<html><head>
<title>漏洞挖掘-越权</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0,viewport-fit=cover">
<style>
*{margin:0;padding:0;max-width:100%;box-sizing:border-box;}html{-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%;line-height:1.6}img{z-index:999;position:relative;max-width:100%;margin:10px 0;}body{-webkit-touch-callout:none;font family:-apple-system-font,BlinkMacSystemFont,"Helvetica Neue","PingFang SC","Hiragino Sans GB","Microsoft YaHei UI","Microsoft YaHei",Arial,sans-serif;color:#333;letter-spacing:.034em}h1,h2,h3,h4,h5,h6{font-weight:400;font-size:16px;line-height:36px;}a{color:#576b95;text-decoration:none;-webkit-tap-highlight-color:rgba(0,0,0,0)}td,th{word-wrap:break-word;padding:5px 10px;border:1px solid #DDD;}table{margin-bottom:10px;border-collapse:collapse;display:table;width:100%!important;}.appmsg_skin_default .rich_media_area_primary{background-color:#fff}.appmsg_skin_default .rich_media_area_primary .weui-loadmore_line .weui-loadmore__tips{background-color:#fff}.rich_media_area_primary{padding:20px 16px 12px;background-color:#fafafa}@media (max-width:375px){.rich_media_area_primary{padding:20px 60px 15px 60px}.rich_media_area_extra{padding:0 60px 21px 60px}}@media (min-width:1024px){.rich_media_area_primary_inner,.rich_media_area_extra_inner,body{max-width:677px;margin-left:auto;margin-right:auto}.rich_media_area_primary{padding-top:32px}}.rich_media{padding:20px;}.appmsg_skin_default .rich_media_area_primary{background-color:#fff}.appmsg_skin_default .rich_media_area_primary .weui-loadmore_line .weui-loadmore__tips{background-color:#fff}@media screen and (min-width:1024px){.rich_media_area_primary_inner,.rich_media_area_extra_inner{max-width:677px;margin-left:auto;margin-right:auto}.rich_media_area_primary{padding-top:32px}}.rich_media_content{overflow:hidden;color:#333;font-size:17px;line-height:37px;;word-wrap:break-word;-webkit-hyphens:auto;-ms-hyphens:auto;hyphens:auto;text-align:justify;position:relative;z-index:0}.rich_media_content 
*{max-width:100%!important;box-sizing:border-box!important;-webkit-box-sizing:border-box!important;word-wrap:break-word!important}.rich_media_content p{clear:both;min-height:1em}.rich_media_content em{font-style:italic}.rich_media_content fieldset{min-width:0}.rich_media_content .list-paddingleft-1,.rich_media_content .list-paddingleft-2,.rich_media_content .list-paddingleft-3{padding-left:2.2em}.rich_media_content .list-paddingleft-1 .list-paddingleft-2,.rich_media_content .list-paddingleft-2 .list-paddingleft-2,.rich_media_content .list-paddingleft-3 .list-paddingleft-2{padding-left:30px}.rich_media_content .list-paddingleft-1{padding-left:1.2em}.rich_media_content .list-paddingleft-3{padding-left:3.2em}.rich_media_content .code-snippet,.rich_media_content .code-snippet__fix{max-width:1000%!important}.rich_media_content .code-snippet *,.rich_media_content .code-snippet__fix *{max-width:1000%!important}.rich_media_title{font-size:22px;line-height:42px;;line-height:1.4;margin:10px 0;padding-bottom:10px;border-bottom:1px solid #e7e7eb;}@supports(-webkit-overflow-scrolling:touch){.rich_media_title{font-weight:700}}.rich_media_meta{display:inline-block;vertical-align:middle;margin:0 