
PortSwigger labs: business logic vulnerabilities


Excessive trust in client-side controls

Lab

logic-flaws-excessive-trust-in-client-side-control

Description

This lab doesn't adequately validate user input. You can exploit a logic flaw in its purchasing workflow to buy items for an unintended price. To solve the lab, buy a "Lightweight l33t leather jacket".

You can log in to your own account using the following credentials: wiener:peter

Solution

Clicking Add to cart sends a POST request to /cart that carries the product ID and the price. The price is only ever enforced on the client, so resend the request with price=0 (for example from the browser console):

fetch('/cart',{method:'POST',body:'productId=1&redir=PRODUCT&quantity=1&price=0'})
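As an added example (mine, not code from the lab or the write-up), here is a minimal model of the add-to-cart handler that the fetch() call above abuses, beside the fix. The vulnerable version computes the line total from the client-supplied price; the hardened version never reads that parameter and looks the price up in a server-side catalogue. The catalogue contents and the helper names are constructed for the example.

```python
# Added example (mine, not the lab's code): a minimal model of the add-to-cart
# handler. The vulnerable version trusts the client-supplied "price"; the
# hardened version ignores it and looks the price up server-side.
from urllib.parse import parse_qs

# Constructed catalogue: product id -> unit price in cents.
CATALOG = {"1": 133700, "2": 9800}

# The body sent by the fetch() call in the write-up.
ATTACK_BODY = "productId=1&redir=PRODUCT&quantity=1&price=0"


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def add_to_cart_vulnerable(body: str) -> int:
    """Line total in cents, computed from whatever price the client sent."""
    form = parse_form(body)
    quantity = int(form.get("quantity", "1"))
    price = int(form["price"])            # attacker-controlled
    return quantity * price


def add_to_cart_hardened(body: str) -> int:
    """Line total in cents; the price comes only from the server-side catalogue."""
    form = parse_form(body)
    product_id = form.get("productId")
    if product_id not in CATALOG:
        raise ValueError("unknown product")
    quantity = int(form.get("quantity", "1"))
    if not 1 <= quantity <= 99:
        raise ValueError("invalid quantity")
    # Any "price" parameter in the body is simply never read.
    return quantity * CATALOG[product_id]


def hardened_rejects(body: str) -> bool:
    """True if the hardened handler refuses the request."""
    try:
        add_to_cart_hardened(body)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(add_to_cart_vulnerable(ATTACK_BODY))   # 0: the jacket is free
    print(add_to_cart_hardened(ATTACK_BODY))     # 133700: price parameter ignored
```

The point of the hardened version is not the quantity range check (that belongs to the next labs) but that the price is derived from state the client cannot influence; a hidden form field, a cookie or a JavaScript-enforced minimum are all client-side controls and carry no authority.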

2FA broken logic

Lab

2fa-broken-logic

Hint

Carlos will not attempt to log in to the website himself.

Description

This lab's two-factor authentication is vulnerable due to its flawed logic. To solve the lab, access Carlos's account page.

  • Your credentials: wiener:peter
  • Victim's username: carlos

You also have access to the email server to receive your 2FA verification code.

Solution

Log in as wiener. After the password step the site asks for a code sent by email. In the GET /login2 request, change the user identifier (the verify cookie) from wiener to carlos: the server generates a code for carlos and emails it to him, even though you never entered his password.

Send the POST /login2 request (still with the user set to carlos) to Intruder and brute-force the four-digit code over 0000 to 9999. The single response with status 302 instead of 200 is the correct code; follow that redirect to reach Carlos's account page. Nothing ties the verification step to the account that passed the password step, and nothing limits the number of attempts.
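To make the two defects concrete, here is an added example (mine, not the lab's code) of a toy /login2 handler: the vulnerable version takes the account from a client-controlled cookie and never caps attempts, so the Intruder run from the write-up is a 10,000-request loop; the hardened version binds the code to the server-side session that completed the password step, makes the code single-use and locks after three failures. The class, its method names and the lockout threshold are assumptions for the example.

```python
# Added example (mine, not the lab's code): why brute-forcing the 4-digit code
# works against the vulnerable /login2 and not against a hardened one.
import secrets


class TwoFactorServer:
    def __init__(self):
        self.codes = {}        # user -> current 4-digit code ("emailed" to the user)
        self.failures = {}     # user -> failed attempts (hardened path only)

    def send_code(self, user: str) -> str:
        """GET /login2: generate and 'email' a code for the user named in the cookie."""
        code = f"{secrets.randbelow(10000):04d}"
        self.codes[user] = code
        return code

    def login2_vulnerable(self, verify_cookie: str, code: str):
        """POST /login2. Flaw: the account is whatever the 'verify' cookie says,
        so an attacker who passed the password step as wiener can verify as
        carlos. Returns (status, logged_in_user); 302 means success."""
        if self.codes.get(verify_cookie) == code:
            return 302, verify_cookie
        return 200, None

    def login2_hardened(self, session: dict, code: str):
        """The account comes from the server-side session that completed the
        password step, the code is single-use, and attempts are capped."""
        user = session.get("password_ok_for")
        if user is None:
            return 401, None
        if self.failures.get(user, 0) >= 3:
            return 429, None
        if self.codes.get(user) is not None and self.codes[user] == code:
            del self.codes[user]                  # single use
            self.failures[user] = 0
            return 302, user
        self.failures[user] = self.failures.get(user, 0) + 1
        return 200, None


def brute_force(server: TwoFactorServer, victim: str):
    """The Intruder attack: send every code with verify=<victim>, stop at 302."""
    for n in range(10000):
        code = f"{n:04d}"
        status, user = server.login2_vulnerable(victim, code)
        if status == 302:
            return code, user
    return None, None


if __name__ == "__main__":
    server = TwoFactorServer()
    server.send_code("carlos")                    # triggered by the tampered GET /login2
    print(brute_force(server, "carlos"))          # ('NNNN', 'carlos')
```

Note that the attempt cap alone is not enough: without the session binding, an attacker could still request a code for carlos and guess it inside the allowed attempts over many sessions; the two controls are needed together.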

High-level logic vulnerability

Lab

logic-flaws-high-level

Description

This lab doesn't adequately validate user input. You can exploit a logic flaw in its purchasing workflow to buy items for an unintended price. To solve the lab, buy a "Lightweight l33t leather jacket".

You can log in to your own account using the following credentials: wiener:peter

Solution

Edit the add-to-cart form in the browser's developer tools (F12) and remove the min attribute from the quantity input, add -1 of an item, and look at the cart: the total is negative. Submit the order.

The server replies: Cart total price cannot be less than zero.

So instead add -13 of the $98 item and then the $1337 target jacket: 1337 - 13 x 98 = $63, which is below the $100 account credit but not negative.

Place the order; the checkout succeeds and the lab is solved. The server validates the total but never the sign of an individual quantity.

Low-level logic flaw

Lab

logic-flaws-low-level

Description

This lab doesn't adequately validate user input. You can exploit a logic flaw in its purchasing workflow to buy items for an unintended price. To solve the lab, buy a "Lightweight l33t leather jacket".

You can log in to your own account using the following credentials: wiener:peter

Hint

You will need to use Burp Intruder (or Turbo Intruder) to solve this lab.

To make sure the price increases in predictable increments, we recommend configuring your attack to only send one request at a time. In Burp Intruder, you can do this from the resource pool settings using the Maximum concurrent requests option.

Solution

This lab relies on the upper bound of a signed 32-bit integer. Of the 32 bits, the top bit is the sign and the other 31 carry the magnitude, so the representable range is -2,147,483,648 to +2,147,483,647 (this is a property of the integer type, not of the operating system). The cart total is kept in cents in such an integer, so once it exceeds 2,147,483,647 cents ($21,474,836.47) it wraps around to a large negative value.

Keep adding the target jacket to the cart (Intruder, quantity 99 per request, one request at a time as the hint says) until the total passes that limit and turns negative. Then add more items until the total climbs back above zero while staying under the $100 account credit, and place the order.
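The arithmetic behind both cart labs, as an added example (mine, not the lab's code): total_unchecked() has no quantity floor, so a negative quantity produces a negative line (the high-level lab); total_int32() accumulates in a wrapping 32-bit signed integer, so a large enough quantity overflows (the low-level lab); top_up_quantity() computes how many cheap items bring a wrapped total back into the affordable window; total_checked() is the hardened form. The prices are the labs' ($1337 jacket, $98 item, $100 credit, in cents); the function names and the request count used to trigger the wrap are my assumptions.

```python
# Added example (mine, not the lab's code): negative quantities and 32-bit
# wrap-around in a cart total, with the check that prevents both.
INT32_MAX = 2**31 - 1                 # 2,147,483,647 cents = $21,474,836.47
JACKET, OTHER, CREDIT = 133700, 9800, 10000


def wrap_int32(n: int) -> int:
    """Reduce n the way a two's-complement 32-bit signed integer would."""
    n &= 0xFFFFFFFF
    return n - 2**32 if n > INT32_MAX else n


def total_unchecked(items) -> int:
    """items: [(unit_price, quantity)]. Flaw: quantity may be negative."""
    return sum(price * qty for price, qty in items)


def total_int32(items) -> int:
    """Same sum, but every product and addition wraps at 32 bits (the flaw)."""
    total = 0
    for price, qty in items:
        total = wrap_int32(total + wrap_int32(price * qty))
    return total


def top_up_quantity(base_total: int, unit_price: int, credit: int):
    """After a wrapped, negative total, how many more units of unit_price bring
    the total into [0, credit]? Returns (quantity, new_total), or None if one
    step of unit_price overshoots the window."""
    if base_total >= 0:
        return 0, base_total
    qty = -(base_total // unit_price)          # ceiling of -base_total / unit_price
    new_total = base_total + qty * unit_price
    return (qty, new_total) if new_total <= credit else None


def total_checked(items) -> int:
    """Hardened: bounded quantities and an explicit overflow check."""
    total = 0
    for price, qty in items:
        if not 1 <= qty <= 99:
            raise ValueError("quantity out of range")
        total += price * qty
        if total > INT32_MAX:
            raise ValueError("total too large")
    return total


def checked_rejects(items) -> bool:
    try:
        total_checked(items)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # High-level lab: 1 jacket and -13 of the $98 item -> $63.00
    print(total_unchecked([(JACKET, 1), (OTHER, -13)]))        # 6300
    # Low-level lab: e.g. 323 Intruder requests x 99 jackets wraps negative ...
    wrapped = total_int32([(JACKET, 323 * 99)])
    print(wrapped)                                             # -19642396
    # ... then enough $98 items bring it back under the $100 credit.
    print(top_up_quantity(wrapped, OTHER, CREDIT))             # (2005, 6604)
```

Languages with arbitrary-precision integers (Python here) do not wrap on their own, which is why the model wraps explicitly; in Java, C# or C the same code would wrap silently, which is the lab's situation. The hardened version rejects the request rather than clamping, so the client learns nothing about the internal limit.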

Inconsistent handling of exceptional input

Lab

logic-flaws-inconsistent-handling-of-exceptional-input

Description

This lab doesn't adequately validate user input. You can exploit a logic flaw in its account registration process to gain access to administrative functionality. To solve the lab, access the admin panel and delete Carlos.

Hint

You can use the link in the lab banner to access an email client connected to your own private mail server. The client will display all messages sent to @YOUR-EMAIL-ID.web-security-academy.net and any arbitrary subdomains. Your unique email ID is displayed in the email client.

Solution

The site has an admin panel at /admin, but it says the panel is only available to DontWannaCry users.

The login page says: If you work for DontWannaCry, please use your @dontwannacry.com email address. So DontWannaCry accounts are recognised by the company email domain.

Register a user with a very long email address (more than 255 characters). Click the confirmation link in the mailbox, log in, and look at the account page: the stored email has been truncated to the first 255 characters.

This truncation can be abused: the application validates and delivers mail to the full address, but decides on privileges using the truncated one, so an ordinary user's email can be made to look like a DontWannaCry company address.

Register a second user:

  • The first 255 characters end in @dontwannacry.com; pad the local part with x so that the final m lands exactly at character 255.

  • From character 256 onward, append @exploit-ID.web-security-academy.net (the mailbox domain shown in the lab's email client), so the confirmation email is still delivered to your mail server, which routes on the part after the last @.

Confirm the address, log in as that user, open /admin and delete carlos.
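The address construction, with the check that makes it work and one that does not, as an added example (mine, not the lab's code). The trusted domain is the lab's and the receiving domain is the placeholder from the lab hint; build_payload() and both checkers are my assumptions about the application's behaviour. The vulnerable checker mirrors the observed order of operations (truncate to 255 on storage, decide on the stored value); the hardened one rejects over-length or malformed input before anything is stored and checks the exact value it validated.

```python
# Added example (mine, not the lab's code): building the truncation payload
# and comparing a truncate-then-check domain test with a validate-first one.
TRUSTED_SUFFIX = "@dontwannacry.com"
MAX_LEN = 255


def build_payload(local_prefix: str, receiving_domain: str) -> str:
    """Address whose first 255 characters end in TRUSTED_SUFFIX, but which the
    mail system routes (by the part after the last '@') to receiving_domain."""
    pad = MAX_LEN - len(local_prefix) - len(TRUSTED_SUFFIX)
    if pad < 0:
        raise ValueError("prefix too long")
    head = local_prefix + "x" * pad + TRUSTED_SUFFIX     # exactly 255 characters
    return head + "@" + receiving_domain


def delivery_domain(email: str) -> str:
    """Where the confirmation mail actually goes: after the last '@'."""
    return email.rsplit("@", 1)[1]


def is_employee_vulnerable(email: str) -> bool:
    """The lab's order of operations: truncate on storage, check the stored value."""
    stored = email[:MAX_LEN]
    return stored.endswith(TRUSTED_SUFFIX)


def is_employee_hardened(email: str) -> bool:
    """Reject over-length and malformed input before anything is stored, then
    check the domain on the exact value that was validated."""
    if len(email) > MAX_LEN or email.count("@") != 1:
        return False
    return email.endswith(TRUSTED_SUFFIX)


if __name__ == "__main__":
    payload = build_payload("attacker", "YOUR-EMAIL-ID.web-security-academy.net")
    print(len(payload), payload[:MAX_LEN][-20:])   # ... the 255th char is 'm'
    print(delivery_domain(payload))                 # the lab mailbox domain
    print(is_employee_vulnerable(payload))          # True
    print(is_employee_hardened(payload))            # False
```

The general lesson is that every component must see the same value: the mailer, the validator and the authorisation check here each saw a different string derived from the same input.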

Inconsistent security controls

Lab

logic-flaws-inconsistent-security-controls

Description

This lab's flawed logic allows arbitrary users to access administrative functionality that should only be available to company employees. To solve the lab, access the admin panel and delete Carlos.

Solution

This lab validates the registration email properly, so the truncation trick from the previous lab does not get you an admin account.

However, once an ordinary user is registered, the email on the account page can be changed to any @dontwannacry.com address with no verification at all, and that alone promotes the account to admin. The control that exists at registration is simply missing from the update path.

Do that, open /admin, delete carlos, and the lab is solved.

Weak isolation on dual-use endpoint

Lab

logic-flaws-weak-isolation-on-dual-use-endpoint

Description

This lab makes a flawed assumption about the user's privilege level based on their input. As a result, you can exploit the logic of its account management features to gain access to arbitrary users' accounts. To solve the lab, access the administrator account and delete Carlos.

You can log in to your own account using the following credentials: wiener:peter

Solution

Log in as wiener. The account page has a change-password form. Try changing administrator's password by editing the username field in the request; the server rejects it because the current password is wrong.

Now remove the current-password parameter from the request entirely and submit only the username and the new password: the change succeeds. The endpoint serves two purposes (a user changing their own password, and an admin resetting someone else's) and only checks the current password when one happens to be supplied.

Log in as administrator, delete carlos.

Password reset broken logic

Lab

password-reset-broken-logic

Description

This lab's password reset functionality is vulnerable. To solve the lab, reset Carlos's password then log in and access his "My account" page.

  • Your credentials: wiener:peter
  • Victim's username: carlos

Solution

Click Forgot password, request the reset email, follow the link to the reset page, and submit a new password.

The submitted form contains a username field; that is worth tampering with.

Request the password reset again. In the browser's developer tools (F12) the reset form has a hidden input named username. Change its value from wiener to carlos and submit. The reset token proves that someone requested a reset, but the server takes the account to change from the form field rather than from the token.

The reset succeeds. Log in as carlos, and the lab is solved.
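The two account-management flaws above (the dual-use change-password endpoint and the reset form with a hidden username field) share one root cause: the account to modify is taken from a request parameter. The following added example (mine, not the lab's code) shows each beside its fix: in the hardened change handler the account comes from the server-side session and the current password is always required; in the hardened reset handler the single-use token itself names the account. User records and the field names (username, current-password, new-password, reset-token) are constructed for the example.

```python
# Added example (mine, not the lab's code): account identity taken from the
# request (vulnerable) versus from the session or the reset token (hardened).
import hmac
import secrets


class Accounts:
    def __init__(self, users: dict):
        self.users = dict(users)        # username -> password (plaintext only in the toy)
        self.reset_tokens = {}          # token -> username

    # --- change password (the dual-use endpoint) ---
    def change_vulnerable(self, form: dict) -> int:
        user = form["username"]                           # attacker-chosen
        if "current-password" in form:                    # only checked when present!
            if form["current-password"] != self.users[user]:
                return 400
        self.users[user] = form["new-password"]
        return 200

    def change_hardened(self, session: dict, form: dict) -> int:
        user = session["user"]                            # never taken from the body
        current = form.get("current-password", "")
        if not hmac.compare_digest(current, self.users[user]):
            return 400
        self.users[user] = form["new-password"]
        return 200

    # --- reset password ---
    def issue_reset_token(self, user: str) -> str:
        token = secrets.token_urlsafe(16)
        self.reset_tokens[token] = user
        return token

    def reset_vulnerable(self, form: dict) -> int:
        if form["reset-token"] not in self.reset_tokens:  # proves someone asked, not who
            return 400
        self.users[form["username"]] = form["new-password"]   # hidden field picks the account
        return 200

    def reset_hardened(self, form: dict) -> int:
        user = self.reset_tokens.pop(form["reset-token"], None)  # single use, names the account
        if user is None:
            return 400
        self.users[user] = form["new-password"]
        return 200


if __name__ == "__main__":
    acc = Accounts({"wiener": "peter", "administrator": "constructed", "carlos": "montoya"})
    print(acc.change_vulnerable({"username": "administrator", "new-password": "owned"}))  # 200
    tok = acc.issue_reset_token("wiener")
    print(acc.reset_vulnerable({"reset-token": tok, "username": "carlos",
                                "new-password": "owned"}))                                # 200
```

The reset token in the hardened version is removed from the table when used, so the link from the email works exactly once and cannot be replayed against a different username.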

2FA simple bypass

Lab

2fa-simple-bypass

Description

This lab's two-factor authentication can be bypassed. You have already obtained a valid username and password, but do not have access to the user's 2FA verification code. To solve the lab, access Carlos's account page.

  • Your credentials: wiener:peter
  • Victim's credentials: carlos:montoya

Solution

Log in with the victim's credentials; the site sends a verification code by email.

I expected to brute-force the code with Intruder, but it is enough to change the URL to /my-account: the page loads without the second factor.

Unexpectedly simple.

Insufficient workflow validation

Lab

logic-flaws-insufficient-workflow-validation

Description

This lab makes flawed assumptions about the sequence of events in the purchasing workflow. To solve the lab, exploit this flaw to buy a "Lightweight l33t leather jacket".

You can log in to your own account using the following credentials: wiener:peter

Solution

Log in and first buy an item that costs less than $100 to observe the flow:

  1. Clicking Place order sends a POST request to /cart/checkout.
  2. The server accepts it and responds with status 303, redirecting to /cart/order-confirmation?order-confirmed=true.

Then try to buy an item that costs more than the account balance:

  1. Clicking Place order sends the same POST request to /cart/checkout.
  2. The server finds the funds insufficient and responds with status 303, redirecting to /cart?err=INSUFFICIENT_FUNDS.

The only difference between the two flows is the server's response to the checkout request, so tamper with that response.

Add the target jacket to the cart, turn on interception in Burp, and click Place order. In Burp, right-click the intercepted POST /cart/checkout request, choose Do intercept > Response to this request, and forward the request.

In the intercepted response, change the Location header to /cart/order-confirmation?order-confirmed=true, forward it, and turn interception off.

The purchase goes through and the lab is solved. Equivalently, you can send GET /cart/order-confirmation?order-confirmed=true straight from Repeater: the confirmation endpoint never checks that a checkout for this cart actually succeeded.

Authentication bypass via flawed state machine

Lab

logic-flaws-authentication-bypass-via-flawed-state-machine

Description

This lab makes flawed assumptions about the sequence of events in the login process. To solve the lab, exploit this flaw to bypass the lab's authentication, access the admin interface, and delete Carlos.

You can log in to your own account using the following credentials: wiener:peter

Solution

I couldn't solve this one myself. Dropping the role-selector request logs you in as administrator by default... vulnerabilities really are human problems.

Official solution:

Log in with interception on, forward the POST /login request, then drop the GET /role-selector request that follows. Browse straight to /admin and delete carlos. The login sequence is supposed to be login, then role selection, then access; skipping the middle step leaves the role unset, and the application treats an unset role as administrator.
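Both of the sequence flaws (the order confirmation that can be reached without a successful checkout, and the admin page that can be reached without the role-selection step) come from state that is implied by which URLs were visited rather than recorded on the server. The following added example (mine, not the lab's code) models both as a server-side session with explicit stages, beside the vulnerable handlers. Endpoint names and status codes follow the write-up; the Session fields, the Stage enumeration and the hardened checks are my assumptions.

```python
# Added example (mine, not the lab's code): an explicit server-side state
# machine for login -> role-selector -> admin and checkout -> confirmation.
from enum import Enum, auto


class Stage(Enum):
    ANON = auto()
    PASSWORD_OK = auto()   # POST /login succeeded, /role-selector not yet answered
    LOGGED_IN = auto()


class Session:
    def __init__(self):
        self.stage = Stage.ANON
        self.role = None
        self.checkout_ok = False   # set only by a successful POST /cart/checkout


# ---- login -> role-selector -> admin ----
def post_login(session, user, password, users):
    if users.get(user) != password:
        return 401
    session.stage, session.role = Stage.PASSWORD_OK, None
    return 302                                  # -> GET /role-selector


def post_role_selector(session, role):
    if session.stage is not Stage.PASSWORD_OK:
        return 401
    session.role, session.stage = role, Stage.LOGGED_IN
    return 302


def get_admin_vulnerable(session):
    """Flaw: a role that was never chosen falls back to administrator."""
    if session.stage is Stage.ANON:
        return 401
    role = session.role if session.role is not None else "administrator"
    return 200 if role == "administrator" else 403


def get_admin_hardened(session):
    """The admin check requires the login sequence to have actually completed."""
    if session.stage is not Stage.LOGGED_IN:
        return 401
    return 200 if session.role == "administrator" else 403


# ---- checkout -> order-confirmation ----
def post_checkout(session, total, credit):
    if total > credit:
        return 303, "/cart?err=INSUFFICIENT_FUNDS"
    session.checkout_ok = True
    return 303, "/cart/order-confirmation?order-confirmed=true"


def get_order_confirmation_vulnerable(session, query):
    """Flaw: trusts the URL parameter and never asks whether checkout passed."""
    return 200 if query.get("order-confirmed") == "true" else 400


def get_order_confirmation_hardened(session, query):
    if not session.checkout_ok:
        return 400
    session.checkout_ok = False                 # one confirmation per checkout
    return 200


if __name__ == "__main__":
    s = Session()
    post_login(s, "wiener", "peter", {"wiener": "peter"})   # then drop /role-selector
    print(get_admin_vulnerable(s), get_admin_hardened(s))   # 200 401
```

The hardened confirmation handler also clears checkout_ok, so one successful checkout cannot be turned into several confirmations by replaying the GET.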

Flawed enforcement of business rules

Lab

logic-flaws-flawed-enforcement-of-business-rules

Description

This lab has a logic flaw in its purchasing workflow. To solve the lab, exploit this flaw to buy a "Lightweight l33t leather jacket".

You can log in to your own account using the following credentials: wiener:peter

Solution

Log in; the site gives you a $5 coupon. Apply it in the cart, then try applying it again: the site says it has already been used.

At the bottom of the page, signing up for the newsletter with your email gives a second coupon, worth 30% off. Apply it.

Now apply the $5 coupon again and it is accepted: the check only compares the new code against the one applied immediately before it, not against every code used on the order. Alternate the two codes until the cart total reaches $0, then place the order.

Infinite money logic flaw

Lab

logic-flaws-infinite-money

Description

This lab has a logic flaw in its purchasing workflow. To solve the lab, exploit this flaw to buy a "Lightweight l33t leather jacket".

You can log in to your own account using the following credentials: wiener:peter

Solution

As in the previous lab, signing up for the newsletter at the bottom of the page gives a coupon for 30% off.

Buy a $10 gift card with the 30% coupon for $7, then redeem the gift card on the account page: $7 becomes $10, a $3 profit per cycle, because the discount applies to the purchase but the card is redeemed at face value.

Repeat until the balance covers the $1337 jacket. That takes several hundred rounds, so automate the loop (a Burp session-handling macro or a short script) rather than clicking through it.
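The coupon and gift-card rules as arithmetic, as an added example (mine, not the lab's code) covering both of the last two labs. apply_coupons_vulnerable() refuses a code only when it equals the one applied just before, so alternating two codes stacks them without limit; apply_coupons_hardened() tracks every code used on the order. gift_card_cycles() counts how many buy-and-redeem rounds the $7-for-$10 loop needs. The $5 coupon, the 30% newsletter coupon, the $10 gift card, the $100 credit and the $1337 jacket are the labs'; the code names FIVE and THIRTY and the function names are mine. Amounts are in cents.

```python
# Added example (mine, not the lab's code): coupon stacking through a
# "not the same as last time" check, and the gift-card arbitrage loop.
COUPONS = {
    "FIVE": lambda total: total - 500,          # $5 off
    "THIRTY": lambda total: total * 70 // 100,  # 30% off
}


def apply_coupons_vulnerable(price, codes):
    """Flaw: a code is refused only if it equals the one applied just before,
    so FIVE, THIRTY, FIVE, THIRTY, ... stacks without limit."""
    total, last = price, None
    for code in codes:
        if code == last:
            continue                            # "Coupon has already been applied"
        total, last = COUPONS[code](total), code
    return max(total, 0)


def apply_coupons_hardened(price, codes):
    """Each code is usable once per order, whatever the order of application."""
    total, used = price, set()
    for code in codes:
        if code in used:
            continue
        used.add(code)
        total = COUPONS[code](total)
    return max(total, 0)


def codes_until_free(price):
    """How many alternating applications the vulnerable logic needs to reach $0."""
    codes, total = [], price
    while total > 0:
        codes.append("FIVE" if len(codes) % 2 == 0 else "THIRTY")
        total = apply_coupons_vulnerable(price, codes)
    return len(codes)


def gift_card_cycles(credit, target, card=1000, discount_pct=30):
    """Buy a gift card at the discount, redeem it at face value, repeat.
    Returns (cycles, final_credit), or None if one cycle cannot be paid for."""
    cost = card * (100 - discount_pct) // 100   # $7 for a $10 card
    if cost >= card or credit < cost:
        return None
    cycles = 0
    while credit < target:
        credit += card - cost                   # +$3 per cycle
        cycles += 1
    return cycles, credit


if __name__ == "__main__":
    print(codes_until_free(133700))                     # alternations to a free jacket
    print(apply_coupons_hardened(133700, ["FIVE", "THIRTY"] * 5))   # 93240
    print(gift_card_cycles(10000, 133700))              # (413, 133900)
```

The gift-card fix is not in this code: either the discount must not apply to stored-value products, or a card must redeem for what was paid for it; the function only shows how cheap the loop is once that rule is missing.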

Authentication bypass via encryption oracle

Lab

logic-flaws-authentication-bypass-via-encryption-oracle

Description

This lab contains a logic flaw that exposes an encryption oracle to users. To solve the lab, exploit this flaw to gain access to the admin panel and delete Carlos.

You can log in to your own account using the following credentials: wiener:peter

Solution

Log in with Stay logged in ticked: the stay-logged-in cookie holds the login information in encrypted form.

Post a comment with an invalid email address such as abc: the response sets a notification cookie, and the page shows Invalid email address: abc.

Replace the notification cookie's value with the stay-logged-in value and resend: the page shows wiener:1653387720371.

So stay-logged-in is the encryption of username:timestamp, under the same key the notification cookie uses.

  • The comment POST is an encryption oracle: the email parameter is the plaintext, and the notification value in the response's Set-Cookie header is the ciphertext.
  • The blog GET is a decryption oracle: the notification cookie is the ciphertext, and the string shown at the top of the page is the plaintext.

Encrypt administrator:1653387720371 through the comment form (ciphertext 1) and decrypt it again: the result is Invalid email address: administrator:1653387720371.

The 23-character prefix Invalid email address: (including the trailing space) has to go. URL-decode and base64-decode ciphertext 1, delete the first 23 bytes, base64-encode the rest and decrypt it.

The server now complains that the input must be a multiple of 16 bytes, the cipher's block size. So encrypt again, this time with 9 filler characters in front of the target: 23 + 9 = 32 bytes, exactly two blocks, which can be cut off cleanly.

Encrypt xxxxxxxxxadministrator:1653387720371 (ciphertext 2), delete the first 32 bytes, and decrypt: the result is administrator:1653387720371, which is what we need.

Ciphertext 2 with those 32 bytes removed, re-encoded, is the new stay-logged-in value. Clear the session cookie, set stay-logged-in to it, and you are logged in as administrator. Delete carlos, and the lab is solved.
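The block-dropping trick above against a toy oracle, as an added example (mine, not the lab's code). The cipher is a throwaway 16-byte keyed permutation run in CBC mode with the IV prepended to the ciphertext; that mode is an assumption (the lab does not reveal it, and the trick works for ECB as well). Dropping whole leading blocks of a CBC ciphertext leaves a valid ciphertext for the remaining plaintext blocks, because each block decrypts using only itself and the block before it; dropping 23 bytes does not, which is the error the write-up hit. The prefix string and the user:timestamp format follow the write-up's observations; the key, IV, class and function names are mine, and the toy cipher must not be used for anything real.

```python
# Added example (mine, not the lab's code): CBC block dropping against an
# encryption/decryption oracle, with a deliberately weak toy block cipher.
import hashlib

BLOCK = 16
PREFIX = b"Invalid email address: "       # 23 bytes, as observed in the lab


def _subkey(key: bytes) -> bytes:
    return hashlib.sha256(key).digest()[:BLOCK]


def _enc_block(key, block):               # toy permutation: XOR, then rotate left
    x = bytes(a ^ b for a, b in zip(block, _subkey(key)))
    return x[1:] + x[:1]


def _dec_block(key, block):               # rotate right, then XOR
    x = block[-1:] + block[:-1]
    return bytes(a ^ b for a, b in zip(x, _subkey(key)))


def pad(data: bytes) -> bytes:            # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key, iv, plaintext):
    out, prev = [iv], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = _enc_block(key, bytes(a ^ b for a, b in zip(plaintext[i:i + BLOCK], prev)))
        out.append(prev)
    return b"".join(out)                  # IV || C1 || C2 || ...


def cbc_decrypt(key, ciphertext):
    if len(ciphertext) % BLOCK or len(ciphertext) < 2 * BLOCK:
        raise ValueError("Input length must be a multiple of 16")
    out, prev = [], ciphertext[:BLOCK]
    for i in range(BLOCK, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out.append(bytes(a ^ b for a, b in zip(_dec_block(key, cur), prev)))
        prev = cur
    return unpad(b"".join(out))


class Oracle:
    """Models the blog: comment form = encryption oracle, blog page = decryption
    oracle, and the same key used for the stay-logged-in cookie."""
    def __init__(self):
        self.key = b"constructed-server-key"
        self.iv = b"\x00" * BLOCK                       # fixed IV, fine for the toy

    def post_comment(self, email: bytes) -> bytes:      # Set-Cookie: notification=...
        return cbc_encrypt(self.key, self.iv, pad(PREFIX + email))

    def get_blog(self, notification: bytes) -> bytes:   # message shown on the page
        return cbc_decrypt(self.key, notification)

    def stay_logged_in(self, user: str, ts: int) -> bytes:
        return cbc_encrypt(self.key, self.iv, pad(f"{user}:{ts}".encode()))

    def user_from_cookie(self, cookie: bytes) -> str:
        return cbc_decrypt(self.key, cookie).split(b":")[0].decode()


def forge_cookie(oracle: Oracle, target: bytes = b"administrator:1653387720371") -> bytes:
    """Encrypt filler + target via the comment form, then drop the first two
    blocks (prefix + filler = 32 bytes) so the rest decrypts to target alone."""
    filler = b"x" * (2 * BLOCK - len(PREFIX))            # 9 bytes
    return oracle.post_comment(filler + target)[2 * BLOCK:]


def naive_strip(oracle: Oracle, target: bytes = b"administrator:1653387720371") -> bytes:
    """The first attempt from the write-up: cut exactly 23 bytes. Not block-aligned."""
    return oracle.post_comment(target)[len(PREFIX):]


def oracle_accepts(oracle: Oracle, ciphertext: bytes) -> bool:
    try:
        oracle.get_blog(ciphertext)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    o = Oracle()
    print(o.user_from_cookie(forge_cookie(o)))          # administrator
    print(oracle_accepts(o, naive_strip(o)))             # False: 57 bytes, not a multiple of 16
```

In the lab the cookie values are additionally base64- and URL-encoded, so decode before slicing and re-encode afterwards. The underlying fix is not a different cipher mode but never letting users encrypt or decrypt arbitrary data under the session key: authenticate the cookie (an HMAC or an AEAD) and use a separate key for anything user-visible.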