PortSwigger labs: business logic vulnerability exercises

Excessive trust in client-side controls

Lab

logic-flaws-excessive-trust-in-client-side-control

Description

This lab doesn't adequately validate user input. You can exploit a logic flaw in its purchasing workflow to buy items for an unintended price. To solve the lab, buy a "Lightweight l33t leather jacket".

You can log in to your own account using the following credentials: wiener:peter

Solution

When you click Add to cart, a request carrying the product id and the price is sent to the server. Resend it with the price changed:

fetch('/cart', {
  method: 'POST',
  // the original form posts url-encoded fields, so send the same content type
  headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
  body: 'productId=1&redir=PRODUCT&quantity=1&price=0'
})

2FA broken logic

Lab

2fa-broken-logic

Hint

Carlos will not attempt to log in to the website himself.

Description

This lab's two-factor authentication is vulnerable due to its flawed logic. To solve the lab, access Carlos's account page.

  • Your credentials: wiener:peter
  • Victim's username: carlos

You also have access to the email server to receive your 2FA verification code.

Solution

After logging in, an email verification step appears. Change the user in the GET request to /login2 to carlos; this sends a verification code to carlos's mailbox.

Send the POST request to /login2 to Intruder and brute-force the four-digit code; the result whose response status is 302 is the correct code.

High-level logic vulnerability

Lab

logic-flaws-high-level

Description

This lab doesn't adequately validate user input. You can exploit a logic flaw in its purchasing workflow to buy items for an unintended price. To solve the lab, buy a "Lightweight l33t leather jacket".

You can log in to your own account using the following credentials: wiener:peter

Solution

Edit the add-to-cart form: use the F12 developer tools to remove the minimum limit on the quantity field, buy -1 of an item, and view the cart. The total is negative; submit the purchase request.

The server responds: Cart total price cannot be less than zero

Try adding -13 of a $98 item to the cart, then add the $1337 target item, so that the cart total is below the $100 account balance without being negative.

Submit the order; checkout succeeds and the lab is solved.
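The two cart labs above (client-supplied price, negative quantity) share one root cause: the server takes values from the request that it should compute or validate itself. The following is an added example, not the lab's or PortSwigger's code: an add-to-cart handler in the flawed shape the write-up describes, next to a hardened version that looks the price up in a server-side catalogue and accepts only a strictly parsed positive quantity. The catalogue, the product ids and the cents-based prices are constructed for the example (the $1337 jacket and the $98 item follow the write-up).

```javascript
// Added example, not the lab's or PortSwigger's code. Catalogue entries,
// product ids and prices (in cents) are constructed for the example.
const CATALOGUE = {
  "1": { name: "Lightweight l33t leather jacket", priceCents: 133700 },
  "2": { name: "Sample item (constructed)", priceCents: 9800 },
};

// Parse an application/x-www-form-urlencoded body into a plain object.
function parseForm(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// Flawed handler, as the write-up describes it: the server takes the price
// from the request and lets the quantity be anything Number() accepts.
function addToCartUnsafe(cart, body) {
  const form = parseForm(body);
  cart.push({
    productId: form.productId,
    quantity: Number(form.quantity),
    priceCents: Number(form.price),
  });
  return cart;
}

// Hardened handler: the client chooses only *which* product and *how many*;
// the price is looked up server-side and the quantity is validated strictly.
function addToCartSafe(cart, body) {
  const form = parseForm(body);
  const product = CATALOGUE[form.productId];
  if (!product) throw new Error("unknown product");
  // Number("-1"), Number("1e3") and Number("") are all accepted by Number(),
  // so match the exact digit string instead: 1 to 9999, no sign, no exponent.
  if (!/^[1-9][0-9]{0,3}$/.test(form.quantity || "")) {
    throw new Error("quantity must be an integer between 1 and 9999");
  }
  cart.push({
    productId: form.productId,
    quantity: Number(form.quantity),
    priceCents: product.priceCents, // never form.price
  });
  return cart;
}

function cartTotalCents(cart) {
  return cart.reduce((sum, line) => sum + line.quantity * line.priceCents, 0);
}
```

The upper bound on the quantity is a policy choice; the important part is that a sign, an exponent or an empty string never reaches `Number()`, and that `form.price` is never read at all.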

Low-level logic flaw

Lab

logic-flaws-low-level

Description

This lab doesn't adequately validate user input. You can exploit a logic flaw in its purchasing workflow to buy items for an unintended price. To solve the lab, buy a "Lightweight l33t leather jacket".

You can log in to your own account using the following credentials: wiener:peter

Hint

You will need to use Burp Intruder (or Turbo Intruder) to solve this lab.

To make sure the price increases in predictable increments, we recommend configuring your attack to only send one request at a time. In Burp Intruder, you can do this from the resource pool settings using the Maximum concurrent requests option.

Solution

This lab actually relies on the upper limit of an integer type: on a 32-bit system, 31 bits hold the magnitude and the highest bit the sign, so the valid range of an integer is -2,147,483,647 to +2,147,483,647.

Keep increasing the quantity in the cart until the total passes the upper limit and becomes negative; keep increasing until it becomes positive again while staying below the $100 account balance, then check out to solve the lab.
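To see the wrap-around concretely, here is an added example (not the lab's or PortSwigger's code). It assumes the server keeps the cart total in a 32-bit signed integer of cents, reproduces the wrap with `Math.imul` and `| 0`, and shows the bounds check that refuses a line or cart total that would not fit. The prices are constructed; the $1337 jacket follows the write-up.

```javascript
// Added example, not the lab's or PortSwigger's code. Assumes an int32
// total in cents; prices are constructed for the example.
const INT32_MAX = 2147483647;

// Math.imul multiplies as 32-bit integers and "| 0" truncates the sum to
// 32 bits, which is exactly what an int32 column or variable would do.
function cartTotalWrapping(lines) {
  let total = 0;
  for (const { priceCents, quantity } of lines) {
    total = (total + Math.imul(priceCents, quantity)) | 0;
  }
  return total;
}

// Checked arithmetic: JavaScript doubles are exact below 2^53, so compute
// there, then refuse anything that would not fit the storage type.
function lineTotalChecked(priceCents, quantity) {
  if (!Number.isInteger(quantity) || quantity <= 0) {
    throw new RangeError("quantity must be a positive integer");
  }
  if (!Number.isInteger(priceCents) || priceCents < 0) {
    throw new RangeError("price must be a non-negative integer");
  }
  const total = priceCents * quantity;
  if (total > INT32_MAX) {
    throw new RangeError("line total exceeds the supported maximum");
  }
  return total;
}

function cartTotalChecked(lines) {
  let total = 0;
  for (const { priceCents, quantity } of lines) {
    total += lineTotalChecked(priceCents, quantity);
    if (total > INT32_MAX) {
      throw new RangeError("cart total exceeds the supported maximum");
    }
  }
  return total;
}
```

With the jacket at 133700 cents, a quantity of 20000 gives 2,674,000,000, which is above INT32_MAX and wraps to a negative number in the first function; the checked version throws instead of silently wrapping.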

Inconsistent handling of exceptional input

Lab

logic-flaws-inconsistent-handling-of-exceptional-input

Description

This lab doesn't adequately validate user input. You can exploit a logic flaw in its account registration process to gain access to administrative functionality. To solve the lab, access the admin panel and delete Carlos.

Hint

You can use the link in the lab banner to access an email client connected to your own private mail server. The client will display all messages sent to @YOUR-EMAIL-ID.web-security-academy.net and any arbitrary subdomains. Your unique email ID is displayed in the email client.

Solution

This lab has an admin panel at /admin, but it says a DontWannaCry user is required.

The login page says: If you work for DontWannaCry, please use your @dontwannacry.com email address. So registering as a DontWannaCry user requires the company's email domain.

Register a user with a very long email address (over 255 characters). After clicking the verification link in the mailbox, log in as that user and check the stored email: it has been truncated to the first 255 characters.

This truncation can be used to make the application mistake an ordinary user's email for an internal DontWannaCry address, and so grant admin privileges.

Register another user:

  • the first 255 characters are xxx@dontwannacry.com, with the xxx padding chosen so that the final m lands exactly at position 255

  • from position 256 onward comes @exploit-ID.web-security-academy.net, so the verification email still reaches the exploit mail server

After verifying, log in as this user, open the admin page /admin, delete carlos, and the lab is solved.

Inconsistent security controls

Lab

logic-flaws-inconsistent-security-controls

Description

This lab's flawed logic allows arbitrary users to access administrative functionality that should only be available to company employees. To solve the lab, access the admin panel and delete Carlos.

Solution

This lab validates the registration email properly, so the previous lab's trick of registering an admin account does not work.

However, once a normal user has registered, the email can be changed directly to an @dontwannacry.com address, which upgrades the account to admin.

Do that, delete the user carlos, and the lab is solved.
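Both email labs above derive a privilege from the address, and both fail because the value that is checked is not the value that is later trusted: one truncates after checking, the other checks at registration but not on update. The following is an added example, not the lab's or PortSwigger's code. It shows the flawed truncating registration next to a single email-setting routine used by both registration and profile update, which rejects over-long input instead of cutting it, validates exactly the string it stores, and grants the employee role only after the new address has been verified. The 255-character limit and the dontwannacry.com domain come from the write-up; the users and helper names are constructed.

```javascript
// Added example, not the lab's or PortSwigger's code. The limit and the
// domain follow the write-up; users and function names are constructed.
const MAX_EMAIL_LENGTH = 255;
const EMPLOYEE_DOMAIN = "dontwannacry.com";

function isEmployeeEmail(email) {
  return email.slice(email.lastIndexOf("@") + 1) === EMPLOYEE_DOMAIN;
}

// Flawed flow from the first lab: store a truncated copy and derive the role
// from it. The stored value is what every later check sees, so an address
// that looks internal in its first 255 characters becomes an admin.
function registerTruncating(users, username, rawEmail) {
  const stored = rawEmail.slice(0, MAX_EMAIL_LENGTH);
  users[username] = { email: stored, verified: false, admin: isEmployeeEmail(stored) };
  return users[username];
}

// Hardened: reject over-long input instead of truncating, accept exactly one
// "@", and return the exact string that will be stored and compared later.
function normalizeEmail(raw) {
  if (typeof raw !== "string") throw new Error("email required");
  const email = raw.trim().toLowerCase();
  if (email.length > MAX_EMAIL_LENGTH) throw new Error("email too long");
  const at = email.indexOf("@");
  if (at < 1 || at !== email.lastIndexOf("@") || at === email.length - 1) {
    throw new Error("malformed email");
  }
  return email;
}

// One routine for both "register" and "change email" (the second lab):
// changing the address drops verification and any role derived from it.
function setEmail(user, rawEmail) {
  user.email = normalizeEmail(rawEmail);
  user.verified = false;
  user.admin = false;
  return user;
}

// Called only when the user follows the link that was sent to user.email.
function markVerified(user) {
  user.verified = true;
  user.admin = isEmployeeEmail(user.email);
  return user;
}
```

The point of routing both paths through `setEmail` is that there is no second code path to forget: whatever rule applies at registration applies on every update, and a role tied to the domain can only come back through `markVerified`, which requires control of a mailbox at that domain.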

Weak isolation on dual-use endpoint

Lab

logic-flaws-weak-isolation-on-dual-use-endpoint

Description

This lab makes a flawed assumption about the user's privilege level based on their input. As a result, you can exploit the logic of its account management features to gain access to arbitrary users' accounts. To solve the lab, access the administrator account and delete Carlos.

You can log in to your own account using the following credentials: wiener:peter

Solution

Log in to the normal account, which has a change-password feature. Try changing the administrator's password; after submitting the form, the server reports that the current password is wrong.

Try deleting the current password field from the form and submitting only the username and the new password: the change succeeds.

Log in as administrator, delete the user carlos, and the lab is solved.

Password reset broken logic

Lab

password-reset-broken-logic

Description

This lab's password reset functionality is vulnerable. To solve the lab, reset Carlos's password then log in and access his "My account" page.

  • Your credentials: wiener:peter
  • Victim's username: carlos

Solution

Click "forgot password", send the confirmation email, click the link in the email to open the change-password page, and submit the change-password request.

Notice that the submitted form data contains a username field; try tampering with it.

Start the forgot-password flow again; in the F12 developer console the form has a hidden input tag named username. Change wiener to carlos and submit the change-password request.

The change succeeds; log in to carlos's account and the lab is solved.

2FA simple bypass

Lab

2fa-simple-bypass

Description

This lab's two-factor authentication can be bypassed. You have already obtained a valid username and password, but do not have access to the user's 2FA verification code. To solve the lab, access Carlos's account page.

  • Your credentials: wiener:peter
  • Victim's credentials: carlos:montoya

Solution

Log in with the victim's credentials; an email verification code is sent.

I originally thought this would need Intruder to brute-force the code, but simply changing the URL to /my-account bypasses it.

Unexpectedly simple, and quite a surprise.

Insufficient workflow validation

Lab

logic-flaws-insufficient-workflow-validation

Description

This lab makes flawed assumptions about the sequence of events in the purchasing workflow. To solve the lab, exploit this flaw to buy a "Lightweight l33t leather jacket".

You can log in to your own account using the following credentials: wiener:peter

Solution

Log in and first buy an item priced under $100 to observe the flow:

  1. The user clicks Place Order and the browser sends a GET request to /cart/checkout
  2. The server accepts it and returns a 303 response redirecting to /cart/order-confirmation?order-confirmed=true

Then buy an item priced above the account balance and observe the flow:

  1. The user clicks Place Order and the browser sends a GET request to /cart/checkout
  2. The server finds the balance insufficient and returns a 303 response redirecting to /cart?err=INSUFFICIENT_FUNDS

The only difference between the two is the server's response to the checkout request, so try tampering with that response.

Add the target item to the cart, turn on interception in Burp Suite, place the order, and in Burp choose to intercept the response to this GET request before forwarding the request.

When the server's response arrives, change the redirect URL in it to /cart/order-confirmation?order-confirmed=true, forward it and turn interception off.

The purchase succeeds and the lab is solved.
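The redirect only works as an attack because the confirmation page does the fulfilment and treats its own query string as proof of payment. The following is an added example, not the lab's or PortSwigger's code. It models checkout as the single place where the balance is checked and the order record is marked PAID or FAILED, and a confirmation handler that renders only what that record says; a flawed variant in the shape the write-up describes is included for contrast. Accounts, order ids, the order-id query parameter and the cents-based prices are constructed for the example.

```javascript
// Added example, not the lab's or PortSwigger's code. Accounts, order ids,
// the order-id parameter and prices are constructed for the example.
const orders = new Map();
let nextOrderId = 1;

function cartTotal(cart) {
  return cart.reduce((s, l) => s + l.priceCents * l.quantity, 0);
}

// GET /cart/checkout: payment and the order's final state are decided here,
// in one step, before any redirect is issued.
function checkout(account, cart) {
  const totalCents = cartTotal(cart);
  const order = { id: nextOrderId++, account: account.name, totalCents, status: "PENDING" };
  orders.set(order.id, order);
  if (account.balanceCents < totalCents) {
    order.status = "FAILED";
    return { status: 303, location: "/cart?err=INSUFFICIENT_FUNDS", orderId: order.id };
  }
  account.balanceCents -= totalCents;
  order.status = "PAID";
  return { status: 303, location: `/cart/order-confirmation?order-id=${order.id}`, orderId: order.id };
}

// GET /cart/order-confirmation: the query only names an order; the stored
// state of that order decides what is shown. Arriving here proves nothing.
function orderConfirmation(account, query) {
  const order = orders.get(Number(query["order-id"]));
  if (!order || order.account !== account.name) return { status: 404 };
  if (order.status !== "PAID") return { status: 409, body: "order was not completed" };
  return { status: 200, body: `Order ${order.id} confirmed` };
}

// Flawed variant matching the write-up: reaching the confirmation URL with
// order-confirmed=true is itself treated as proof of payment and fulfils the cart.
function orderConfirmationFlawed(account, cart, query) {
  if (query["order-confirmed"] !== "true") return { status: 400 };
  account.balanceCents -= cartTotal(cart); // may go negative; nothing checked it
  return { status: 200, body: "Order confirmed" };
}
```

Tampering with the 303 in the hardened version only changes which page the browser asks for next; the FAILED order stays FAILED, and the confirmation page answers 409 for it.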

Authentication bypass via flawed state machine

Lab

logic-flaws-authentication-bypass-via-flawed-state-machine

Description

This lab makes flawed assumptions about the sequence of events in the login process. To solve the lab, exploit this flaw to bypass the lab's authentication, access the admin interface, and delete Carlos.

You can log in to your own account using the following credentials: wiener:peter

Solution

I couldn't solve this one. Dropping the role-selector request logs you in as the administrator account by default... vulnerabilities really do come down to people.

Official solution:

Log in with Burp interception on, forward the POST /login request, drop the following GET /role-selector request, then browse directly to /admin and delete the user carlos to solve the lab.

Flawed enforcement of business rules

Lab

logic-flaws-flawed-enforcement-of-business-rules

Description

This lab has a logic flaw in its purchasing workflow. To solve the lab, exploit this flaw to buy a "Lightweight l33t leather jacket".

You can log in to your own account using the following credentials: wiener:peter

Solution

Log in and obtain a $5 coupon; trying to apply the coupon a second time in the cart gives a message that it has already been used.

At the bottom of the page, subscribing with your email gives another discount code, which is worth 30% off.

Try the $5 coupon again: it is accepted. Alternate the two codes until the cart total reaches 0, then submit the purchase to solve the lab.

Infinite money logic flaw

Lab

logic-flaws-infinite-money

Description

This lab has a logic flaw in its purchasing workflow. To solve the lab, exploit this flaw to buy a "Lightweight l33t leather jacket".

You can log in to your own account using the following credentials: wiener:peter

Solution

At the bottom of the page, subscribing with your email gives a discount code worth 30% off.

Buy a $10 gift card with the 30% code, then redeem the gift card in My account: $7 buys $10, money making money.

Repeat the cash-out steps until the target item is affordable.
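The two coupon labs above break two rules that the server has to own: "each code once per order" and "discounts apply to merchandise, not to store credit". The following is an added example, not the lab's or PortSwigger's code. The hardened version keeps the set of applied codes on the order (so the sequence in which codes are entered is irrelevant), takes percentage discounts from the undiscounted merchandise subtotal, excludes gift cards from any discount, and floors the total at zero; a flawed variant in the shape the write-up describes is included for contrast. The coupon code names, the cents-based prices and the items are constructed; the $5 coupon, the 30% code and the $10 gift card follow the write-up.

```javascript
// Added example, not the lab's or PortSwigger's code. Coupon names, item
// prices (in cents) and the order shape are constructed for the example.
const COUPONS = {
  "FIVE-OFF":   { type: "fixed", cents: 500 },
  "THIRTY-PCT": { type: "percent", percent: 30 },
};

function newOrder(items) {
  return { items, appliedCodes: new Set() };
}

function orderTotalCents(order) {
  const sum = (pred) => order.items.filter(pred).reduce((s, i) => s + i.priceCents * i.quantity, 0);
  const merchandise = sum((i) => !i.giftCard);
  const giftCards = sum((i) => i.giftCard); // store credit: never discounted
  let discount = 0;
  for (const code of order.appliedCodes) {
    const c = COUPONS[code];
    // percentages are taken from the undiscounted merchandise subtotal, so
    // several codes can never compound into more than their face values
    discount += c.type === "percent" ? Math.round((merchandise * c.percent) / 100) : c.cents;
  }
  return Math.max(0, merchandise - discount) + giftCards;
}

// POST /cart/coupon: membership in the set is the only "already used" test.
function applyCoupon(order, code) {
  if (!COUPONS[code]) throw new Error("unknown coupon");
  if (order.appliedCodes.has(code)) throw new Error("coupon already applied to this order");
  order.appliedCodes.add(code);
  return orderTotalCents(order);
}

// Flawed variant from the first lab: only the most recently entered code is
// remembered, and each code is applied to the already-discounted running total.
function applyCouponFlawed(order, code) {
  if (!COUPONS[code]) throw new Error("unknown coupon");
  if (order.lastCode === code) throw new Error("coupon already used");
  order.lastCode = code;
  const c = COUPONS[code];
  order.runningTotal = c.type === "percent"
    ? Math.round((order.runningTotal * (100 - c.percent)) / 100)
    : Math.max(0, order.runningTotal - c.cents);
  return order.runningTotal;
}
```

Recomputing the total from the item list and the set of codes on every request, rather than mutating a running total, is what makes the order of operations irrelevant: the same cart with the same codes always prices the same.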

Authentication bypass via encryption oracle

Lab

logic-flaws-authentication-bypass-via-encryption-oracle

Description

This lab contains a logic flaw that exposes an encryption oracle to users. To solve the lab, exploit this flaw to gain access to the admin panel and delete Carlos.

You can log in to your own account using the following credentials: wiener:peter

Solution

Log in with "stay logged in" checked; the cookies include a stay-logged-in field that stores the login information in encrypted form.

Try posting a comment with an invalid email address, abc: a notification cookie appears and the page shows Invalid email address: abc

Try replacing the notification cookie value with the stay-logged-in value and sending the request; the page shows wiener:1653387720371

Guess: the stay-logged-in value is the encryption of username:timestamp

  • The comment POST can serve as an encryption request: the email address in the request is the plaintext and the set-cookie value in the response is the ciphertext
  • The blog GET request can serve as a decryption request: the notification cookie in the request header is the ciphertext and the string at the top of the page is the plaintext

Encrypt administrator:1653387720371 with the encryption request (ciphertext 1), then feed it to the decryption request: the result is Invalid email address: administrator:1653387720371

The 23 characters "Invalid email address: " are the data to remove. URL-decode and base64-decode ciphertext 1, delete 23 bytes, base64-encode the remainder, and send it to the decryption request.

The server says it only accepts data whose length is a multiple of 16. To get it parsed correctly, encrypt the desired string again, this time with 9 filler characters prepended, so that together with the 23 characters to be removed they form 32 bytes that can be deleted as a whole.

Encrypt xxxxxxxxxadministrator:1653387720371 with the encryption request (ciphertext 2), then decrypt it with the decryption request: the result is administrator:1653387720371, which is exactly what we need.

Ciphertext 2 is the stay-logged-in value to substitute. Clear the cookies, set stay-logged-in to it, and you are logged in as administrator; delete the user carlos and the lab is solved.