.. | ||
cookie-bomb.md | ||
cookie-jar-overflow.md | ||
cookie-tossing.md | ||
README.md |
Cookies Hacking
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the ð¬ Discord group or the telegram group or follow us on Twitter ðŠ @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Try Hard Security Group
{% embed url="https://discord.gg/tryhardsecurity" %}
Cookie Attributes
ã¯ãããŒã«ã¯ããŠãŒã¶ãŒã®ãã©ãŠã¶ã§ã®åäœãå¶åŸ¡ããããã€ãã®å±æ§ããããŸãããããã®å±æ§ã®æŠèŠã¯ä»¥äžã®éãã§ãã
Expires and Max-Age
ã¯ãããŒã®æå¹æéã¯Expires
å±æ§ã«ãã£ãŠæ±ºãŸããŸãã察ç
§çã«ãMax-age
å±æ§ã¯ã¯ãããŒãåé€ããããŸã§ã®æéïŒç§åäœïŒãå®çŸ©ããŸããMax-age
ãéžæããããšããå§ãããŸããããã¯ããçŸä»£çãªæ
£è¡ãåæ ããŠããŸãã
Domain
ã¯ãããŒãåãåããã¹ãã¯Domain
å±æ§ã«ãã£ãŠæå®ãããŸããããã©ã«ãã§ã¯ãããã¯ã¯ãããŒãçºè¡ãããã¹ãã«èšå®ããããµããã¡ã€ã³ã¯å«ãŸããŸãããããããDomain
å±æ§ãæ瀺çã«èšå®ããããšããµããã¡ã€ã³ãå«ãŸããŸããããã«ããããµããã¡ã€ã³éã§ã®ã¯ãããŒå
±æãå¿
èŠãªã·ããªãªã§åœ¹ç«ã€ãå¶çŽã®å°ãªããªãã·ã§ã³ãšãªããŸããããšãã°ãDomain=mozilla.org
ãèšå®ãããšãdeveloper.mozilla.org
ã®ãããªãµããã¡ã€ã³ã§ã¯ãããŒã«ã¢ã¯ã»ã¹ã§ããŸãã
Path
Cookie
ããããŒãéä¿¡ãããããã«èŠæ±ãããURLã«ååšããªããã°ãªããªãç¹å®ã®URLãã¹ã¯ãPath
å±æ§ã«ãã£ãŠç€ºãããŸãããã®å±æ§ã¯/
æåããã£ã¬ã¯ããªã»ãã¬ãŒã¿ãŒãšããŠèæ
®ãããµããã£ã¬ã¯ããªå
ã§ã®äžèŽãå¯èœã«ããŸãã
Ordering Rules
åãååã®ã¯ãããŒã2ã€ããå Žåãéä¿¡ãããã¯ãããŒã¯ä»¥äžã«åºã¥ããŠéžæãããŸãïŒ
- èŠæ±ãããURLå ã§æãé·ããã¹ã«äžèŽããã¯ãããŒã
- ãã¹ãåãå Žåã¯ãæãæè¿èšå®ãããã¯ãããŒã
SameSite
SameSite
å±æ§ã¯ããµãŒãããŒãã£ã®ãã¡ã€ã³ããçºä¿¡ããããªã¯ãšã¹ãã«ã¯ãããŒãéä¿¡ããããã©ããã決å®ããŸãã3ã€ã®èšå®ããããŸãïŒ- Strict: ãµãŒãããŒãã£ã®ãªã¯ãšã¹ãã«ã¯ãããŒãéä¿¡ãããã®ãå¶éããŸãã
- Lax: ãµãŒãããŒãã£ã®ãŠã§ããµã€ãã«ãã£ãŠéå§ãããGETãªã¯ãšã¹ãã§ã¯ãããŒãéä¿¡ãããããšãèš±å¯ããŸãã
- None: ã©ã®ãµãŒãããŒãã£ã®ãã¡ã€ã³ãããã¯ãããŒãéä¿¡ãããããšãèš±å¯ããŸãã
ã¯ãããŒãèšå®ããéã«ã¯ããããã®å±æ§ãç解ããããšã§ãããŸããŸãªã·ããªãªã§æåŸ éãã«åäœããããšã確ä¿ã§ããŸãã
Request Type | Example Code | Cookies Sent When |
---|---|---|
Link | <a href="..."></a> | NotSet*, Lax, None |
Prerender | <link rel="prerender" href=".."/> | NotSet*, Lax, None |
Form GET | <form method="GET" action="..."> | NotSet*, Lax, None |
Form POST | <form method="POST" action="..."> | NotSet*, None |
iframe | <iframe src="..."></iframe> | NotSet*, None |
AJAX | $.get("...") | NotSet*, None |
Image | <img src="..."> | NetSet*, None |
Table from Invicti and slightly modified.
