54457a4d4451334d7a4d7a%2526from%253dshare%2526bid%253d13276%2526pid%253d1226104-1438221658%2526_wv%253d1027%2526sid%253dfavewofji%2526type%253d3%2526rnd%253d0.8738031948450953&appid=wxae3e8056daea8727&ts=1513047962&nonce=rjWsn6jYHv&sig=1c3d50cc9b948b2736398e1c1c66c32a&key=ad88abc27c4d295460ca3b05b7ed7a9a723ec81fbdb1e45386946920883a470f9b6e90cd75da4f05b8394a798f4b9446e673410a32c660224c93802cc47f427aa043de1c15cde5463ce4ad0ee5fecdd0&uin=MzY5MDEwNDExNQ%3D%3D&scene=0&version=26050839&pass_ticket=hKkz2FEs91MHFXEbW0vcmXwsfnKdDGqmvpQ1GG0cIYlqNFr5OcrssuH8DwD%2FSFmW 

The WeChat built-in WebView then opens this address, which resolves to the final landing page http://uatv2.tcwx.i-mybest.com/qrimg/mmj2.html.

Ticket parsing and the lookup of the access address all happen on the server side, so nothing can be analysed there.
The only thing left is to check whether the links returned by the WeChat server contain any useful information.
There were several redirects on the way from https://open.weixin.qq.com/sns/webview*** to http://uatv2.tcwx.i-mybest.com/qrimg/mmj2.html.

OK, so the whole process is now clear.

Assemble a link yourself to test, jumping into WeChat through Jingdong's link:
http://un.m.jd.com/cgi-bin/app/appjmp?to=p.imtt.qq.com%2Fh%3Fd%3D7%26b%3Dtrade%26type%3Dsite%26id%3D4061%26u%3Dhttp%3A%2F%2Fwww.baidu.com

Now the key problem is the generation step on Jingdong's open platform. The weixin://dl/business/?ticket= link has a whitelist mechanism; several kinds of links were tried and none passed the whitelist check. Asking Jingdong's cloud service platform, the answer was: this is the interface for waking up WeChat; it has already been maliciously invoked and carries a great security risk, so Jingdong has set up a whitelist and blacklist mechanism to crack down on malicious invocation, and the whitelist will neither accept new entries nor be disclosed.

Follow-up

While searching for related content, we also found that "510,000 calendars", "Strangers" and China Merchants Bank run services that use weixin://dl/business/?ticket= links. Since Jingdong's interface was granted by Mobile QQ, Mobile QQ itself must also have access to the interface, and other partner customers like Jingdong, such as the companies just mentioned, should have it too. Operations on that side later supplied several links, and the addresses they resolved to were all under the http://app.game.qq.com domain, confirming the conjecture above.

Tags: PHP network Mobile iOS

Posted on Tue, 13 Aug 2019 23:20:55 -0700 by jplock