修改商品价格
目标是修改价格后低价买下这件夹克,再home这个页面的第一个商品就是
点击Add to cart,抓包,发现price的值可以该,改成000发现不行,0.00也不行,改成10后发现购物车里面有了一件0.1美元的夹克,我们有100美元,直接买,通关.后来我再试了一次,看看这个改价格的机制是什么,我把
price的值改成700,里面就多了一件7美元的夹克,但是改成000也不能0美元买啊,觉得这个逻辑应该不允许价格为0,其他都可以
解决,下一关
高级版修改商品价格
还是买那个夹克,但是这次抓包没有显示价格了
Quantity是商品数量,改成0后就是购物车变空,但是改成-1后,购物车多了个数量为-1的jacket,点击下单,报错Cart total price cannot be less than zero购物车总价不能小于零
这时候,先把jacket数量改回1,我们看看其他商品,比如Snow Delivered To Your Door,单价30.31美元,如果抓包把购买数量改成-44,1337-44*30.31=3.36,我们就可以买下。
事实证明可以这样,ok
Inconsistent security controls
该实验室的逻辑缺陷允许任意用户访问本应仅对公司员工可用的管理功能。要解决实验室问题,请访问管理面板并删除用户carlos
进去后它给了我们一个邮箱attacker@exploit-0ab500ae0367983780d2b12701650029.exploit-server.net
Displaying all emails @exploit-0ab500ae0367983780d2b12701650029.exploit-server.net and all subdomains
然后还有一个exp服务器,可以查看访问https://exploit-0ab500ae0367983780d2b12701650029.exploit-server.net/及其子目录的日志
随便注册账号,返回Emailclient看信息,点击信息里面的链接完成注册
访问主页admin子目录,发现访问不了
之前注册页面提示我们,如果我们为dont什么什么的工作,请使用@dontwannacry电子邮件地址,我们把邮箱地址改一改
然后发现可以访问/admin目录了
删除carlos即可
Flawed enforcement of business rules
This lab has a logic flaw in its purchasing workflow. To solve the lab, exploit this flaw to buy a "Lightweight l33t leather jacket".
这个实验室的采购流程存在逻辑缺陷。为了解决实验室,利用这个缺陷购买“轻量级l33t皮夹克”。
You can log in to your own account using the following credentials: wiener:peter
您可以使用以下凭据登录到自己的帐户:wiener:peter
登录进去,主页底部多了个订阅什么什么的
随便搞个邮箱订阅,返回弹窗
已知顶部有个提示,说新用户有优惠卷NEWCUST5
都apply上,发现还是很贵
但是试了一下,可以反复使用优惠卷,但是不能连续添加两个同样优惠卷,所以两张优惠卷交替添加,直到够钱
然后买了即可。
Low-level logic flaw
这关登录后照样抓包添加购物车的页面,修改商品个数的地方发现最大只能填99,100会提示参数无效
我们就拿商品个数为99的数据包去一直爆破,我发了1000多个包,发现总价变成负数了。那看看能不能变成0呢
我把商品删除,重新爆破,换成300、200等请求次数,价格都是负的,但是100的时候是正的,所以应该把范围缩小到100--200,但是好像也不得啊。
后来我发现196个的时候价格是负数,然后一个一个增加商品数量,负数绝对值是在减小的,如果一直点击可以减到0,看来这个逻辑是价格会随商品数量增加呈现周期性变化。这题参考这位大佬的吧,原理是整数溢出,理解起来倒是简单,但是我数学不好,推理不出,反正就是把价格搞到一个负数再用其他商品凑成正数就得了。(参考这个大佬做的https://www.freebuf.com/articles/web/404230.html)
折磨了很久,终于搞得了,老是把控不住爆破次数。。。。
Inconsistent handling of exceptional input
这关输入一个比较长的邮箱注册但是后缀是@exploit-0a37004b040c7a0b8166b0330198001d.exploit-server.net
发现展示信息的地方net不见了,看来展示邮箱的信息有长度限制,计算出是255
于是可以用截断的方法使得邮箱后缀是@dontwannacry.com
a='q'*238
print(a+"@dontwannacry.com")
print(len(a+"@dontwannacry.com"))
# qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq@dontwannacry.com
因为他说Displaying all emails @exploit-0a37004b040c7a0b8166b0330198001d.exploit-server.net and all subdomains
显示所有电子邮件 @exploit-0a37004b040c7a0b8166b0330198001d.exploit-server.net 和所有子域
所以可以用下面的来注册
qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq@dontwannacry.com.exploit-0a37004b040c7a0b8166b0330198001d.exploit-server.net
显示我们邮箱是@dontwannacry.com后缀的了,可以进管理界面删除了
Weak isolation on dual-use endpoint
注册后更改密码抓包,删除current密码字段,把用户名改成administrator即可,然后登录管理员账号操作就得了
