十一

Stay hungry, stay foolish.

The Two Major Techniques and Eight Key Tips of Vulnerability Discovery

Technique 1: JS Encryption Parameter Reversal and Utilization

Technique 2: The Art of FUZZ, Directly Enhancing Output

Technique 1: JS Encryption Parameter Reversal and Utilization#

1.1 Tip 1: The Important Role of JS in Vulnerability Discovery#

1.1.1 JavaScript#

JS: JavaScript is the scripting language for web pages, mainly used to add interactive behaviors to HTML pages, with the following functions:

  1. Embed dynamic text into HTML pages;
  2. Respond to browser events;
  3. Read and write HTML elements;
  4. Validate data before it is submitted to the server;
  5. Detect visitor's browser information.

1.1.2 Differences Between HTML, JS, and CSS#

  • HTML: the bare structure of the house
  • CSS: the decoration
  • JS: makes the house dynamic, like adding smart-home features

1.1.3 The Important Role of JS in Vulnerability Discovery#

  1. JS may contain plugin names, allowing direct exploitation of the corresponding known vulnerabilities.
  2. JS may contain URL links, enabling further testing and exploitation based on those URLs.
  3. JS may contain subdomains that can be accessed directly.
  4. Comments in JS may leak account passwords or other information.

1.1.4 Jsfind#

Use JsFind to find leaked URL links and domain names in JS (example target: JD.com):

    python jsfind.py -u "http://www.jd.com"

1.2 Tip 2: Tips and Methods for Using the Browser Console#

(screenshot)

The network monitors all network requests and can monitor traffic.

  1. Disable cache: when checked, every request is fetched from the server again instead of being served from the browser cache. Enable this during penetration testing and vulnerability discovery.
  2. Debugger (Sources): where the website's JS code is shown.
    1. Click the {} at the bottom to pretty-print the code.
    2. Breakpoints can be set here.
  3. Console: lets you call and operate on the functions defined in the JS.

1.3 Tip 3: JS Breakpoint Techniques and Hook Injection#

Hook: used together with Python for crawling and penetration testing, for example to bypass image CAPTCHAs.

1.3.1 JS Breakpoint Debugging#

Set breakpoints in the JS; execution stops at the breakpoint, and you can then step into the code. (screenshot)

1.3.2 How to Find Breakpoints#

Search globally in the debugger using keywords, jump to the required location, and click on the JS line to turn it blue.

Note: The MD5 function can be customized; when cracking passwords, you need to find the actual MD5 function being used.

1.4 Tip 4: Combining Python and JS to Solve Encryption Problems#

  1. JS code test.js

    // JS encryption function
    function encryptByDES(message) {
      var encrypted = message;
      encrypted = encrypted + "asdfdsaf";
      return encrypted;
    }
    
  2. Call the function in the JS file using Python

    # Install execjs: pip install pyexecjs
    # pyexecjs has been unmaintained since 2018; js2py can be used instead
    import execjs

    # Compile the JS source so its functions can be called from Python
    with open('test.js', 'r', encoding='utf-8') as f:
        a = execjs.compile(f.read())

    # Call the encryptByDES function in test.js, passing 'password' as the argument
    result1 = a.call('encryptByDES', 'password')
    print(result1)
    

1.5 Practical Case: MD5 Encryption Reversal of Encrypted Parameters#

  1. Use bp (Burp Suite) to intercept the login request and obtain the submitted information.

    (screenshot)

  2. In the browser console, search for the keyword password to find the JS function that processes password;

  3. Use Python code to call the JS function that processes password, and complete the function and other parameters based on error messages;

  4. Compare the value obtained from Python with the value intercepted by bp to see if they match;

  5. If they match, you can use Python to process the password dictionary and then use bp for brute force cracking.
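
The comparison in step 4 above, and the Python/JS bridge of Tip 4, can be done without a JS engine once the client-side transform is understood. The following is an added example written for this page, not code from the original post: it ports the page's test.js function (which only appends the suffix "asdfdsaf") to Python, reproduces the common hex-MD5 case with hashlib, and checks each candidate against a value captured in Burp. The salted variant and the captured value are constructed for illustration. The lesson for defenders is the flip side: a hash computed in the browser is fully reproducible by anyone who can read the JS, so it is not a password-protection control; the server still has to hash with a salt and rate-limit logins.

```python
# Added example (not from the original post): reproduce a client-side password
# transform in Python and compare it with the value captured in Burp.
# The salted scheme and all "captured" values below are constructed assumptions.
import hashlib
import hmac

CLIENT_SUFFIX = "asdfdsaf"  # the same constant the page's test.js appends


def replicate_test_js(message: str) -> str:
    """Pure-Python port of encryptByDES() from the page's test.js."""
    return message + CLIENT_SUFFIX


def md5_hex(value: str) -> str:
    """The typical client-side transform: hex MD5 of the raw password."""
    return hashlib.md5(value.encode("utf-8")).hexdigest()


def salted_md5_hex(password: str, salt: str) -> str:
    """A customised variant (hypothetical): MD5 over password + salt."""
    return md5_hex(password + salt)


def matches_intercepted(computed: str, intercepted: str) -> bool:
    """Step 4 of the case: does the Python value equal what Burp captured?
    Case-insensitive because hex digests are often upper-cased in the wild."""
    return hmac.compare_digest(
        computed.lower().encode("utf-8"), intercepted.lower().encode("utf-8")
    )


def find_transform(password: str, intercepted: str, salt: str = ""):
    """Try each known transform and return the name of the one that reproduces
    the captured value, or None when no candidate matches (i.e. the real JS
    function has not been identified yet and must be located in the debugger)."""
    candidates = {
        "test_js_suffix": replicate_test_js(password),
        "md5": md5_hex(password),
        "salted_md5": salted_md5_hex(password, salt),
    }
    for name, value in candidates.items():
        if matches_intercepted(value, intercepted):
            return name
    return None


if __name__ == "__main__":
    # Constructed: what Burp showed for a login submitted with the password "password".
    captured = "5f4dcc3b5aa765d61d8327deb882cf99"
    print(find_transform("password", captured))  # md5
```

When `find_transform` returns None, the page's advice applies: the site is using a customised hash, so search the Sources panel for the real function rather than assuming stock MD5.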

Technique 2: The Art of FUZZ, Directly Enhancing Output (Technique)#

2.1 Tip 5: Common FUZZ Techniques, Tools, and Dictionaries (Technique)#

2.1.1 FUZZ Fuzz Testing#

FUZZ: As a noun, it translates to "fuzz; blur; fine hair; officer."

Core idea: when only part of the conditions is known, fuzzy testing is needed, continuously trying different inputs until the desired result is obtained.

For example: For large transfers on Alipay, partial information needs to be filled in.

(screenshot)

2.1.2 Where can FUZZ techniques be applied?#

  1. When cracking passwords
  2. When scanning directories
  3. When scanning parameters
  4. When testing vulnerabilities
  5. When bypassing WAF
  6. Any parameters seen can actually be tested with FUZZ
  7. ...many more, fuzz can be used everywhere

Using FUZZ effectively leads to vulnerabilities.

The core idea of directory scanning and brute force cracking is FUZZ. Often, problems that tools cannot solve can be manually FUZZed for unexpected results.

2.1.3 Excellent FUZZ Cases#

2.1.3.1 Parameter FUZZ Practical Vulnerability#

  1. During a vulnerability discovery process on a certain SRC, an interesting file http://36...*/upload_image.php was found, which returned blank content when accessed.

    (screenshot)

  2. For such a page, parameters undoubtedly need to be FUZZed, and a parameter named do was discovered.

    (screenshot)

    1. Found that http://360...*/upload_image.php?do can be used.
  3. Then FUZZ the value of the do parameter using bp.

    (screenshot)

  4. Constructed http://xxxxx/image_upload.php?do=upload, accessed it, and the upload form was successfully displayed, giving the following interface.

    (screenshot)

  5. After uploading the file, FUZZ the upload path.

    http://36.*.*.*/uppload -------> 403
    Continue fuzzing
    http://36.*.*.*/upload/images ------->403
    ....
    Found the file path, construct the URL
    http://36.*.*.*/upload/images/skr_anti.php

  6. Then use a remote control tool to connect to the target server.

    (screenshot)
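
The case above ends with a .php file served from the upload directory. As an added example (not code from the original post, and not the target site's code), here is the server-side check, written in Python, that stops that outcome: an extension allowlist, a magic-byte check that the content matches the extension, rejection of double extensions and embedded PHP tags, and a random server-chosen filename so the client's name never reaches the disk. The size limit, the three allowed image types and the stored-name scheme are assumptions.

```python
# Added example (not from the original post): hardened server-side validation
# for an image upload endpoint such as the upload_image.php case above.
# The size limit, allowed types and stored-name scheme are assumptions.
import os
import re
import secrets

MAX_BYTES = 2 * 1024 * 1024  # assumed limit for an image upload endpoint

# Extension allowlist with the magic bytes each content type must start with.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# Extensions the web server would execute; never allowed anywhere in the name.
EXECUTABLE_EXTS = {"php", "php3", "php5", "phtml", "phar"}
# Heuristic: a genuine image should not carry a PHP open tag.
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def validate_image_upload(original_name: str, data: bytes):
    """Return (accepted, reason, stored_name).

    stored_name is a random server-chosen name; the client's filename is only
    used to read the claimed extension, so path tricks cannot reach the disk."""
    if len(data) > MAX_BYTES:
        return False, "file too large", None
    # Strip any directory component, whichever separator the client used.
    base = os.path.basename(original_name.replace("\\", "/")).lower()
    parts = base.split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "missing extension", None
    ext = "jpg" if parts[-1] == "jpeg" else parts[-1]
    if ext not in MAGIC:
        return False, f"extension .{ext} not allowed", None
    if EXECUTABLE_EXTS & set(parts[1:-1]):
        return False, "double extension", None
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match extension", None
    if PHP_TAG.search(data):
        return False, "embedded PHP tag", None
    return True, "ok", f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    png = MAGIC["png"] + b"\x00" * 32  # constructed stand-in for a PNG body
    print(validate_image_upload("avatar.png", png))
    print(validate_image_upload("skr_anti.php", b"<?php system('id'); ?>"))
```

The returned name should be written to a directory outside the web root (or one where script execution is disabled in the web server configuration); the validation alone does not help if the server still executes whatever lands in /upload/images.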

2.1.3.2 FUZZ Hidden Parameters and Fields#

  1. Directory scanning revealed the following files.

    (screenshot)

  2. Locate the files.

    (screenshot)

  3. Construct directory access.

    Construct the information from the prompt into a URL and access it:
    http://....../start/face_xxx
    Accessing the interface returns a 405 Method Not Allowed error, so obviously we need to switch to POST parameters.

    (screenshot)

  4. POST any parameter, and the interface responds "Request error, content-type was unsupported".

    (screenshot)

  5. Continue FUZZing the Content-Type header.

    (screenshots)

  6. The Content-Type header application/json is accepted, so from here it is simple: construct JSON and continue FUZZing the JSON data parameters.

    (screenshots)

  7. Utilizing the SSRF here, it is entirely possible to batch password-spray the internal Redis and obtain a reverse shell, breaking through the network boundary.

    (screenshot)

2.1.3.3 Combining JS and FUZZ#

  1. Access a login page.

    (screenshot)

  2. Set the account and password fields and start brute-forcing the password.

    (screenshots)

  3. Logging in with the tested account and password gives no response; the login page remains just a login page.

  4. It is impossible to give up: continue FUZZing directories, discover that a /JS/ directory exists, and start FUZZing its contents.

    (screenshot)

  5. Based on the discovered links, construct the URL and access it, revealing a new page.

    (screenshot)

    It was found that there is a logout link here, which should not exist when not logged in. It is speculated that the account and password displayed below come from the previous brute force, but they seem to be of no use.

  6. Next, examine the JS file and find the following pattern.

    (screenshot)

  7. Then FUZZ the domain name and discover an exhibition page.

    (screenshot)

  8. Then use bp to capture the packets, modify the returned data, and log in successfully.

    (screenshot)

  9. Successfully access the site.

    (screenshot)

2.2 Tip 6: FUZZ in Vulnerabilities like Unknown Directories, Information Leakage, Backup Files, etc. (Technique)#

2.2.1 Unknown Directories#

  1. Gradually FUZZ the website's directories and files;
  2. Based on the paths obtained from FUZZ, FUZZ parameters and paths;
  3. Repeat the FUZZ process until you get the desired result.
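
From the defender's side, the directory and path FUZZ described here (and the 403/404 sequence in the upload_image.php case above) leaves a very recognisable trace in the web server's access log: one client requesting many distinct paths and query strings in a short time, most of them answered with 403 or 404. The following is an added example, not code from the original post: a small detector over Apache/Nginx combined-format log lines. The log lines are constructed, and the 60-second window and the threshold of 8 distinct targets are assumed starting points to tune per site. It counts distinct targets rather than only errors, so it also catches parameter FUZZ against a page that answers 200 with a blank body.

```python
# Added example (not from the original post): flag directory/parameter FUZZ
# activity in web server access logs. Log lines are constructed; the window
# and threshold are assumptions to be tuned for the site.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/Nginx combined log format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: 203.0.113.5 fuzzes parameters and paths; 198.51.100.7 is a normal visitor.
SAMPLE_LOG = """\
203.0.113.5 - - [25/May/2023:16:16:01 +0800] "GET /upload_image.php HTTP/1.1" 200 0
203.0.113.5 - - [25/May/2023:16:16:02 +0800] "GET /upload_image.php?id=1 HTTP/1.1" 200 0
203.0.113.5 - - [25/May/2023:16:16:03 +0800] "GET /upload_image.php?do=1 HTTP/1.1" 200 0
203.0.113.5 - - [25/May/2023:16:16:04 +0800] "GET /uppload HTTP/1.1" 403 199
203.0.113.5 - - [25/May/2023:16:16:05 +0800] "GET /upload/images HTTP/1.1" 403 199
203.0.113.5 - - [25/May/2023:16:16:06 +0800] "GET /admin HTTP/1.1" 404 153
203.0.113.5 - - [25/May/2023:16:16:07 +0800] "GET /backup.zip HTTP/1.1" 404 153
203.0.113.5 - - [25/May/2023:16:16:08 +0800] "GET /.git/config HTTP/1.1" 404 153
203.0.113.5 - - [25/May/2023:16:16:09 +0800] "GET /config.php.bak HTTP/1.1" 404 153
203.0.113.5 - - [25/May/2023:16:16:10 +0800] "GET /upload/images/test.php HTTP/1.1" 404 153
198.51.100.7 - - [25/May/2023:16:20:01 +0800] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [25/May/2023:16:20:02 +0800] "GET /style.css HTTP/1.1" 200 880
198.51.100.7 - - [25/May/2023:16:20:03 +0800] "GET /favicon.ico HTTP/1.1" 404 153
"""


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "target": m["target"],
        "status": int(m["status"]),
    }


def detect_fuzzing(lines, window_seconds: int = 60, threshold: int = 8) -> dict:
    """Return {ip: {"distinct": n, "errors": e}} for every client that requested
    at least `threshold` distinct targets inside any sliding window of
    `window_seconds`; `errors` counts the 403/404 responses in that window."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            span = recs[start:end + 1]
            distinct = {r["target"] for r in span}
            errors = sum(1 for r in span if r["status"] in (403, 404))
            if len(distinct) >= threshold and len(distinct) > alerts.get(ip, {}).get("distinct", 0):
                alerts[ip] = {"distinct": len(distinct), "errors": errors}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_fuzzing(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['distinct']} distinct targets, {info['errors']} 403/404 responses")
```

A high error count alongside the distinct-target count is the directory-FUZZ signature; many distinct targets with mostly 200 responses points at parameter FUZZ of one script, exactly the upload_image.php?do pattern.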

2.3 Tip 7: FUZZ Techniques for Hidden Variables and Unknown Parameters#

  1. Perform initial directory and parameter FUZZ based on the obtained url;
  2. Then make bold predictions based on the FUZZ results and conduct FUZZ based on those predictions;
  3. Construct new URLs based on the results from the previous step, access them, and FUZZ again;
  4. Repeat the above operations until you achieve the desired result;
  5. Note: The key is patience, attention to detail, and bold predictions, gradually expanding the dictionary size.

2.4 Tip 8: FUZZ Techniques in Vulnerabilities like SQL, XSS, SSRF, CSRF, etc.#

Target: phpStudy/PHPTurorial/www/pikaqiu/pikachu

During actual penetration testing, to bypass WAF, you can use FUZZ to filter content; simply import all content into bp for testing, and you can find out which items are not filtered by WAF in the results.

2.4.1 Case: Discovering SQL Injection Vulnerabilities in the pikaqiu Target#

  1. Which parameters can be FUZZed?

    (screenshot)

    Parameters that can be FUZZed:

      • Parameters in the GET line
      • Parameters in the Cookie line
      • Other parameters

  2. Use bp to import the dictionary for FUZZ.

    (screenshot)

  3. Based on the results from bp, construct the URL and access it to obtain the desired result.

Practical Case 2: Practical FUZZ Penetration into Remote RCE Vulnerabilities to Control Computers#

  1. Use the browser to access the specified address and open the browser console.

    (screenshot)

    The red box shows the website's directory files and JS files; check whether the directories and files contain any information we need.

  2. If not, you can FUZZ the JS directory (usually, if there is a JS directory, you can start by FUZZing it).

    1. Construct the complete JS URL;

    2. Use bp to intercept;

    3. Import the dictionary for the attack;

    4. Based on the results of the bp attack, perform secondary analysis. If no desired information is found, continue with a secondary FUZZ, repeating the above steps;

    5. Analyze the bp results, construct the URL, access it, and derive results.

    6. Display of bp results.

    (screenshot)

  3. If FUZZing the JS directory does not yield results, continue FUZZing other directories using the above steps.

  4. Note: During the FUZZ process, you may need to repeatedly FUZZ different parameters, directories, content-types, etc., and pay close attention to the results obtained from each bp run.

  5. The final result: obtain getshell access to the website. After obtaining an uploadable URL, modify the request data in bp to send a backdoor (e.g., a one-liner backdoor), access the corresponding URL, and observe the result.

    <?php
      system("whoami");
    ?>

    (screenshot)

    <?php
      phpinfo();
    ?>

    (screenshots)
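
The files shown above are what a defender needs to find after the fact. As an added example (not code from the original post), here is a content-based scan of a web root that reports any file, whatever its extension, that carries a PHP open tag together with a command-execution or code-evaluation call or a superglobal such as $_POST. The indicator lists are assumptions and will need extending per environment; `build_sample_webroot()` writes constructed sample files (one benign page, one copy of the whoami test file above, one image) into a temporary directory so the scan can be exercised offline.

```python
# Added example (not from the original post): scan a web root for files whose
# content looks like the command-execution backdoors shown above.
# Indicator lists are assumptions; build_sample_webroot() creates constructed files.
import os
import re
import tempfile

PHP_OPEN = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)
DANGEROUS_CALL = re.compile(
    rb"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert|phpinfo)\s*\(",
    re.IGNORECASE,
)
REQUEST_INPUT = re.compile(rb"\$_(GET|POST|REQUEST|COOKIE)\b")


def inspect_bytes(data: bytes) -> list:
    """Return sorted indicator strings for one file's content.
    Files without a PHP open tag are ignored, so documentation that merely
    mentions system() is not reported."""
    if not PHP_OPEN.search(data):
        return []
    found = set()
    for m in DANGEROUS_CALL.finditer(data):
        found.add("dangerous_call:" + m.group(1).decode("ascii").lower())
    for m in REQUEST_INPUT.finditer(data):
        found.add("request_input:$_" + m.group(1).decode("ascii"))
    return sorted(found)


def scan_webroot(root: str, max_bytes: int = 1_000_000) -> list:
    """Walk root and report every file (any extension) whose content carries
    indicators, as [{"path": ..., "indicators": [...]}, ...] in walk order."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    data = f.read(max_bytes)  # bound memory on huge files
            except OSError:
                continue
            indicators = inspect_bytes(data)
            if indicators:
                findings.append({"path": path, "indicators": indicators})
    return findings


def build_sample_webroot() -> str:
    """Create a temp dir with constructed files: a benign page, the page's
    whoami test file under upload/images, and a harmless PNG stub."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "upload", "images"))
    samples = {
        "index.php": b'<?php echo "hello"; ?>',
        os.path.join("upload", "images", "skr_anti.php"): b'<?php\n  system("whoami");\n?>',
        os.path.join("upload", "images", "logo.png"): b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    for finding in scan_webroot(build_sample_webroot()):
        print(finding["path"], finding["indicators"])
```

Run it against the real upload directory on a schedule, or on every file-close event in that directory, and treat any hit under a path that is only supposed to hold images as an incident rather than a warning.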
