DVWA lab – JavaScript Attacks

Previous articles in this series:

DVWA shooting range-Brute Force Source brute force cracking

DVWA shooting range-Command Injection

DVWA range-CSRF cross-site request forgery

DVWA lab – File Inclusion

DVWA shooting range-File Upload

DVWA shooting range-SQL Injection

DVWA Shooting Range-Weak Session IDs

DVWA shooting range-XSS (DOM type, reflection type, storage type)

DVWA Range-Content Security Policy (CSP) Bypass

Setting up the lab environment

https://github.com/ethicalhack3r/DVWA

[Related article]: Setting up the DVWA lab

table of Contents

 

JavaScript Attacks

Low JavaScript

Core code

Medium JavaScript

Core code

High JavaScript

Core code

Impossible JavaScript


JavaScript Attacks

Low JavaScript

Core code

<?php

$page[ 'body' ] .= <<<EOF

<script>

/*

MD5 code from here

https://github.com/blueimp/JavaScript-MD5

*/

/*
 * Minified blueimp JavaScript-MD5 (UMD build). When neither AMD nor CommonJS is present
 * it is exposed as md5 on the global object (this), with the call forms:
 *   md5(message)            -> hex MD5 of the UTF-8 encoding of message
 *   md5(message, key)       -> hex HMAC-MD5 (key and message are UTF-8 encoded)
 *   md5(message, key, true) -> raw (binary string) HMAC-MD5
 *   md5(message, null, true)-> raw (binary string) MD5
 * Security note: MD5 is not collision resistant, but that is not what makes this level
 * weak; the token is weak because it is derived on the client from public, deterministic
 * code that anyone can re-run.
 * NOTE(review): the constant split as "760291" / "89" across the next two lines is a
 * page-wrapping artifact; in the library it is the single integer 76029189.
 */
!function(n){"use strict";function t(n,t){var r=(65535&n)+(65535&t);return(n>>16)+(t>>16)+(r>>16)<<16|65535&r}function r(n,t){return n<<t|n>>>32-t}function e(n,e,o,u,c,f){return t(r(t(t(e,n),t(u,f)),c),o)}function o(n,t,r,o,u,c,f){return e(t&r|~t&o,n,t,u,c,f)}function u(n,t,r,o,u,c,f){return e(t&o|r&~o,n,t,u,c,f)}function c(n,t,r,o,u,c,f){return e(t^r^o,n,t,u,c,f)}function f(n,t,r,o,u,c,f){return e(r^(t|~o),n,t,u,c,f)}function i(n,r){n[r>>5]|=128<<r%32,n[14+(r+64>>>9<<4)]=r;var e,i,a,d,h,l=1732584193,g=-271733879,v=-1732584194,m=271733878;for(e=0;e<n.length;e+=16)i=l,a=g,d=v,h=m,g=f(g=f(g=f(g=f(g=c(g=c(g=c(g=c(g=u(g=u(g=u(g=u(g=o(g=o(g=o(g=o(g,v=o(v,m=o(m,l=o(l,g,v,m,n[e],7,-680876936),g,v,n[e+1],12,-389564586),l,g,n[e+2],17,606105819),m,l,n[e+3],22,-1044525330),v=o(v,m=o(m,l=o(l,g,v,m,n[e+4],7,-176418897),g,v,n[e+5],12,1200080426),l,g,n[e+6],17,-1473231341),m,l,n[e+7],22,-45705983),v=o(v,m=o(m,l=o(l,g,v,m,n[e+8],7,1770035416),g,v,n[e+9],12,-1958414417),l,g,n[e+10],17,-42063),m,l,n[e+11],22,-1990404162),v=o(v,m=o(m,l=o(l,g,v,m,n[e+12],7,1804603682),g,v,n[e+13],12,-40341101),l,g,n[e+14],17,-1502002290),m,l,n[e+15],22,1236535329),v=u(v,m=u(m,l=u(l,g,v,m,n[e+1],5,-165796510),g,v,n[e+6],9,-1069501632),l,g,n[e+11],14,643717713),m,l,n[e],20,-373897302),v=u(v,m=u(m,l=u(l,g,v,m,n[e+5],5,-701558691),g,v,n[e+10],9,38016083),l,g,n[e+15],14,-660478335),m,l,n[e+4],20,-405537848),v=u(v,m=u(m,l=u(l,g,v,m,n[e+9],5,568446438),g,v,n[e+14],9,-1019803690),l,g,n[e+3],14,-187363961),m,l,n[e+8],20,1163531501),v=u(v,m=u(m,l=u(l,g,v,m,n[e+13],5,-1444681467),g,v,n[e+2],9,-51403784),l,g,n[e+7],14,1735328473),m,l,n[e+12],20,-1926607734),v=c(v,m=c(m,l=c(l,g,v,m,n[e+5],4,-378558),g,v,n[e+8],11,-2022574463),l,g,n[e+11],16,1839030562),m,l,n[e+14],23,-35309556),v=c(v,m=c(m,l=c(l,g,v,m,n[e+1],4,-1530992060),g,v,n[e+4],11,1272893353),l,g,n[e+7],16,-155497632),m,l,n[e+10],23,-1094730640),v=c(v,m=c(m,l=c(l,g,v,m,n[e+13],4,681279174),g,v,n[e],11,-358537222),l,g,n[e+3],16,-722521979),m,l,n[e+6],23,760291
89),v=c(v,m=c(m,l=c(l,g,v,m,n[e+9],4,-640364487),g,v,n[e+12],11,-421815835),l,g,n[e+15],16,530742520),m,l,n[e+2],23,-995338651),v=f(v,m=f(m,l=f(l,g,v,m,n[e],6,-198630844),g,v,n[e+7],10,1126891415),l,g,n[e+14],15,-1416354905),m,l,n[e+5],21,-57434055),v=f(v,m=f(m,l=f(l,g,v,m,n[e+12],6,1700485571),g,v,n[e+3],10,-1894986606),l,g,n[e+10],15,-1051523),m,l,n[e+1],21,-2054922799),v=f(v,m=f(m,l=f(l,g,v,m,n[e+8],6,1873313359),g,v,n[e+15],10,-30611744),l,g,n[e+6],15,-1560198380),m,l,n[e+13],21,1309151649),v=f(v,m=f(m,l=f(l,g,v,m,n[e+4],6,-145523070),g,v,n[e+11],10,-1120210379),l,g,n[e+2],15,718787259),m,l,n[e+9],21,-343485551),l=t(l,i),g=t(g,a),v=t(v,d),m=t(m,h);return[l,g,v,m]}function a(n){var t,r="",e=32*n.length;for(t=0;t<e;t+=8)r+=String.fromCharCode(n[t>>5]>>>t%32&255);return r}function d(n){var t,r=[];for(r[(n.length>>2)-1]=void 0,t=0;t<r.length;t+=1)r[t]=0;var e=8*n.length;for(t=0;t<e;t+=8)r[t>>5]|=(255&n.charCodeAt(t/8))<<t%32;return r}function h(n){return a(i(d(n),8*n.length))}function l(n,t){var r,e,o=d(n),u=[],c=[];for(u[15]=c[15]=void 0,o.length>16&&(o=i(o,8*n.length)),r=0;r<16;r+=1)u[r]=909522486^o[r],c[r]=1549556828^o[r];return e=i(u.concat(d(t)),512+8*t.length),a(i(c.concat(e),640))}function g(n){var t,r,e="";for(r=0;r<n.length;r+=1)t=n.charCodeAt(r),e+="0123456789abcdef".charAt(t>>>4&15)+"0123456789abcdef".charAt(15&t);return e}function v(n){return unescape(encodeURIComponent(n))}function m(n){return h(v(n))}function p(n){return g(m(n))}function s(n,t){return l(v(n),v(t))}function C(n,t){return g(s(n,t))}function A(n,t,r){return t?r?s(t,n):C(t,n):r?m(n):p(n)}"function"==typeof define&&define.amd?define(function(){return A}):"object"==typeof module&&module.exports?module.exports=A:n.md5=A}(this);

    function rot13(inp) {

        return inp.replace(/[a-zA-Z]/g,function(c){return String.fromCharCode((c<="Z"?90:122)>=(c=c.charCodeAt(0)+13)?c:c-26);});

    }

    function generate_token() {

        var phrase = document.getElementById("phrase").value;

        document.getElementById("token").value = md5(rot13(phrase));

    }

    generate_token();

</script>

EOF;

?>

Now look at the server-side handler (PHP) that validates the submission:

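$message = "";

// Server-side check: only a POST with phrase "success" and a token matching the level's
// token function is accepted. The token is meant to prove the form was filled in through the
// page's JavaScript, but the client computes it from public, deterministic code, so anyone can
// regenerate it; the check adds no real protection against hand-crafted submissions.
if ($_SERVER['REQUEST_METHOD'] == "POST") {
    if (array_key_exists ("phrase", $_POST) && array_key_exists ("token", $_POST)) {

        $phrase = $_POST['phrase'];
        $token = $_POST['token'];

        // Request parameters may arrive as arrays (phrase[]=x); only plain strings are meaningful.
        if (is_string($phrase) && is_string($token) && $phrase === "success") {
            // Avoid an undefined-index notice when the security cookie is absent.
            $level = array_key_exists('security', $_COOKIE) ? $_COOKIE['security'] : '';
            switch( $level ) {
                case 'low':
                    // hash_equals instead of loose ==: PHP's == compares numeric-looking strings
                    // numerically ("0e..." type juggling) and short-circuits on the first
                    // differing byte; hash_equals is strict and constant-time.
                    if (hash_equals(md5(str_rot13("success")), $token)) {
                        $message = "<p style='color:red'>Well done!</p>";
                    } else {
                        $message = "<p>Invalid token.</p>";
                    }
                    break;
                // The other levels' cases are not part of this excerpt.
            }
        }
    }
}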

The server reads `phrase` and `token` from the POST body. If `phrase` equals "success" and `token` equals md5(str_rot13("success")) — a constant that anyone can compute — it prints "Well done!". The server is merely replaying the same formula the client uses, so the token proves nothing about who filled in the form.

 

Typing `success` and pressing Submit directly gives "Invalid token": generate_token() ran once at page load, so the submitted token was computed from whatever the phrase field held at that time, not from "success".

Reading the page source shows that the token is md5(rot13(phrase)).

 

Compute the correct token in the browser console, e.g. `md5(rot13("success"))`:

token:38581812b435834ebf84ebcc2c6424d6

Then submit the POST with that token — either by typing `success` into the field and re-running `generate_token()` in the console (it rewrites the hidden token field) before clicking Submit, or by editing the request body in an intercepting proxy:

token=38581812b435834ebf84ebcc2c6424d6&phrase=success&send=Submit

 

Medium JavaScript

Core code

<?php

$page[ 'body' ] .= '<script 

src="' . DVWA_WEB_PAGE_TO_ROOT . 'vulnerabilities/javascript/source/medium.js">

</script>';

?>

Next, open medium.js:

function do_something(e) {
    // Returns the characters of e in reverse order ("success" -> "sseccus").
    // Walks the input by index, so a string is reversed per UTF-16 code unit.
    let reversed = "";
    let i = e.length;
    while (i-- > 0) {
        reversed += e[i];
    }
    return reversed;
}

// Fires once, 300 ms after the script runs, and never again: the token is computed from the
// phrase field as it is at that moment, so a phrase typed later is not reflected in the token
// unless do_elsesomething("XX") is called again (e.g. from the console).
setTimeout(function () {

    do_elsesomething("XX")

}, 300);

function do_elsesomething(e) {
    // token = reverse(e + phrase + "XX"); with e = "XX" and phrase "success" this is "XXsseccusXX".
    // Everything here is visible, deterministic client-side code, so the token is trivially forgeable.
    const phraseField = document.getElementById("phrase");
    const tokenField = document.getElementById("token");
    tokenField.value = do_something(e + phraseField.value + "XX");
}

Reading the code: do_elsesomething("XX") runs once, 300 ms after load, and sets token = reverse("XX" + phrase + "XX"). With phrase = "success" that is reverse("XXsuccessXX") = "XXsseccusXX". Because it runs only once, typing the phrase afterwards does not update the token.

So submit phrase=success with token=XXsseccusXX (set the token field by hand, or call `do_elsesomething("XX")` in the console after typing the phrase, then click Submit).

 

High JavaScript

Core code

<?php

$page[ 'body' ] .= '

<script src="' . DVWA_WEB_PAGE_TO_ROOT . 'vulnerabilities/javascript/source/high.js">

</script>';

?>

Open high.js: the code is obfuscated (not encrypted — it still has to run in the browser, so it can always be recovered). An online deobfuscator such as http://deobfuscatejavascript.com/# or the pretty-print ({}) button in the browser's Sources panel makes it readable. Avoid pasting code from real engagements into third-party sites; use local tooling there.

Core code
 

function do_something(e) {
    // Reverse e (indexed per UTF-16 code unit) and return the result as a string.
    const last = e.length - 1;
    let out = "";
    for (let i = 0; i <= last; i += 1) {
        out += e[last - i];
    }
    return out;
}

function token_part_3(t, y = "ZZ") {
    // Final step of the token chain, run from the Submit click listener (t is the click
    // event and is unused): token = sha256(token + y). Only the current token is hashed;
    // the phrase field is not read here.
    const tokenField = document.getElementById("token");
    const suffixed = tokenField.value + y;
    tokenField.value = sha256(suffixed);
}

function token_part_2(e = "YY") {
    // Second step of the chain: token = sha256(e + token). This script calls it with "XX"
    // from a 300 ms timer; the phrase field is not read here.
    const tokenField = document.getElementById("token");
    tokenField.value = sha256(e + tokenField.value);
}

function token_part_1(a, b) {
    // First step of the chain: token = reverse(phrase). Parameters a and b are accepted but
    // never used. This is the only step that reads the phrase field.
    const phraseField = document.getElementById("phrase");
    const tokenField = document.getElementById("token");
    tokenField.value = do_something(phraseField.value);
}

// Page-load sequence (the execution order is the whole point of this level):
//  1. The phrase field is emptied before anything reads it.
document.getElementById("phrase").value = "";

//  3. 300 ms later: token = sha256("XX" + token). By then the token is the reverse of the
//     empty phrase, i.e. "", so this yields sha256("XX") regardless of what the user typed.
setTimeout(function() {

    token_part_2("XX")

}, 300);

//  4. On Submit: token = sha256(token + "ZZ"). Again only the existing token is hashed; the
//     phrase field is never read again.
document.getElementById("send").addEventListener("click", token_part_3);

//  2. Runs immediately (before the timer): token = reverse(phrase), with the phrase just
//     cleared. Since this is the only step that reads the phrase, text typed later never
//     reaches the token chain unless token_part_1 and token_part_2 are re-run by hand
//     (e.g. from the console) before clicking Submit.
token_part_1("ABCD", 44);

The code executes in this order:

First the phrase field is cleared:

document.getElementById("phrase").value = "";

token_part_1("ABCD", 44);

and token_part_1 is called immediately:

function token_part_1(a, b) {

    document.getElementById("token").value = do_something(document.getElementById("phrase").value)

}

Then, 300 ms later, the timer fires:

setTimeout(function() {

    token_part_2("XX")

}, 300);

which calls:

function token_part_2(e = "YY") {

    document.getElementById("token").value = sha256(e + document.getElementById("token").value)

}

Because the token at that point is the reverse of the (empty) phrase, this sets token = sha256("XX" + "") = sha256("XX").

Then, when Submit is clicked, the click listener fires:

document.getElementById("send").addEventListener("click", token_part_3);

which calls token_part_3():

function token_part_3(t, y = "ZZ") {

    document.getElementById("token").value = sha256(document.getElementById("token").value + y)

}

 

The problem is this line:

document.getElementById("phrase").value = "";

token_part_1 — the only step that reads the phrase — runs right after the field is cleared and never again, so the `success` we type later never enters the token chain.

 

Open the browser debugger:

Select high.js in the Sources panel and enable the Event Listener Breakpoint for Mouse › click.

Click Submit; the debugger pauses as shown below:

 

The browser pretty-prints the obfuscated script and pauses at the click handler.

 

Execution is now paused at the breakpoint; uncheck the Mouse › click breakpoint so that later clicks are not intercepted again.

 

At this point, in the console, enter:

document.getElementById("phrase").value = "success";

Then resume execution.

If this fails on the first attempt, the reason is not caching: by the time the click listener pauses, token_part_1 and token_part_2 have already run over the empty phrase, so setting the phrase at the breakpoint does not feed "success" into the hash chain (token_part_3 only hashes the existing token). The reliable approach, derived directly from the script above, is to type `success` into the field, run `token_part_1("ABCD", 44); token_part_2("XX");` in the console, and then click Submit so that token_part_3 applies the final step.

 

 

Impossible JavaScript

You can never trust anything that comes from the user or prevent them from messing with it and so there is no impossible level.

The level is tongue-in-cheek: the only "fix" offered is to remove the user input entirely. The real lesson is that anything computed in client-side JavaScript — tokens, hashes, obfuscated checks — can be read, replayed or recomputed by the user, so the authoritative validation must live on the server.


https://www.sqlsec.com/2020/05/dvwa.html#toc-heading-31

 

