一、寫在前面
剛剛入職,適應了幾天后抓緊開始學習,畢竟學無止境且自己太菜了……
面試的時候,負責人問了我一些關于Java代審的問題,不過之前接觸的更多是php的代審,熟悉代審的小伙伴們大概都清楚,兩者就不是一個難度等級……而且網上目前好像也沒有一個比較系統的java代審學習路線和視頻,在這里就慢慢摸索吧,學一點就記錄一點,也希望哪一位大佬看到后,可以call我一下,哪怕點一點學習路線也好,實在是頭緒不太夠哈哈~
WebGoat是OWASP開源的一個Java且使用的Spring框架的開源靶場,就從這里開始吧,統一說一下環境搭建(這里走了不少彎路,java的脾氣大家都知道,一點不合就撂攤子……):
- Maven——3.6.3
- jdk11
- WebGoat——8.0.0.M25
安裝好后IDEA直接啟動進入靶場,后面就不說這里了,主要還是代碼漏洞的審計~


二、Xss代審(按題目順序)
- 之前的就不看了,都是一些說明,直接從7開始

這里給了一個類似于購物車的表單提交功能,他這里放在了XSS漏洞下,那我們就從這里找XSS

這里可以看到,Quantity數量只在前端頁面是無法修改的(抓包還沒有嘗試,這里暫定一下,回頭補上,順便提一下,這里的數量可以填寫負數,很有可能會存在支付邏輯漏洞,也是回頭再驗證吧),那就考慮在下方的card number和access code處考慮插入XSS腳本,

開發團隊也是很有意思了,我現在明明就是在攻擊你啊……所以這樣的利用方式估計是那里被過濾了(事后證明,確實是access code輸入框存在著過濾),那就分開試~

可以看到,大概漏洞點在card number位置上,下面上代碼尋找問題~


這里F12檢查按鈕,發現頁面把表單提交給了/WebGoat/CrossSiteScripting/attack5a檔案,在檔案里找了下,確定了該功能的執行類,貼在下面~
1 package org.owasp.webgoat.plugin; 2 3 import org.owasp.webgoat.assignments.AssignmentEndpoint; 4 import org.owasp.webgoat.assignments.AssignmentHints; 5 import org.owasp.webgoat.assignments.AssignmentPath; 6 import org.owasp.webgoat.assignments.AttackResult; 7 import org.owasp.webgoat.session.UserSessionData; 8 import org.springframework.beans.factory.annotation.Autowired; 9 import org.springframework.web.bind.annotation.RequestMapping; 10 import org.springframework.web.bind.annotation.RequestMethod; 11 import org.springframework.web.bind.annotation.RequestParam; 12 import org.springframework.web.bind.annotation.ResponseBody; 13 14 import javax.servlet.http.HttpServletRequest; 15 import java.io.IOException; 16 17 18 19 /*************************************************************************************************** 20 * 21 * 22 * This file is part of WebGoat, an Open Web Application Security Project utility. For details, 23 * please see http://www.owasp.org/ 24 * 25 * Copyright (c) 2002 - 20014 Bruce Mayhew 26 * 27 * This program is free software; you can redistribute it and/or modify it under the terms of the 28 * GNU General Public License as published by the Free Software Foundation; either version 2 of the 29 * License, or (at your option) any later version. 30 * 31 * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without 32 * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 33 * General Public License for more details. 34 * 35 * You should have received a copy of the GNU General Public License along with this program; if 36 * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 37 * 02111-1307, USA. 38 * 39 * Getting Source ============== 40 * 41 * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software 42 * projects. 43 * 44 * For details, please see http://webgoat.github.io 45 * 46 * @author Bruce Mayhew <a href="https://www.cnblogs.com/wavesky/archive/2022/08/15/http://code.google.com/p/webgoat">WebGoat</a> 47 * @created October 28, 2003 48 */ 49 @AssignmentPath("/CrossSiteScripting/attack5a") 50 @AssignmentHints(value = https://www.cnblogs.com/wavesky/archive/2022/08/15/{"xss-reflected-5a-hint-1", "xss-reflected-5a-hint-2", "xss-reflected-5a-hint-3", "xss-reflected-5a-hint-4"}) 51 public class CrossSiteScriptingLesson5a extends AssignmentEndpoint { 52 53 @Autowired 54 UserSessionData userSessionData; 55 56 @RequestMapping(method = RequestMethod.GET) 57 public @ResponseBody AttackResult completed(@RequestParam Integer QTY1, 58 @RequestParam Integer QTY2, @RequestParam Integer QTY3, 59 @RequestParam Integer QTY4, @RequestParam String field1, 60 @RequestParam String field2, HttpServletRequest request) 61 throws IOException { 62 63 if (field2.toLowerCase().matches("<script>.*(console\\.log\\(.*\\)|alert\\(.*\\))<\\/script>")) { 64 return trackProgress(failed().feedback("xss-reflected-5a-failed-wrong-field").build()); 65 } 66 67 double totalSale = QTY1.intValue() * 69.99 + QTY2.intValue() * 27.99 + QTY3.intValue() * 1599.99 + QTY4.intValue() * 299.99; 68 69 userSessionData.setValue("xss-reflected1-complete",(Object)"false"); 70 StringBuffer cart = new StringBuffer(); 71 cart.append("Thank you for shopping at WebGoat. <br />You're support is appreciated<hr />"); 72 cart.append("<p>We have charged credit card:" + field1 + "<br />"); 73 cart.append( " ------------------- <br />"); 74 cart.append( " $" + totalSale); 75 76 //init state 77 if (userSessionData.getValue("xss-reflected1-complete") == null) { 78 userSessionData.setValue("xss-reflected1-complete",(Object)"false"); 79 } 80 81 if (field1.toLowerCase().matches("<script>.*(console\\.log\\(.*\\)|alert\\(.*\\))<\\/script>")) { 82 //return trackProgress() 83 userSessionData.setValue("xss-reflected-5a-complete","true"); 84 if(field1.toLowerCase().contains("console.log")) { 85 return trackProgress(success().feedback("xss-reflected-5a-success-console").output(cart.toString()).build()); 86 } else { 87 return trackProgress(success().feedback("xss-reflected-5a-success-alert").output(cart.toString()).build()); 88 } 89 } else { 90 userSessionData.setValue("xss-reflected1-complete","false"); 91 return trackProgress(success() 92 .feedback("xss-reflected-5a-failure") 93 .output(cart.toString()) 94 .build()); 95 } 96 } 97 }
第63行可以看到,確實使field2的引數經過了一個小寫轉換+匹配,也就能證明之前兩個輸入框輸入的命令不正確了~
第72行可以看到,field1也就是card number引數,直接放到了執行陳述句中,沒有經過過濾,這也是7等級主要想表現出的漏洞問題~


修復一下,在上圖處添加html轉義,查看結果,可以看到的確沒有執行腳本,第7級完結~
轉載請註明出處,本文鏈接:https://www.uj5u.com/qita/501931.html
標籤:其他
上一篇:leetcode 239. Sliding Window Maximum 滑動視窗最大值(困難)
下一篇:[筆記]淺談分塊