Insufficient workflow validation
本实验对采购工作流程中的事件顺序做出了错误的假设。为了解决实验室,利用这个缺陷购买“轻量级l33t皮夹克”。
这靶场告诉我们如果不能直接买的话,就借助其他商品发现漏洞。
比如说买Conversation Controlling Lemon
点击place order 抓包,发现会请求/cart/checkout,这请求又会跳转到
/cart/order-confirmation?order-confirmed=true
现在添加Lightweight "l33t" Leather Jacket进购物车,点击购买后抓包
POST /cart/checkout HTTP/2
Host: 0a4a00300374c0a182034cba006a00a7.web-security-academy.net
Cookie: session=LZdKsAqShz7CF87VdKovbJOYVVa7paMA
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 37
Origin: https://0a4a00300374c0a182034cba006a00a7.web-security-academy.net
Referer: https://0a4a00300374c0a182034cba006a00a7.web-security-academy.net/cart
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
csrf=6aqT97TN07TzLTmeOvOnjhpzW5p9m7hV
数据包的/cart/checkout直接改成/cart/order-confirmation?order-confirmed=true,方法改成GET
Authentication bypass via flawed state machine
登录后有个角色选择器,抓包改角色是管理员,发现没用。。。
那就放掉跳到选角色页面的包,直接请求home页面(根目录)
(把上面那个role-selector删掉)
发现直接变管理员了。。。
Infinite money logic flaw
又是订阅,直接输入自己邮箱订阅
获得SIGNUP30
账号界面有礼品卡兑换功能,主页有个礼品卡商品
用折扣卡购买礼品卡后获得兑换码,兑换后得到钱,100美元变成103美元了。再次回到home,输入邮箱可以再次获得优惠卷,这次买九张礼品卡
9eSIAmrcla
JA5ibMJAgf
6hG3KX7SSs
A7qoMKWCxB
mHZflE7iKl
SqknMhuZbF
KfJm7XsjB4
VSAlofyi0u
qz6mEQlwzO
然后现在我们有了更多钱,所以继续去获得优惠卷然后用全部钱买礼品卡,刷钱就是了。不过手动太耗时间了,我看了其他大佬的操作,自己试了一下,而且那位大佬漏讲了一些东西,我就详细说明过程吧。
先把bp请求历史清空,然后去home主页点进礼物卡页面,添加礼物卡,回到购物车使用优惠卷买一张礼物卡,然后去账号页面兑换成钱。
这时候在bp的proxy-->proxy settings-->左侧选择session-->找到macro(中文版叫宏),我们点击添加.
然后按住ctrl选择五条记录分别是
POST /cart
POST /cart/coupon
POST /cart/checkout
GET /cart/order-confirmation?order-confirmed=true
POST /gift-card
然后确认,之后选择我们添加的宏(macro),点击编辑(edit)
选择第四条记录,然后点项目设置
设置界面右下角点击添加(add).然后选择响应的HTML数据中Code下面的第一条兑换码,参数名称写gift-card,确定添加.
最后选择第五条记录的项目设置,参数处理的地方,找到gift-card,右边选择Derive from prior response,然后选择响应4.
确定后,宏编辑器右下角选择测试宏.
测试宏
通过状态码判断测试结果,如果成功,刷新账号页面会发现自己的钱增加了.
回到设置界面的session界面,最上面那个Session handling rules点击添加,找到rules actions点击添加,选择run macro(运行宏),选择刚刚我们添加的宏,确认
回到规则编辑器,点击范围(scape),在url scope
中,使用自定义范围,添加下面6条url
https://xxxxxxx.web-security-academy.net/cart
https://xxxxxxx.web-security-academy.net/cart/coupon
https://xxxxxxx.web-security-academy.net/cart/checkout
https://xxxxxxx.web-security-academy.net/cart/order-confirmation?order-confirmed=true
https://xxxxxxx.web-security-academy.net/cart
https://xxxxxxx.web-security-academy.net/gift-card
https://xxxxxxx.web-security-academy.net/my-account
接下来访问https://xxxxxxx.web-security-academy.net/my-account抓包,把这包发到intruder.选none payload,400多个payload数量应该够了
在代理的http历史记录中找到请求/my-account这条记录右键添加到范围
(scope),然后创建单线程资源池爆破(不然钱可能不会增加),怎么搞单线程爆破网上应该很多教的了.
最后说几个坑的地方,就是做这关动作要快点因为lab给的cookie是有过期时间的,超时得重新进入实验室重新登录,cookie会变lab的url也会变,之前配置的那些宏啊规则都要做相应修改,第一次我就是太慢了没搞得(
标签:web,security,cart,漏洞,exploit,bp,https,靶场,net From: https://www.cnblogs.com/hackzz/p/18470356