I-Pentester Yahlulahlula iKhowudi yeWebhusayithi ukungqina ukuba yayingenanjongo kwaphela

Ngenye imini ndiye ndadibana nenkonzo eqinisekisa ukutyikitywa kwezicelo kwicala leseva. Yayiyikhasino encinci ye-intanethi, apho isicelo ngasinye sijongiwe ixabiso elithile elithunyelwe ngumsebenzisi ukusuka kwisikhangeli. Kungakhathaliseki ukuba wenza ntoni kwikhasino: ukubeka ukubheja okanye ukwenza idiphozithi, iparameter eyongezelelweyo kwisicelo ngasinye yayilixabiso "uphawu", olubandakanya isethi yabalinganiswa ababonakala bengaqhelekanga. Kwakungenakwenzeka ukuthumela isicelo ngaphandle kwayo - isayithi ibuyise impazamo, kwaye yandithintela ukuba ndithumele izicelo zam zesiko.

Ukuba bekungengenxa yeli xabiso, ngendishiye indawo ngelo xesha kwaye andizange ndiphinde ndicinge ngayo. Kodwa, ngokuchaseneyo nawo onke amathuba, yayingeyiyo ingqiqo yenzuzo ekhawulezayo eyandenza ndachulumanca, kodwa kunoko umdla wophando kunye nocelomngeni olwalundinika i-casino ngobungqina bayo bobudenge.

Nokuba yeyiphi injongo abaphuhlisi ababenayo engqondweni xa besongeza le parameter, kubonakala kum ngathi yinkcitho yexesha. Emva kwayo yonke loo nto, utyikityo ngokwalo luveliswa kwicala lomxhasi, kwaye nasiphi na isenzo secala lomxhasi sinokuthi sixhomekeke kwi-reverse-engineering.

Kweli nqaku, ndiza kuxoxa ngendlela endenze ngayo:

1. Sombulula isicelo sokwenziwa kotyikityo lwealgorithm
2. Bhala olwam ulwandiso lweBurp Suite ezenzela wonke umsebenzi omdaka

Eli nqaku liza kukufundisa indlela yokulondoloza ixesha lakho elixabisekileyo kwaye ukhabe izisombululo ezingenamsebenzi ukuba ungumphuhlisi onomdla wokwenza iiprojekthi ezikhuselekileyo. Kwaye ukuba uyipentester, emva kokufunda eli nqaku, unokufunda izifundo eziluncedo malunga nokulungiswa kweempazamo kunye nokucwangcisa izandiso zakho zeSwiss Knife yokhuseleko. Ngamafutshane, wonke umntu ukwicala elihle.

Makhe sifikelele kwinqanaba.

Intambo ka-Ariadne: ukutyhila i-algorithm yotyikityo

Ke, inkonzo yikhasino ekwi-intanethi eneseti yemidlalo yakudala:

• I-Plinko - umdlalo apho abadlali bewisa khona ibhola ukusuka phezulu kwibhodi egcwele isikhonkwane, beyibukele igxuma ukuya kumhlaba kwindawo yokubeka kunye nokuphumelela okanye ukuphulukana nexabiso;
• Amatikiti - abadlali bathenga amatikiti elotho kunye neseti yamanani kwaye baphumelele ukuba amanani abo ahambelana namanani atsalwe ngokungacwangciswanga;
• I-LiveDealers - imidlalo yekhasino ye-intanethi eqhutywa ngabathengisi bokwenyani ngexesha lokwenyani, ivumela abadlali ukuba babukele kwaye banxibelelane ngevidiyo.
• Kabini — umdlalo olula apho abadlali babheje ukuba ikhadi elilandelayo liya kuba phezulu okanye ngaphantsi kwekhadi langoku.
• Ukuphahlazeka - abadlali bayabheja kwaye babukele ukonyuka okuphindaphindayo, bejolise ekukhupheni imali ngaphambi kokuba i-multiplier ingqubeke;
• Nvuti - abadlali babheje malunga nokuba inani liya kuwa ngaphantsi okanye ngaphezulu kwesithuba esithile;
• Slots — imidlalo yekhasino apho abadlali spin iireels kunye neesimboli kwaye baphumelele ukuba imidibaniso ethile ivela kwiscreen.