10px 10px 0;font-size:15px;line-height:35px;;line-height:35px;;line-height:35px;;line-height:35px;;-webkit-tap-highlight-color:rgba(0,0,0,0)}.rich_media_meta.icon_appmsg_tag{margin-right:4px}.rich_media_meta.meta_tag_text{margin-right:0}.rich_media_meta_list em{font-style:normal}.rich_media_meta_text{color:rgba(0,0,0,0.3)}p{margin:0;}.msgBox{margin-top:20px;padding-top:20px;padding-left:50px;overflow:hidden;border-top:2px dashed #09a2ff;}.msg{padding-top:7px;clear:both;}.msgBody{float:right;width:100%;margin-left:55px;padding-bottom:15px;border-bottom:1px dashed #e0e0e0;}.userHeadImg{float:left;margin-left:-50px;}.userHeadImg 
img{width:40px;height:40px;margin-right:10px;border-radius:3px;}.userName{color:#888888;line-height:24px;font-size:14px;line-height:34px;;line-height:34px;;line-height:34px;;line-height:34px;;line-height:34px;;line-height:34px;;line-height:34px;;line-height:34px;;line-height:34px;;line-height:34px;;line-height:34px;;margin:5px 0 5px 0;height:24px;}.replyBody,.autherBody{color:#565656;font-size:15px;}.replyIcon{border-left:4px solid #33ab01;margin-right:5px;}.ad{text-decoration:none;color:#d6d4d4;font-size:12px;line-height:32px;;}.msgBodyReply{padding-top:5px;}.userName span{float:right;color:#afafaf;font-size:14px;}code{text-align:left;font-size:14px;display:block;white-space:pre;display:-webkit-box;display:-webkit-flex;display:flex;position:relative;}.code-snippet__fix{font-size:14px;margin:10px 0;display:block;color:#333;position:relative;background-color:rgba(0,0,0,0.03);border:1px solid #f0f0f0;border-radius:2px;display:-webkit-box;display:-webkit-flex;display:flex;padding-left:25px;line-height:26px}.code-snippet__fix code{text-align:left;font-size:14px;display:block;white-space:pre;display:-webkit-box;display:-webkit-flex;display:flex;position:relative;font family:Consolas,"Liberation Mono",Menlo,Courier,monospace}.code-snippet__comment,.code-snippet__quote{color:#afafaf;font-style:italic}.code-snippet__keyword,.code-snippet__selector-tag,.code-snippet__subst{color:#ca7d37}.code-snippet__number,.code-snippet__literal,.code-snippet__variable,.code-snippet__template-variable,.code-snippet__tag .code-snippet__attr{color:#0e9ce5}.code-snippet__string,.code-snippet__doctag{color:#d14}.code-snippet__title,.code-snippet__section,.code-snippet__selector-id{color:#d14}.code-snippet__subst{font-weight:normal}.code-snippet__type,.code-snippet__class 
.code-snippet__title{color:#0e9ce5}.code-snippet__tag,.code-snippet__name,.code-snippet__attribute{color:#0e9ce5;font-weight:normal}.code-snippet__regexp,.code-snippet__link{color:#ca7d37}.code-snippet__symbol,.code-snippet__bullet{color:#d14}.code-snippet__built_in,.code-snippet__builtin-name{color:#ca7d37}.code-snippet__meta{color:#afafaf}.code-snippet__deletion{background:#fdd}.code-snippet__addition{background:#dfd}.code-snippet__emphasis{font-style:italic}.code-snippet__strong{font-weight:bold}.account_avatar{width:40px;height:40px;padding:0;}.account_info{display:-webkit-box;display:-webkit-flex;display:flex;-webkit-box-align:center;-webkit-align-items:center;padding:20px 