_SameSite_å±æ§ãæã€ã¯ãããŒã¯ãCSRFæ»æã軜æžããŸãã
*Chrome80ïŒ2019幎2æïŒä»¥éãã¯ãããŒã«SameSiteå±æ§ããªãå Žåã®ããã©ã«ãã®åäœã¯Laxã«ãªããŸã (https://www.troyhunt.com/promiscuous-cookies-and-their-impending-death-via-the-samesite-policy/).
ãã®å€æŽãé©çšããåŸãChromeã§ã¯SameSiteããªã·ãŒã®ãªãã¯ãããŒã¯æåã®2åéã¯NoneãšããŠæ±ããããã®åŸã¯ãããã¬ãã«ã®ã¯ãã¹ãµã€ãPOSTãªã¯ãšã¹ãã«å¯ŸããŠLaxãšããŠæ±ãããŸãã
Cookies Flags
HttpOnly
ããã¯ã¯ã©ã€ã¢ã³ããã¯ãããŒã«ã¢ã¯ã»ã¹ããã®ãé²ããŸãïŒäŸãã°Javascriptçµç±ïŒdocument.cookie
ïŒã
Bypasses
- ããŒãžããªã¯ãšã¹ãã®ã¬ã¹ãã³ã¹ãšããŠã¯ãããŒãéä¿¡ããŠããå ŽåïŒäŸãã°PHPinfoããŒãžïŒãXSSãæªçšããŠãã®ããŒãžã«ãªã¯ãšã¹ããéããã¬ã¹ãã³ã¹ããã¯ãããŒãçãããšãå¯èœã§ãïŒäŸã¯ãã¡ããåç §ïŒã
- TRACE HTTPãªã¯ãšã¹ãã䜿çšããããšã§ãã€ãã¹å¯èœã§ãããµãŒããŒããã®ã¬ã¹ãã³ã¹ã¯éä¿¡ãããã¯ãããŒãåæ ããŸãïŒãã®HTTPã¡ãœãããå©çšå¯èœãªå ŽåïŒããã®æè¡ã¯Cross-Site TrackingãšåŒã°ããŸãã
- ãã®æè¡ã¯ãã¢ãã³ãã©ãŠã¶ãJSããTRACEãªã¯ãšã¹ããéä¿¡ããããšãèš±å¯ããªãããšã«ãã£ãŠåé¿ãããŸãããã ããIE6.0 SP2ã«å¯ŸããŠ
TRACE
ã®ä»£ããã«\r\nTRACE
ãéä¿¡ãããªã©ãç¹å®ã®ãœãããŠã§ã¢ã§ã®ãã€ãã¹ãèŠã€ãã£ãŠããŸãã - ãã©ãŠã¶ã®ãŒããã€è匱æ§ãæªçšããããšãå¯èœã§ãã
- ã¯ãããŒãžã£ãŒãªãŒããŒãããŒæ»æãå®è¡ããããšã§HttpOnlyã¯ãããŒãäžæžãããããšãå¯èœã§ãïŒ
{% content-ref url="cookie-jar-overflow.md" %} cookie-jar-overflow.md {% endcontent-ref %}
- Cookie Smugglingæ»æã䜿çšããŠãããã®ã¯ãããŒãå€éšã«æã¡åºãããšãå¯èœã§ãã
Secure
ãªã¯ãšã¹ãã¯ãHTTPSãªã©ã®å®å šãªãã£ãã«ãä»ããŠéä¿¡ãããå Žåã«ã®ã¿ãHTTPãªã¯ãšã¹ãã§ã¯ãããŒãéä¿¡ããŸãã
Cookies Prefixes
__Secure-
ã§å§ãŸãã¯ãããŒã¯ãHTTPSã§ä¿è·ãããããŒãžããsecure
ãã©ã°ãšãšãã«èšå®ãããå¿
èŠããããŸãã
__Host-
ã§å§ãŸãã¯ãããŒã«ã¯ãããã€ãã®æ¡ä»¶ãæºããããªããã°ãªããŸããïŒ
secure
ãã©ã°ã§èšå®ãããªããã°ãªããŸããã- HTTPSã§ä¿è·ãããããŒãžããçºä¿¡ãããªããã°ãªããŸããã
- ãã¡ã€ã³ãæå®ããããšã¯çŠããããŠããããµããã¡ã€ã³ãžã®éä¿¡ãé²ããŸãã
- ãããã®ã¯ãããŒã®ãã¹ã¯
