Ngolunye usuku ngihlangane nesevisi eqinisekisa ukusayinwa kwezicelo ohlangothini lweseva. Bekuyikhasino encane eku-inthanethi, okuthi kuso sonke isicelo kuhlolwe inani elithile elithunyelwe umsebenzisi kusuka kusiphequluli. Kungakhathalekile ukuthi ubuwenzani ekhasino: ukubheja noma ukwenza idiphozi, ipharamitha eyengeziwe esicelweni ngasinye kwakuyinani “uphawu”, oluhlanganisa isethi yezinhlamvu ezibonakala zingahleliwe. Akukwazanga ukuthumela isicelo ngaphandle kwaso - isayithi libuyise iphutha, futhi lingivimbele ukuthi ngithumele izicelo zami zangokwezifiso. Ukube bekungengenxa yaleli nani, ngabe ngashiya isayithi ngaleso sikhathi futhi angiphindanga ngacabanga ngakho. Kodwa, ngokumelene nazo zonke izingqinamba, kwakungewona umuzwa wenzuzo esheshayo owangenza ngajabula, kodwa kunalokho intshisekelo yocwaningo kanye nenselelo enganginikezwa yikhasino ngokufakazela kwayo ubuwula. Kungakhathalekile ukuthi iyiphi injongo abathuthukisi ababenayo engqondweni lapho bengeza le pharamitha, kimina kubonakala sengathi bekuwukumosha isikhathi. Phela, isignesha ngokwayo ikhiqizwa ohlangothini lweklayenti, futhi noma yisiphi isenzo sohlangothi lweklayenti singaba ngaphansi kwe-reverse-engineering. Kulesi sihloko, ngizoxoxa ngokuthi ngakwazi kanjani ukwenza lokhu: Xazulula isicelo se-algorithm yokwenza isiginesha Bhala esami isandiso seBurp Suite ezenza wonke umsebenzi ongcolile ngokuzenzakalelayo Lesi sihloko sizokufundisa indlela yokulondoloza isikhathi sakho esiyigugu futhi wenqabe izixazululo ezingenamsebenzi uma ungunjiniyela onentshisekelo yokwenza amaphrojekthi avikelekile. Futhi uma uyi-pentester, ngemva kokufunda lesi sihloko, ungafunda izifundo ezithile eziwusizo ekulungiseni iphutha kanye nokuhlela izandiso zakho Zommese Wokuphepha waseSwitzerland. Ngamafuphi, wonke umuntu usohlangothini oluhle. Ake sigcine sifinyelele iphuzu. Uchungechunge luka-Ariadne: ukwembula i-algorithm yesiginesha Ngakho-ke, insizakalo iyikhasino eku-inthanethi enesethi yemidlalo yakudala: I-Plinko — umdlalo lapho abadlali bewisa khona ibhola lisuka phezulu ebhodini eligcwele isikhonkwane, balibuke ligxuma lize lihlale endaweni eliwinayo noma elilahlekelwe yinani; Amathikithi — abadlali bathenga amathikithi elotho ngeqoqo lezinombolo futhi bawine uma izinombolo zabo zihambisana nezinombolo ezidonswe ngokungahleliwe; I-LiveDealers — imidlalo yekhasino eku-inthanethi eqhutshwa abathengisi bangempela ngesikhathi sangempela, evumela abadlali ukuthi babukele futhi bahlanganyele ngokusakazwa kwevidiyo. Kabili — umdlalo olula lapho abadlali bebheja khona ngokuthi ikhadi elilandelayo lizoba phezulu noma ngaphansi kunekhadi lamanje. Ukuphahlazeka — abadlali bayabheja futhi babuke ukwanda okuphindaphindayo, kuhloswe ukukhipha imali ngaphambi kokuphahlazeka kokuphindaphinda; Nvuti — abadlali babheja ukuthi inombolo izowela ngezansi noma ngaphezulu kwesikhawu esithile; Izikhala — imidlalo yasekhasino lapho abadlali bephotha ama-reels anezimpawu