0;align-items:center}.flex_bd{padding-left:14px;}.account_nickname{display:inline-block;vertical-align:middle;line-height:1.2;color:#576b95;font-size:14px}.account_desc{overflow:hidden;text-overflow:ellipsis;display:-webkit-box;-webkit-box-orient:vertical;-webkit-line-clamp:1;color:rgba(0,0,0,0.3);font-size:14px;line-height:1.2;padding-top:.4em}.msg_source_url{text-align:left;word-break:break-all;margin-top:20px;}.msg_source_url a{padding-right:10px;}.msg_source_url .url_text{color:#a8a8a8;}.video-desc{font-size:14px;margin-top:15px;color:#6c6c6c;}.msg_source_url{text-align:left;}.original_primary_card_tips{color:rgba(0,0,0,0.3);line-height:1.4;font-size:15px;}.weui-flex__item{margin-bottom:20px;padding:20px 16px;margin-top:16px;line-height:1.4;align-items:center;background-color:#f7f7f7;border-radius:8px;position:relative;}.original_primary_desc{color:rgba(0,0,0,0.5);font-size:14px;padding-top:4px;width:auto;overflow:hidden;text-overflow:ellipsis;}.msgBodyReplyList{border-top:1px solid #e1e1e1;margin-top:10px;}.msgBodyReplyListTop{border-top:0;}.reply_like_num{float:right;font-size:14px;color:#c7c7c7;}.msgData{margin-top:20px;color:#626262;}.msgData span{font-size:14px;padding-right:15px;}.msgData .likes{float:right;padding-right:0;}.js_text_content 
p{font-size:18px;line-height:38px;;}.rich_media_meta_link{font-size:15px;}blockquote {padding-left: 10px;border-left: 3px solid #dbdbdb;color: rgba(0,0,0,0.5);font-size:15px;line-height:35px;;padding-top: 4px;margin: 1em 0;}.video_iframe{width:500px;height:400px;}.blockquote_info{color:#b5b5b5;margin-top:10px;}.playVideoWx{position:relative;display:block;}.icon_mid_play{position:absolute;z-index:9999;top:50%;left:50%;display:-webkit-box;display:-webkit-flex;display:flex;-webkit-box-align:center;-webkit-align-items:center;align-items:center;-webkit-box-pack:center;-webkit-justify-content:center;justify-content:center;width:48px;height:48px;background:rgba(237,237,237,0.9);border-radius:50%}.icon_mid_play:before{content:"";text-indent:-999em;display:inline-block;width:28px;height:28px;vertical-align:middle;background-size:cover;background-image:url("data:image/svg+xml;charset=utf8,%3Csvg xmlns='http://www.w3.org/2000/svg' width='24' height='24' viewBox='0 0 24 24'%3E%3Cpath fill='%23151515' fill-rule='evenodd' d='M9.524 4.938l10.092 6.21a1 1 0 0 1 0 1.704l-10.092 6.21A1 1 0 0 1 8 18.21V5.79a1 1 0 0 1 1.524-.852z'/%3E%3C/svg%3E")}
</style>
<link href="https://www.juyifx.cn/config/css/wxArticle.css" rel="stylesheet"/>
</head>
<body>
<div class="rich_media">
<h1 class="rich_media_title" id="activity-name">
漏洞挖掘-越权
</h1>
<div id="meta_content" class="rich_media_meta_list">
<span id="copyright_logo" class="rich_media_meta icon_appmsg_tag appmsg_title_tag weui-wa-hotarea">原创</span>
<span class="rich_media_meta rich_media_meta_text">
crhua
</span>
<span class="rich_media_meta rich_media_meta_nickname" id="profileBt">
<a href="javascript:void(0);" class=" weui-wa-hotarea" id="js_name">
huasec </a>
</span>
<em id="publish_time" class="rich_media_meta rich_media_meta_text">2018-05-31</em>
</div>
<div id="js_tags"class="article-tag__list" style="display: none;" data-len="0">
<div class="article-tag-card__title">收录于话题</div>
<div class="article-tags">
