# Minimal example: a CLI parameter declared at the top of the plugin is readable
# from inside the mirror callback.
test = cli.String("input", cli.setRequired(true))
# cli.check() validates the declared parameters (setRequired) before the plugin runs.
cli.check()

# mirrorHTTPFlow receives a copy of every flow passing through the MITM proxy,
# including .js / .css / .jpg requests that hijacking plugins usually filter out.
mirrorHTTPFlow = func(isHttps, url, req, rsp, body) {
    msg = sprintf("input data %s", test)
    yakit.Output(msg)
}
oc.replaceHeader("Cookie", lowCookie),poc.https(isHttps))
log.error("send low permissions cookie request err %s", err)
if lowRsp == rsp {
risk.NewRisk(
url,
risk.title("越权访问"),
risk.severity("high"),
risk.titleVerbose("越权访问"),
risk.details({
"target": url,
"request": lowReq,
"response": lowRsp,
}),
risk.description("越权访问"),
risk.solution("增强权限检查")
)
}
}
}
# Plugin parameters for the broken-access-control (越权) check.
# NOTE(review): cli.setRequired is only enforced by a later cli.check() call
# (see the first snippet on this page); make sure the full plugin has one.
lowCookie  = cli.Text("lowCookie", cli.setRequired(true), cli.setVerboseName("低权限cookie"))
website    = cli.String("website", cli.setRequired(true), cli.setVerboseName("目标检测网站"))
pathPrefix = cli.String("pathPrefix", cli.setRequired(true), cli.setVerboseName("路径前缀过滤"))
website: 指定只检测某个网站（与请求 URL 的 Host 比较，Host 带端口时需一并写明）
pathPrefix: 指定网站路径前缀，只对以该前缀开头的敏感路径做越权检查
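# mirrorHTTPFlow is invoked for every request/response pair that passes through the
# MITM proxy. For in-scope, authenticated requests it replays the same request with
# the configured low-privilege cookie and reports a risk when the low-privilege
# session receives the same response body as the original session.
#
# Parameters are supplied by Yakit: isHttps (bool), url (string), req / rsp (raw
# request / response packets as bytes), body (response body bytes — confirm against
# the Yakit plugin docs for this callback).
mirrorHTTPFlow = func(isHttps, url, req, rsp, body) {
    urlIns, err = str.ParseStringUrlToUrlInstance(url)
    if err != nil {
        log.error("parse url string to url instance err %s", err)
        return
    }

    # Scope filter: only the configured host, and only paths *under* pathPrefix.
    # The previous condition returned when the prefix matched, i.e. it skipped
    # exactly the sensitive paths the option is meant to select.
    # NOTE(review): urlIns.Host includes the port when the URL carries one, so
    # `website` must be given in the same form (e.g. 127.0.0.1:8787).
    if urlIns.Host != website || !str.HasPrefix(urlIns.Path, pathPrefix) {
        return
    }

    # Only requests that were authenticated in the first place are candidates:
    # an unauthenticated request returning the same content is not an authz bypass.
    if poc.GetHTTPPacketHeader(req, "Cookie") == "" {
        return
    }

    # Replay the original request with the low-privilege session.
    # NOTE(review): the request is replayed verbatim, body included, so
    # state-changing (non-GET) requests are executed a second time on the target.
    lowRsp, lowReq, err = poc.HTTP(req, poc.replaceHeader("Cookie", lowCookie), poc.https(isHttps))
    if err != nil {
        # Previously the error was logged unconditionally and execution fell through
        # to the comparison with an empty lowRsp; a failed replay must not be scored.
        log.error("send low permissions cookie request err %s", err)
        return
    }

    # Compare response bodies rather than whole packets: headers such as Date or
    # Set-Cookie differ between two requests, so a raw-packet equality check would
    # almost never match and the plugin would silently report nothing.
    if string(poc.GetHTTPPacketBody(lowRsp)) != string(body) {
        return
    }

    # Same body for a lower-privileged session → possible broken access control.
    # The low-privilege cookie is stored in the risk record via lowReq; treat the
    # risk database accordingly.
    risk.NewRisk(
        url,
        risk.title("越权访问"),
        risk.severity("high"),
        risk.titleVerbose("越权访问"),
        risk.details({
            "target":   url,
            "request":  lowReq,
            "response": lowRsp,
        }),
        risk.description("越权访问"),
        risk.solution("增强权限检查"),
    )
}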
GET /logic/user/profile?id=24 HTTP/1.1
Host: 127.0.0.1:8787
Cookie: _cookie=7d367973-c806-436d-a2e0-778eec224b6e
Sec-Fetch-Mode: navigate
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Sec-Fetch-Dest: document
sec-ch-ua: "Not)A;Brand";v="99", "Google Chrome";v="127", "Chromium";v="127"
Referer: http://127.0.0.1:8787/logic/user/login
Sec-Fetch-Site: same-origin
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br, zstd
Sec-Fetch-User: ?1
Accept-Language: zh-CN,zh;q=0.9
sec-ch-ua-mobile: ?0
END