Ukusebenzisana nomncedisi kusebenza ngokupheleleyo kwisiseko sezicelo zeHTTP. Nokuba nguwuphi na umdlalo owukhethayo, isicelo ngasinye se-POST kumncedisi kufuneka sisayinwe - kungenjalo umncedisi uya kwenza impazamo. Izicelo zokutyikitya kuzo zonke ezi midlalo zisebenza kumgaqo ofanayo - ndiza kuthatha umdlalo omnye kuphela ukuphanda ukuze ndingenzi umsebenzi ofanayo kabini.

Kwaye ndiza kuthatha umdlalo obizwa Dragon Dungeon.

Undoqo walo mdlalo kukukhetha iingcango kwinqaba ngokulandelelana kwindima ye-knight. Ngasemva kocango ngalunye kufihlwe ubutyebi okanye inamba. Ukuba umdlali udibana nenamba emva kocango, umdlalo uyayeka kwaye ulahlekelwe yimali. Ukuba ubuncwane bufunyenwe - isixa ubhejo lokuqala ukwanda kwaye umdlalo uyaqhubeka de umdlali uthatha lokuwina, ulahlekelwa okanye udlula onke amanqanaba.

Ngaphambi kokuqala komdlalo, umdlali kufuneka achaze inani lokubheja kunye nenani leedragons.

Ndifaka inani le-10 njengenani, ndishiye inamba enye kwaye ndijonge isicelo esiya kuthunyelwa. Oku kunokwenziwa kwizixhobo zomphuhlisi nakuwuphi na umkhangeli zincwadi, kwiChromium iNethiwekhi ithebhu inoxanduva loku.

Apha ungabona kwakhona ukuba isicelo sithunyelwe kwindawo yokuphela /srv/api/v1/dungeon .

Ithebhu yePayload ibonisa umzimba wesicelo ngokwawo kwifomathi ye-JSON

Iiparamitha ezimbini zokuqala zicacile-ndizikhethile kwi-UI; Eyokugqibela, njengoko unokuthelekelela, timestamp okanye ixesha eliye ladlula ukusukela nge-1 kaJanuwari, 1970, ngokuchaneka kweJavascript yeemilliseconds.

Oku kushiya iparameter enye engasonjululwanga kwaye, - kwaye lutyikityo ngokwalo. Ukuze uqonde indlela eyakhiwe ngayo, ndiya kwithebhu yeMithombo - le ndawo iqulethe zonke izibonelelo zenkonzo elayishwe ngumkhangeli. Kubandakanya iJavascript, enoxanduva kuyo yonke ingqiqo yenxalenye yomxhasi wesayithi.

Akulula kangako ukuyiqonda le khowudi - incinci. Ungazama ukuyenza icace yonke into - kodwa yinkqubo ende nedinayo eya kuthatha ixesha elininzi (uthathela ingqalelo isixa sekhowudi yomthombo), andikakulungeli ukuyenza.

Inketho yesibini kunye nelula kukufumana nje inxalenye efunekayo yekhowudi ngegama elingundoqo kwaye usebenzise i-debugger. Yiloo nto endiya kuyenza, kuba andifuni ukwazi ukuba yonke indawo isebenza njani, ndifuna nje ukwazi ukuba utyikityo lwenziwa njani.

Ke, ukufumana inxalenye yekhowudi enoxanduva lokuvelisa ikhowudi, unokuvula uphendlo kuyo yonke imithombo usebenzisa i CTRL+SHIFT+F indibaniselwano yesitshixo kwaye ujonge isabelo sexabiso kwisitshixo sign esithunyelwayo. kwisicelo.

Ngethamsanqa, mnye kuphela umdlalo, nto leyo ethetha ukuba ndikwindlela elungileyo.

Ukuba ucofa kumdlalo, ungaya kwicandelo lekhowudi apho utyikityo ngokwalo lwenziwa. Ikhowudi icacile njengangaphambili, ngoko kusenzima ukuyifunda.