/
ã«èšå®ãããªããã°ãªããŸããã
__Host-
ã§å§ãŸãã¯ãããŒã¯ãã¹ãŒããŒãã¡ã€ã³ããµããã¡ã€ã³ã«éä¿¡ãããããšã¯èš±å¯ãããŠããªãããšã«æ³šæããããšãéèŠã§ãããã®å¶éã¯ãã¢ããªã±ãŒã·ã§ã³ã¯ãããŒãéé¢ããã®ã«åœ¹ç«ã¡ãŸãããããã£ãŠããã¹ãŠã®ã¢ããªã±ãŒã·ã§ã³ã¯ãããŒã«__Host-
ãã¬ãã£ãã¯ã¹ã䜿çšããããšã¯ãã»ãã¥ãªãã£ãšéé¢ã匷åããããã®è¯ããã©ã¯ãã£ã¹ãšèŠãªãããŸãã
Overwriting cookies
ãããã£ãŠã__Host-
ã§å§ãŸãã¯ãããŒã®ä¿è·ã®1ã€ã¯ããµããã¡ã€ã³ããã®äžæžããé²ãããšã§ããããšãã°ãCookie Tossing attacksãé²ããŸããããŒã¯ã§Cookie Crumbles: Unveiling Web Session Integrity Vulnerabilities (paper)ã§ã¯ãããŒãµãŒãéšãããšã§ãµããã¡ã€ã³ãã__HOST-ã§å§ãŸãã¯ãããŒãèšå®ããããšãå¯èœã§ããããšã瀺ãããŠããŸããããšãã°ãæåãæåŸã«=
ãè¿œå ããããšã§ãïŒ
ãŸããPHPã§ã¯ãã¯ãããŒåã®å
é ã«ä»ã®æåãè¿œå ããããšã§ãã¢ã³ããŒã¹ã³ã¢æåã«çœ®ãæãããã__HOST-
ã¯ãããŒãäžæžãããããšãå¯èœã§ããïŒ
Cookies Attacks
ã«ã¹ã¿ã ã¯ãããŒã«æ©å¯ããŒã¿ãå«ãŸããŠããå Žåã¯ãç¹ã«CTFãè¡ã£ãŠããå Žåã¯ç¢ºèªããŠãã ãããè匱æ§ããããããããŸããã
Decoding and Manipulating Cookies
ã¯ãããŒã«åã蟌ãŸããæ©å¯ããŒã¿ã¯åžžã«ç²Ÿæ»ãããã¹ãã§ããBase64ãé¡äŒŒã®åœ¢åŒã§ãšã³ã³ãŒããããã¯ãããŒã¯ããã°ãã°ãã³ãŒãå¯èœã§ãããã®è匱æ§ã«ãããæ»æè ã¯ã¯ãããŒã®å 容ãå€æŽããä¿®æ£ãããããŒã¿ãå床ã¯ãããŒã«ãšã³ã³ãŒãããããšã§ä»ã®ãŠãŒã¶ãŒãåœè£ ããããšãã§ããŸãã
Session Hijacking
ãã®æ»æã¯ããŠãŒã¶ãŒã®ã¯ãããŒãçãããšã§ãã¢ããªã±ãŒã·ã§ã³å ã®ã¢ã«ãŠã³ãã«äžæ£ã«ã¢ã¯ã»ã¹ããããšãå«ã¿ãŸããçãŸããã¯ãããŒã䜿çšããããšã§ãæ»æè ã¯æ£åœãªãŠãŒã¶ãŒãåœè£ ã§ããŸãã
Session Fixation
ãã®ã·ããªãªã§ã¯ãæ»æè ã被害è ãç¹å®ã®ã¯ãããŒã䜿çšããŠãã°ã€ã³ãããããã«ä»åããŸããã¢ããªã±ãŒã·ã§ã³ããã°ã€ã³æã«æ°ããã¯ãããŒãå²ãåœãŠãªãå Žåãæ»æè ã¯å ã®ã¯ãããŒãæã£ãŠããããã被害è ãåœè£ ã§ããŸãããã®æè¡ã¯ã被害è ãæ»æè ãæäŸããã¯ãããŒã§ãã°ã€ã³ããããšã«äŸåããŠããŸãã
ãµããã¡ã€ã³ã«XSSãèŠã€ããå Žåããµããã¡ã€ã³ãå¶åŸ¡ããŠããå Žåã¯ã次ããèªã¿ãã ããïŒ
{% content-ref url="cookie-tossing.md" %} cookie-tossing.md {% endcontent-ref %}
Session Donation
