作者:辛巴大佬
前面几天的内容:
今天是edusrc漏洞挖掘第八天,还是老规矩。继续对edusrc排名第一的伤害交通大学进行漏洞挖掘。
在进行资产探测的时候,发现一个资产地址,如果点击访问会跳转到jc统一登录地址,通过路径扫描发现还有一个校外用户登录页面。
在点击登陆的时候,有个请求的接口地址让我觉得可能会存在问题:
数据包如下:
POST /ums/ums/getRole HTTP/1.1Host: user.xxxxxxx.sjtu.edu.cnAccept: application/json, text/plain, */*Accept-Encoding: gzip, deflate, brAccept-Language: zh-CN,zh;q=0.9Content-Length: 0Origin: https://user.xxxxxxx.sjtu.edu.cnReferer: https://user.xxxxxxx.sjtu.edu.cn/ums/user/index.htmlSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="112", "Google Chrome";v="112", "Not:A-Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "macOS"
响应包返回了数据内容:
HTTP/1.1 200 OKAccess-Control-Allow-Credentials: trueAccess-Control-Allow-Credentials: falseAccess-Control-Allow-Headers: X-Requested-With,Content-TypeAccess-Control-Allow-Methods: PUT,POST,GET,DELETE,OPTIONSAccess-Control-Allow-Origin: https://user.xxxxxxx.sjtu.edu.cnConnection: keep-aliveContent-Type: application/json; charset=utf-8Date: Tue, 07 Feb 2023 10:40:42 GMTEtag: W/"4d4-d17bqK52VNY2JQ4ODTzgbhOimVQ"Server: nginxStrict-Transport-Security: max-age=31536000; includeSubDomainsX-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINX-Nginx-Debug-Variables: host:user.xxxxxxx.sjtu.edu.cn,request_uri:/ums/ums/getRole,X-Powered-By: ExpressX-Xss-Protection: 1; mode=blockContent-Length: 2721{"code": 100,"msg": "请求成功","extend": {"returnMsg": [{"roleId": "10","name": "用户联络员","energyValid": "0","imsValid": "0","meetingValid": "1","visitorValid": "1","limsValid": "1","param01": null,"param02": "1","param03": "3"},{"roleId": "11","name": "运行管理员","energyValid": "1","imsValid": "1","meetingValid": "1","visitorValid": "1","limsValid": "1","param01": null,"param02": "2","param03": "1"},{"roleId": "13","name": "系统管理员","energyValid": "1","imsValid": "1","meetingValid": "1","visitorValid": "1","limsValid": "1","param01": null,"param02": "3","param03": "1"},{"roleId": "3","name": "物业管理员","energyValid": "1","imsValid": "0","meetingValid": "1","visitorValid": "1","limsValid": "1","param01": null,"param02": "4","param03": "2"},{"roleId": "7","name": "全校老师","energyValid": "0","imsValid": "0","meetingValid": "1","visitorValid": "0","limsValid": "0","param01": null,"param02": "5","param03": "1"},{"roleId": "8","name": "全校学生","energyValid": "0","imsValid": "0","meetingValid": "0","visitorValid": "0","limsValid": "0","param01": null,"param02": "6","param03": "1"},{"roleId": "9","name": "用户","energyValid": "0","imsValid": "0","meetingValid": "1","visitorValid": "1","limsValid": "1","param01": null,"param02": "7","param03": "3"}]}}
对POST /ums/ums/getRole的getRole进行fuzz
最后发现接口信息泄漏:
看见了信息,但是没有看见管理员密码,又fuzz出来一个参数:adminlist
三个密码都没解出来,最后给了4分
写在最后,漏洞挖掘交流群满四百人了,想加入的加我微信拉:
微信号:hkxinba
里面提供交大资产,和漏洞挖掘交流,有兴趣的一定要加入!
原文始发于微信公众号(绿帽子安全团队):edusrc漏洞挖掘第八天|我一眼就看出你这响应不对劲
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论