
How tracing a Js file led to unauthorized access

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

In this issue, the editor shows how tracing a Js file led to unauthorized access. The article is rich in content and analyzes the case from a professional point of view; I hope you get something out of it.

0x00 Introduction

Almost every system has some kind of verification. Common forms include account/password verification, CAPTCHA verification, client-side JavaScript data verification, and server-side data verification. Programmers may make mistakes in how a verification step is implemented, which allows it to be bypassed; these are verification-bypass vulnerabilities.

Experts in the major security communities have already published detailed write-ups of such vulnerabilities, so I won't elaborate on them here.

0x01 Main text

Last night I had nothing to do, so I was reviewing my Edusrc submission history and saw that an injection I had reported had been fixed, so I clicked in. The injection was now blocked when I used the previous bypass technique; it really had been fixed.

Not quite willing to give up, I kept digging for vulnerabilities on this site.

Open the URL: http://xxx.xxxx.com/login.do

It is still the familiar login box, and the injection mentioned at the start of this article has been fixed.

Most people's thinking would probably be:

1. Brute-force cracking
2. Capture the login POST request and try injection on it

Facing this login box, I sorted out my train of thought:

Attempt to log in with the password obtained from the previous injection -> failed (which is normal; it would have been changed)

Try injection -> fixed (the fix: the incoming account password is encrypted with RSA before it is checked, and if it is not RSA-encrypted, False is returned directly)

So am I just cut off here?

No, not at all.

0x02 Tracking the Js

While looking through the page's source Js files, I found a login.min.js, presumably the interface file related to login.

We continue to track the details.

Part of the content is Unicode-escaped; I decoded it on a website to make analysis easier.

It is clear that three variables are defined for verification:

a -> loginId (username), b -> password, c -> verifycode (CAPTCHA)

Two interface urls can be seen:

/framework/login_login.do and /framework/login_toManage.do

Visiting them separately: the first one is the login verification, and it redirects to the login page mentioned at the beginning of the article.

When visiting the second interface, the back-end management frame flashed by and then I landed on a blank page.

A logic problem may not be obvious from the js itself, but through this interface that the js accesses, my noob's sixth sense told me something might be wrong here.

Analyzing the Js here, I guessed this might be the problem (the fragment below is cut off in the original):

    Post(baseUrl_ + "/framework/login_login.do",
         {loginId: a, password: b, verifycode: c, abc: Math.random()},
         function (a) {
             "true" == a ? window.location = baseUrl_ + "/framework/login_toManage.do" :
             "code Faild" == a ? ...

Why can I access the back-end framework? It convinced me there must be a problem here.

This ties in with the three variables defined earlier. As far as I understand it, there is nothing wrong with how the variables are defined.

But it seems that only loginId, i.e. a, is actually verified here.

Judging from the Js alone could be wrong, but the Js really does only check a and then goes directly to the back-end url.

So I followed this analysis and tested it.

1. Enter admin as the account, with any password
2. Enter a username that does not exist, 123, with any password

Following the Js logic the behaviour looks normal. But after entering the correct username (a) as before, if you manually access the back-end interface address obtained above,

you get all the permissions of the admin user directly.

Clearly only parameter a is checked. Successfully entered the back end.

There are multiple function points in the back end, and the file upload is not validated.

Then comes a very common process:

File upload -> Getshell

The above is what the editor has shared about tracing a Js file to unauthorized access. If you happen to have similar doubts, please refer to the above analysis. If you want to know more, you are welcome to follow the industry information channel.