ããã§ã¯ãæ»æè ã被害è ã«æ»æè ã®ã»ãã·ã§ã³ã¯ãããŒã䜿çšãããããã«ä»åããŸãã被害è ã¯èªåã®ã¢ã«ãŠã³ãã«ãã°ã€ã³ããŠãããšä¿¡ããŠãæ»æè ã®ã¢ã«ãŠã³ãã®ã³ã³ããã¹ãã§æå³ããã«ã¢ã¯ã·ã§ã³ãå®è¡ããŸãã
ãµããã¡ã€ã³ã«XSSãèŠã€ããå Žåããµããã¡ã€ã³ãå¶åŸ¡ããŠããå Žåã¯ã次ããèªã¿ãã ããïŒ
{% content-ref url="cookie-tossing.md" %} cookie-tossing.md {% endcontent-ref %}
JWT Cookies
åã®ãªã³ã¯ãã¯ãªãã¯ããŠãJWTã®å¯èœãªæ¬ é¥ã説æããããŒãžã«ã¢ã¯ã»ã¹ããŠãã ããã
ã¯ãããŒã§äœ¿çšãããJSON Web TokensïŒJWTïŒã«ãè匱æ§ãååšããå¯èœæ§ããããŸããæœåšçãªæ¬ é¥ãšãããæªçšããæ¹æ³ã«ã€ããŠã®è©³çŽ°æ å ±ãåŸãã«ã¯ãJWTããããã³ã°ããããã®ãªã³ã¯ãããææžã«ã¢ã¯ã»ã¹ããããšããå§ãããŸãã
Cross-Site Request Forgery (CSRF)
ãã®æ»æã¯ããã°ã€ã³äžã®ãŠãŒã¶ãŒã«å¯ŸããŠãçŸåšèªèšŒãããŠããWebã¢ããªã±ãŒã·ã§ã³ã§äžèŠãªã¢ã¯ã·ã§ã³ãå®è¡ããããã®ã§ããæ»æè ã¯ãè匱ãªãµã€ããžã®ãã¹ãŠã®ãªã¯ãšã¹ãã«èªåçã«éä¿¡ãããã¯ãããŒãæªçšã§ããŸãã
Empty Cookies
ïŒè©³çŽ°ã¯å ã®ç 究ãåç §ããŠãã ããïŒãã©ãŠã¶ã¯ååã®ãªãã¯ãããŒã®äœæãèš±å¯ããŠãããJavaScriptãéããŠæ¬¡ã®ããã«ç€ºãããšãã§ããŸãïŒ
document.cookie = "a=v1"
document.cookie = "=test value;" // Setting an empty named cookie
document.cookie = "b=v2"
éä¿¡ãããã¯ãã㌠ããããŒã®çµæ㯠a=v1; test value; b=v2;
ã§ããèå³æ·±ãããšã«ãããã¯ç©ºã®ååã®ã¯ãããŒãèšå®ãããŠããå Žåã«ã¯ãããŒãæäœããããšãå¯èœã«ãã空ã®ã¯ãããŒãç¹å®ã®å€ã«èšå®ããããšã§ä»ã®ã¯ãããŒãå¶åŸ¡ããå¯èœæ§ããããŸãã
function setCookie(name, value) {
document.cookie = `${name}=${value}`;
}
setCookie("", "a=b"); // Setting the empty cookie modifies another cookie's value
ããã«ããããã©ãŠã¶ã¯ãã¹ãŠã®ãŠã§ããµãŒããŒã«ãã£ãŠ a
ãšããååã®ã¯ãããŒãš b
ãšããå€ãæã€ã¯ãããŒãšããŠè§£éãããã¯ãã㌠ããããŒãéä¿¡ããŸãã
Chromeã®ãã°: Unicodeãµãã²ãŒãã³ãŒããã€ã³ãã®åé¡
Chromeã§ã¯ãUnicodeãµãã²ãŒãã³ãŒããã€ã³ããèšå®ãããã¯ãããŒã®äžéšã§ããå Žåãdocument.cookie
ãç Žæãããã®åŸç©ºã®æååãè¿ããŸã:
document.cookie = "\ud800=meep";
ãã®çµæãdocument.cookie