futhi bawine uma inhlanganisela ethile ivela esikrinini. Ukusebenzisana neseva kusebenza ngokuphelele ngesisekelo sezicelo ze-HTTP. Kungakhathalekile igeyimu oyikhethayo, isicelo ngasinye OKUTHUNYELWE esiphakelini kufanele sisayinwe - ngaphandle kwalokho iseva izokhiqiza iphutha. Izicelo zokusayina kumdlalo ngamunye wale midlalo zisebenza ngesimiso esifanayo - ngizothatha umdlalo owodwa kuphela ukuze ngiphenye ukuze kungadingeki ngenze umsebenzi ofanayo kabili. Futhi ngizothatha umdlalo obizwa nge-Dragon Dungeon. Ingqikithi yalo mdlalo ukukhetha iminyango enqabeni ngokulandelana kwendima ye-knight. Ngemuva komnyango ngamunye kufihla umcebo noma udrako. Uma umdlali ehlangana nodrako ngemuva komnyango, umdlalo uyama bese elahlekelwa yimali. Uma ingcebo itholakala - inani lokubheja kokuqala liyakhula futhi umdlalo uyaqhubeka kuze kube yilapho umdlali ethatha ama-winnings, elahlekelwa noma edlula wonke amazinga. Ngaphambi kokuqala umdlalo, umdlali kufanele acacise inani lokubheja kanye nenani lama-dragons. Ngifaka inombolo ye-10 njengesamba, ngishiye udrako owodwa futhi ngibheke isicelo esizothunyelwa. Lokhu kungenziwa kusukela kumathuluzi kanjiniyela kunoma yisiphi isiphequluli, ku-Chromium ithebhu Yenethiwekhi inesibopho salokhu. Lapha ungabona futhi ukuthi isicelo sithunyelwe endaweni yokugcina . /srv/api/v1/dungeon Ithebhu ye-Payload ibonisa umzimba wesicelo ngokwawo ngefomethi ye-JSON Amapharamitha amabili okuqala asobala - ngiwakhethe ku-UI; esokugcina, njengoba ungase uqagele, noma isikhathi esidlulile kusukela ngomhla ka-January 1, 1970, nokunemba okujwayelekile kwe-Javascript kwama-millisecond. timestamp Lokho kushiya ipharamitha eyodwa engaxazululiwe futhi, - futhi leyo yisignesha uqobo. Ukuze uqonde ukuthi yakhiwa kanjani, ngiya kuthebhu ethi Imithombo - le ndawo iqukethe zonke izinsiza zesevisi isiphequluli esilayishile. Kubandakanya i-Javascript, enesibopho sayo yonke i-logic yengxenye yeklayenti yesayithi. Akulula kangako ukuyiqonda le khodi - inified. Ungazama ukukucacisa konke - kodwa kuyinqubo ende futhi eyisicefe ezothatha isikhathi esiningi (kucatshangelwa inani lekhodi yomthombo), angikakalungeli ukukwenza. Inketho yesibili futhi elula iwukuthola nje ingxenye edingekayo yekhodi ngegama elingukhiye bese usebenzisa i-debugger. Yilokho engizokwenza, ngoba angidingi ukwazi ukuthi isayithi lonke lisebenza kanjani, ngidinga ukwazi ukuthi isiginesha yenziwa kanjani. Ngakho-ke, ukuze uthole ingxenye yekhodi enesibopho sokukhiqiza ikhodi, ungavula ukusesha kuyo yonke imithombo usebenzisa inhlanganisela yokhiye futhi ubheke isabelo senani kukhiye oluthunyelwayo. esicelweni. CTRL+SHIFT+F sign Ngenhlanhla, kukhona okufanayo kuphela, okusho ukuthi ngisendleleni efanele. Uma uchofoza okufanayo, ungafika esigabeni sekhodi lapho isiginesha ngokwayo ikhiqizwa khona. Ikhodi ayicaciswanga njengakuqala, ngakho kusenzima ukuyifunda. Ngokuphikisana nomugqa wekhodi Ngibeke i-breakpoint, ngivuselele ikhasi futhi