yy最新支付接口分析

打了两把csgo闲着没事干 无聊打开了某傻逼的网站看见他买的yb充值通道里面放了后门而且还不是全开源的 这我就得给他杠上了

先贴上他的代码

调用了他自己的接口随时可以偷钱

调用了这个通道就会在运行目录生成一个404.php的木马

这人不仅素质不行 人品也不行

https://turnover.yy.com/charge_currency/charge?subappid=0&sid=0&ssid=0&currency=4&payMethod=Wap&payChannel=Zfb&amount=600&configId=0&returnUrl=https%3A%2F%2Fweb.yy.com%2Fyy_wallet%2Fpay_ext_ZXh0UGFn.html%3Faccount%3D2861011413%26accountType%3D1%26i%3D1%26orderId%3D%24%7BorderId%7D&userAccount=2861011413&userAccountType=1&seq=1722054059490&chargeToken=XUrFnKrP4c5PZcEX&appid=44&usedChannel=10013&expand=%7B%22turnoverOS%22%3A%22iOS%22%7D 这个就是yy支付的接口 但是调用之后给出的支付链接为

https://payplf-gate.yy.com/gotochannel/jump/post.do?jumpKey=0c1bc7d5f4404cce9683e2bf45c80d3d

需要转化成支付宝的支付链接的话 还需要进行一次

get_curl_header($json['payUrl'],$header);

然后就可以获取到最终的支付链接了

贴上部分代码

            list($msec, $sec) = explode(' ', microtime());
            $msectime = (float)sprintf('%.0f', (floatval($msec) + floatval($sec)) * 1000);
            $header = [
                'Host: turnover.yy.com',
                'Connection: keep-alive',
                'Pragma: no-cache',
                'Cache-Control: no-cache',
                'User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1',
                'Accept: */*',
                'Origin: https://web.yy.com',
                'Sec-Fetch-Site: same-site',
                'Sec-Fetch-Mode: cors',
                'Sec-Fetch-Dest: empty',
                'Referer: https://web.yy.com/',
            ];
            $url = 'https://turnover.yy.com/charge_currency/charge?subappid=0&sid=0&ssid=0&currency=4&payMethod=Wap&payChannel=Zfb&amount='.$money.'&configId=0&returnUrl=https%3A%2F%2Fweb.yy.com%2Fyy_wallet%2Fpay_ext_ZXh0UGFn.html%3Faccount%3D'.$atad['zhanghao'].'%26accountType%3D1%26i%3D1%26orderId%3D%24%7BorderId%7D&userAccount='.$atad['zhanghao'].'&userAccountType=1&seq=1722054059490&chargeToken=XUrFnKrP4c5PZcEX&appid=44&usedChannel=10013&expand=%7B%22turnoverOS%22%3A%22iOS%22%7D';
            $ret = curl_get($url,$header);
            $json=json_decode($ret,TRUE);
            if($json['result']!=1){
                return $this->getReturn(-1, $atad['typec_name'].$json['message']);
            }
            $ret = get_curl_header($json['payUrl'],$header);
            $data = $ret['data'];
            $url=$this->cut_z($data,'action="','"');
            $biz_content=$this->cut_z($data,'biz_content" value="','">');
            $biz_content='biz_content='.urlencode(html_entity_decode($biz_content));
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_NOBODY, 1);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
            curl_setopt($ch, CURLOPT_POST, 1 );
    	    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false );
    	    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false );
    	    curl_setopt($ch, CURLOPT_POSTFIELDS, $biz_content);
            curl_exec($ch);
            $url_html = curl_getinfo($ch,CURLINFO_EFFECTIVE_URL);
            $url=$url_html;
            $h5_route_token=$this->cut_z($url,'h5_request_token=','&');
            $atad['data'] = '';//通道监控数据
            $atad['pay_id'] = $h5_route_token;//通道订单号
            $atad['mid_url'] = $url;//通道二维码
            return $this->getReturn(1, $atad, $atad['data']);

不想干别的就想diss一下你这种二波一

最终成品