ã¯ç©ºã®æååãåºåããæ°žç¶çãªç Žæã瀺ããŸãã
ããŒã¹ã®åé¡ã«ããã¯ãããŒã®ã¹ã¢ã°ãªã³ã°
(詳现ã¯å ã®ç 究ãåç §) JavaïŒJettyãTomCatãUndertowïŒãPythonïŒZopeãcherrypyãweb.pyãaiohttpãbottleãwebobïŒãå«ãããã€ãã®ãŠã§ããµãŒããŒã¯ãå€ãRFC2965ãµããŒãã®ããã«ã¯ãããŒæååã誀ã£ãŠåŠçããŸãã圌ãã¯ãã»ãã³ãã³ãå«ãã§ããŠããããã«ã¯ãªãŒããããã¯ãããŒå€ãåäžã®å€ãšããŠèªã¿åããŸããã»ãã³ãã³ã¯éåžžãããŒãšå€ã®ãã¢ãåºåãã¹ãã§ãã
RENDER_TEXT="hello world; JSESSIONID=13371337; ASDF=end";
Cookie Injection Vulnerabilities
(詳现ã¯å
ã®ç 究ãåç
§ããŠãã ãã) ãµãŒããŒã«ããã¯ãããŒã®äžé©åãªè§£æãç¹ã«UndertowãZopeãããã³Pythonã®http.cookie.SimpleCookie
ãšhttp.cookie.BaseCookie
ã䜿çšããŠãããã®ã¯ãã¯ãããŒã€ã³ãžã§ã¯ã·ã§ã³æ»æã®æ©äŒãçã¿åºããŸãããããã®ãµãŒããŒã¯æ°ããã¯ãããŒã®éå§ãé©åã«åºåãããšãã§ãããæ»æè
ãã¯ãããŒãåœè£
ããããšãå¯èœã«ããŸãïŒ
- Undertowã¯ãã»ãã³ãã³ãªãã§åŒçšãããå€ã®çŽåŸã«æ°ããã¯ãããŒãæåŸ ããŸãã
- Zopeã¯ã次ã®ã¯ãããŒã®è§£æãéå§ããããã«ã«ã³ããæ¢ããŸãã
- Pythonã®ã¯ãããŒã¯ã©ã¹ã¯ãã¹ããŒã¹æåã§è§£æãéå§ããŸãã
ãã®è匱æ§ã¯ãã¯ãããŒããŒã¹ã®CSRFä¿è·ã«äŸåããWebã¢ããªã±ãŒã·ã§ã³ã«ãããŠç¹ã«å±éºã§ããæ»æè
ãåœè£
ãããCSRFããŒã¯ã³ã¯ãããŒã泚å
¥ã§ãããããã»ãã¥ãªãã£å¯Ÿçãåé¿ããå¯èœæ§ããããŸãããã®åé¡ã¯ãPythonãéè€ããã¯ãããŒåãåŠçããæ¹æ³ã«ãã£ãŠæªåããæåŸã®åºçŸã以åã®ãã®ãäžæžãããŸãããŸãã__Secure-
ããã³__Host-
ã¯ãããŒãäžå®å
šãªã³ã³ããã¹ãã§æ±ãããããšã«å¯Ÿããæžå¿µãçããã¯ãããŒãåœè£
ã«å¯ŸããŠè匱ãªããã¯ãšã³ããµãŒããŒã«æž¡ããããšãèªå¯ã®ãã€ãã¹ã«ã€ãªããå¯èœæ§ããããŸãã
Extra Vulnerable Cookies Checks
Basic checks
- ã¯ãããŒã¯ããã°ã€ã³ãããã³ã«åãã§ãã
- ãã°ã¢ãŠãããŠãåãã¯ãããŒã䜿çšããŠã¿ãŠãã ããã
- 2ã€ã®ããã€ã¹ïŒãŸãã¯ãã©ãŠã¶ïŒã§åãã¢ã«ãŠã³ãã«åãã¯ãããŒã䜿çšããŠãã°ã€ã³ããŠã¿ãŠãã ããã
- ã¯ãããŒã«æ å ±ãå«ãŸããŠããã確èªããå€æŽãè©Šã¿ãŠãã ããã
- ã»ãŒåããŠãŒã¶ãŒåã§è€æ°ã®ã¢ã«ãŠã³ããäœæããé¡äŒŒç¹ãèŠããã確èªããŠãã ããã
- "remember me"ãªãã·ã§ã³ãååšããå Žåããã®åäœã確èªããŠãã ãããååšããè匱ã§ããå¯èœæ§ãããå Žåã¯ãä»ã®ã¯ãããŒãªãã§remember meã®ã¯ãããŒãåžžã«äœ¿çšããŠãã ããã