Ngokuchasene nomgca wekhowudi ndibeka i-breakpoint, uvuselele iphepha kwaye wenze ibhidi entsha "kwi-dragons" - ngoku iskripthi siyeke umsebenzi waso kanye ngexesha lokwenziwa kwesiginesha, kwaye unokubona imeko yezinye izinto eziguquguqukayo.

Umsebenzi obizwa ngokuba ngunobumba omnye, iinguqu nazo - kodwa akukho ngxaki. Ungaya kwi-console kwaye ubonise amaxabiso ngamnye kubo. Imeko iqala ukucaca ngakumbi.

Ixabiso lokuqala Imveliso lixabiso lenguquko H , engumsebenzi. Ungacofa kuyo kwi-console kwaye uye kwindawo apho ichazwe khona kwikhowudi, ngezantsi kuluhlu.

Esi sisiqwengana esihle kakhulu sekhowudi apho ndabona khona umkhondo-SHA256. Le yi-algorithm ye-hashing. Unokubona kwakhona ukuba iiparamitha ezimbini zigqithiselwe kumsebenzi, obonisa ukuba oku kungabi yi-SHA256 nje, kodwa i-HMAC SHA256 eyimfihlo.

Mhlawumbi izinto eziguquguqukayo ezigqithisiweyo apha (kwakhona zikhupha ikhonsoli):

• umtya 10;1;6693a87bbd94061678473bfb;1732817300080;gRdVWfmU-YR_RCuSkWFLCUTly_GZfDx3KEM8 - ngqo ixabiso apho umsebenzi we-HMAC SHA256 usetyenziswa khona.
• 31754cff-be0f-446f-9067-4cd827ba8707 yinto engatshintshiyo esebenza njengemfihlo.

Ukuqinisekisa oku, ndifowunela umsebenzi kwaye ndifumane utyikityo olucingelwayo

Ngoku ndiya kwindawo ebala i-HMAC SHA256 kwaye ndigqithise amaxabiso kuyo.

Kwaye ndiyithelekisa naleyo ithunyelwe kwisicelo xa ndifaka isicelo.

Iziphumo ziyafana, okuthetha ukuba uqikelelo lwam beluchanekile-isebenzisa i-HMAC SHA256 enemfihlo engatshintshiyo, egqithiswa ngomtya owenziwe ngokukodwa ngomlinganiselo, inani leedragons kunye nezinye iiparameter, endiza kukuxelela ngazo ngokuqhubekayo. ekuhambeni kwenqaku.

I-algorithm ilula kwaye ithe ngqo. Kodwa akwanelanga - ukuba ibiyinjongo kwiprojekthi yomsebenzi yepentest ukufumana ubuthathaka, bendiya kufuna ukuba ndifunde ukuthumela eyam imibuzo ndisebenzisa iBurp Suite.

Kwaye oku ngokuqinisekileyo kufuna i-automation, yile nto ndiza kuthetha ngayo ngoku.

Ngaba kuyimfuneko ukuba ubhale eyakho isandiso?

Ndiyifumene i-algorithm yokwenza utyikityo. Ngoku lixesha lokufunda indlela yokwenza ngokuzenzekelayo ukuze ukhuphe zonke izinto ezingeyomfuneko xa uthumela izicelo.

Ungathumela izicelo usebenzisa iZAP, iCaido, iBurp Suite, kunye nezinye izixhobo zepentest. Eli nqaku liza kugxila kwiBurp Suite, njengoko ndiyifumanisa iyeyona isebenziseka lula kwaye iphantse igqibelele. Ushicilelo loLuntu lunokukhutshelwa simahla kwindawo esemthethweni, kwanele kuzo zonke iimvavanyo.

Ngaphandle kwebhokisi iBurp Suite ayikwazi ukwenza i-HMAC SHA256. Ke ngoko, ukwenza oku, ungasebenzisa izandiso ezihambelana nokusebenza kweBurp Suite.

Izandiso zenziwe ngamalungu oluntu kunye nabaphuhlisi ngokwabo. Zisasazwa mhlawumbi nge-BApp eyakhelwe-ngaphakathi kwiVenkile yasimahla, iGithub, okanye enye indawo yokugcina ikhowudi yomthombo.

