Author: 辛巴大佬
Previous days' posts:
Today is day eight of edusrc bug hunting, same routine as before: continuing to hunt for vulnerabilities at Shanghai Jiao Tong University, which ranks first on edusrc.
While doing asset discovery I found an asset address that, when visited, redirects to the jc unified login page; path scanning turned up an additional login page for off-campus users.
When I clicked login, one request to an API endpoint struck me as something that might have a problem:
The request packet:
POST /ums/ums/getRole HTTP/1.1
Host: user.xxxxxxx.sjtu.edu.cn
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 0
Origin: https://user.xxxxxxx.sjtu.edu.cn
Referer: https://user.xxxxxxx.sjtu.edu.cn/ums/user/index.html
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
sec-ch-ua: "Chromium";v="112", "Google Chrome";v="112", "Not:A-Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
The response came back with data:
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Credentials: false
Access-Control-Allow-Headers: X-Requested-With,Content-Type
Access-Control-Allow-Methods: PUT,POST,GET,DELETE,OPTIONS
Access-Control-Allow-Origin: https://user.xxxxxxx.sjtu.edu.cn
Connection: keep-alive
Content-Type: application/json; charset=utf-8
Date: Tue, 07 Feb 2023 10:40:42 GMT
Etag: W/"4d4-d17bqK52VNY2JQ4ODTzgbhOimVQ"
Server: nginx
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Nginx-Debug-Variables: host:user.xxxxxxx.sjtu.edu.cn,request_uri:/ums/ums/getRole,
X-Powered-By: Express
X-Xss-Protection: 1; mode=block
Content-Length: 2721
{
"code": 100,
"msg": "请求成功",
"extend": {
"returnMsg": [
{
"roleId": "10",
"name": "用户联络员",
"energyValid": "0",
"imsValid": "0",
"meetingValid": "1",
"visitorValid": "1",
"limsValid": "1",
"param01": null,
"param02": "1",
"param03": "3"
},
{
"roleId": "11",
"name": "运行管理员",
"energyValid": "1",
"imsValid": "1",
"meetingValid": "1",
"visitorValid": "1",
"limsValid": "1",
"param01": null,
"param02": "2",
"param03": "1"
},
{
"roleId": "13",
"name": "系统管理员",
"energyValid": "1",
"imsValid": "1",
"meetingValid": "1",
"visitorValid": "1",
"limsValid": "1",
"param01": null,
"param02": "3",
"param03": "1"
},
{
"roleId": "3",
"name": "物业管理员",
"energyValid": "1",
"imsValid": "0",
"meetingValid": "1",
"visitorValid": "1",
"limsValid": "1",
"param01": null,
"param02": "4",
"param03": "2"
},
{
"roleId": "7",
"name": "全校老师",
"energyValid": "0",
"imsValid": "0",
"meetingValid": "1",
"visitorValid": "0",
"limsValid": "0",
"param01": null,
"param02": "5",
"param03": "1"
},
{
"roleId": "8",
"name": "全校学生",
"energyValid": "0",
"imsValid": "0",
"meetingValid": "0",
"visitorValid": "0",
"limsValid": "0",
"param01": null,
"param02": "6",
"param03": "1"
},
{
"roleId": "9",
"name": "用户",
"energyValid": "0",
"imsValid": "0",
"meetingValid": "1",
"visitorValid": "1",
"limsValid": "1",
"param01": null,
"param02": "7",
"param03": "3"
}
]
}
}
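As an added, defender-side example (not code from the original post), here is a small Python check that takes a raw request/response pair like the one above and flags what makes this response look off: the two conflicting Access-Control-Allow-Credentials headers, and a 200 JSON role listing returned to a request that carried no Cookie or Authorization header. The host and the body below are constructed placeholders, not the original capture.

```python
import json

# Constructed sample modelled on the request/response shown above (not the page's raw capture):
# the host is a placeholder and the JSON body is shortened to two role records.
REQUEST = """POST /ums/ums/getRole HTTP/1.1
Host: user.example.invalid
Accept: application/json, text/plain, */*
Content-Length: 0
Origin: https://user.example.invalid

"""
RESPONSE = """HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Credentials: false
Access-Control-Allow-Origin: https://user.example.invalid
Content-Type: application/json; charset=utf-8

{"code": 100, "msg": "ok", "extend": {"returnMsg": [
 {"roleId": "13", "name": "system admin", "param02": "3"},
 {"roleId": "8", "name": "student", "param02": "6"}]}}"""

def parse_http(raw):
    """Split a raw HTTP message into (start line, headers as lower-name -> list of values, body).
    Duplicate headers are kept as separate list entries so conflicts stay visible."""
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body

def find_anomalies(raw_request, raw_response):
    """Return a list of human-readable findings for the request/response pair."""
    findings = []
    _, req_headers, _ = parse_http(raw_request)
    status_line, headers, body = parse_http(raw_response)
    status = int(status_line.split()[1])
    acac = headers.get("access-control-allow-credentials", [])
    if len({v.lower() for v in acac}) > 1:  # both "true" and "false" sent: a server misconfiguration
        findings.append("conflicting Access-Control-Allow-Credentials: " + ", ".join(acac))
    for name, values in headers.items():
        if len(values) > 1 and name not in ("set-cookie", "vary"):  # these two are legitimately repeatable
            findings.append(f"duplicated header {name} ({len(values)} values)")
    authenticated = "cookie" in req_headers or "authorization" in req_headers
    if status == 200 and not authenticated:  # role data served without any session: missing auth check
        try:
            roles = json.loads(body)["extend"]["returnMsg"]
            findings.append(f"unauthenticated 200 exposing {len(roles)} role records")
        except (ValueError, KeyError, TypeError):
            pass  # not the role-list shape; nothing to report
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(REQUEST, RESPONSE):
        print(finding)
```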
I fuzzed the getRole part of POST /ums/ums/getRole
and eventually found that the endpoint leaks information:
I could see the information, but not the administrator passwords, so I fuzzed out another parameter: adminlist
None of the three passwords could be cracked; in the end the report was rated 4 points.
One last thing: the bug hunting discussion group has reached 400 members. If you want to join, add me on WeChat and I'll invite you:
WeChat ID: hkxinba
The group shares Jiao Tong University assets and bug hunting discussion; anyone interested should join!
Originally published on the WeChat public account 绿帽子安全团队: edusrc漏洞挖掘第八天|我一眼就看出你这响应不对劲 (Day eight of edusrc bug hunting | I could tell at a glance that this response was off)
Disclaimer: the programs (methods) covered in this article may be offensive in nature and are provided solely for security research and teaching. Readers who put this information to any other use bear full legal and joint liability; this site assumes no legal or joint liability. For any issues, contact us by e-mail (preferably from a corporate or otherwise valid mailbox so the message is not filtered; contact details are on the home page).