飞道的博客

Go代码审计学习(一)

344人阅读  评论(0)

网上有关Go的代码审计好少哇,能找到的文章也不多,害,没办法也得学

Vulnerability-goapp

建议用docker启动靶机,靶机漏洞都很简单的,很明显一眼就能找到

完全是为了设计漏洞而设计漏洞,来分析一下

https://github.com/Hardw01f/Vulnerability-goapp

docker-compose up

/assets/

就是一个静态文本目录页面

	http.Handle("/assets/", http.StripPrefix("/assets/", http.FileServer(http.Dir("assets/"))))

/ 根目录

func sayYourName(w http.ResponseWriter, r *http.Request) {
   
	r.ParseForm()
	fmt.Println(r.Form)
	fmt.Println("path", r.URL.Path)
	fmt.Println("scheme", r.URL.Scheme)
	fmt.Println("r.Form", r.Form)
	fmt.Println("r.Form[name]", r.Form["name"])
	var Name string
	for k, v := range r.Form {
   
		fmt.Println("key:", k)
		Name = strings.Join(v, ",")
	}
	fmt.Println(Name)
	fmt.Fprintf(w, Name)
  // 解析表单内容,不做任何处理就直接返回
  // 所以这里就满足反射型xss的条件了
}

 

/login

登录页,就是一些检查,成功就返回 /top

if r.Method == "GET" {
   
		if cookie.CheckSessionID(r) {
   
			http.Redirect(w, r, "/top", 302)
		} else {
   
			t, _ := template.ParseFiles("./views/public/login.gtpl")
		}
	} else if r.Method == "POST" {
   
if isZeroString(r.FormValue("mail")) && isZeroString(r.FormValue("passwd")) {
   
			if id != 0 {
   	// id存在
				if name != "" {
    // name存在
				} else {
   	// name不存在
					t, _ := template.ParseFiles("./views/public/error.gtpl")
				}
			} else {
   	// id 不存在
				t, _ := template.ParseFiles("./views/public/error.gtpl")
			}
		} else {
   	// passwd mail为空
			fmt.Println("username or passwd are empty")
			outErrorPage(w)
		}
	} else {
   
		http.NotFound(w, nil)
	}

 

/new

注册页,这里其实是可以在跳转 /top的时候可以 xss

if CheckUserDeplicate(r.FormValue("mail")) {
   
			if RegisterUser(r) {
   
        
				http.SetCookie(w, cookieSID)
				http.SetCookie(w, cookieUserName)
				p := Person{
   UserName: name}
				t, _ := template.ParseFiles("./views/public/success_register.gtpl")
				t.Execute(w, p)
			}
_, err = db.Exec("insert into user (name,mail,age,passwd) value(?,?,?,?)", r.FormValue("name"), r.FormValue("mail"), age, r.FormValue("passwd"))
// r.FormValue 和 r.Form 的区别就是 FormValue拿第一个同名的值,也就是不能覆盖


/top

同样是从 cookie中拿到 userName,然后没做任何处理的返回

userName, sessionID, userID, err := cookie.GetUserIDFromCookie(r)
	if sessionID == "" {
   
		t, _ := template.ParseFiles("./views/public/error.gtpl")
	} else {
   
		if r.Method == "GET" {
   
			if userID != 0 {
   

				http.SetCookie(w, cookieUserID)
				http.SetCookie(w, deleAdminID)
				p := Person{
   UserName: userName}
				t, _ := template.ParseFiles("./views/public/top.gtpl")
				t.Execute(w, p)
	}
<ul id="nav">
  <li><div class="username">{
   {
   .UserName}}</div></li>
  <li><a href="/top">Home</a></li>
  <li><a href="/profile">Profile</a></li>
  <li><a href="/timeline">TimeLine</a></li>
  <li><a href="/post">Post</a></li>
  <li><a href="/hints">Hints</a></li>
  <li><a href="/db">DB</a></li>
  <li><a href="/logout">Logout</a></li>
<ul>

/profile

后台同样是存在多处的xss,原因同 /top,没做任何处理拿到 userName直接返回

这里还存在存储xss,同样是没做任何处理就存数据库,读也是一样

_, err = db.Exec("update vulnapp.userdetails set address = ?, animal = ?, word = ? where uid = ?", address, animal, word, uid)


	var userImage, address, animal, word string
	res, err := db.Query("select userImage,address,animal,word from vulnapp.userdetails where uid=?", uid)


/profile/edit/upload

任意文件上传,和php利用方式不同,没有像一句话马这种东西,而且访问也是通过路由访问,而不是文件路径

这里也没对文件名检测,所以可以任意位置上传文件,但是好像没啥用,权限给的0666,没有执行权限

file, handler, err := r.FormFile("uploadfile")
			defer file.Close()
			f, err := os.OpenFile("./assets/img/"+handler.Filename, os.O_WRONLY|os.O_CREATE, 0666)
			defer f.Close()

/post /timeline

一个留言板,存储型xss,同样是直接就可以叉

postText := r.FormValue("post")

			fmt.Println(reflect.TypeOf(postText))

			StorePost(uid, postText)

			http.Redirect(w, r, "/post", 301)
_, err = db.Exec("insert into vulnapp.posts(uid,post) values (?,?)", uid, postText)

/timeline/searchpost

存在SQL注入

testStr := "mysql -h mysql -u root -prootwolf -e 'select post,created_at from vulnapp.posts where post like \"%" + searchWord + "%\"'"

// 直接闭合掉 %" 就行
// paidx0%" and if(2>1,sleep(3),1)#

/adminconfirm /adminlogin /adminusers

SQL注入,闭合就行,同上

commandLine := "mysql -h mysql -u root -prootwolf -e 'select adminsid from vulnapp.adminsessions where adminsessionid=\"" + adminSessionCookie + "\";'"

cmd := "mysql -h mysql -u root -prootwolf -e 'select adminid from vulnapp.admins where mail=\"" + requestMail + "\" and passwd=\"" + requestPasswd + "\";'"

cmd := "mysql -h mysql -u root -prootwolf -e 'select id,name,mail,age,created_at,updated_at from vulnapp.user where name not in (\"" + userName.Value + "\");'"


CSRF

csrf基本都是,因为都没有对数据提交来源做检测,只有修改确认密码这里做了检测

也就是说我们可以用burpsuit生成一个csrf的临时假服务器去伪造用户执行命令

func ConfirmPasswdChange(w http.ResponseWriter, r *http.Request) {
   
	if r.Method == "POST" {
   
		if cookie.CheckSessionID(r) {
   
			if r.Referer() == "http://localhost:9090/profile/changepasswd" {
   
				_, _, uid, err := cookie.GetCookieValue(r)
				if err != nil {
   
					fmt.Printf("%+v\n", err)
				}

				newPasswd := r.FormValue("passwd")
				confirmPassword := r.FormValue("confirm")
				fmt.Println(newPasswd, confirmPassword, uid)

转载:https://blog.csdn.net/weixin_49656607/article/details/128291716
查看评论
* 以上用户言论只代表其个人观点,不代表本网站的观点或立场