Kukho iindlela ezimbini ongazithatha:

1. Sebenzisa ulwandiso olungekho kwishelufu kwi-BApp Store
2. Bhala esakho isandiso

Nganye kwezi ndlela zineenzuzo kunye neengxaki zayo, ndiza kukubonisa zombini.

Ukwazi Hackvertor

Indlela enesandiso esenziwe ngokulungeleyo iyona ilula. Kukuyikhuphela kwi-BApp Store kwaye usebenzise iimpawu zayo ukuvelisa ixabiso lepharamitha sign .

Ulwandiso endilusebenzisileyo lubizwa ngokuba yiHackvertor . Ikuvumela ukuba usebenzise i-XML njenge-syntax ukuze ukwazi ukuguqulela ikhowudi/ukuguqula, ukubethela/ukucoca, ukudibanisa idatha eyahlukeneyo.

Ukuze uyifake, iBurp ifuna:

1. Yiya kwi Izandiso thebhu

2. Chwetheza iHackvertor kukhangelo

3. Khetha ulwandiso olufunyenweyo kuluhlu

4. Cofa Faka

   
   

Nje ukuba ifakwe, ithebhu enegama elifanayo iya kuvela kwiBurp. Unokuya kuyo kwaye uvavanye amandla okwandisa kunye nenani lamathegi akhoyo, nganye enokuthi idibaniswe kunye nomnye.

Ukwenza umzekelo, ungabhala ngokuntsonkothileyo into nge-symmetric AES usebenzisa ithegi <@aes_encrypt('supersecret12356','AES/ECB/PKCS5PADDING')>MySuperSecretText<@/aes_encrypt> .

Imfihlo kunye ne-algorithm ikwizibiyeli, kwaye phakathi kweethegi kumbhalo ngokwawo oza kufihlwa. Naziphi iithegi zingasetyenziswa kwi-Repeater, Intruder kunye nezinye izixhobo ezakhelwe ngaphakathi zeBurp Suite.

Ngoncedo lokwandiswa kweHackvertor ungachaza indlela isiginitsha kufuneka iveliswe ngayo kwinqanaba lethegi. Ndiza kuyenza kumzekelo wesicelo sokwenyani.

Ukusebenzisa i-Hackvertor ekulweni

Ke, ndenza ukubheja kwi-Dragon Dungeon, ndibambe isicelo esifanayo endisifumeneyo ekuqaleni kweli nqaku nge-Intercept Proxy, kwaye ndiyicinezele kwi-Repeater ukuze ndikwazi ukuyihlela kwaye ndiyithumele kwakhona.

Ngoku endaweni yexabiso le ae04afe621864f569022347f1d1adcaa3f11bebec2116d49c4539ae1d2c825fc , kufuneka sithathe indawo ye-algorithm ukuvelisa i-HMAC SHA256 usebenzisa iithegi ezinikezwe nguHackvertor.

Формула генерации у меня получилась следующая <@hmac_sha256('31754cff-be0f-446f-9067-4cd827ba8707')>10;1;6693a87bbd94061678473bfb;<@timestamp/>000;MDWpmNV9-j8tKbk-evbVLtwMsMjKwQy5YEs4<@/hmac_sha256> .

Qwalasela zonke iiparamitha:

• 10 - imali yokubheja
• 1 - inani leedragons
• 6693a87bbd94061678473bfb - I-ID yomsebenzisi ekhethekileyo evela kwi-database ye-MongoDB, ndayibona ngelixa ndihlalutya isiginitsha kwisikhangeli, kodwa andizange ndibhale ngayo ngoko. Ndikwazile ukuyifumana ngokukhangela imixholo yemibuzo kwiBurp Suite, ibuya kumbuzo /srv/api/v1/profile/me endpoint query.

• <@timestamp/>000 - ukuveliswa kwesitampu sexesha, ooziro abathathu bokugqibela bacokisa ixesha ukuya kwi-millisecond
• MDWpmNV9-j8tKbk-evbVLtwMsMjKwQy5YEs4 - ithokheni ye-CSRF, ebuyiselwe ukusuka /srv/api/v1/csrf endpoint, kwaye ifakwe endaweni kwisicelo ngasinye, kwisihloko se X-Xsrf-Token .