- ãã¹ã¯ãŒããå€æŽããŠãåã®ã¯ãããŒãæ©èœããã確èªããŠãã ããã
Advanced cookies attacks
ã¯ãããŒããã°ã€ã³æã«åãïŒãŸãã¯ã»ãŒåãïŒã§ããå Žåãããã¯ã¯ãããŒãããªãã®ã¢ã«ãŠã³ãã®ããã€ãã®ãã£ãŒã«ãïŒãããããŠãŒã¶ãŒåïŒã«é¢é£ããŠããããšãæå³ããŸãã次ã«ãããªãã¯ïŒ
- éåžžã«äŒŒããŠãŒã¶ãŒåã§ããããã®ã¢ã«ãŠã³ããäœæããã¢ã«ãŽãªãºã ãã©ã®ããã«æ©èœããŠããããæšæž¬ããŠã¿ãŠãã ããã
- ãŠãŒã¶ãŒåããã«ãŒããã©ãŒã¹ããŠã¿ãŠãã ãããã¯ãããŒãããªãã®ãŠãŒã¶ãŒåã®èªèšŒæ¹æ³ãšããŠã®ã¿ä¿åãããŠããå ŽåããŠãŒã¶ãŒå"Bmin"ã§ã¢ã«ãŠã³ããäœæããã¯ãããŒã®ãã¹ãŠã®ãããããã«ãŒããã©ãŒã¹ããããšãã§ããŸãããªããªããããªããè©Šãã¯ãããŒã®1ã€ã¯"admin"ã«å±ãããã®ã ããã§ãã
- Padding Oracleãè©ŠããŠãã ããïŒã¯ãããŒã®å 容ã埩å·åã§ããŸãïŒãpadbusterã䜿çšããŠãã ããã
Padding Oracle - Padbuster examples
padbuster <URL/path/when/successfully/login/with/cookie> <COOKIE> <PAD[8-16]>
# When cookies and regular Base64
padbuster http://web.com/index.php u7bvLewln6PJPSAbMb5pFfnCHSEd6olf 8 -cookies auth=u7bvLewln6PJPSAbMb5pFfnCHSEd6olf
# If Base64 urlsafe or hex-lowercase or hex-uppercase --encoding parameter is needed, for example:
padBuster http://web.com/home.jsp?UID=7B216A634951170FF851D6CC68FC9537858795A28ED4AAC6
7B216A634951170FF851D6CC68FC9537858795A28ED4AAC6 8 -encoding 2
Padbusterã¯è€æ°åè©Šè¡ããã©ã®æ¡ä»¶ããšã©ãŒæ¡ä»¶ïŒç¡å¹ãªãã®ïŒã§ããããå°ããŸãã
ãã®åŸãã¯ãããŒã®åŸ©å·ãéå§ããŸãïŒæ°åãããå ŽåããããŸãïŒã
æ»æãæåããå Žåãä»»æã®æååãæå·åããŠã¿ãããšãã§ããŸããããšãã°ãencrypt user=administratorãæå·åãããå Žåã
padbuster http://web.com/index.php 1dMjA5hfXh0jenxJQ0iW6QXKkzAGIWsiDAKV3UwJPT2lBP+zAD0D0w== 8 -cookies thecookie=1dMjA5hfXh0jenxJQ0iW6QXKkzAGIWsiDAKV3UwJPT2lBP+zAD0D0w== -plaintext user=administrator
ãã®å®è¡ã«ãããæåå user=administrator ãå éšã«å«ãŸããæ£ããæå·åããããšã³ã³ãŒããããã¯ãããŒãåŸãããŸãã
CBC-MAC