ngenze ibhidi entsha "kuma-dragons" - manje umbhalo umise umsebenzi waso ngesikhathi sokwakhiwa kwesiginesha, futhi ungabona isimo sokuguquguquka okuthile. Umsebenzi obizwayo uqukethe uhlamvu olulodwa, okuguquguqukayo futhi - kodwa akunankinga. Ungaya kukhonsoli futhi ubonise amanani azo zonke. Isimo siqala ukucaca. Inani lokuqala okukhiphayo inani le-variable , okuwumsebenzi. Ungachofoza kukho usuka kukhonsoli bese udlulela endaweni lapho kumenyezelwe khona kukhodi, ngezansi wuhlu. H Lona amazwibela amahle wekhodi lapho engabona khona umkhondo - SHA256. Lena i-algorithm ye-hashing. Ungabona futhi ukuthi amapharamitha amabili adluliselwa emsebenzini, okukhomba ukuthi lokhu kungase kungabi nje i-SHA256, kodwa i-HMAC SHA256 eyimfihlo. Mhlawumbe okuguquguqukayo okudluliswa lapha (futhi kuphuma kukhonsoli): iyunithi yezinhlamvu - inani eliqondile okusetshenziswa kulo ukusebenza kwe-HMAC SHA256. 10;1;6693a87bbd94061678473bfb;1732817300080;gRdVWfmU-YR_RCuSkWFLCUTly_GZfDx3KEM8 iyisimo esingaguquki esisebenza njengemfihlo 31754cff-be0f-446f-9067-4cd827ba8707 Ukuqinisekisa lokhu, ngibiza umsebenzi futhi ngithole isiginesha ecatshangwayo Manje ngiya kusayithi elibala i-HMAC SHA256 futhi ngidlulise amanani kuyo. Futhi ukuyiqhathanisa naleyo ethunyelwe esicelweni lapho ngifaka isicelo. Umphumela uyafana, okusho ukuthi ukuqagela kwami bekulungile - isebenzisa ngempela i-HMAC SHA256 enemfihlo emile, edluliswa intambo eyakhelwe ngokukhethekile ngenani, inani lamadragoni namanye amapharamitha, engizokutshela wona ngokuqhubekayo. phakathi nesihloko. I-algorithm ilula futhi iqondile. Kodwa namanje akwanele - uma bekuwumgomo ngaphakathi kwephrojekthi yomsebenzi we-pentest ukuthola ubungozi, bengizodinga ukufunda ukuthumela imibuzo yami ngisebenzisa iBurp Suite. Futhi lokhu kudinga i-automation, okuyilokho engizokhuluma ngakho manje. Ingabe kuyadingeka ukuthi ubhale isandiso sakho? Ngithole i-algorithm yokwenza isiginesha. Manje sekuyisikhathi sokufunda ukuthi ungayikhiqiza kanjani ngokuzenzakalelayo ukuze ukhiphe zonke izinto ezingadingekile lapho uthumela izicelo. Ungathumela izicelo usebenzisa i-ZAP, i-Caido, iBurp Suite, namanye amathuluzi e-pentest. Lesi sihloko sizogxila kuBurp Suite, njengoba ngiyithola isebenziseka kalula futhi icishe iphelele. I-Community Edition mahhala kusayithi elisemthethweni, yanele kukho konke ukuhlola. ingalandwa Ngaphandle kwebhokisi iBurp Suite ayazi ukuthi iyenziwa kanjani i-HMAC SHA256. Ngakho-ke, ukuze wenze lokhu, ungasebenzisa izandiso ezihambisana nokusebenza kweBurp Suite. Izandiso zidalwa kokubili ngamalungu omphakathi kanye nabathuthukisi ngokwabo. Zisatshalaliswa nge-BApp Store yamahhala eyakhelwe ngaphakathi, i-Github, noma amanye amakhodi omthombo. Kunezindlela ezimbili ongazithatha: Sebenzisa isandiso esingekho eshalofini kusukela ku-BApp Store Bhala esakho isandiso Ngayinye yalezi zindlela inobuhle nobubi bayo, ngizokukhombisa nobabili. Ukwazi Hackvertor Indlela enesandiso