• <@hmac_sha256('31754cff-be0f-446f-9067-4cd827ba8707')> kunye <@/hmac_sha256> - ukuvula nokuvala iithegi zokuvelisa i-HMAC SHA256 ukusuka kwixabiso elifakwe endaweni enemfihlo njengesiqhelo 31754cff-be0f-446f-9067-4cd827ba8707 .

Kubalulekile ukuba uqaphele: iiparamitha kufuneka zixhunywe omnye komnye nge ; ngolandelelwano olungqongqo, - kungenjalo utyikityo luyakwenziwa ngokungalunganga - njengakumfanekiso wekhusi apho ndiye ndatshintsha umyinge kunye nenani leedragons.

Kulapho bonke ubugqi bulele khona.

Ngoku ndenza umbuzo ochanekileyo, apho ndichaza iiparameters ngendlela echanekileyo, kwaye ndifumana ulwazi lokuba yonke into iphumelele kwaye umdlalo waqala - oku kuthetha ukuba i-Hackvertor ivelise isignesha endaweni yefomula, ifake endaweni yombuzo, kwaye yonke into isebenza. .

Nangona kunjalo, le ndlela inenzuzo enkulu - awukwazi ukulahla umsebenzi wezandla ngokupheleleyo. Ngalo lonke ixesha utshintsha ireyithi okanye inani leedragons kwi-JSON, kufuneka uyitshintshe kwisignesha ngokwayo ukuze ihambelane.

Kwakhona, ukuba uthumela isicelo esitsha esisuka kuMmeli wesithuba kwi-Intruder okanye uMphindi, kufuneka uphinde ubhale ifomula, enzima kakhulu xa ufuna iithebhu ezininzi kwiimeko ezahlukeneyo zovavanyo.

Le fomula iya kusilela kwakhona kweminye imibuzo apho ezinye iiparameters zisetyenziswa.

Ndiye ndagqiba ekubeni ndibhale olwam ulwandiso ukuze ndoyise ezi ntsilelo.

Fumana bonke umlingo weBurp kunye nolwandiso lwakho

Iisetingi zokuqala

Ungabhala izandiso zeBurp Suite kwiJava kunye nePython. Ndiza kusebenzisa ulwimi lwenkqubo yesibini njengoko ilula kwaye ibonwa ngakumbi. Kodwa kufuneka uzilungiselele kwangaphambili: okokuqala kufuneka ukhuphele i-Jython Standalone kwiwebhusayithi esemthethweni, kwaye emva koko indlela eya kwifayile ekhutshelweyo kwiisetingi zeBurp Suite.

Emva koko, kufuneka wenze ifayile ngekhowudi yemvelaphi ngokwayo kunye nolwandiso *.py .

Sele ndinayo i-billet echaza ingqiqo esisiseko, nantsi imixholo yayo:

Yonke into ilula nge-intuitively kwaye ithe ngqo:

• getActionName - le ndlela ibuyisela igama lesenzo ekufuneka senziwe lulwandiso. Ulwandiso ngokwalo longeza uMgaqo wokuPhathwa kweSeshini onokuthi usetyenziswe ngokuguquguqukayo kuzo naziphi na izicelo, kodwa ngaphezulu koko kamva. Kubalulekile ukwazi ukuba eli gama linokwahluka kwigama lolwandiso, kwaye liya kukhetheka kujongano.
• performAction - ingqiqo yomgaqo ngokwawo, ozakusetyenziswa kwizicelo ezikhethiweyo, ziya kupelwa apha.

Zombini iindlela zibhengezwe ngokwe- ISessionHandlingAction interface.

Ngoku kwi-interface ye-IBurpExtender . Ichaza eyona ndlela ifunekayo registerExtenderCallbacks , eyenziwa ngoko nangoko emva kokulayisha ulwandiso, kwaye iyafuneka ukuba isebenze kuzo zonke.

