# Parameter Pollution | JSON Injection
## Parameter Pollution
{{#include ../banners/hacktricks-training.md}}
## HTTP Parameter Pollution (HPP) Overview
HTTP Parameter Pollution (HPP) is a technique in which attackers manipulate HTTP parameters to change the behaviour of a web application in unintended ways. The manipulation is done by adding, modifying, or duplicating HTTP parameters. Its effect is not directly visible to the user, but it can significantly alter the application's server-side processing, with observable consequences on the client side.
### HTTP Parameter Pollution (HPP) Example
A banking application transaction URL:
- **Original URL:** `https://www.victim.com/send/?from=accountA&to=accountB&amount=10000`
By inserting an additional `from` parameter:
- **Manipulated URL:** `https://www.victim.com/send/?from=accountA&to=accountB&amount=10000&from=accountC`
The transaction may be wrongly charged to `accountC` instead of `accountA`, showing how HPP can manipulate transactions or other functionality such as password resets, 2FA settings, or API key requests.
#### **Technology-Specific Parameter Parsing**
- How parameters are parsed and prioritised depends on the underlying web technology, which determines how HPP can be exploited.
- Tools like [Wappalyzer](https://addons.mozilla.org/en-US/firefox/addon/wappalyzer/) help identify these technologies and their parsing behaviours.
### PHP and HPP Exploitation
**OTP Manipulation Case:**
- **Context:** A login mechanism requiring a One-Time Password (OTP) was exploited.
- **Method:** By intercepting the OTP request with a tool like Burp Suite, attackers duplicated the `email` parameter in the HTTP request.
- **Outcome:** The OTP, meant for the original email address, was instead sent to the second email address specified in the manipulated request. This flaw allowed unauthorised access by circumventing the intended security measure.
This scenario highlights a critical oversight in the application's backend, which processed the first `email` parameter for OTP generation but used the last one for delivery.
**API Key Manipulation Case:**
- **Scenario:** An application allows users to update their API key through a profile settings page.
- **Attack Vector:** An attacker discovers that by appending an additional `api_key` parameter to the POST request, they can manipulate the outcome of the API key update function.
- **Technique:** Using a tool like Burp Suite, the attacker crafts a request that contains two `api_key` parameters: one legitimate and one malicious. The server, processing only the last occurrence, updates the API key to the attacker-supplied value.
- **Result:** The attacker gains control over the victim's API functionality, potentially accessing or modifying private data without authorisation.
This example further underscores the necessity of secure parameter handling, especially in features as critical as API key management.
### Parameter Parsing: Flask vs. PHP
The way web technologies handle duplicate HTTP parameters varies, which affects their susceptibility to HPP attacks:
- **Flask:** Adopts the first parameter value encountered, such as `a=1` in the query string `a=1&a=2`, prioritising the initial instance over subsequent duplicates.
- **PHP (on Apache HTTP Server):** Conversely, prioritises the last parameter value, opting for `a=2` in the same example. This behaviour can inadvertently facilitate HPP exploits by honouring the attacker's manipulated parameter over the original.
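As an added illustration (not code from the original page or from any of the frameworks it names), the three parsing policies discussed above written in Python on top of `urllib.parse.parse_qsl`: first-occurrence-wins as Flask does, last-occurrence-wins as PHP on Apache does, and a strict mode a backend can apply so that a repeated security-relevant parameter is refused rather than silently resolved one way or the other. The `POLLUTED` query string is constructed from the bank-transfer example, and `TRANSFER_FIELDS` is this example's own list of names that must appear once.

```python
from collections import Counter
from urllib.parse import parse_qsl


def parse_first_wins(query: str) -> dict:
    """Flask/Werkzeug-style policy: the first occurrence of each name wins."""
    result = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        result.setdefault(name, value)
    return result


def parse_last_wins(query: str) -> dict:
    """PHP-on-Apache-style policy: the last occurrence of each name wins."""
    result = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        result[name] = value
    return result


def duplicated_names(query: str) -> list:
    """Names that appear more than once; useful for logging or WAF-style detection."""
    counts = Counter(name for name, _ in parse_qsl(query, keep_blank_values=True))
    return sorted(name for name, n in counts.items() if n > 1)


class DuplicateParameter(ValueError):
    """Raised when a parameter that must be single-valued is repeated."""


def parse_strict(query: str, single_valued: set) -> dict:
    """Defensive policy: fail closed when a security-relevant parameter repeats.

    `single_valued` (an assumption of this example) lists the names for which a
    duplicate could change who is charged, where an OTP is sent, and so on.
    """
    result = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name in single_valued and name in result:
            raise DuplicateParameter(f"parameter {name!r} supplied more than once")
        result.setdefault(name, value)
    return result


# Constructed sample, modelled on the bank-transfer URL in the text above.
POLLUTED = "from=accountA&to=accountB&amount=10000&from=accountC"
TRANSFER_FIELDS = {"from", "to", "amount"}

if __name__ == "__main__":
    print("first wins:", parse_first_wins(POLLUTED)["from"])  # accountA
    print("last wins: ", parse_last_wins(POLLUTED)["from"])   # accountC
    print("duplicates:", duplicated_names(POLLUTED))           # ['from']
    try:
        parse_strict(POLLUTED, TRANSFER_FIELDS)
    except DuplicateParameter as exc:
        print("strict:    ", exc)
```

The strict variant is the one worth copying: a request that repeats `from`, `email` or `api_key` has no legitimate reason to do so, and rejecting it removes the dependency on whichever occurrence the framework happens to prefer.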
## Parameter pollution by technology
These results were taken from [https://medium.com/@0xAwali/http-parameter-pollution-in-2024-32ec1b810f89](https://medium.com/@0xAwali/http-parameter-pollution-in-2024-32ec1b810f89)
### PHP 8.3.11 AND Apache 2.4.62 <a href="#id-9523" id="id-9523"></a>
<figure><img src="../images/image (1255).png" alt=""><figcaption><p><a href="https://miro.medium.com/v2/resize:fit:1100/format:webp/1*l_Pf2JNCYhmfAvfk7UTEbQ.jpeg">https://miro.medium.com/v2/resize:fit:1100/format:webp/1*l_Pf2JNCYhmfAvfk7UTEbQ.jpeg</a></p></figcaption></figure>
1. Ignore anything after %00 in the parameter name.
2. Handle name\[] as an array.
3. \_GET does not mean the GET method.
4. Prefer the last parameter.
### Ruby 3.3.5 AND WEBrick 1.8.2
<figure><img src="../images/image (1257).png" alt=""><figcaption><p><a href="https://miro.medium.com/v2/resize:fit:1100/format:webp/1*kKxtZ8qEmgTIMS81py5hhg.jpeg">https://miro.medium.com/v2/resize:fit:1100/format:webp/1*kKxtZ8qEmgTIMS81py5hhg.jpeg</a></p></figcaption></figure>
1. Uses the & and ; delimiters to split parameters.
2. Does not recognise name\[].
3. Prefer the first parameter.
### Spring MVC 6.0.23 AND Apache Tomcat 10.1.30 <a href="#dd68" id="dd68"></a>
<figure><img src="../images/image (1258).png" alt=""><figcaption><p><a href="https://miro.medium.com/v2/resize:fit:1100/format:webp/1*llG22MF1gPTYZYFVCmCiVw.jpeg">https://miro.medium.com/v2/resize:fit:1100/format:webp/1*llG22MF1gPTYZYFVCmCiVw.jpeg</a></p></figcaption></figure>
1. POST RequestMapping == PostMapping & GET RequestMapping == GetMapping.
2. POST RequestMapping & PostMapping do not recognise name\[].
3. Prefer name if both name AND name\[] are present.
4. Concatenate parameters, e.g. first,last.
5. POST RequestMapping & PostMapping do not recognise query parameters when a Content-Type is set.
### **NodeJS** 20.17.0 **AND** Express 4.21.0 <a href="#id-6d72" id="id-6d72"></a>
<figure><img src="../images/image (1259).png" alt=""><figcaption><p><a href="https://miro.medium.com/v2/resize:fit:1100/format:webp/1*JzNkLOSW7orcHXswtMHGMA.jpeg">https://miro.medium.com/v2/resize:fit:1100/format:webp/1*JzNkLOSW7orcHXswtMHGMA.jpeg</a></p></figcaption></figure>
1. Does not recognise name\[].
2. Concatenate parameters, e.g. first,last.
### GO 1.22.7 <a href="#id-63dc" id="id-63dc"></a>
<figure><img src="../images/image (1260).png" alt=""><figcaption><p><a href="https://miro.medium.com/v2/resize:fit:1100/format:webp/1*NVvN1N8sL4g_Gi796FzlZA.jpeg">https://miro.medium.com/v2/resize:fit:1100/format:webp/1*NVvN1N8sL4g_Gi796FzlZA.jpeg</a></p></figcaption></figure>
1. Does not recognise name\[].
2. Prefer the first parameter.
### Python 3.12.6 AND Werkzeug 3.0.4 AND Flask 3.0.3 <a href="#b853" id="b853"></a>
<figure><img src="../images/image (1261).png" alt=""><figcaption><p><a href="https://miro.medium.com/v2/resize:fit:1100/format:webp/1*Se5467PFFjIlmT3O7KNlWQ.jpeg">https://miro.medium.com/v2/resize:fit:1100/format:webp/1*Se5467PFFjIlmT3O7KNlWQ.jpeg</a></p></figcaption></figure>
1. Does not recognise name\[].
2. Prefer the first parameter.
### Python 3.12.6 AND Django 4.2.15 <a href="#id-8079" id="id-8079"></a>
<figure><img src="../images/image (1262).png" alt=""><figcaption><p><a href="https://miro.medium.com/v2/resize:fit:1100/format:webp/1*rf38VXut5YhAx0ZhUzgT8Q.jpeg">https://miro.medium.com/v2/resize:fit:1100/format:webp/1*rf38VXut5YhAx0ZhUzgT8Q.jpeg</a></p></figcaption></figure>
1. Does not recognise name\[].
2. Prefer the last parameter.
### Python 3.12.6 AND Tornado 6.4.1 <a href="#id-2ad8" id="id-2ad8"></a>
<figure><img src="../images/image (1263).png" alt=""><figcaption><p><a href="https://miro.medium.com/v2/resize:fit:1100/format:webp/1*obCn7xahDc296JZccXM2qQ.jpeg">https://miro.medium.com/v2/resize:fit:1100/format:webp/1*obCn7xahDc296JZccXM2qQ.jpeg</a></p></figcaption></figure>
1. Does not recognise name\[].
2. Prefer the last parameter.
## JSON Injection
### Duplicate Keys
```javascript
obj = {"test": "user", "test": "admin"}
```
The frontend may trust the first occurrence while the backend uses the second occurrence of the key.
### Key Collision: Character Truncation and Comments
Certain characters are not interpreted correctly by the frontend, but the backend does interpret them and uses those keys; this can be useful to **bypass certain restrictions**:
```json
{"test": 1, "test\[raw \x0d byte]": 2}
{"test": 1, "test\ud800": 2}
{"test": 1, "test"": 2}
{"test": 1, "te\st": 2}
```
Note how in these cases the frontend may believe that `test == 1` while the backend believes that `test == 2`.
This can also be used to bypass value restrictions, for example:
```json
{"role": "administrator\[raw \x0d byte]"}
{"role":"administrator\ud800"}
{"role": "administrator""}
{"role": "admini\strator"}
```
### **Using Comment Truncation**
```javascript
obj = {"description": "Duplicate with comments", "test": 2, "extra": /*, "test": 1, "extra2": */}
```
Here we use the serializer of each parser to see its respective output.
Serializer 1 (e.g. GoLang's GoJay library) will produce:
- `description = "Duplicate with comments"`
- `test = 2`
- `extra = ""`
Serializer 2 (e.g. Java's JSON-iterator library) will produce:
- `description = "Duplicate with comments"`
- `extra = "/*"`
- `extra2 = "*/"`
- `test = 1`
Alternatively, straightforward use of comments can also be effective:
```javascript
obj = {"description": "Comment support", "test": 1, "extra": "a"/*, "test": 2, "extra2": "b"*/}
```
Java's GSON library:
```json
{ "description": "Comment support", "test": 1, "extra": "a" }
```
Ruby's simdjson library:
```json
{ "description": "Comment support", "test": 2, "extra": "a", "extra2": "b" }
```
### **Inconsistent Precedence: Deserialization vs. Serialization**
```javascript
obj = {"test": 1, "test": 2}
obj["test"] // 1
obj.toString() // {"test": 2}
```
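As an added example (not the page's own code, nor any of the parsers it names), a Python loader that fails closed on the tricks from the Duplicate Keys, Key Collision and Inconsistent Precedence sections above, so the frontend and backend can never disagree about what `test` or `role` is. It relies on `json.loads` with `object_pairs_hook`, which sees every key/value pair (duplicates included) before the dictionary is built; the name `strict_loads` and the sample documents are this example's own, constructed from the snippets in the text.

```python
import json


class UnsafeJSON(ValueError):
    """Raised when a document could be read differently by different parsers."""


def _assert_utf8(text: str, what: str) -> None:
    # Python's decoder accepts "\ud800" (a lone surrogate) and yields a str that
    # is not valid UTF-8; another parser may truncate the key or value there.
    try:
        text.encode("utf-8")
    except UnicodeEncodeError:
        raise UnsafeJSON(f"{what} {text!r} is not valid UTF-8") from None


def _check_pairs(pairs):
    """object_pairs_hook: called with every (key, value) pair, duplicates included."""
    obj = {}
    for key, value in pairs:
        _assert_utf8(key, "key")
        if key in obj:
            raise UnsafeJSON(f"duplicate key {key!r}")
        obj[key] = value
    return obj


def _check_values(node) -> None:
    """Walk the parsed document and reject string values with lone surrogates."""
    if isinstance(node, str):
        _assert_utf8(node, "value")
    elif isinstance(node, dict):
        for v in node.values():
            _check_values(v)
    elif isinstance(node, list):
        for v in node:
            _check_values(v)


def strict_loads(text: str):
    """Parse JSON, refusing duplicate keys and lone surrogates; json.loads itself
    already rejects comments and raw control characters inside strings."""
    doc = json.loads(text, object_pairs_hook=_check_pairs)
    _check_values(doc)
    return doc


def lenient_first_wins(text: str):
    """What a 'first occurrence wins' parser returns (for comparison only)."""
    return json.loads(text, object_pairs_hook=lambda pairs: dict(reversed(pairs)))


def lenient_last_wins(text: str):
    """json.loads' default behaviour: later pairs overwrite earlier ones."""
    return json.loads(text)


def parse_outcome(text: str) -> str:
    """Summarise how strict_loads treats a document, e.g. for a request log."""
    try:
        strict_loads(text)
        return "ok"
    except UnsafeJSON as exc:
        return f"rejected: {exc}"
    except json.JSONDecodeError as exc:
        return f"invalid: {exc.msg}"


# Constructed samples, drawn from the documents shown in the sections above.
DUPLICATE = '{"test": 1, "test": 2}'
SURROGATE_KEY = '{"test": 1, "test\\ud800": 2}'
SURROGATE_VALUE = '{"role": "administrator\\ud800"}'
COMMENTED = '{"description": "Comment support", "test": 1, "extra": "a"/*, "test": 2*/}'

if __name__ == "__main__":
    for doc in (DUPLICATE, SURROGATE_KEY, SURROGATE_VALUE, COMMENTED):
        print(doc, "->", parse_outcome(doc))
```

Rejecting the document outright is the only policy that does not depend on which parser sits in front of which: once a service tolerates duplicates, its answer to "what is `test`?" is whatever its deserializer, its serializer and every proxy in between happen to agree on, and the page shows those agreements are not guaranteed.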
### Float and Integer
The number
```text
999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
```
can be interpreted in multiple representations, including:
```text
999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
9.999999999999999e95
1E+96
0
9223372036854775807
```
which can create inconsistencies between components that parse the same document.
## References
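An added example (not code from the page) that makes the representations listed above concrete and adds the check a backend should apply before using a number from untrusted JSON in a comparison. Python's `json` keeps exact integers, `float()` shows the double-precision reading, and `parse_clamped_int64` and `parse_int64_or_zero` are this example's own simulations of parsers that saturate at, or give up on, the int64 range; they do not model any particular named library.

```python
import json

# The 96-digit literal from the text above, constructed here as a string.
BIG = "9" * 96
INT64_MIN, INT64_MAX = -2**63, 2**63 - 1
# Largest integer a 64-bit double represents exactly; integers beyond it can
# silently change value in any parser that goes through a double.
SAFE_MAX = 2**53 - 1


def parse_exact(text: str) -> int:
    """Python's json keeps arbitrary-precision integers, so the value is exact."""
    return json.loads(text)


def parse_as_double(text: str) -> float:
    """A parser that represents every JSON number as a 64-bit float."""
    return float(text)


def parse_clamped_int64(text: str) -> int:
    """Simulated parser that saturates out-of-range integers at the int64 limits."""
    return max(INT64_MIN, min(INT64_MAX, int(text)))


def parse_int64_or_zero(text: str) -> int:
    """Simulated parser that silently yields 0 when the value does not fit int64."""
    value = int(text)
    return value if INT64_MIN <= value <= INT64_MAX else 0


def representations(text: str) -> dict:
    """Collect what the different parsing strategies make of the same literal."""
    return {
        "exact": parse_exact(text),
        "double": parse_as_double(text),
        "clamped_int64": parse_clamped_int64(text),
        "int64_or_zero": parse_int64_or_zero(text),
    }


def is_safe_integer(value) -> bool:
    """Defensive check: accept only real integers (not bool, not float) inside the
    range every common parser agrees on. Apply it to amounts, ids and quotas taken
    from untrusted JSON before they reach a comparison or arithmetic."""
    if isinstance(value, bool) or not isinstance(value, int):
        return False
    return -SAFE_MAX <= value <= SAFE_MAX


if __name__ == "__main__":
    for name, value in representations(BIG).items():
        print(f"{name:>14}: {value!r}")
    print("safe:", is_safe_integer(parse_exact(BIG)))  # False
```

The four strategies produce four different values for one literal, which is exactly the inconsistency the section describes; `is_safe_integer` turns that observation into a boundary a service can enforce so that a limit check on one side and the arithmetic on the other see the same number.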
- [https://medium.com/@shahjerry33/http-parameter-pollution-its-contaminated-85edc0805654](https://medium.com/@shahjerry33/http-parameter-pollution-its-contaminated-85edc0805654)
- [https://github.com/google/google-ctf/tree/master/2023/web-under-construction/solution](https://github.com/google/google-ctf/tree/master/2023/web-under-construction/solution)
- [https://medium.com/@0xAwali/http-parameter-pollution-in-2024-32ec1b810f89](https://medium.com/@0xAwali/http-parameter-pollution-in-2024-32ec1b810f89)
- [https://bishopfox.com/blog/json-interoperability-vulnerabilities](https://bishopfox.com/blog/json-interoperability-vulnerabilities)
{{#include ../banners/hacktricks-training.md}}