
Title: The latest WeChat mini program packet capture and testing cases in 2023

Most online write-ups on capturing mini program traffic use an Android emulator. Here we capture packets with BurpSuite + Proxifier + the WeChat desktop client instead.

Environmental Preparation

Burp2023.9.2

Proxifier4.5

Proxifier is a powerful SOCKS5 client: it lets network programs that have no proxy support of their own work through an HTTPS or SOCKS proxy, or through a proxy chain. It is paid software with a 31-day free trial; the author links a cracked version below.

Link: https://pan.baidu.com/s/14QElyGxDpMBGTuCFTPl4tQ?pwd=7o50

Extraction code: 7o50

图片1.png

Install it with the defaults and open it after installation.

图片2.png

Click Register, enter any name and any registration code, and click OK.

Proxifier configuration

Open Proxifier and click Profile to add a proxy server.

图片3.png

图片4.png

Address 127.0.0.1, port of your choice (8888 here), protocol HTTPS.

Next, add a proxy rule.

When a mini program is opened in WeChat, an extra process named WeChatAppEx appears in the process list.

图片5.png

This is the WeChat mini program process.

Add a rule:

图片7.png

Under Applications select the mini program process (you can type the name manually), and under Action select the proxy server just created.

Burp configuration

图片8.png

Edit Burp's proxy listener to listen on 127.0.0.1:8888, matching the proxy server configured in Proxifier.

Now open a mini program in WeChat: the WeChatAppEx traffic first passes through Proxifier and is then forwarded to Burp on 127.0.0.1:8888.

图片9.png

From here the requests can be tested in Burp just like an ordinary website.

Mini program decompilation

图片10.png

The WeChat file storage location can be found in WeChat's settings.

图片11.png

The Applet folder in that directory is where mini program cache files are stored.

图片12.png

The more mini programs you use, the more corresponding folders there will be. If you cannot find the package of the mini program you want to test, sort by modification date, or simply delete all cached files and then reopen the mini program you want to test.

图片13.png

The cache folder for the mini program we want to test is now:

Open it to find the package we want to unpack.

图片14.png

This is an encrypted package. When a user searches for a mini program in WeChat or scans its QR code, the WeChat backend packages the mini program's contents into a .wxapkg file and sends it to the user's device. This format is essentially an archive containing all of the mini program's code, resources and configuration files, plus a specific description file, app.json.

Since it is encrypted, decrypt it first. Below is the link to a decryption tool shared by an expert.
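To show what the unencrypted .wxapkg layout looks like once decryption has produced a plain package, here is an added parser written for this article; it is not code from the post, from wxappUnpacker, or from WeChat. The layout it assumes is the one wuWxapkg.js reads (a 14-byte header with 0xBE/0xED markers, a big-endian index of name/offset/size entries, then the file bodies), and the "V1MMWX" check for still-encrypted Windows packages is taken from public decryption tools. `pack_wxapkg` exists only to construct the sample input offline.

```python
import struct

# Assumed layout (matches what wuWxapkg.js reads):
#   header: 0xBE | 4 bytes reserved | 4 bytes index length | 4 bytes body length | 0xED
#   index:  4-byte file count, then per file: 4-byte name length, name, 4-byte offset, 4-byte size
#   offsets are absolute positions in the whole file; all integers are big-endian
HEADER_FMT = ">BIIIB"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 14 bytes
ENCRYPTED_MAGIC = b"V1MMWX"  # header of a still-encrypted Windows WeChat package


def pack_wxapkg(files):
    """Build an archive from {name: bytes}. Used only to construct a sample input here."""
    names = list(files)
    index_len = 4 + sum(4 + len(n.encode("utf-8")) + 8 for n in names)
    body_off = HEADER_LEN + index_len
    index = struct.pack(">I", len(names))
    body = b""
    for n in names:
        enc = n.encode("utf-8")
        index += struct.pack(">I", len(enc)) + enc
        index += struct.pack(">II", body_off + len(body), len(files[n]))
        body += files[n]
    header = struct.pack(HEADER_FMT, 0xBE, 0, index_len, len(body), 0xED)
    return header + index + body


def parse_wxapkg(buf):
    """Return {name: bytes} for every entry, validating magic and bounds."""
    if buf[:len(ENCRYPTED_MAGIC)] == ENCRYPTED_MAGIC:
        raise ValueError("package is still encrypted (V1MMWX header); decrypt it first")
    first, _reserved, index_len, _body_len, last = struct.unpack_from(HEADER_FMT, buf, 0)
    if first != 0xBE or last != 0xED:
        raise ValueError("not a .wxapkg: bad header markers")
    (count,) = struct.unpack_from(">I", buf, HEADER_LEN)
    pos = HEADER_LEN + 4
    entries = {}
    for _ in range(count):
        (name_len,) = struct.unpack_from(">I", buf, pos)
        pos += 4
        name = buf[pos:pos + name_len].decode("utf-8")
        pos += name_len
        off, size = struct.unpack_from(">II", buf, pos)
        pos += 8
        if off + size > len(buf):  # a corrupt index must not read past the file
            raise ValueError(f"entry {name!r} points outside the archive")
        entries[name] = buf[off:off + size]
    if pos != HEADER_LEN + index_len:
        raise ValueError("index length in header does not match the parsed index")
    return entries


# Constructed sample package: two files, the way a minimal mini program bundle looks.
SAMPLE_FILES = {
    "app.json": b'{"pages":["pages/index/index"]}',
    "app-service.js": b'console.log("hello");',
}


def sample_package():
    return pack_wxapkg(SAMPLE_FILES)


if __name__ == "__main__":
    for name, data in parse_wxapkg(sample_package()).items():
        print(f"{name}: {len(data)} bytes")
```

On a real decrypted package the same `parse_wxapkg` call gives you the file list and app.json before running the full decompiler, which is a quick way to confirm the decryption step actually worked.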

Link: https://pan.baidu.com/s/1BzfvBVwD4vLpakX9PAyrsg?pwd=qz3z

Extraction code: qz3z

图片15.png

Select the encrypted package

图片16.png

After decryption succeeds, the output is in the wxpack directory under the tool directory.

图片17.png

Next, decompile.

First install Node.js (download: https://nodejs.org/zh-cn/download/); install it with the defaults and continue. After installing, add it to the environment variables.

图片18.png

After adding the environment variable, typing the command in cmd echoes a result.

图片19.png

Next, use the decompilation tool wxappUnpacker.

Original link https://github.com/system-cpu/wxappUnpacker

Network disk link: https://pan.baidu.com/s/19O2KDqWn2Zyars8AREJ1LQ?pwd=22qj

Extraction code: 22qj

Go to the tool directory.

Install:

图片20.png

Install the dependencies:

npm install esprima

npm install css-tree

npm install cssbeautify

npm install vm2

npm install uglify-es

npm install js-beautify

Execute the above commands one by one


Next, decompile.

Execute the command (replace the placeholder with the path to the decrypted package):

node wuWxapkg.js [path to the decrypted .wxapkg]

图片21.png

图片22.png

After execution, a directory is generated alongside the decompiled package.

图片23.png

图片24.png

These are the files obtained after decompilation.

Download WeChat Developer Tools

Official website download link

https://servicewechat.com/wxa-dev-logic/download_redirect?type=win32_x64from=mpwikidownload_version=1062308310version_type=1

Open it after installation.

图片25.png

Click the add (+) sign.

图片26.png

Select the decompiled directory, choose not to use a cloud service for the backend, and click OK.

图片29.png

You can now view the mini program's JS code.

Test

Click the "send verification code" function.

图片30.png

The path is /api/shop/ipad/login/sms.

Find the code for the send function in the source.

图片31.png

Only /login/sms is found.

The path rule is now basically confirmed: the interface is spliced onto /api/shop/ipad. Find other interfaces, splice them on the same way, and check them for unauthorized access.

Find a path to the home page.

图片32.png

Sending the request directly returns 404.

图片33.png

The request after splicing /api/shop/ipad:

图片34.png

This confirms the path is correct, but there is no unauthorized access here. That one path has no such flaw does not mean every interface is safe: perhaps some interfaces are missing authentication, which would lead to unauthorized access, information leakage and so on.
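The splicing step above (relative paths in the decompiled JS + the hard-coded base URL) is mechanical, so as an added example, not part of the original post, here is a small inventory script that pulls every request path out of a decompiled bundle and prefixes it with the discovered base. The output is the checklist a reviewer works through to verify that each endpoint enforces authentication. The JS fragments, file names and the example.invalid host are constructed; only the /api/shop/ipad prefix and /login/sms come from the write-up.

```python
import re

# Constructed sample: fragments in the style of decompiled mini program JS.
# Hypothetical file names and URLs; the /api/shop/ipad prefix mirrors the write-up.
SAMPLE_JS = {
    "pages/login/login.js": '''
        var t = require("../../utils/request.js");
        t.post("/login/sms", { mobile: e.detail.value.mobile });
        t.post("/login/verify", { mobile: n, code: s });
    ''',
    "pages/index/index.js": '''
        t.get("/index/home", {});
        t.get('/order/list', { page: 1 });
        wx.request({ url: "https://example.invalid/api/shop/ipad/login/sms" });
    ''',
    "utils/request.js": '''
        var base = "https://example.invalid/api/shop/ipad";
        function post(p, d) { return wx.request({ url: base + p, method: "POST", data: d }); }
    ''',
}

# A quoted literal that starts with "/" is treated as a relative API path;
# "../" module imports do not match because they start with ".".
REL_RE = re.compile(r"""["'](/[A-Za-z0-9_\-/]+)["']""")
# Any quoted absolute http(s) URL.
ABS_RE = re.compile(r"""["'](https?://[^"'\s]+)["']""")


def find_bases(files):
    """Absolute URLs hard-coded anywhere in the bundle, shortest first.
    The shortest is the most likely API base (here /api/shop/ipad)."""
    urls = set()
    for src in files.values():
        urls.update(ABS_RE.findall(src))
    return sorted(urls, key=len)


def inventory(files):
    """Map every spliced endpoint to the source files that call it."""
    bases = find_bases(files)
    base = bases[0] if bases else ""
    found = {}
    for name, src in files.items():
        for path in REL_RE.findall(src):
            found.setdefault(base + path, set()).add(name)
        for url in ABS_RE.findall(src):
            if url != base:  # a full URL is already an endpoint
                found.setdefault(url, set()).add(name)
    return {url: sorted(callers) for url, callers in sorted(found.items())}


if __name__ == "__main__":
    for url, callers in inventory(SAMPLE_JS).items():
        print(url, "<-", ", ".join(callers))
```

Each line of the output is then requested once with a valid session and once without; any endpoint that answers the same way both times is the "missing authentication" case the text warns about, and is the one to fix server-side.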

Getshell by accident

Go back to the interface that sends the verification code and check for SMS bombing and similar issues.

图片35.png

The /login/sms interface receives the mobile parameter via POST.

Construct the request:

图片36.png

Entering a non-existent mobile number returns a "mobile number incorrect" error.

图片37.png

Entering a real one also returns an error. Possibly only account numbers that exist in the system are accepted.

Whenever you see a parameter, you can try a single quote.

图片38.png

Oh, adding a single quote:

图片39.png

Oh waiver +1

The response shows that .NET is used. Personally I find this framework is often injectable; manual injection gave no echo, so I went straight to SQLmap in one go, with the --force-ssl parameter since the site is HTTPS.

图片40.png

SQL injection confirmed, and it is stacked injection; try --os-shell.

图片41.png
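The three findings on this endpoint (different errors for known and unknown numbers, no rate limit on sending codes, and a single quote reaching the SQL query) are all server-side defects, so as an added example, not code from the post or from the tested .NET application, here is the pattern behind the finding beside a hardened handler in Python with sqlite3. The account table, phone numbers and mainland-China mobile format check are constructed assumptions; `SmsLogin` keeps its counters in memory and records sent codes in `outbox` instead of calling an SMS gateway.

```python
import re
import sqlite3
import time
from collections import defaultdict

# Assumption: target accepts mainland China mobile numbers (11 digits starting with 1).
MOBILE_RE = re.compile(r"^1\d{10}$")


def make_db():
    """Constructed in-memory account table standing in for the real backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE account (id INTEGER PRIMARY KEY, mobile TEXT UNIQUE)")
    conn.executemany("INSERT INTO account (mobile) VALUES (?)",
                     [("13800000001",), ("13800000002",)])
    return conn


def lookup_vulnerable(conn, mobile):
    """The pattern behind the write-up: string concatenation (a quote breaks the
    query) and a different answer for registered vs unknown numbers."""
    row = conn.execute("SELECT id FROM account WHERE mobile = '" + mobile + "'").fetchone()
    return {"ok": True} if row else {"ok": False, "msg": "mobile number incorrect"}


def account_exists(conn, mobile):
    """Hardened lookup: the value is bound as a parameter, never spliced into SQL."""
    return conn.execute("SELECT 1 FROM account WHERE mobile = ?", (mobile,)).fetchone() is not None


class SmsLogin:
    def __init__(self, conn, limit=3, window=600, now=time.time):
        self.conn, self.limit, self.window, self.now = conn, limit, window, now
        self.sent = defaultdict(list)  # key -> timestamps of recent sends (in-memory only)
        self.outbox = []               # numbers a code was actually sent to (stand-in for the gateway)

    def _allowed(self, key):
        t = self.now()
        self.sent[key] = [s for s in self.sent[key] if t - s < self.window]
        if len(self.sent[key]) >= self.limit:
            return False
        self.sent[key].append(t)
        return True

    def request_code(self, mobile, client_ip):
        # 1. validate the format before the value reaches any query
        if not MOBILE_RE.match(mobile):
            return {"ok": False, "msg": "invalid request"}
        # 2. rate-limit per source IP and per target number (SMS bombing)
        if not self._allowed("ip:" + client_ip) or not self._allowed("mobile:" + mobile):
            return {"ok": False, "msg": "too many requests"}
        # 3. same response whether or not the number is registered (no enumeration)
        if account_exists(self.conn, mobile):
            self.outbox.append(mobile)
        return {"ok": True, "msg": "if the number is registered, a code has been sent"}


if __name__ == "__main__":
    svc = SmsLogin(make_db())
    print(svc.request_code("13800000001", "203.0.113.5"))
    print(svc.request_code("13899999999", "203.0.113.5"))
```

The limiter increments both counters on a successful check, so a single client can burn at most `limit` sends per window against any one number or from any one address; a production deployment would back `sent` with shared storage so the limit holds across server instances.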

Reprinted from the original link: https://forum.butian.net/share/2477