Apha kulapho uqwalaselo olusisiseko lwenziwa khona:

• callbacks.setExtensionName(EXTENSION_NAME) - ibhalisa ulwandiso lwangoku njengesenzo sokuphatha iiseshoni
• sys.stdout = callbacks.getStdout() - iqondisa ngokutsha imveliso esemgangathweni (stdout) kwiBurp Suite yefestile yemveliso (indawo yolawulo "Izandiso"
• self.stderr = PrintWriter(callbacks.getStdout(), True) - yenza umsinga wokukhupha iimpazamo
• self.stdout.println(EXTENSION_NAME) - iprinta igama lolwandiso kwiBurp Suite
• self.callbacks = callbacks - igcina into yokufowuna njengophawu lwakho. Oku kuyafuneka kusetyenziso lwakamva lweBurp Suite API kwezinye iindawo zekhowudi yolwandiso.
• self.helpers = callbacks.getHelpers() - ikwafumana iindlela eziluncedo eziyakufuneka njengoko ulwandiso luqhuba

Ngamalungiselelo okuqala enziwe, yiloo nto. Ngoku ungalayisha ulwandiso kwaye uqiniseke ukuba lusebenza konke. Ukwenza oku, yiya kwi Izandiso thebhu kwaye ucofe Yongeza.

Kwifestile evelayo, khankanya

• Uhlobo lolwandiso-Python, okanye ulwimi lwenkqubo apho ulwandiso lubhalwe khona
• Ifayile yolwandiso - indlela eya kwifayile yolwandiso ngokwayo.

Kwaye nqakraza Okulandelayo.

Ukuba ifayile yekhowudi yomthombo ifomathwe ngokufanelekileyo, akukho ziphoso kufuneka zenzeke, kwaye ithebhu yeSiphumo iya kubonisa igama lolwandiso. Oku kuthetha ukuba yonke into isebenza kakuhle.

Uvavanyo losiba

Imithwalo eyandisiweyo kunye nemisebenzi - kodwa yonke into eyayilayishiwe yayiyi-wrapper ngaphandle kwengqiqo, ngoku ndifuna ikhowudi ngokuthe ngqo ukusayina isicelo. Sele ndiyibhalile kwaye iboniswe kwiskrini esingezantsi.

Indlela ulwandiso lonke lusebenza ngayo kukuba ngaphambi kokuba isicelo sithunyelwe kumncedisi, siya kuguqulwa ngokwandiswa kwam.

Ndiqala ngokuthatha isicelo sokuba ukwandiswa kuthintelwe, kwaye ndifumane ireyithi, kunye nenani leedragons, emzimbeni wayo.

 json_body = json.loads(message_body) amount_currency = json_body["amountCurrency"] dragons = json_body["dragons"]

Emva koko, ndifunde i-Timestamp yangoku kwaye ndifumana ithokheni ye-CSRF kwisihloko esihambelanayo

 currentTime = str(time.time()).split('.')[0]+'100' xcsrf_token = None for header in headers: if header.startswith("X-Xsrf-Token"): xcsrf_token = header.split(":")[1].strip()

Okulandelayo, isicelo ngokwaso sisayinwe kusetyenziswa i-HMAC SHA256

 hmac_sign = hmac_sha256(key, message=";".join([str(amount_currency), str(dragons), user_id, currentTime, xcsrf_token]))

Umsebenzi ngokwawo kunye nee-constants ezibonisa imfihlo kunye ne-ID yomsebenzisi zichazwe kwangaphambili phezulu

 def hmac_sha256(key, message): return hmac.new( key.encode("utf-8"), message.encode("utf-8"), hashlib.sha256 ).hexdigest() key = "434528cb-662f-484d-bda9-1f080b861392" user_id = "zex2q6cyc4ba3gvkyex5f80m"

Emva koko amaxabiso abhalwa kumzimba wesicelo kwaye aguqulelwe kwi-JSON

 json_body["sign"] = hmac_sign json_body["t"] = currentTime message_body = json.dumps(json_body)

Inyathelo lokugqibela kukwenza isicelo esayiniweyo kunye nesilungisiweyo kwaye usithumele kuyo

 httpRequest = self.helpers.buildHttpMessage(get_final_headers, message_body) baseRequestResponse.setRequest(httpRequest)

Kuko konke, ikhowudi yomthombo ibhaliwe. Ngoku ungalayisha kwakhona ulwandiso kwiBurp Suite (kufuneka yenziwe emva kokuguqulwa kweskripthi ngasinye), kwaye uqinisekise ukuba yonke into iyasebenza.

