maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/pentesting-web/xss-cross-site-scripting/integer-overflo

Browse Source
This commit is contained in:
Translator 2025-07-24 16:27:21 +00:00
parent f57a8ec417
commit aea9b518a8
1 changed files with 98 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

103
src/pentesting-web/xss-cross-site-scripting/integer-overflow.md
View File

@ -1,11 +1,104 @@
# Integer Overflow
# Integer Overflow (Web Applications)
{{#include ../../banners/hacktricks-training.md}}
Angalia:
> Ukurasa huu unazingatia jinsi **overflow/truncation za integer zinavyoweza kutumika vibaya katika programu za wavuti na vivinjari**. Kwa mbinu za unyakuzi ndani ya binaries asilia unaweza kuendelea kusoma ukurasa uliojitolea:
>
> {{#ref}}
> ../../binary-exploitation/integer-overflow.md
> {{#endref}}
{{#ref}}
../../binary-exploitation/integer-overflow.md
{{#endref}}
---
## 1. Kwa nini hesabu za integer bado ni muhimu kwenye wavuti
Ingawa mantiki nyingi za biashara katika stack za kisasa zimeandikwa katika lugha za *memory-safe*, runtime ya chini (au maktaba za wahusika wengine) hatimaye inatekelezwa kwa C/C++. Kila wakati nambari zinazodhibitiwa na mtumiaji zinapotumika kugawa buffers, kuhesabu offsets, au kufanya ukaguzi wa urefu, **kuzunguka kwa 32-bit au 64-bit kunaweza kubadilisha parameter inayonekana kuwa salama kuwa kusoma/kandika nje ya mipaka, kupita kwa mantiki au DoS**.
Uso wa shambulio wa kawaida:
1. **Parameta za ombi za nambari** uwanja wa jadi `id`, `offset`, au `count`.
2. **Vichwa vya urefu / saizi** `Content-Length`, urefu wa fremu ya WebSocket, HTTP/2 `continuation_len`, n.k.
3. **Metadata ya muundo wa faili inayosomwa upande wa seva au upande wa mteja** vipimo vya picha, saizi za vipande, meza za fonti.
4. **Mabadiliko ya kiwango cha lugha** mabadiliko ya signed↔unsigned katika PHP/Go/Rust FFI, JS `Number``int32` truncations ndani ya V8.
5. **Uthibitishaji & mantiki ya biashara** thamani ya kuponi, bei, au hesabu za salio ambazo zinapita kimya.
---
## 2. Uthibitisho wa hivi karibuni wa udhaifu wa kweli (2023-2025)
| Mwaka | Kipengele | Sababu kuu | Athari |
|------|-----------|-----------|--------|
| 2023 | **libwebp CVE-2023-4863** | Kuongezeka kwa 32-bit wakati wa kuhesabu saizi ya pikseli iliyotafsiriwa | Ilisababisha Chrome 0-day (`BLASTPASS` kwenye iOS), iliruhusu *utendaji wa msimbo wa mbali* ndani ya sandbox ya renderer. |
| 2024 | **V8 CVE-2024-0519** | Truncation hadi 32-bit wakati wa kukua `JSArray` inasababisha OOB kuandika kwenye duka la nyuma | Utendaji wa msimbo wa mbali baada ya kutembelea mara moja. |
| 2025 | **Apollo GraphQL Server** (patch isiyotolewa) | Integer ya signed 32-bit inayotumika kwa hoja za pagination `first/last`; thamani hasi zinazunguka kuwa kubwa chanya | Kupita kwa mantiki & uchovu wa kumbukumbu (DoS). |
---
## 3. Mkakati wa kupima
### 3.1 Cheat-sheet ya thamani za mipaka
Tuma **thamani za signed/unsigned za kipekee** popote ambapo integer inatarajiwa:
```
-1, 0, 1,
127, 128, 255, 256,
32767, 32768, 65535, 65536,
2147483647, 2147483648, 4294967295,
9223372036854775807, 9223372036854775808,
0x7fffffff, 0x80000000, 0xffffffff
```
Other useful formats:
* Hex (`0x100`), octal (`0377`), scientific (`1e10`), JSON big-int (`9999999999999999999`).
* Mifumo ya nambari ndefu sana (>1kB) ili kufikia parser maalum.
### 3.2 Burp Intruder template
```
§INTEGER§
Payload type: Numbers
From: -10 To: 4294967300 Step: 1
Pad to length: 10, Enable hex prefix 0x
```
### 3.3 Fuzzing maktaba & mazingira
* **AFL++/Honggfuzz** na `libFuzzer` harness kuzunguka parser (mfano, WebP, PNG, protobuf).
* **Fuzzilli** fuzzing inayojua sarufi ya injini za JavaScript ili kugonga V8/JSC integer truncations.
* **boofuzz** fuzzing ya itifaki ya mtandao (WebSocket, HTTP/2) ikilenga uwanja wa urefu.
---
## 4. Mifumo ya unyakuzi
### 4.1 Kupanua mantiki katika msimbo wa upande wa seva (mfano wa PHP)
```php
$price = (int)$_POST['price']; // expecting cents (0-10000)
$total = $price * 100; // ← 32-bit overflow possible
if($total > 1000000){
die('Too expensive');
}
/* Sending price=21474850 → $total wraps to 2147483648 and check is bypassed */
```
### 4.2 Heap overflow kupitia decoder ya picha (libwebp 0-day)
Decoder ya WebP isiyo na hasara iliongeza upana wa picha × urefu × 4 (RGBA) ndani ya `int` ya 32-bit. Faili iliyoundwa kwa vipimo `16384 × 16384` inazidi kuongezeka, inatenga buffer fupi na hatimaye inaandika **~1GB** ya data iliyoshughulishwa kupita kwenye heap ikisababisha RCE katika kila kivinjari kinachotegemea Chromium kabla ya 116.0.5845.187.
### 4.3 Mnyororo wa XSS/RCE unaotegemea kivinjari
1. **Integer overflow** katika V8 inatoa kusoma/kandika bila mipaka.
2. Kimbia kwenye sandbox kwa hitilafu ya pili au piga API za asili ili kuangusha payload.
3. Payload kisha inaingiza script hatari katika muktadha wa asili → XSS iliyohifadhiwa.
---
## 5. Miongozo ya kujihami
1. **Tumia aina pana au hesabu zilizokaguliwa** e.g., `size_t`, Rust `checked_add`, Go `math/bits.Add64`.
2. **Thibitisha mipaka mapema**: kataa thamani yoyote nje ya eneo la biashara kabla ya hesabu.
3. **Washa sanitizers za kompilita**: `-fsanitize=integer`, UBSan, Go race detector.
4. **Kubaliana na fuzzing katika CI/CD** changanya mrejesho wa kufunika na mipaka ya data.
5. **Baki na sasisho** makosa ya integer overflow katika kivinjari mara nyingi yanatumika kama silaha ndani ya wiki chache.
---
## Marejeo
* [NVD CVE-2023-4863 libwebp Heap Buffer Overflow](https://nvd.nist.gov/vuln/detail/CVE-2023-4863)
* [Google Project Zero "Understanding V8 CVE-2024-0519"](https://googleprojectzero.github.io/)
{{#include ../../banners/hacktricks-training.md}}