思步网

Title: TamperIE, a handy tool for modifying HTTP POST/GET data (upgraded edition)

Author: bzcyer    Time: 2011-3-9 11:17
Title: TamperIE, a handy tool for modifying HTTP POST/GET data (upgraded edition)
@author Bzcyer

@ http://www.bzcyer.com/

In security testing, man-in-the-middle attacks are a very common technique. TamperIE can simulate this process: its working principle is to intercept the HTTP POST/GET data, tamper with the POST/GET data, and then submit all kinds of abnormal input.
Here I will introduce some real test examples where I used TamperIE at work over the past few days.
1. XSS (cross-site scripting)
Previously, when I found an XSS problem in the login page, I mainly used HttpWatch to look at the data, then assembled the URL by hand and threw a script into the assembled URL. For example:
http://192.168.1.129/member.do?method=customerLogon&mail=bzcyer@gmail.com&pws=222222

http://192.168.1.129/member.do?method=customerLogon&mail=>"'><img src="javascript:alert('XSS')">&pws=222222
With TamperIE this can be done very simply, as shown in the figures:
The data posted when logging in:


Change the username to a script:


Then click Send Altered Data.
TamperIE lets you verify XSS very efficiently. Here is another example, also done with TamperIE.
See the figure:


The result is:

For the date-picker plugin used here, it is impossible to enter a script by editing manually; but if you change the posted data directly, the XSS appears.




-------------------------- I am the super-duper handsome divider ----------------------------
Download: TamperIE (http://www.bayden.com/dl/TamperIESetup.exe)

TamperIE
TamperIE is an Internet Explorer Browser Helper Object which allows tampering with HTTP requests from Internet Explorer 5 and above.  If you haven't installed it yet, you can get it here.
WARNING: This tool makes it simple to do very bad things to poorly written code.  Malicious use of this tool against third-parties is a violation of federal, state, and local laws.  Be smart.
TamperIE is a useful tool for security testing your web applications, in order to ensure you don't make foolish assumptions about the data sent by client browsers.  Since the tool exposes and allows tampering with otherwise inconvenient input, many user-input security flaws immediately become apparent.
SSL? TamperIE works inside IE itself, before data is placed on the wire; this means that it works fine even against SSL secured sites.
Need more power? You might find the Fiddler HTTP Debugging Proxy more powerful, as it supports an automated scripting engine.
Using TamperIE
For this example, you can follow along here:  http://www.bayden.com/sandbox/shop/
Visiting the sample URL above presents a simple web-based shopping cart.

Wow, what a great tablet!  But $1995 seems kinda pricey, doesn't it?  Hrm... What to do?
Click the TamperIE icon on the toolbar.
   

Ensure the topmost checkbox is checked, like so:
   
Close the dialog.
Now, in the page, click Order! and the TamperIE editing dialog is shown.
           
Control: Function
URL Editbox: This box contains the URL which is being requested from the server.  This field is editable.  So, for instance, you can change the
Send Altered Data: This button will send the edited HTTP request to the specified URL.
Send Original Data: This button will send the unedited HTTP request to the original URL.
Cookies: This tab presents a read-only view of the cookies which are being sent to the server.  You can edit your cookies by editing the cookie file on disk or using a great browser plugin like CookieSpy.
Raw Headers: This tab presents a read/write view of the custom HTTP headers which are being sent to the server.  These are rarely used by web pages, but can be useful in some circumstances.  For instance, sometimes web sites will not check authorization if "secret" HTTP headers are present in the request.
Raw Post: This tab presents a read/write view of the HTTP POST body which is being sent to the server.  This is where TamperIE shines.  Many web applications are coded very poorly, and implicitly trust data sent by the POST body.  Some corporations mistakenly think that if the HTTP Header "Referer" is correct, the POST data must have been generated securely.  Wrong.
PrettyPost: This tab presents a "pretty" read/write view of the HTTP POST body.  POSTs are generally URL encoded, and this editing grid allows easy tampering.  More on this in a moment.
Notice anything interesting about the POST data?
        

Hrm... A coincidence?  Let's see...  Click on the PrettyPost tab.
        
The POST form data is neatly broken down into name/value pairs in the grid.  See the Price field?  Click it to set focus to it.
The Value dropdown box to the right of the Edit Field label contains a number of pre-built attack strings which are known to cause problems for many web-based applications.  These vulnerabilities include SQL injection, buffer overflow, cross-site scripting, etc.
            

Note: If you'd like to customize this list, simply create a file named hackstrings.txt in the folder which contains ietamper.dll.  This file should contain one attack string per line.
In this case, however, we're not trying to crash the server, we're trying to get a discount on a computer.  Change the 1995.00 value to 10.00
Click the Raw Post tab to see the change reflected in the raw post data:
        
Click the Send Altered Data button at the top-right of the dialog box.  The TamperIE dialog will close and the tampered request will be sent to the server.
        
Note: SSL-encryption would have done nothing to foil this attack, since the data is being altered by the original submitter.  The vulnerability here is that the web site is blindly trusting a POST instead of performing a database lookup.  Amazingly, a huge number of shopping carts work this way, either for the actual product, or for the shipping cost.
TamperIE Control Panel
The TamperIE Control Panel allows you to control when you are prompted to tamper with requests.
Start the TamperIE Control Panel referenced in the IE toolbar.  (If the icon isn't visible, right-click the IE toolbar, and choose Customize).
        
The following dialog will appear:
        

Option: Function
Tamper with HTTP POSTs: Show the TamperIE dialog when a form is submitted with METHOD=POST.
Tamper with HTTP GETs: Show the TamperIE dialog whenever a HTTP GET is performed.
Tamper with GET requests for the following files: Show the TamperIE dialog whenever a HTTP GET is performed and the resource address ends with the specified text.  For instance, given the filter in the above screenshot, the following URL requests will match:
     www.washingtonpost.com/article.html?q=12311
     www.banker.com/payee.html?id=321312&amt=1231
     www.bayden.com/register.asp?product=TamperIE
     www.microsoft.com/passport/register.asp#FAQ
etc...
If this box contains a *, all GET requests will match the filter.
Only tamper with GETs with Query string parameters: Show the TamperIE dialog only when a HTTP GET is performed and there is query string data in the URL.  Query string data is found in the URL after the ? character.  For instance, in this Google search URL the query data is the part after the ? (hl=en&q=hacker): http://www.google.com/search?hl=en&q=hacker
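The two server-side lessons in this thread, the login form whose username is reflected into the page and the shopping cart that trusts the Price field in the POST body, as an added Python example. This is not TamperIE's or bzcyer's code. The mail/pws field names, the XSS payload and the 1995.00 price come from the post; the catalogue, the Product/Quantity/OrderDate field names, the date format and all function names are assumptions made for this example.

```python
"""Server-side handling of a form POST that may have been altered in the browser.

A date-picker or a disabled field only restricts what the user can *type*;
a tool such as TamperIE shows that the server still receives whatever the
client chooses to send.  Each 'vulnerable_*' function trusts the POST body
the way the thread's examples do; the 'hardened_*' function beside it does
what the server should do instead.
"""
from datetime import date
from html import escape
from urllib.parse import parse_qs

# Constructed server-side catalogue (assumption): the only source of prices.
CATALOGUE = {"tablet": 1995.00}


def parse_post_body(body: str) -> dict:
    """Decode a URL-encoded POST body into single-valued fields (last value wins)."""
    return {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}


def vulnerable_order_total(fields: dict) -> float:
    """'Before': uses the Price field exactly as the browser sent it."""
    return float(fields["Price"]) * int(fields.get("Quantity", "1"))


def hardened_order_total(fields: dict) -> float:
    """'After': the client may choose *what* to buy, never *what it costs*."""
    product = fields.get("Product", "")
    if product not in CATALOGUE:
        raise ValueError("unknown product")
    qty = int(fields.get("Quantity", "1"))
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    # Any Price field in the body is ignored; the server's own price is used.
    return CATALOGUE[product] * qty


def vulnerable_greeting(fields: dict) -> str:
    """'Before': reflects the submitted mail field straight into HTML."""
    return "<p>Welcome, " + fields["mail"] + "</p>"


def hardened_greeting(fields: dict) -> str:
    """'After': HTML-escape anything that came from the client before rendering."""
    return "<p>Welcome, " + escape(fields["mail"], quote=True) + "</p>"


def validate_order_date(fields: dict) -> date:
    """Re-validate the date-picker field on the server with a strict parser."""
    raw = fields.get("OrderDate", "")
    try:
        return date.fromisoformat(raw)  # strict YYYY-MM-DD (assumed format)
    except ValueError:
        raise ValueError("OrderDate is not a valid YYYY-MM-DD date") from None


# Constructed POST bodies modelled on the thread: an original submission and
# the same submission after editing in TamperIE's PrettyPost tab.
ORIGINAL_LOGIN = "method=customerLogon&mail=bzcyer%40gmail.com&pws=222222"
TAMPERED_LOGIN = ("method=customerLogon"
                  "&mail=%3E%22%27%3E%3Cimg+src%3D%22javascript%3Aalert%28%27XSS%27%29%22%3E"
                  "&pws=222222")
ORIGINAL_ORDER = "Product=tablet&Quantity=1&Price=1995.00&OrderDate=2011-03-09"
TAMPERED_ORDER = "Product=tablet&Quantity=1&Price=10.00&OrderDate=2011-03-09%3Cb%3Ex%3C%2Fb%3E"


def demo() -> dict:
    """Run both handlers over the tampered bodies and collect what each one does."""
    login = parse_post_body(TAMPERED_LOGIN)
    order = parse_post_body(TAMPERED_ORDER)
    try:
        validate_order_date(order)
        date_accepted = True
    except ValueError:
        date_accepted = False
    return {
        "vulnerable_html": vulnerable_greeting(login),   # script markup reaches the page
        "hardened_html": hardened_greeting(login),       # markup rendered inert
        "vulnerable_total": vulnerable_order_total(order),  # 10.0: client set the price
        "hardened_total": hardened_order_total(order),      # 1995.0: catalogue price
        "tampered_date_accepted": date_accepted,            # False: rejected server-side
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point the doc's closing note makes also holds here: SSL protects the request in transit, not from the person sending it, so every check above has to live on the server and treat the POST body as untrusted input, whatever the page's own form controls allowed.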

Author: Agopayignipsy    Time: 2013-3-29 14:00
Bump.
Author: Mesimix    Time: 2013-4-11 23:34
Having read the whole post, the least I can do is bump it~
Author: Notskynow    Time: 2013-4-16 19:01
Bump bump bump
Author: 游离状态的猫    Time: 2014-4-5 19:04
Searched for it everywhere a thousand times over, then turned around and here it is!
Author: 三寸日光。    Time: 2014-8-12 10:16
Very good, bump; placeholder edit
Author: ◆◇硪蕙俖    Time: 2014-9-7 07:27
Not bad; if you could share a bit more it would be perfect!
Author: 花裙的少女    Time: 2014-9-23 15:29
Learning from the OP.
Author: 那种倒影成月。    Time: 2015-3-12 13:43
I'll bump this too..
Author: 岁月飘逝╰    Time: 2015-3-22 20:47
Very good, bump; placeholder edit
Author: ミ曲线﹏    Time: 2015-3-23 21:20
Nice, here's my support.
Author: 致命朱丽叶    Time: 2015-7-14 12:53
Just passing by, picking up a few coins along the way.
Author: 劳资就是小清新    Time: 2015-9-1 16:36
Very instructive; bookmarked. Thanks, OP.
Author: 七度光    Time: 2015-12-25 21:41
Front-row support~
Author: ≈烟波流传    Time: 2016-3-25 17:42
very good.
Author: 鸡毛令箭    Time: 2016-5-16 10:15
After reading the OP's post, all I can say is: very good, very powerful!
Author: 魅力眼线男づ    Time: 2016-5-20 14:17
Nice, here's my support.
Author: O丶ne丨柒夜彡    Time: 2016-5-26 19:05
very good.
Author: 三重门。    Time: 2016-10-9 09:37
In my experience, the OP's idea is workable~
Author: 七墓凉    Time: 2016-10-27 17:54
Learning from the OP.
Author: 海沫深@    Time: 2017-1-11 15:27
Nice, here's my support.
Author: 花心筒    Time: 2017-1-23 09:38
Good posts deserve encouragement~
Author: 不做帝王妾    Time: 2017-1-25 20:56
Passing by, helping bump, hehe
Author: 救生圈    Time: 2017-2-9 11:25
Learning from the OP.
Author: 买节操v    Time: 2017-2-13 14:46
A very insightful discussion; bookmarking it for now~
Author: 祝;我    Time: 2017-3-14 12:01
Full support!!
Author: 北船余音    Time: 2017-5-10 15:42
Front-row support~
Author: 随心    Time: 2017-5-14 19:05
Bump, nice, supporting
Author: 畏光    Time: 2017-5-22 20:41
Learning from the OP.
Author: 喘生@    Time: 2017-6-14 13:22
Full support!!
Author: 我们再爱一遍丶    Time: 2017-6-17 21:53
Just learning; I'm only passing by and won't comment……
Author: 李珊    Time: 2017-6-30 11:04
Front-row support~
Author: 旧城人凉    Time: 2017-8-9 21:06
Just learning; I'm only passing by and won't comment……
Author: 蓝风    Time: 2017-8-10 18:38
After reading the OP's post, all I can say is: very good, very powerful!
Author: 清泊    Time: 2017-11-7 18:28
Let's exchange ideas when we have time.
Author: 爱...    Time: 2017-11-24 17:15
Passing by, helping bump, hehe
Author: 瑹歌    Time: 2017-12-1 09:12
Nobody's replying... I'll leave one!
Author: 海内比邻    Time: 2017-12-25 11:43
Learning from the OP.
Author: 不成功也成仁    Time: 2018-5-6 08:00
Just passing by, picking up a few coins along the way.
Author: 我要专一了    Time: 2018-8-23 20:29
Very good, bump; placeholder edit
Author: 黛尽青丝@    Time: 2018-8-27 16:07
Nice, here's my support.
Author: 鸢卿漓殇    Time: 2018-8-28 17:46
Just passing by, picking up a few coins along the way.
Author: 采女孩的大蘑菇    Time: 2018-9-10 09:19
Really not bad; bump first.
Author: 我不是壞女孩    Time: 2018-9-11 14:52
So impressive; supporting the OP, much respect.
Author: 感情洁癖者i    Time: 2018-9-20 09:09
Nice, here's my support.
Author: 我命本喜    Time: 2018-9-30 11:25
Very good, bump; placeholder edit
Author: 魅╰美。    Time: 2019-1-8 20:38
Nice, here's my support.
Author: 掐死时间    Time: 2019-1-31 17:23
Front-row support~
Author: 顾痣    Time: 2019-3-13 08:16
Passing by, helping bump, hehe
Author: 四叶星光    Time: 2019-7-5 13:45
Very instructive; bookmarked. Thanks, OP.
Author: 源泉    Time: 2019-7-13 22:36
Good posts deserve encouragement~
Author: 叛逆、、、    Time: 2019-7-15 19:25
Read a post, reply to it; replying keeps the forum healthy. Stepping by again; thanks for your hard work, OP!
Author: 龟兔    Time: 2019-8-23 22:52
Really not bad; bump first.
Author: 迷惑    Time: 2019-9-7 08:08
Looks pretty good.
Author: 深海苏眉鱼    Time: 2019-10-27 16:16
Front-row support~
Author: 彼岸蔷薇    Time: 2020-1-25 14:37
Oh my, bumped.
Author: BABY衣    Time: 2020-11-9 11:24
Actually, it's like this in many cases; you get used to it.
Author: 、唱忐忑    Time: 2020-12-1 16:09
Full support!!
Author: 漫长的青春。    Time: 2020-12-18 14:02
In my experience, the OP's idea is workable~
Author: 入花庭    Time: 2021-1-29 10:51
very good.

Welcome to 思步网 (http://www.step365.com/) Powered by Discuz! X3.2