Ukuvavanya umthetho omtsha osebenzayo

Kodwa kuqala kufuneka wongeze umthetho omtsha wokuqhuba izicelo. Ukwenza oku, yiya kwiiSetingi, kwicandelo leeSeshini. Apha uya kufumana yonke imithetho eyahlukeneyo ethi iqhutywe xa uthumela izicelo.

Cofa Faka ukongeza ulwandiso oluqalisa kwiintlobo ezithile zezicelo.

Kwifestile evelayo, ndishiya yonke into njengoko injalo kwaye ukhethe Yongeza kuMthetho izenzo

Uluhlu lokuthoba luya kuvela. Kuyo, khetha Biza ulwandiso lweBurp.

Kwaye uchaze ulwandiso oluya kubizwa xa uthumela izicelo. Ndinayo, kwaye siSisolulo seBurp.

Emva kokukhetha ulwandiso, ndicofa u-OK. Kwaye ndiya kwi Scope tab, apho ndichaza khona:

• Umda wezixhobo-Uphinda-phinda (ulwandiso kufuneka luvuse xa ndithumela izicelo ngesandla ngoMphindi)

• Umda we-URL - Bandakanya zonke ii-URL (ukuze isebenze kuzo zonke izicelo endizithumelayo).

  
  

Kufuneka isebenze njengakumfanekiso wekhusi ongezantsi.

Emva kokucofa u-Kulungile, umthetho wokwandisa uvele kuluhlu oluqhelekileyo.

Ekugqibeleni, unokuvavanya yonke into esebenzayo! Ngoku ungawutshintsha umbuzo kwaye ubone ukuba utyikityo luya kuhlaziya njani. Kwaye nangona umbuzo ungaphumeleli, kuya kuba ngenxa yokuba ndikhethe ireyithi engalunganga, kungekhona ngenxa yokuba kukho into engalunganga kwisignesha (andifuni kumosha imali 😀). Ulwandiso ngokwalo lusebenza kwaye utyikityo lwenziwa ngokuchanekileyo.

Ukuyizisa kwimfezeko

Yonke into ilungile, kodwa kukho iingxaki ezintathu:

1. Ithokheni ye-CSRF ithathwa kwisihloko. Ngokuqhelekileyo kufuneka ilahlwe, kodwa mhlawumbi apha inobomi bonke (okanye hayi, into engalunganga). Kwimeko nayiphi na into, kuya kulunga ngakumbi ukwenza isicelo esahlukileyo ngokwaso ukuze ufumane entsha kwaye uyihlaziye. 2- I-ID yomsebenzisi echazwe kwangaphambili isetyenziswa. Ukuba ndifuna ukujonga i-IDOR kule nkonzo, iskripthi sam sangaphambili siya kuba singasebenzi komnye umsebenzisi, kuba i-ID inekhowudi.
2. Imibuzo eyahlukeneyo ingaba neeparamitha ezahlukeneyo. Kwaye iskimu esichazwe kwiskripthi ekuqaleni siya kusebenza kuphela kwiDungeon Dragons, kwaye akukho enye. Kwaye ndingathanda ukukwazi ukuhlela kwaye ndithumele nasiphi na isicelo.

Ukusombulula oku, kufuneka songeze izicelo ezibini ezongezelelweyo, ezinokwenziwa lithala leencwadi leBurp Suite elakhelwe ngaphakathi, endaweni yalo naliphi na iqela lesithathu, endaweni requests .

