How hackers get a website's deluxe membership without spending a cent

Author: FancyPig | Published: | Updated:

Related reading

Last time we covered how to log in to the administrator account via injection, without needing the password.


Today we look at how a flaw in JSON Web Token (JWT) login verification can be used to get deluxe membership for free.


Video tutorial

Illustrated tutorial

We noticed that during registration and login, the payload carries the user's identity information, for example a non-member:

And, for another example, a deluxe member:

At this point we could not help wondering: during registration, what if we manually add a role field with a value of our choosing and submit it? Would it have a surprising effect?

In the captured request we added "role":"deluxe" (deluxe member).

The response came back as successful.

Logging in and checking the page, sure enough, a shiny deluxe membership was in hand!

The reason the deluxe membership in this video could be obtained for free is a flaw in the JSON Web Token login verification: the token should not carry the user's privilege level. If it does, we can modify our own membership level at will. This is also why some apps hand out membership to anyone who simply changes a few parameters with HttpCanary (黄鸟); the underlying idea is exactly the same.

Related resources

Burp Suite tool

Brute-forcing passwords through batch SQL injection with Burp Suite


FoxyProxy

The FoxyProxy extension used in the video quickly switches the browser's proxy port for us, so we do not have to change the browser's proxy settings by hand every time.

OWASP Juice Shop

OWASP Juice Shop is the site tested in the video; you can deploy it with npm:

git clone https://github.com/juice-shop/juice-shop.git
cd juice-shop
npm install
npm start

Or deploy it directly with Docker:

docker pull bkimminich/juice-shop
docker run --rm -p 3000:3000 bkimminich/juice-shop

Either way, the application is then reached at http://localhost:3000.

Tags: burpsuite, owasp, hacker, hacking techniques, burpsuite latest cracked version download, burpsuite download and installation, burpsuite tutorial, owasp juice shop, hacker attacks, how to get membership for free, free membership, free deluxe membership, get membership without spending a cent, burpsuite hands-on guide, burpsuite hands-on tutorial, owasp juice shop challenges, owasp juice shop tutorial, owasp fruit shop