esenziwe ngomumo iyona elula. Iwukuyilanda ku-BApp Store futhi usebenzise izici zayo ukuze ukhiqize inani lepharamitha . sign Isandiso engisisebenzisile sibizwa nge . Ikuvumela ukuthi usebenzise i-XML njenge-syntax ukuze ukwazi ukufaka ikhodi/ukukhipha ikhodi ngendlela eguquguqukayo, ubethele/ususe ukubethela, nedatha ehlukahlukene. -Hackvertor Ukuze uyifake, i-Burp idinga: Iya kuthebhu Yezandiso Thayipha i-Hackvertor ekusesheni Khetha isandiso esitholiwe ohlwini Chofoza Faka Uma isifakiwe, ithebhu enegama elifanayo izovela kokuthi Burp. Ungaya kuyo futhi uhlole amakhono esandiso kanye nenani lamathegi atholakalayo, ngalinye lawo elingahlanganiswa nomunye nomunye. Ukuze unikeze isibonelo, ungakwazi ukubethela okuthile nge-AES yokulinganisa usebenzisa ithegi . <@aes_encrypt('supersecret12356','AES/ECB/PKCS5PADDING')>MySuperSecretText<@/aes_encrypt> Imfihlo kanye ne-algorithm ikubakaki, futhi phakathi kwamathegi kunombhalo ngokwawo ozobethelwa. Noma yimaphi amathegi angasetshenziswa ku-Repeater, Intruder namanye amathuluzi akhelwe ngaphakathi eBurp Suite. Ngosizo lwesandiso se-Hackvertor ungachaza ukuthi isignesha kufanele yenziwe kanjani ezingeni lethegi. Ngizokwenza ngesibonelo sesicelo sangempela. Ukusebenzisa i-Hackvertor ekulweni Ngakho-ke, ngibheja ku-Dragon Dungeon, ngamukela isicelo esifanayo engisithole ekuqaleni kwalesi sihloko nge-Intercept Proxy, futhi ngigcizelele ku-Repeater ukuze ngikwazi ukusihlela futhi sikuthumele kabusha. Manje esikhundleni senani le , sidinga ukufaka esikhundleni se-algorithm ukuze sikhiqize i-HMAC SHA256 sisebenzisa omaka abanikezwe iHackvertor. ae04afe621864f569022347f1d1adcaa3f11bebec2116d49c4539ae1d2c825fc I-Формула генерации у меня получилась следующая . <@hmac_sha256('31754cff-be0f-446f-9067-4cd827ba8707')>10;1;6693a87bbd94061678473bfb;<@timestamp/>000;MDWpmNV9-j8tKbk-evbVLtwMsMjKwQy5YEs4<@/hmac_sha256> Cabangela wonke amapharamitha: - inani lokubheja 10 - inombolo yamadragons 1 - I-ID yomsebenzisi eyingqayizivele evela ku-database ye-MongoDB, ngiyibone ngenkathi ngihlaziya isiginesha kusuka kusiphequluli, kodwa angizange ngibhale ngakho ngaleso sikhathi. Ngikwazile ukuyithola ngokusesha okuqukethwe kwemibuzo kuBurp Suite, ibuya embuzweni othi . 6693a87bbd94061678473bfb /srv/api/v1/profile/me - ukukhiqizwa kwesitembu sesikhathi, oziro abathathu bokugcina benza ngcono isikhathi sibe ama-millisecond <@timestamp/>000 - Ithokheni ye-CSRF, ebuyiswa isuka ku- endpoint, futhi ifakwe esikhundleni esicelweni ngasinye, kunhlokweni . MDWpmNV9-j8tKbk-evbVLtwMsMjKwQy5YEs4 /srv/api/v1/csrf X-Xsrf-Token kanye - omaka bokuvula nokuvala ukuze kukhiqizwe i-HMAC SHA256 kusuka kunani elishintshiwe nemfihlo njengehlala njalo . <@hmac_sha256('31754cff-be0f-446f-9067-4cd827ba8707')> <@/hmac_sha256> 31754cff-be0f-446f-9067-4cd827ba8707 Kubalulekile ukuqaphela: imingcele kufanele ixhunywe komunye nomunye nge ngokulandelana okuqinile, - uma kungenjalo isiginesha izokhiqizwa ngokungalungile - njengakulesi sithombe-skrini lapho ngishintshe khona izinga kanye nenani lamadragoni. ; Kulapho yonke imilingo ilele khona. Manje ngenza umbuzo olungile, lapho ngicacisa khona imingcele ngokulandelana okufanele, futhi ngithole ulwazi lokuthi konke kuphumelele futhi umdlalo waqala - lokhu kusho ukuthi i-Hackvertor ikhiqize isiginesha esikhundleni sefomula, yafaka esikhundleni sayo embuzweni, futhi yonke into iyasebenza. . Kodwa-ke, le ndlela inomonakalo omkhulu - awukwazi ukuqeda ngokuphelele umsebenzi wezandla. Ngaso sonke isikhathi uma ushintsha isilinganiso noma inombolo yamadragoni e-JSON, kufanele ulishintshe kusiginesha ngokwayo ukuze uwenze afane. Futhi, uma uthumela isicelo esisha kusuka kuthebhu yommeleli ku-Intruder noma Isiphindaphinda, kufanele uphinde ubhale ifomula, okuyinto ephazamisa kakhulu, kakhulu uma udinga amathebhu amaningi ezimo zokuhlola ezihlukene. Le fomula izophinda yehluleke kweminye imibuzo lapho kusetshenziswa khona amanye amapharamitha. Ngakho-ke nganquma ukubhala esami isandiso ukuze nginqobe lezi zimo ezimbi. Zitholele wonke umlingo we-Burp ngesandiso sakho Izilungiselelo zokuqala Ungabhala izandiso zeBurp Suite kuJava nePython. Ngizosebenzisa ulimi lwesibili lokuhlela njengoba lulula futhi lubonakala kakhudlwana. Kodwa udinga ukuzilungiselela kusengaphambili: okokuqala udinga ukulanda i-Jython Standalone kusuka kuwebhusayithi esemthethweni, bese indlela eya efayeleni elilandiwe kuzilungiselelo zeBurp Suite. Ngemva kwalokho, udinga ukudala ifayela elinekhodi yomthombo ngokwayo kanye nesandiso . *.py Sengivele ngine-billet echaza ingqondo eyisisekelo, nakhu okuqukethwe kwayo: Konke kulula nge-intuitively futhi kuqondile: - le ndlela ibuyisela igama lesenzo okufanele senziwa isandiso. Isandiso ngokwaso sengeza Umthetho Wokuphatha Isikhathi ongasetshenziswa kalula kunoma yisiphi isicelo, kodwa okwengeziwe ngalokho kamuva. Kubalulekile ukwazi ukuthi leli gama lingase lehluke egameni lesandiso, nokuthi lizokhetheka kusixhumi esibonakalayo. getActionName - umqondo womthetho ngokwawo, ozosetshenziswa ezicelweni ezikhethiwe, uzobhalwa lapha. performAction Zombili izindlela zimenyezelwe ngokuya ngesixhumi esibonakalayo . se-ISessionHandlingAction Manje ku-interface . Imemezela okuwukuphela yendlela edingekayoExtenderCallbacks , eyenziwa ngokushesha ngemva kokulayisha isandiso, futhi esidingekayo ukuze sisebenze nhlobo. ye-IBurpExtender registerExtenderCallbacks Lapha yilapho ukulungiselelwa okuyisisekelo kwenziwa khona: - ibhalisa isandiso samanje njengesenzo sokusingatha izikhathi callbacks.setExtensionName(EXTENSION_NAME) - iqondisa kabusha okukhiphayo okujwayelekile (stdout) ewindini lokuphumayo le-Burp Suite (iphaneli “Yezandiso”) sys.stdout = callbacks.getStdout() - idala umfudlana wamaphutha okukhipha self.stderr = PrintWriter(callbacks.getStdout(), True) - iphrinta igama lesandiso ku-Burp Suite self.stdout.println(EXTENSION_NAME) - igcina into yokufona njengesibaluli sakho. Lokhu