</div>
</div><div id="weixin_content"><p><strong><span style="font-size:18px;line-height:38px;;">0x01 越权是什么?</span></strong></p><p style="box-sizing: border-box;font family: 'Microsoft YaHei', 微软雅黑, ' WenQuanYi Micro Hei', 'Helvetica Neue', Arial, 'Hiragino Sans GB', 'WenQuanYi Micro Hei', 'Droid Sans Mono', 'Droid Sans Fallback', sans-serif;margin: 0px 0px 0.3em;color: rgb(51, 51, 51);font-size:14px;line-height:34px;;font-style: normal;font-variant: normal;font-weight: normal;letter-spacing: normal;line-height: 20px;orphans: auto;text-align: start;text-indent: 0px;text-transform: none;white-space: normal;widows: 1;word-spacing: 0px;-webkit-text-stroke-width: 0px;background-color: rgb(255, 255, 255);"><span data-mce-style="font-size: 12pt;" style="box-sizing: border-box;font family: inherit;font-size: 12pt;"><span data-mce-type="bookmark" data-mce-style="overflow:hidden;line-height:0px" style="box-sizing: border-box;font family: inherit;overflow: hidden;line-height: 0px;"></span>不安全的直接对象引用(IDOR)允许攻击者绕过网站的授权(权限校验)机制,通过修改指向对象的链接中的参数值来直接访问目标对象资源,这类资源可以是属于其他用户的数据库条目以及服务器系统中的隐私文件等等。导致这种情况出现的原因是,系统在接受用户输入并利用输入信息获取对象之前,没有校验当前用户是否有权访问该对象。<strong style="box-sizing: border-box;font family: inherit;font-weight: bold;"><span data-mce-type="bookmark" data-mce-style="overflow:hidden;line-height:0px" style="box-sizing: border-box;font family: inherit;overflow: hidden;line-height: 0px;"></span></strong></span></p><p style="box-sizing: border-box;font family: 'Microsoft YaHei', 微软雅黑, ' WenQuanYi Micro Hei', 'Helvetica Neue', Arial, 'Hiragino Sans GB', 'WenQuanYi Micro Hei', 'Droid Sans Mono', 'Droid Sans Fallback', sans-serif;margin: 0px 0px 0.3em;color: rgb(51, 51, 51);font-size:14px;line-height:34px;;font-style: normal;font-variant: normal;font-weight: normal;letter-spacing: normal;line-height: 20px;orphans: auto;text-align: start;text-indent: 0px;text-transform: none;white-space: normal;widows: 1;word-spacing: 0px;-webkit-text-stroke-width: 0px;background-color: rgb(255, 255, 255);"><strong><span 
style="font-size:18px;line-height:38px;;"> 0x02 越权漏洞分类</span></strong></p><p style="box-sizing: border-box;font family: 'Microsoft YaHei', 微软雅黑, ' WenQuanYi Micro Hei', 'Helvetica Neue', Arial, 'Hiragino Sans GB', 'WenQuanYi Micro Hei', 'Droid Sans Mono', 'Droid Sans Fallback', sans-serif;margin: 0px 0px 0.3em;color: rgb(51, 51, 51);font-size:14px;line-height:34px;;font-style: normal;font-variant: normal;font-weight: normal;letter-spacing: normal;line-height: 20px;orphans: auto;text-align: start;text-indent: 0px;text-transform: none;white-space: normal;widows: 1;word-spacing: 0px;-webkit-text-stroke-width: 0px;background-color: rgb(255, 255, 255);">分三类,如下<br/></p><p style="box-sizing: border-box;font family: 'Microsoft YaHei', 微软雅黑, ' WenQuanYi Micro Hei', 'Helvetica Neue', Arial, 'Hiragino Sans GB', 'WenQuanYi Micro Hei', 'Droid Sans Mono', 'Droid Sans Fallback', sans-serif;margin: 0px 0px 0.3em;color: rgb(51, 51, 51);font-size:14px;line-height:34px;;font-style: normal;font-variant: normal;font-weight: normal;letter-spacing: normal;line-height: 20px;orphans: auto;text-align: start;text-indent: 0px;text-transform: none;white-space: normal;widows: 