修改HTTP Post/get数据利器TamperIE（升级版）

bzcyer · 发表于 2011-3-9 11:17:03

@author Bzcyer

@ http://www.bzcyer.com/

安全测试中，中间者攻击是一个很常用的手段。采用TamperIE 可以模拟这个过程，主要是工作原理是截获HTTP Post/get数据，然后篡改Post/get数据，提交各类异常信息。
就最近几天工作中使用Tramper做的一些实际测试例子介绍下。
1.XSS（cross-site scripting）
曾经，测试出登录的地方有XSS的问题，主要是通过httpwartch看数据，然后手工拼地址，再往拼的地址中扔脚本。如：
http://192.168.1.129/member.do?method=customerLogon&mail=bzcyer@gmail.com&pws=222222

http://192.168.1.129/member.do?method=customerLogon&mail=>"'><img src="javascript:alert('XSS')">&pws=222222
使用TramperIE，可以非常简单的实现这点，如图：
在登录的时候，Post上来的数据：

讲用户名改成脚本：

然后send altered data。
用TramperIE能非常高效的验证XSS。另外再举个例子，就是用TramperIE来实现的。
见图：

结果是：

对于这里采用的时间的插件，手工去修改的话是不可能写入脚本，这个时候通过Post上来的数据，直接改了，就会出现XSS。

--------------------------我是超级无敌帅气的分割线----------------------------
下载：TamperIE (http://www.bayden.com/dl/TamperIESetup.exe)

TamperIETamperIE is an Internet Explorer Browser Helper Object which allows tampering with HTTP requests from Internet Explorer 5 and above.  If you haven't installed it yet, you can get it here.
WARNING: This tool makes it simple to do very bad things to poorly written code.  Malicious use of this tool against third-parties is a violation of federal, state, and local laws.  Be smart.
TamperIE is a useful tool for security testing your web applications, in order to ensure you don't make foolish assumptions about the data sent by client browsers.  Since the tool exposes and allows tampering with otherwise inconvenient input, many user-input security flaws immediately become apparent.
SSL? TamperIE works inside IE itself, before data is placed on the wire; this means that it works fine even against SSL secured sites.
Need more power? You might find the Fiddler HTTP Debugging Proxy more powerful, as it supports an automated scripting engine.
Using TamperIEFor this example, you can follow along here:  http://www.bayden.com/sandbox/shop/
Visiting the sample URL above presents a simple web-based shopping cart.

Wow, what a great tablet!  But $1995 seems kinda pricey, doesn't it?  Hrm... What to do?
Click the TamperIE icon on the toolbar.

Ensure the topmost checkbox is checked, like so:

Close the dialog.
Now, in the page, click Order! and the TamperIE editing dialog is shown.

Control	Function
URL Editbox	This box contains the URL which is being requested from the server. This field is editable. So, for instance, you can change the
Send Altered Data	This button will send the edited HTTP request to the specified URL.
Send Original Data	This button will send the unedited HTTP request to the original URL.
Cookies	This tab presents a read-only view of the cookies which are being sent to the server.You can edit your cookies by editing the cookie file on disk or using a great browser plugin like CookieSpy.
Raw Headers	This tab presents a read/write view of the custom HTTP headers which are being sent to the server. These are rarely used by web pages, but can be useful in some circumstances. For instance, sometimes web sites will not check authorization if "secret" HTTP headers are present in the request.
Raw Post	This tab presents a read/write view of the HTTP POST body which is being sent to the server. This is where TamperIE shines.Many web applications are coded very poorly, and implicitly trust data sent by the POST body. Some corporations mistakenly think that if the HTTP Header "Referer" is correct, the POST data must have been generated securely. Wrong.
PrettyPost	This tab presents a "pretty" read/write view of the HTTP POST body. POSTs are generally URL encoded, and this editing grid allows easy tampering. More on this in a moment.

Notice anything interesting about the POST data?


Hrm... A coincidence?  Let's see...  Click on the PrettyPost tab.

The POST form data is neatly broken down into name/value pairs in the grid.  See the Price field?  Click it to set focus to it.
The Value dropdown box to the right of the Edit Field label contains a number of pre-built attack strings which are known to cause problems for many web-based applications.  These vulnerabilities include SQL injection, buffer overflow, cross-site scripting, etc.


Note: If you'd like to customize this list, simply create a file named hackstrings.txt in the folder which contains ietamper.dll.  This file should contain one attack string per line.
In this case, however, we're not trying to crash the server, we're trying to get a discount on a computer.  Change the 1995.00 value to 10.00
Click the Raw Post tab to see the change reflected in the raw post data:

Click the Send Altered Data button at the top-right of the dialog box.  The TamperIE dialog will close and the tampered request will be sent to the server.

Note: SSL-encryption would have done nothing to foil this attack, since the data is being altered by the original submitter.  The vulnerability here is that the web site is blindly trusting a POST instead of performing a database lookup.  Amazingly, a huge number of shopping carts work this way, either for the actual product, or for the shipping cost.
TamperIE Control PanelThe TamperIE Control Panel allows you to control when you are prompted to tamper with requests.
Start the TamperIE Control Panel referenced in the IE toolbar.  (If the icon isn't visible, right-click the IE toolbar, and choose Customize).

The following dialog will appear:

Option	Function
Tamper with HTTP POSTs	Show the TamperIE dialog when a form is submitted with METHOD=POST
Tamper with HTTP GETs	Show the TamperIE dialog whenever a HTTP GET is performed.
Tamper with GET requests for the following files	Show the TamperIE dialog whenever a HTTP GET is performed and the resource address ends with the specified text.For instance, given the filter in the above screenshot, the following URL requests will match: www.washingtonpost.com/article.html?q=12311 www.banker.com/payee.html?id=321312&amt=1231 www.bayden.com/register.asp?product=TamperIE www.microsoft.com/passport/register.asp#FAQ etc... If this box contains a , all* GET requests will match the filter.
Only tamper with GETs with Query string parameters	Show the TamperIE dialog only when a HTTP GET is performed and there is query string data in the URL. Query string data is found in the URL after the ? character. For instance, in this Google hit, query data is shown in Red.http://www.google.com/search?hl=en&q=hacker