kuyadingeka ukuze kusetshenziswe kamuva i-Burp Suite API kwezinye izingxenye zekhodi yesandiso. self.callbacks = callbacks - futhi ithola izindlela eziwusizo ezizodingeka njengoba isandiso sisebenza self.helpers = callbacks.getHelpers() Ngamalungiselelo okuqala enziwe, yilokho kuphela. Manje ungalayisha isandiso futhi uqiniseke ukuthi siyasebenza nhlobo. Ukuze wenze lokhu, yiya kuthebhu ethi Izandiso bese uchofoza Engeza. Efasiteleni elivelayo, cacisa Uhlobo lwesandiso - I-Python, noma ulimi lokuhlela okubhalwe ngalo isandiso Ifayela lesandiso - indlela eya kufayela lesandiso ngokwalo. Bese uchofoza Okulandelayo. Uma ifayela lekhodi yomthombo lifomethwe kahle, awekho amaphutha okufanele enzeke, futhi ithebhu ethi Okukhiphayo izobonisa igama lesandiso. Lokhu kusho ukuthi konke kusebenza kahle. Ukuhlolwa kwepeni Imithwalo yesandiso nemisebenzi - kodwa konke okulayishiwe kwakuyi-wrapper ngaphandle kwanoma iyiphi i-logic, manje ngidinga ikhodi ngokuqondile ukuze ngisayine isicelo. Sengiyibhalile kakade futhi iboniswa kusithombe-skrini esingezansi. Indlela yonke isandiso esisebenza ngayo ukuthi ngaphambi kokuba isicelo sithunyelwe kuseva, sizolungiswa ngokunwetshwa kwami. Ngiqale ngithathe isicelo sokuthi isandiso sinqanyulwe, futhi ngithole isilinganiso, kanye nenani lamadragoni, emzimbeni walo. json_body = json.loads(message_body) amount_currency = json_body["amountCurrency"] dragons = json_body["dragons"] Okulandelayo, ngifunde Isitembu sesikhathi samanje futhi ngathola ithokheni ye-CSRF kunhlokweni ehambisanayo currentTime = str(time.time()).split('.')[0]+'100' xcsrf_token = None for header in headers: if header.startswith("X-Xsrf-Token"): xcsrf_token = header.split(":")[1].strip() Okulandelayo, isicelo ngokwaso sisayinwa kusetshenziswa i-HMAC SHA256 hmac_sign = hmac_sha256(key, message=";".join([str(amount_currency), str(dragons), user_id, currentTime, xcsrf_token])) Umsebenzi ngokwawo kanye nama-constants abonisa imfihlo kanye ne-ID yomsebenzisi kwamenyezelwa ngaphambili phezulu def hmac_sha256(key, message): return hmac.new( key.encode("utf-8"), message.encode("utf-8"), hashlib.sha256 ).hexdigest() key = "434528cb-662f-484d-bda9-1f080b861392" user_id = "zex2q6cyc4ba3gvkyex5f80m" Bese amanani abhalwa kumzimba wesicelo futhi aguqulelwe ku-JSON json_body["sign"] = hmac_sign json_body["t"] = currentTime message_body = json.dumps(json_body) Isinyathelo sokugcina ukukhiqiza isicelo esayiniwe futhi esilungisiwe bese usithumela ku httpRequest = self.helpers.buildHttpMessage(get_final_headers, message_body) baseRequestResponse.setRequest(httpRequest) Yilokho kuphela, ikhodi yomthombo ibhaliwe. Manje usungakwazi ukulayisha kabusha isandiso ku-Burp Suite (kufanele yenziwe ngemva kokuguqulwa ngakunye kweskripthi), futhi uqiniseke ukuthi yonke into iyasebenza. Ukuhlola umthetho omusha uyasebenza Kodwa okokuqala udinga ukungeza umthetho omusha wokucubungula izicelo. Ukuze wenze lokhu, iya kokuthi Izilungiselelo, engxenyeni