Can vulnerabilities be dug at will?

Today, while testing, I found an arbitrary user login vulnerability. A brief write-up follows (er... it really is simple!).

The request after a successful login contains the user name and user_id of the currently logged-in user:

It is followed by a packet containing sensitive information, as follows:

As you can see, the returned data contains the current user's password as an MD5 hash, which can be cracked as usual. Replace the user_id with another user's id:

You can see that the password of the other user_id is returned. Normally, though, a user_id can only be obtained after successfully logging into that user's account, so to log in as another user you would have to know the user name corresponding to that user_id value... Since the system has a packet that returns the password, other packets may return sensitive information too, so open Burp's history and search for user_id in the search box at the bottom.

Logging in with a user name sends a request whose response contains the user_id corresponding to that user name:

Get the password by id:

By traversing user names, more user_ids can be obtained; through the request above, more users' MD5 password hashes can be obtained; and with a cracked password and its user name, any user's account can be logged into:
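Added example, not code from the original post: a toy version of the user-info handler with the bug described above, beside a hardened one (ownership checked against the server-side session, response fields allow-listed), plus a small triage helper that flags captured responses carrying MD5-looking values under credential-named keys. The user table, field names, ids and handler names are constructed placeholders, not the tested system's.

```python
import hashlib
import re

# Constructed sample user table (placeholder data, not from the original post).
# Unsalted MD5 is used only to mirror what the vulnerable app stored and returned.
USERS = {
    1001: {"username": "alice", "password_md5": hashlib.md5(b"alice123").hexdigest(), "phone": "13800000001"},
    1002: {"username": "bob", "password_md5": hashlib.md5(b"bob123").hexdigest(), "phone": "13800000002"},
}


def user_info_vulnerable(session_user_id, requested_user_id):
    """Mirrors the bug in the post: the handler trusts the client-supplied user_id,
    ignores who is actually logged in, and serialises the whole row, hash included."""
    row = USERS.get(requested_user_id)
    if row is None:
        return 404, {"error": "no such user"}
    return 200, dict(row, user_id=requested_user_id)


# Explicit allow-list of fields a client may ever see; the hash is simply not in it.
PUBLIC_FIELDS = ("username", "phone")


def user_info_fixed(session_user_id, requested_user_id):
    """Hardened handler: object-level authorisation checked against the server-side
    session id, and a response allow-list so credential material can never be serialised."""
    if requested_user_id != session_user_id or requested_user_id not in USERS:
        # One answer for "not yours" and "does not exist", so ids cannot be confirmed.
        return 403, {"error": "forbidden"}
    row = USERS[requested_user_id]
    body = {k: row[k] for k in PUBLIC_FIELDS}
    body["user_id"] = requested_user_id
    return 200, body


CRED_KEY = re.compile(r"pass|pwd|secret|token", re.I)
MD5_LIKE = re.compile(r"^[0-9a-f]{32}$", re.I)


def leaked_hash_fields(body):
    """Triage helper for captured JSON responses (e.g. a proxy history export): returns
    the keys whose name looks credential-related and whose value looks like an MD5 digest."""
    return sorted(k for k, v in body.items()
                  if isinstance(v, str) and CRED_KEY.search(k) and MD5_LIKE.match(v))
```

Running `leaked_hash_fields` over every response body in a proxy history export is a quick way to find this class of leak before an attacker does.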

Summary of vulnerability mining types

If you happen to be a newbie (Xiao Bai) who has just finished learning the basics, and you happen not to have attended any training but taught yourself entirely,

then your vulnerability list may look something like the following.

Brute-force vulnerability

SQL injection vulnerability

Command execution vulnerability

XSS vulnerability (cross-site scripting)

CSRF vulnerability (cross-site request forgery)

XXE vulnerability

File upload vulnerability

File inclusion vulnerability

Public CMS vulnerabilities

Yes, that's about it. Of course, some of these may be useless ways of writing it; it varies from person to person.

If you are lucky enough to see the vulnerability list of a veteran (a "big boss"), then in addition to the above it may have the following items.

Logical vulnerability

SSRF vulnerability

Information disclosure

Unauthorized access (for example, via interfaces found in JS files)

Combined vulnerabilities

……

These are only part of it, though. I am not a big boss, but I welcome the big bosses to fill in the gaps. Let me just talk about the vulnerability types I added.

3. Detailed description of the vulnerability types

One note before the official start. I previously misunderstood the definition of a vulnerability, thinking that only the ones listed above count. That is not so: anything that can cause a loss to the vendor counts. Logical vulnerabilities are defined on this basis too. Looking back at my own hunting, I actually missed a lot.

Logical vulnerability

Logical vulnerabilities are an enduring topic, but unlike the vulnerabilities above, logical vulnerabilities cannot be found by scanners. As far as I know, no scanner dares to claim it can scan for logical vulnerabilities. Some vendors may dare to say they have no SQL injection, but no one dares to say they have no logical vulnerabilities (I don't think any vendor actually dares to say they have no SQL injection either, hahaha). Moreover, as WAFs and firewalls gradually improve, SQL injection, upload and other vulnerabilities become increasingly hard to find and exploit, while logical vulnerabilities are unaffected by this.

What is a logical vulnerability? It is a family of vulnerabilities that attackers can exploit because the code logic was not strict during development. "Logical vulnerability" is also a general term covering many kinds of vulnerabilities.

For example, the most common are payment vulnerabilities where anything can be bought at a low price, loose control of the password-retrieval flow that allows any user's login password to be changed, and unauthorized viewing of other people's orders and personal information.

Of course, this is only part of it; I am only giving an introduction here. For the principles and details of specific vulnerabilities, you can search the keywords yourself. It is easier to write about with more veterans contributing; otherwise this article would run to dozens of pages. For the details of some vulnerabilities, you can go and read WooYun (乌云).

Information disclosure

As the name implies, information disclosure vulnerabilities leak information, and there are many kinds of information leakage, such as:

For source-code leaks, you can look on GitHub. Many programmers publish source code on GitHub, and some don't even change their user names and passwords; the database connection password sits right there in the source code. Of course, a noob like me will just submit such leaked source code directly when I find it; a competent boss will do a round of code audit first, and then hehehehehe. For employee information disclosure, you can collect accounts during information gathering and then run them through a social engineering database (社工库), or record the accounts for brute-forcing.

Combined vulnerabilities

A combined vulnerability is a magical thing that can turn low-risk vulnerabilities into a high-risk one. For example, say you find an XSS vulnerability and a CSRF vulnerability. Submitted separately, they may be two low-risk vulnerabilities, or two ignored ones. But if you combine the XSS with the CSRF, it may become a high-risk vulnerability. When it comes to combos, Master Key's combos are very hard. I look up to the master. Master Key told me: if you dig up a low-risk one, don't rush to submit it; save it, in case one day you run into another vulnerability, combine them, and you will be delighted.

A small trick: if you want a detailed vulnerability list, collect several SRC vulnerability manuals and copy them, which gives a perfect vulnerability list.

4. Personal methods for improving vulnerability hunting ability

This section is about how to improve and what good habits to have when hunting.

Carefulness

Carefulness comes first, because it is very, very important. I have had the honor of asking many bosses the secret of success, and the first word they gave me was carefulness: as the saying goes, be careful and you can go anywhere. Many vulnerabilities can only be found by careful work, not letting go of any parameter in a packet, nor any spot on the website. I once asked Master Xiaoshi of our team how to dig an SRC that many people have already dug; since so many had dug it, I thought I had to test some more function points. Master Xiaoshi didn't answer me directly, but told me about his own experience. That was when he was digging Meituan: he started directly from the main site and dug up a high-risk stored XSS in an obvious place in the personal profile. So when we hunt, don't give up on any place where there might be a bug. Everyone hunts differently. For such a big website there will always be a few leaks, and when one vulnerability has been fixed, who can guarantee that another has not been left unfixed?

Patience

Patience and carefulness can be said to be a pair (a CP). If you are confident enough, then I don't think your patience will be bad. If carefulness is your sword for digging, then patience is your whetstone. Many times, when you come across a crappy site and stare at it for a few days, you can dig something up. If you persist, you will be the winner. Some say that hunting is also a matter of luck: with luck, a few high-risk ones; with bad luck, not even one in a few days. There is some truth in that, but when you are strong enough and have your own routine, hunting is also very easy and enjoyable.

Read and remember

Read and remember. This is very simple: read more and remember more, reading more vulnerability details and technical articles. Vulnerability details can be read on WooYun, and many cases are shared by many people online, mainly on WooYun. After reading, remember it, so that what you read truly becomes your own. If you are still at a loss when facing a vendor, go to WooYun and read the vulnerability details one by one, then write down the locations of the vulnerabilities and earlier tricks to build your own vulnerability hunting manual, which is what I have been doing recently. Some good articles and tricks you may not need for a while, but you must learn to remember them, and one day you will use them.

Know how to collect

Master Key says that vulnerability hunting is a process of fuzzing, and the key to fuzzing is an efficient dictionary. Yes, we should learn to collect dictionaries. The public dictionary to recommend is fuzzdb, a very good collection of fuzzing dictionaries. Of course, while collecting other people's dictionaries, we should also build our own. We once met a big boss who collected a large number of GitHub development projects and built a dictionary from them. As a newbie I haven't written a program to collect dictionaries automatically. Still, in the ordinary course of hunting we need to collect many things and gradually form our own special dictionary, which will definitely improve your hunting efficiency. When you have a dictionary of your own collection, I believe you have become a big shot.

Practice diligently

When you have read a lot of vulnerabilities and taken a lot of notes, I believe what you need most at that point is practice. Practice is the fastest way to master what you have learned, bar none. Only practice can build your hunting ability and efficiency. When you see a new vulnerability, building an environment to reproduce it is also a way to improve.