ã¯ãããŒã«ã¯äœããã®å€ãå«ãŸããCBCã䜿çšããŠçœ²åãããå¯èœæ§ããããŸãããã®å Žåãå€ã®æŽåæ§ã¯ãåãå€ã䜿çšããŠCBCã§äœæããã眲åã§ããIVãšããŠãã«ãã¯ã¿ãŒã䜿çšããããšãæšå¥šãããããããã®ã¿ã€ãã®æŽåæ§ãã§ãã¯ã¯è匱ã§ããå¯èœæ§ããããŸãã
æ»æ
- ãŠãŒã¶ãŒå administ ã®çœ²åãååŸ = t
- ãŠãŒã¶ãŒå rator\x00\x00\x00 XOR t ã®çœ²åãååŸ = t'
- ã¯ãããŒã«å€ administrator+t' ãèšå® (t' 㯠(rator\x00\x00\x00 XOR t) XOR t = rator\x00\x00\x00 ã®æå¹ãªçœ²åã«ãªããŸã)
ECB
ã¯ãããŒãECBã䜿çšããŠæå·åãããŠããå Žåãè匱ã§ããå¯èœæ§ããããŸãã
ãã°ã€ã³ãããšãåãåãã¯ãããŒã¯åžžã«åãã§ãªããã°ãªããŸããã
æ€åºãšæ»ææ¹æ³:
ã»ãŒåãããŒã¿ïŒãŠãŒã¶ãŒåããã¹ã¯ãŒããã¡ãŒã«ãªã©ïŒãæã€2ã€ã®ãŠãŒã¶ãŒãäœæããäžããããã¯ãããŒå ã®ãã¿ãŒã³ãçºèŠããããšããŸãã
äŸãã°ãaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaããšãããŠãŒã¶ãŒãäœæããã¯ãããŒã«ãã¿ãŒã³ãããã確èªããŸãïŒECBã¯åãããŒã§åãããã¯ãæå·åããããããŠãŒã¶ãŒåãæå·åããããšåãæå·åããããã€ããçŸããå¯èœæ§ããããŸãïŒã
䜿çšããããããã¯ã®ãµã€ãºã§ãã¿ãŒã³ãååšããã¯ãã§ãããããã£ãŠããaãããããã¯ã®ãµã€ãºåç¹°ãè¿ããåŸã«ãadminããè¿œå ãããŠãŒã¶ãŒåãäœæã§ããŸãããã®åŸãã¯ãããŒãããaãã®ãããã¯ã®æå·åãã¿ãŒã³ãåé€ããŸããããããã°ããŠãŒã¶ãŒåãadminãã®ã¯ãããŒãåŸãããŸãã
åèæç®
- https://blog.ankursundara.com/cookie-bugs/
- https://www.linkedin.com/posts/rickey-martin-24533653_100daysofhacking-penetrationtester-ethicalhacking-activity-7016286424526180352-bwDd
Try Hard Security Group
{% embed url="https://discord.gg/tryhardsecurity" %}
{% hint style="success" %}
AWSãããã³ã°ãåŠã³ãå®è·µãã:HackTricks Training AWS Red Team Expert (ARTE)
GCPãããã³ã°ãåŠã³ãå®è·µãã: HackTricks Training GCP Red Team Expert (GRTE)
HackTricksããµããŒããã
- ãµãã¹ã¯ãªãã·ã§ã³ãã©ã³ã確èªããŠãã ããïŒ
- **ð¬ Discordã°ã«ãŒããŸãã¯Telegramã°ã«ãŒãã«åå ããããTwitter ðŠ @hacktricks_liveããã©ããŒããŠãã ããã
- ãããã³ã°ã®ããªãã¯ãå ±æããã«ã¯ãHackTricksããã³HackTricks Cloudã®GitHubãªããžããªã«PRãæåºããŠãã ããã