十一

Stay hungry, stay foolish.

Two Major Techniques and Eight Key Tips for Vulnerability Discovery

Technique 1: JS Encryption Parameter Reversal and Utilization

Technique 2: The Art of FUZZ, Directly Improving Output

Technique 1: JS Encryption Parameter Reversal and Utilization#

1.1 Tip 1: The Important Role of JS in Vulnerability Discovery#

1.1.1 JavaScript#

JS: JavaScript is the scripting language for web pages, mainly used to add interactive behavior to HTML pages, with the following functions:

  1. Embed dynamic text into HTML pages;
  2. Respond to browser events;
  3. Read and write HTML elements;
  4. Validate data before it is submitted to the server;
  5. Detect visitor's browser information.

1.1.2 Differences Between HTML, JS, and CSS#

  • HTML: The bare structure
  • CSS: The decoration
  • JS: Makes the house come alive, adding smart home features

1.1.3 The Important Role of JS in Vulnerability Discovery#

  1. JS contains plugin names, allowing direct exploitation of corresponding vulnerabilities.
  2. JS contains some URL links, enabling further testing and exploitation based on the URLs.
  3. JS contains a subdomain that can be accessed directly.
  4. Some comments in JS may leak account passwords or other information.

1.1.4 Jsfind#

Use JsFind to find leaked URL links and domains in JS (JD.com)

python jsfind.py -u "http://www.jd.com"
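As an added example (this is not JsFind's code and not from the original post), the following Python scanner pulls the four kinds of leakage listed in 1.1.3 out of a JS file: absolute URLs, relative API paths, subdomains of the site's own domain, plugin names with version numbers, and comments that mention credential-like words. The JS sample, the hostnames and the credential in it are constructed for the demonstration. The same check is useful on the defensive side: run it over production bundles before release and fail the build on anything it reports.

```python
import re
from typing import Dict, List

# Constructed sample of a front-end bundle with the leak types listed above.
# Hostnames, paths and the credential are placeholders, not real values.
SAMPLE_JS = r"""
// TODO remove before release: test account admin / Passw0rd!
var api = "https://api.internal.example.com/v2/users";
fetch('/admin/export?format=csv');
var cdn = 'https://cdn.example.com/lib/jquery-ui-1.12.1.min.js';
/* legacy endpoint http://staging.example.com:8080/upload_image.php */
var editor = "ckeditor 4.4.7";
"""

URL_RE = re.compile(r"""https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s"'<>)]*)?""")
PATH_RE = re.compile(r"""['"](/[A-Za-z0-9_\-./]+(?:\?[^'"\s]*)?)['"]""")
# A '//' preceded by ':' or a word character belongs to a URL, not a comment.
COMMENT_RE = re.compile(r"(?<![:\w])//[^\n]*|/\*.*?\*/", re.S)
CRED_RE = re.compile(r"(?i)\b(pass(?:word|wd)?|pwd|secret|token|api[_-]?key)")
# "name<sep>1.2.3" pairs such as "ckeditor 4.4.7" or "jquery-ui-1.12.1".
VERSION_RE = re.compile(r"(?i)\b([a-z][a-z0-9_-]+)[ \-_/]v?(\d+\.\d+(?:\.\d+)?)")


def scan_js(source: str, base_domain: str) -> Dict[str, List]:
    """Return the leak candidates found in `source`, de-duplicated in order
    of appearance. `base_domain` selects which hosts count as subdomains."""
    urls = list(dict.fromkeys(URL_RE.findall(source)))
    paths = list(dict.fromkeys(PATH_RE.findall(source)))

    subdomains: List[str] = []
    for url in urls:
        host = url.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]
        if host.endswith("." + base_domain) and host not in subdomains:
            subdomains.append(host)

    comments = [c.strip() for c in COMMENT_RE.findall(source)]
    suspicious_comments = [c for c in comments if CRED_RE.search(c)]
    versions = [(name.lower(), ver) for name, ver in VERSION_RE.findall(source)]

    return {
        "urls": urls,
        "paths": paths,
        "subdomains": subdomains,
        "versions": versions,
        "suspicious_comments": suspicious_comments,
    }


if __name__ == "__main__":
    for key, values in scan_js(SAMPLE_JS, "example.com").items():
        print(key, values)
```

The regexes are deliberately loose (they favour recall over precision), so treat each hit as something to review rather than a confirmed finding; the version pairs are what you would check against a known-vulnerable-component list.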

1.2 Tip 2: Tips and Methods for Using the Browser Console#


The Network panel monitors every network request the page makes and lets you inspect the traffic.

  1. Disable cache: when checked, resources are re-fetched on every request instead of being served from the browser cache. Keep this enabled during penetration testing and vulnerability discovery.
  2. Debugger (Sources): holds the website's JS code.
    1. Click the {} at the bottom right to pretty-print it.
    2. Supports breakpoint debugging.
  3. Console: lets you call the functions defined in the page's JS.

1.3 Tip 3: JS Breakpoint Techniques and Hook Injection#

Hook: hooking is used when crawling or testing with Python, for example to bypass image CAPTCHAs.

1.3.1 JS Breakpoint Debugging#

Setting a breakpoint in the JS halts execution at that line; from there you can step into the function.

1.3.2 How to Find Breakpoints#

In the debugger, search globally for a keyword, jump to the matching location, and click the line number of the JS line so that it turns blue (the breakpoint is now set).

Note: The MD5 function can be customized; when cracking passwords, you need to find the actual MD5 function being used.

1.4 Tip 4: Combining Python and JS to Solve Encryption Problems#

  1. JS code test.js

    // JS encryption function
    function encryptByDES(message) {
      var encrypted = message;
      encrypted = encrypted + "asdfdsaf";
      return encrypted;
    }
    
  2. Call the function from the JS file using Python

    # Install pyexecjs: pip install pyexecjs
    # pyexecjs has been discontinued since 2018; js2py can be used instead
    import execjs

    # Compile the JS file so that its functions can be called from Python
    with open('test.js', 'r', encoding='utf-8') as f:
        a = execjs.compile(f.read())
    # Call encryptByDES from test.js, passing 'password' as the argument
    result1 = a.call('encryptByDES', 'password')
    print(result1)
    

1.5 Practical Case: MD5 Encryption Reversal of Encrypted Parameters#

  1. Use bp to intercept and gather information


  2. In the browser console, search for the keyword password to find the JS function that processes password;

  3. Use Python code to call the JS function that processes password, and complete the function and other parameters based on error prompts;

  4. Compare the value obtained from running Python with the value intercepted by bp to see if they match;

  5. If they match, you can use Python to process the password dictionary and then use bp for brute force cracking.
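The comparison in step 4 is the check that decides whether the rest of the case is worth doing, so here it is as an added Python example (not the author's code). It ports the page's own test.js function, assumes a hypothetical client pipeline of MD5 followed by that suffix transform (the real JS logic would replace client_side_value), and compares the recomputed value with a captured one. The second half shows the defender's side of the same observation: the value the browser sends is the credential as far as the server is concerned, so the server must still store it with a salted, slow hash and rate-limit the login endpoint; client-side MD5 on its own adds no protection against this reversal.

```python
import hashlib
import hmac
import os
from typing import Tuple

SUFFIX = "asdfdsaf"  # the constant appended in the page's test.js


def encrypt_by_des(message: str) -> str:
    """Python port of the page's encryptByDES(): despite the name it only
    appends a fixed suffix, so it is trivially reproducible."""
    return message + SUFFIX


def md5_hex(value: str) -> str:
    """Plain MD5 as a browser-side hashing library would compute it."""
    return hashlib.md5(value.encode("utf-8")).hexdigest()


def client_side_value(password: str) -> str:
    """Hypothetical client pipeline, assumed for this example: MD5 the
    password, then apply the suffix transform."""
    return encrypt_by_des(md5_hex(password))


def matches_capture(candidate: str, captured: str) -> bool:
    """Step 4: recompute the value for a candidate and compare it with the
    value captured in the proxy. A match confirms the pipeline was ported
    correctly; compare_digest avoids a timing side channel in the check."""
    return hmac.compare_digest(client_side_value(candidate), captured)


# Server side: whatever the client sends is the secret being authenticated,
# so it is stored with a per-user random salt and a slow KDF. The iteration
# count is a placeholder; tune it for the deployment.
PBKDF2_ROUNDS = 200_000


def server_store(sent_value: str) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for the value received at registration."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", sent_value.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def server_verify(sent_value: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    check = hashlib.pbkdf2_hmac("sha256", sent_value.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(check, digest)


if __name__ == "__main__":
    captured = client_side_value("password")  # stands in for the proxied value
    print(captured, matches_capture("password", captured))
```

Two different calls to server_store for the same input produce different digests because of the random salt, which is exactly the property the client-side transform lacks: there, equal inputs always yield equal outputs, which is what makes the reversal and the dictionary comparison possible.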

Technique 2: The Art of FUZZ, Directly Improving Output (Technique)#

Tip 5: Common FUZZ Techniques, Tools, and Dictionaries (Technique)#

2.1.1 FUZZ Fuzz Testing#

FUZZ: As a noun, it translates to "fuzz; blur; fine hair; officer."

Core Idea: When only part of the conditions are known, a fuzzy test is needed, using different inputs for continuous testing until the desired result is obtained.

For example: For large transfers on Alipay, some information needs to be filled in.


2.1.2 Where can FUZZ techniques be applied?#

  1. When cracking passwords
  2. When scanning directories
  3. When scanning parameters
  4. When testing vulnerabilities
  5. When bypassing WAF
  6. Any visible parameters can actually be tested using FUZZ
  7. ...many more, FUZZ can be used everywhere

Using FUZZ effectively leads to discovering vulnerabilities.

The core idea of directory scanning and brute force cracking is FUZZ; often, problems that tools can't solve can be manually fuzzed for unexpected results.

2.1.3 Excellent FUZZ Cases#

2.1.3.1 Parameter FUZZ Practical Vulnerability#
  1. During vulnerability discovery for a certain SRC program, an interesting file http://36...*/upload_image.php was found, which returned blank content when accessed.


  2. For a page like this, FUZZing its parameters is the obvious next step, and a parameter named do was discovered.


    1. Found that http://360...*/upload_image.php?do is usable.
  3. Then FUZZ the values of the do parameter using bp.


  4. Constructed http://xxxxx/image_upload.php?do=upload; accessing it successfully displayed the upload form.


  5. After uploading the file, FUZZ the upload path.

    http://36.*.*.*/uppload -------> 403
    Continue fuzzing
    http://36.*.*.*/upload/images ------->403
    ...
    Found the file path, construct the URL
    http://36.*.*.*/upload/images/skr_anti.php
    
  6. Then use a remote control tool to connect to the target server.


2.1.3.2 FUZZ Hidden Parameters and Fields#
  1. Directory scanning revealed the following files.


  2. Locate the files.


  3. Construct directory access.

    Build the information from the prompt into a URL and access it:
    http://....../start/face_xxx
    Accessing the interface returns Method Not Allowed (HTTP 405), so the request must be switched to POST with parameters.

  4. POST any parameter; the interface responds with "Request error, content-type was unsupported".

  5. Continue FUZZing the Content-Type header.

  6. The Content-Type application/json is accepted, so construct a JSON body and continue FUZZing the JSON data parameters.

  7. Using SSRF here can completely batch spray passwords against internal Redis and reverse shell to breach boundaries.

2.1.3.3 Combining JS and FUZZ#

  1. Access a login page.


  2. Set the username and password to start brute-forcing the password.


  3. The tested username and password login shows no response; the login page remains just a login page.

  4. Not giving up, continue FUZZing directories and discover the existence of the /JS/ directory, starting to FUZZ the contents inside.


  5. Based on the discovered links, construct the URL and access it, revealing a new page.


    Here a logout link is found, which should not exist without being logged in. It is inferred that the account and password shown below are the ones from the earlier brute force, but they seem to have no use.

  6. Next, discover the JS file and find the following pattern.


  7. Then FUZZ the domain and discover an exhibition page.


  8. Next, use bp to capture packets, modify the returned data, and log in successfully.


  9. Successfully access the site.


Tip 6: FUZZ in Vulnerabilities like Unknown Directories, Information Leakage, Backup Files, etc. (Technique)#

2.2.1 Unknown Directories#

  1. FUZZ the website's directories and files step by step;
  2. Based on the paths obtained from FUZZ, FUZZ parameters and paths;
  3. Repeat the FUZZ process until you achieve the desired result.
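The step-by-step FUZZ described above (and in the cases in 2.1.3) leaves a very recognisable footprint in the web server's access log: one client, a short time window, many distinct paths answered with 403/404/405/415, and many distinct parameter names tried against one script. The following Python detector is an added example (not from the original post) that parses common-log-format lines and flags clients showing that pattern. The log lines are constructed for the demonstration; the addresses are documentation ranges, and the thresholds are placeholders to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Common log format: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Statuses that a guessed path, method or content type typically produces.
PROBE_STATUSES = {400, 403, 404, 405, 415}

# Constructed sample: 203.0.113.5 walks candidate paths, methods and parameter
# names the way the cases above describe; 198.51.100.7 is an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.5 - - [25/May/2023:16:20:01 +0800] "GET /uppload HTTP/1.1" 403 153
203.0.113.5 - - [25/May/2023:16:20:01 +0800] "GET /upload/images HTTP/1.1" 403 153
203.0.113.5 - - [25/May/2023:16:20:02 +0800] "GET /upload_image.php?id=1 HTTP/1.1" 200 0
203.0.113.5 - - [25/May/2023:16:20:02 +0800] "GET /upload_image.php?action=1 HTTP/1.1" 200 0
203.0.113.5 - - [25/May/2023:16:20:02 +0800] "GET /upload_image.php?do=upload HTTP/1.1" 200 812
203.0.113.5 - - [25/May/2023:16:20:03 +0800] "GET /start/face_xxx HTTP/1.1" 405 0
203.0.113.5 - - [25/May/2023:16:20:03 +0800] "POST /start/face_xxx HTTP/1.1" 415 0
203.0.113.5 - - [25/May/2023:16:20:04 +0800] "GET /backup.zip HTTP/1.1" 404 196
203.0.113.5 - - [25/May/2023:16:20:04 +0800] "GET /admin/ HTTP/1.1" 404 196
198.51.100.7 - - [25/May/2023:16:20:05 +0800] "GET /index.php HTTP/1.1" 200 5120
198.51.100.7 - - [25/May/2023:16:20:09 +0800] "GET /css/site.css HTTP/1.1" 200 2048
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path, _, query = rec.pop("target").partition("?")
    rec["path"] = path
    # Parameter names only: the values are irrelevant for name enumeration.
    rec["params"] = tuple(p.split("=", 1)[0] for p in query.split("&") if p)
    return rec


def detect_fuzzing(log_text: str, window: timedelta = timedelta(seconds=60),
                   min_probe_paths: int = 5, min_param_names: int = 3) -> List[Dict]:
    """Flag clients that, within `window`, hit many distinct paths with
    probe-like statuses or tried many distinct parameter names. Returns one
    alert per client, taken from the window that scored highest."""
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    alerts = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        best = None
        start = 0
        for end, rec in enumerate(recs):
            while rec["ts"] - recs[start]["ts"] > window:  # slide the window
                start += 1
            win = recs[start:end + 1]
            probe_paths = {r["path"] for r in win if r["status"] in PROBE_STATUSES}
            param_names = {p for r in win for p in r["params"]}
            reasons = []
            if len(probe_paths) >= min_probe_paths:
                reasons.append("path_probing")
            if len(param_names) >= min_param_names:
                reasons.append("param_probing")
            score = (len(reasons), len(probe_paths) + len(param_names))
            if reasons and (best is None or score > best[0]):
                best = (score, {
                    "ip": ip,
                    "first_seen": win[0]["ts"],
                    "last_seen": rec["ts"],
                    "probe_paths": sorted(probe_paths),
                    "param_names": sorted(param_names),
                    "reasons": reasons,
                })
        if best:
            alerts.append(best[1])
    return alerts


if __name__ == "__main__":
    for alert in detect_fuzzing(SAMPLE_LOG):
        print(alert["ip"], alert["reasons"], alert["probe_paths"], alert["param_names"])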

Tip 7: FUZZ Techniques for Hidden Variables and Unknown Parameters#

  1. Perform initial directory and parameter FUZZ based on the obtained URL;
  2. Then make bold predictions based on FUZZ results and FUZZ according to those predictions;
  3. Construct new URLs based on the results from the previous step, access them, and FUZZ again;
  4. Repeat the above operations until you achieve the desired result;
  5. Note: The key is patience, attention to detail, and bold predictions, gradually expanding the dictionary size.

Tip 8: FUZZ Techniques in Vulnerabilities like SQL, XSS, SSRF, CSRF, etc.#

Target: phpStudy/PHPTurorial/www/pikaqiu/pikachu

In real penetration tests, FUZZ can be used to learn what a WAF filters: import the whole payload list into bp, run it, and check the results for the items the WAF does not block.

2.4.1 Case: Discovering SQL Injection Vulnerabilities in the pikaqiu Target#

  1. Which parameters can be FUZZed?


    Parameters that can be FUZZed:

    • Parameters in the GET line
    • Parameters in the Cookie line
    • Other parameters
  2. Use bp to import the dictionary for FUZZing.


  3. Based on the results obtained from bp, construct the URL for access to achieve the desired result.

Practical Case 2: Practical FUZZ Penetration into Remote RCE Vulnerability to Control Computer#

  1. Use the browser to access the specified address and open the browser console.


    The red box shows the website's directory files and JS files, check if there is any information we need in the directories and files.

  2. If not, you can FUZZ the JS directory (usually, if there is a JS directory, you can start by FUZZing the JS directory).

    1. Construct a complete JS URL;

    2. Use bp to intercept;

    3. Import the dictionary for the attack;

    4. Based on the results of the bp attack, perform secondary analysis; if the desired information is not obtained, continue with secondary FUZZing, repeating the above steps;

    5. Analyze the bp results, construct the URL, access it, and obtain results.

    6. Display of bp results.


  3. If FUZZing the JS directory does not yield results, continue FUZZing other directories using the above steps.

  4. Note: During the FUZZ process, you may need to repeatedly FUZZ different parameters, directories, content-types, etc., so be careful to check the results obtained from each bp.

  5. The final result: obtain shell access to the website. After finding an uploadable URL, modify the request data in bp, send a backdoor (e.g., a one-liner backdoor), then access the corresponding URL in the browser to obtain the result.

    <?php
      system("whoami");
    ?>
    


    <?php
      phpinfo();
    ?>
    


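The end of this case (and of the upload_image.php case in 2.1.3.1) is an upload endpoint that stored a .php file under the web root. As an added example from the defender's side (not from the original post), the following Python validator shows the checks that would have rejected that upload: an extension allowlist, agreement between extension, declared Content-Type and the file's leading bytes, a scan for script markers inside image data, and a server-chosen storage name so the client's filename never reaches the filesystem. The magic-byte table and the test bytes are constructed for the demonstration.

```python
import secrets
from typing import Tuple

# Allowed image types: leading magic bytes and the Content-Type the browser
# is expected to declare. Extend the table to the types the application needs.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    "jpg": (b"\xff\xd8\xff", "image/jpeg"),
    "gif": (b"GIF8", "image/gif"),
}
# Markers that have no business inside an image; catches image/PHP polyglots.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")


def validate_upload(filename: str, content_type: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason_or_extension). Every check is an allowlist:
    extension, declared Content-Type and actual bytes must all agree on one
    permitted image type."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED_TYPES:
        return False, "extension not allowed"
    magic, expected_ct = ALLOWED_TYPES[ext]
    if content_type.split(";")[0].strip().lower() != expected_ct:
        return False, "content-type does not match extension"
    if not data.startswith(magic):
        return False, "file content does not match extension"
    if any(marker in data for marker in SCRIPT_MARKERS):
        return False, "script markers inside image data"
    return True, ext


def storage_name(ext: str) -> str:
    """Server-chosen random name. Write the file outside the web root and
    serve it through a handler, so nothing uploaded is ever executed."""
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16          # constructed PNG header
    print(validate_upload("photo.png", "image/png", png))
    print(validate_upload("skr_anti.php", "image/png", b"<?php phpinfo(); ?>"))
```

The double-extension case ("photo.php.jpg") is accepted only if the bytes really are a JPEG with no script markers, and because the stored name is server-generated, the original name cannot influence how the web server later interprets the file.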
