[Repost] [Vulnerability Analysis] How I made 25000 USD in bug bounties with reverse proxy

A proxy server is a go‑between or intermediary server that forwards requests for content from multiple clients to different servers across the Internet. A reverse proxy server is a type of proxy server that typically sits behind the firewall in a private network and directs client requests to the appropriate backend server. A reverse proxy provides an additional level of abstraction and control to ensure the smooth flow of network traffic between clients and servers.


[Figure: Basic reverse proxy]

Why is it used?


  • Load balancing — A reverse proxy server can act as a “traffic cop,” sitting in front of your backend servers and distributing client requests across a group of servers in a manner that maximizes speed and capacity utilization while ensuring no one server is overloaded, which can degrade performance. If a server goes down, the load balancer redirects traffic to the remaining online servers.
  • Web acceleration — Reverse proxies can compress inbound and outbound data, as well as cache commonly requested content, both of which speed up the flow of traffic between clients and servers. They can also perform additional tasks such as SSL encryption to take load off of your web servers, thereby boosting their performance.
  • Security and anonymity — By intercepting requests headed for your backend servers, a reverse proxy server protects their identities and acts as an additional defense against security attacks. It also ensures that multiple servers can be accessed from a single record locator or URL regardless of the structure of your local area network.

So basically I escalated a REVERSE PROXY to 2 SQLi and 3 RCE on the internal servers, plus a couple of other issues; information disclosure and other problems were found as well.


To find the reverse proxy you can use Burp Collaborator or, better, DNSBIN to catch the DNS request.


You need to modify the requests like this:


GET / HTTP/1.1
Content-Length: 95
Content-Type: application/x-www-form-urlencoded

becomes

GET http://burpcollaborator_url HTTP/1.1
Content-Length: 95
Content-Type: application/x-www-form-urlencoded

Then you need to check the DNS responses, but filter out the many WAF and manual pingbacks you get, because most of the time they are false positives.


If you get a DNS response only and not an HTTP one, don’t give up. It means other ports on the same internal host might be accessible, just not 80 or 443, or that some internal sites cannot be served through the reverse proxy. You might need to trick it by adding a URL or subdomain that pretends to be valid.


Once you get access to an internal asset, you need to use the reverse proxy and test it like it’s an external website.


[Figure: Burp trick to be able to browse the internal site from the browser]

Of course this is a big area to explore, with many bypass combinations to try, like:


GET https://external_site.com@internal_site:4566 HTTP/1.1 etc.
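As an added defensive example (not code from the original post), the following Python flags request lines that use the absolute-URI callback trick and the external@internal trick shown above, the way a proxy-log review or WAF rule would; the sample request lines and Host headers are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed samples: (request line, Host header) pairs as a proxy or WAF log
# would record them. Not data from the original post.
SAMPLE_REQUESTS = [
    ("GET / HTTP/1.1", "www.example.com"),
    ("GET http://burpcollaborator_url HTTP/1.1", "www.example.com"),
    ("GET https://external_site.com@internal_site:4566 HTTP/1.1", "external_site.com"),
    ("GET http://www.example.com/img/logo.png HTTP/1.1", "www.example.com"),
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$")


def analyze_request_line(line, host_header):
    """Return the reasons a request line looks like a reverse-proxy probe.

    Flags an absolute-form target whose host differs from the Host header
    (the callback trick), userinfo before '@' (the external@internal trick)
    and a non-default port (reaching internal services other than 80/443).
    An empty list means nothing suspicious.
    """
    m = REQUEST_LINE.match(line)
    if not m:
        return ["malformed request line"]
    target = m.group("target")
    if not target.lower().startswith(("http://", "https://")):
        return []  # origin-form target such as "/": normal for a browser
    parts = urlsplit(target)
    reasons = []
    if parts.username is not None:
        reasons.append("userinfo in authority")
    if parts.port not in (None, 80, 443):
        reasons.append(f"non-default port {parts.port}")
    if parts.hostname and parts.hostname != host_header.lower():
        reasons.append(f"absolute-form host {parts.hostname} != Host {host_header}")
    return reasons


def flagged_requests(samples=SAMPLE_REQUESTS):
    """Map each suspicious sample request line to its list of reasons."""
    result = {}
    for line, host in samples:
        reasons = analyze_request_line(line, host)
        if reasons:
            result[line] = reasons
    return result
```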

I believe this area is not fully explored, even if the bug type is not new. Similar issues can probably be found under another name, or the attacks work with other techniques; a reverse proxy can also be exploited via another URL parser issue, etc. But I encourage everyone to look more here.


The attacker just needs to create a special URL (/img/..%2faccount/attacker/) so that Nuster applies an “aggressive caching” rule, while the web app still returns the self-XSS response (it sees /account/attacker/). The response with the XSS payload will be cached by Nuster (with the key Host + /img/..%2faccount/attacker/), so the attacker can misuse this cache to XSS other users of the web application. From the self-XSS, we’ve got a usual XSS.
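An added illustration of that cache-key mismatch, not the original post’s or Nuster’s code: the proxy keys on the raw path while the backend routes on the decoded, normalized one, and a defensive check refuses to cache when the two disagree. The /img/ prefix rule and the path-handling details are assumptions.

```python
from posixpath import normpath
from urllib.parse import unquote

# Assumed "aggressive caching" rule, modelled on the description above (not
# Nuster's real configuration): cache every response under /img/, keyed on
# Host + the raw request path.
CACHE_PREFIX = "/img/"


def proxy_cache_key(host, raw_path):
    """Cache key as the proxy builds it: the raw, still percent-encoded path."""
    if not raw_path.startswith(CACHE_PREFIX):
        return None  # rule does not match, response is not cached
    return host + raw_path


def app_route(raw_path):
    """Path as the backend routes it: percent-decode, then resolve '..'."""
    decoded = unquote(raw_path)      # "/img/..%2faccount/x/" -> "/img/../account/x/"
    resolved = normpath(decoded)     # -> "/account/x"
    if decoded.endswith("/") and resolved != "/":
        resolved += "/"              # normpath drops the trailing slash
    return resolved


def is_safe_to_cache(host, raw_path):
    """Defensive check: cache only when proxy and backend agree on the resource.

    Returns False for the self-XSS path above, because the backend serves
    /account/attacker/ while the proxy would file the response under /img/.
    """
    if proxy_cache_key(host, raw_path) is None:
        return False
    return app_route(raw_path).startswith(CACHE_PREFIX)
```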