Ukwenza oku, ndisonge ingqiqo eqhelekileyo ukwenza imibuzo ibe lula ngakumbi. Ngeendlela ezisemgangathweni zikaBurp, unxibelelwano nemibuzo lwenziwa kumbhalo omninzi.

 def makeRequest(self, method="GET", path="/", headers=None, body=None): first_line = method + " " + path + " HTTP/1.1" headers[0] = first_line if body is None: body = "{}" http_message = self.helpers.buildHttpMessage(headers, body) return self.callbacks.makeHttpRequest(self.request_host, self.request_port, True, http_message)

Kwaye wongeze imisebenzi emibini ekhupha idatha endiyifunayo, uphawu lweCSRF, kunye neID yoMsebenzisi.

 def get_csrf_token(self, headers): response = self.makeRequest("GET", "/srv/api/v1/csrf", headers) message = self.helpers.analyzeRequest(response) raw_headers = str(message.getHeaders()) match = re.search(r'XSRF-TOKEN=([a-zA-Z0-9_-]+)', raw_headers) return match.group(1) def get_user_id(self, headers): raw_response = self.makeRequest("POST", "/srv/api/v1/profile/me", headers) response = self.helpers.bytesToString(raw_response) match = re.search(r'"_id":"([a-f0-9]{24})"', response) return match.group(1)

Kwaye ngokuhlaziya umqondiso ngokwawo kwizihloko ezithunyelweyo

 def update_csrf(self, headers, token): for i, header in enumerate(headers): if header.startswith("X-Xsrf-Token:"): headers[i] = "X-Xsrf-Token: " + token return headers

Umsebenzi wotyikityo ujongeka ngolu hlobo. Apha kubalulekile ukuqaphela ukuba ndithatha zonke iiparameters zesiko ezithunyelwe kwisicelo, dibanisa umgangatho user_id , currentTime , csrf_token ukuya ekupheleni kwazo, kwaye zisayine zonke kunye usebenzisa ; njengomahluli.

 def sign_body(self, json_body, user_id, currentTime, csrf_token): values = [] for key, value in json_body.items(): if key == "sign": break values.append(str(value)) values.extend([str(user_id), str(currentTime), str(csrf_token)]) return hmac_sha256(hmac_secret, message=";".join(values))

Umthamo ophambili uye wancitshiswa waba yimigca embalwa:

1. Ithokheni yeCSRF kunye nokufunyanwa kwe-UserID kuyenziwa
2. Isitampu sexesha siyabalwa kwaye utyikityo lwenziwa ngokusekelwe kuzo zonke iiparamitha. Kubalulekile ukuqaphela apha ukuba ndisebenzisa OrderedDict eyenza isichazi-magama ngokulandelelana okungqongqo njengoko kubalulekile ukusigcina ngelixa usayina.
3. Umzimba wokugqibela wesicelo uyaveliswa kwaye uthunyelwa phambili

 csrf_token = self.get_csrf_token(headers) final_headers = self.update_csrf(final_headers, csrf_token) user_id = self.get_user_id(headers) currentTime = str(time.time()).split('.')[0]+'100' json_body = json.loads(message_body, object_pairs_hook=OrderedDict) sign = self.sign_body(json_body, user_id, currentTime, csrf_token) json_body["sign"] = sign json_body["t"] = currentTime message_body = json.dumps(json_body) httpRequest = self.helpers.buildHttpMessage(final_headers, message_body) baseRequestResponse.setRequest(httpRequest)

Umfanekiso weskrini, ukuze uqiniseke

Ngoku, ukuba uya komnye umdlalo apho iiparameters zesiko sele zi-3 endaweni ye-2, kwaye uthumele isicelo, unokubona ukuba iya kuthunyelwa ngempumelelo. Oku kuthetha ukuba ukwandiswa kwam ngoku kukwindawo yonke kwaye kusebenza kuzo zonke izicelo.

Umzekelo wokuthumela isicelo sokuzaliswa kweakhawunti

Ukuqukumbela

Izandiso ziyinxalenye yeBurp Suite. Iinkonzo zihlala ziphumeza ukusebenza ngokwesiko ekungekho mntu wumbi ngaphandle kokuba ubhale kwangaphambili. Yingakho kubalulekile ukuba ungagcini nje ukukhuphela izandiso esele zenziwe, kodwa nokuba ubhale ngokwakho, oko ndizama ukukufundisa kweli nqaku.

Kuphelele apho okwangoku, ziphucule kwaye ungaguli.

Ikhonkco kwikhowudi yemvelaphi yolwandiso: *cofa* .