ethi AmaSeshini. Lapha uzothola yonke imithetho ehlukene eqalwa lapho kuthunyelwa izicelo. Chofoza okuthi Engeza ukuze wengeze isandiso esicupha izinhlobo ezithile zezicelo. Efasiteleni elivelayo, ngishiya yonke into njengoba injalo bese ukhetha Engeza ku-Rule izenzo Uhlu lokudonsela phansi luzovela. Kuyo, khetha okuthi Biza isandiso se-Burp. Futhi ucacise isandiso esizobizwa lapho kuthunyelwa izicelo. Nginayo, futhi iyi-Burp Extension. Ngemva kokukhetha isandiso, ngichofoza okuthi KULUNGILE. Bese ngiya kuthebhu ethi Scope, lapho ngicacisa khona: Ububanzi bamathuluzi - Isiphinda (isandiso kufanele siqalise lapho ngithumela izicelo mathupha nge-Repeater) Ububanzi be-URL - Faka wonke ama-URL (ukuze asebenze kuzo zonke izicelo engizithumelayo). Kufanele isebenze njengakusithombe-skrini esingezansi. Ngemva kokuchofoza okuthi KULUNGILE, umthetho wokunweba uvele ohlwini olujwayelekile. Ekugcineni, ungahlola yonke into esebenzayo! Manje ungashintsha umbuzo othile futhi ubone ukuthi isiginesha izobuyekezwa kanjani ngokushintshashintshayo. Futhi noma umbuzo uzohluleka, kuzoba yingoba ngikhethe isilinganiso esingesihle, hhayi ngoba kukhona okungahambi kahle ngesignesha (angifuni nje ukuchitha imali 😀). Isandiso ngokwaso siyasebenza futhi isiginesha yenziwe ngendlela efanele. Ukuyiletha ekupheleleni Konke kuhle, kodwa kunezinkinga ezintathu: Ithokheni ye-CSRF ithathwa kunhlokweni. Ngokuvamile kufanele ilahlwe, kodwa mhlawumbe lapha inesikhathi sokuphila (noma cha, okungalungile). Kunoma ikuphi, kungaba kuhle kakhulu ukwenza isicelo esihlukile ukuze uthole esisha futhi usibuyekeze. 2- Kusetshenziswa i-ID yomsebenzisi echazwe ngaphambilini. Uma ngifuna ukuhlola i-IDOR kule sevisi, isikripthi sami sangaphambilini sizoba esingavumelekile komunye umsebenzisi, njengoba i-ID inekhodi eqinile. Imibuzo ehlukene ingaba namapharamitha ahlukene. Futhi uhlelo olwachazwa kuskripthi ekuqaleni luzosebenza kuphela ku-Dungeon Dragons, futhi akukho okunye. Futhi ngingathanda ukukwazi ukuhlela nokuthumela noma yisiphi isicelo. Ukuze sixazulule lokhu, sidinga ukungeza izicelo ezimbili ezengeziwe, ezingenziwa ilabhulali yeBurp Suite eyakhelwe ngaphakathi, esikhundleni sanoma yiziphi izinkampani zangaphandle, esikhundleni . requests Ukuze ngenze lokhu, ngisonge ingqondo ethile evamile ukuze ngenze imibuzo ibe lula kakhulu. Ngezindlela ezijwayelekile zika-Burp, ukusebenzisana nemibuzo kwenziwa nge-pleintext. def makeRequest(self, method="GET", path="/", headers=None, body=None): first_line = method + " " + path + " HTTP/1.1" headers[0] = first_line if body is None: body = "{}" http_message = self.helpers.buildHttpMessage(headers, body) return self.callbacks.makeHttpRequest(self.request_host, self.request_port, True, http_message) Futhi yengeza imisebenzi emibili ekhipha idatha engiyidingayo, ithokheni ye-CSRF, kanye ne-UserID. def get_csrf_token(self, headers): response = self.makeRequest("GET", "/srv/api/v1/csrf", headers) message = self.helpers.analyzeRequest(response) raw_headers = str(message.getHeaders()) match = re.search(r'XSRF-TOKEN=([a-zA-Z0-9_-]+)', raw_headers) return match.group(1) def get_user_id(self, headers): raw_response = self.makeRequest("POST", "/srv/api/v1/profile/me", headers) response = self.helpers.bytesToString(raw_response) match = re.search(r'"_id":"([a-f0-9]{24})"', response) return match.group(1) Futhi ngokubuyekeza ithokheni ngokwalo kumaheda athunyelwe def update_csrf(self, headers, token): for i, header in enumerate(headers): if header.startswith("X-Xsrf-Token:"): headers[i] = "X-Xsrf-Token: " + token return headers Umsebenzi wesiginesha ubukeka kanje. Lapha kubalulekile ukuqaphela ukuthi ngithatha wonke amapharamitha angokwezifiso athunyelwe esicelweni, ngengeza i ejwayelekile , , kuze kube sekugcineni kwawo, futhi ngiwasayine wonke ndawonye ngisebenzisa njengesihlukanisi. user_id currentTime csrf_token ; def sign_body(self, json_body, user_id, currentTime, csrf_token): values = [] for key, value in json_body.items(): if key == "sign": break values.append(str(value)) values.extend([str(user_id), str(currentTime), str(csrf_token)]) return hmac_sha256(hmac_secret, message=";".join(values)) I-floo enkulu yehliswa yaba imigqa embalwa: Ithokheni ye-CSRF kanye nokutholwa kwe-UserID kuyenziwa Isitembu sesikhathi siyabalwa futhi isiginesha iyakhiqizwa ngokusekelwe kuwo wonke amapharamitha. Kubalulekile ukuqaphela lapha ukuthi ngisebenzisa ekhiqiza isichazamazwi ngokulandelana okuqinile njengoba kubalulekile ukusigcina ngenkathi usayina. OrderedDict Umzimba wokugcina wesicelo uyakhiqizwa futhi uthunyelwa phambili csrf_token = self.get_csrf_token(headers) final_headers = self.update_csrf(final_headers, csrf_token) user_id = self.get_user_id(headers) currentTime = str(time.time()).split('.')[0]+'100' json_body = json.loads(message_body, object_pairs_hook=OrderedDict) sign = self.sign_body(json_body, user_id, currentTime, csrf_token) json_body["sign"] = sign json_body["t"] = currentTime message_body = json.dumps(json_body) httpRequest = self.helpers.buildHttpMessage(final_headers, message_body) baseRequestResponse.setRequest(httpRequest) Isithombe-skrini, ukuze uqiniseke Manje, uma uya komunye umdlalo lapho imingcele yangokwezifiso isivele isi-3 esikhundleni sika-2, futhi uthumele isicelo, ungabona ukuthi izothunyelwa ngempumelelo. Lokhu kusho ukuthi isandiso sami manje sesisebenza emhlabeni wonke futhi sisebenzela zonke izicelo. Isibonelo sokuthumela isicelo sokugcwaliswa kabusha kwe-akhawunti Isiphetho Izandiso ziyingxenye ebalulekile yeBurp Suite. Ngokuvamile izinsiza zisebenzisa imisebenzi yangokwezifiso okungekho omunye ozoyibhala kusengaphambili. Yingakho kubalulekile ukuthi ungagcini nje ukulanda izandiso ezenziwe ngomumo, kodwa futhi ubhale ngokwakho, yilokho engizame ukukufundisa kulesi sihloko. Yilokho kuphela okwamanje, zithuthukise futhi ungaguli. Isixhumanisi sekhodi yomthombo yesandiso: . *chofoza*