1;word-spacing: 0px;-webkit-text-stroke-width: 0px;background-color: rgb(255, 255, 255);"><span style="color: rgb(51, 51, 51);font family: 'Microsoft YaHei', 微软雅黑, ' WenQuanYi Micro Hei', 'Helvetica Neue', Arial, 'Hiragino Sans GB', 'WenQuanYi Micro Hei', 'Droid Sans Mono', 'Droid Sans Fallback', sans-serif;font-size:14px;line-height:34px;;font-style: normal;font-variant: normal;font-weight: normal;letter-spacing: normal;line-height: 20px;orphans: auto;text-align: start;text-indent: 0px;text-transform: none;white-space: normal;widows: 1;word-spacing: 0px;-webkit-text-stroke-width: 0px;display: inline !important;float: none;background-color: rgb(255, 255, 255);">1.垂直越权</span><br style="box-sizing: border-box;font family: 'Microsoft YaHei', 微软雅黑, ' WenQuanYi Micro Hei', 'Helvetica Neue', Arial, 'Hiragino Sans GB', 'WenQuanYi 
Micro Hei', 'Droid Sans Mono', 'Droid Sans Fallback', sans-serif;color: rgb(51, 51, 51);font-size:14px;line-height:34px;;font-style: normal;font-variant: normal;font-weight: normal;letter-spacing: normal;line-height: 20px;orphans: auto;text-align: start;text-indent: 0px;text-transform: none;white-space: normal;widows: 1;word-spacing: 0px;-webkit-text-stroke-width: 0px;background-color: rgb(255, 255, 255);"/><span style="color: rgb(51, 51, 51);font family: 'Microsoft YaHei', 微软雅黑, ' WenQuanYi Micro Hei', 'Helvetica Neue', Arial, 'Hiragino Sans GB', 'WenQuanYi Micro Hei', 'Droid Sans Mono', 'Droid Sans Fallback', sans-serif;font-size:14px;line-height:34px;;font-style: normal;font-variant: normal;font-weight: normal;letter-spacing: normal;line-height: 20px;orphans: auto;text-align: start;text-indent: 0px;text-transform: none;white-space: normal;widows: 1;word-spacing: 0px;-webkit-text-stroke-width: 0px;display: inline !important;float: none;background-color: rgb(255, 255, 255);">这种类型的越权就是可以在不同身份之间越权,比如你是普通用户,但是可以越权到管理员,甚至超级管理员</span><br style="box-sizing: border-box;font family: 'Microsoft YaHei', 微软雅黑, ' WenQuanYi Micro Hei', 'Helvetica Neue', Arial, 'Hiragino Sans GB', 'WenQuanYi Micro Hei', 'Droid Sans Mono', 'Droid Sans Fallback', sans-serif;color: rgb(51, 51, 51);font-size:14px;line-height:34px;;font-style: normal;font-variant: normal;font-weight: normal;letter-spacing: normal;line-height: 20px;orphans: auto;text-align: start;text-indent: 0px;text-transform: none;white-space: normal;widows: 1;word-spacing: 0px;-webkit-text-stroke-width: 0px;background-color: rgb(255, 255, 255);"/><span style="color: rgb(51, 51, 51);font family: 'Microsoft YaHei', 微软雅黑, ' WenQuanYi Micro Hei', 'Helvetica Neue', Arial, 'Hiragino Sans GB', 'WenQuanYi Micro Hei', 'Droid Sans Mono', 'Droid Sans Fallback', sans-serif;font-size:14px;line-height:34px;;font-style: normal;font-variant: normal;font-weight: normal;letter-spacing: normal;line-height: 20px;orphans: auto;text-align: 
start;text-indent: 0px;text-transform: none;white-space: normal;widows: 1;word-spacing: 0px;-webkit-text-stroke-width: 0px;display: inline !important;float: none;background-color: rgb(255, 255, 255);">2.水平越权</span><br style="box-sizing: border-box;font family: 'Microsoft YaHei', 微软雅黑, ' WenQuanYi Micro Hei', 'Helvetica Neue', Arial, 'Hiragino Sans GB', 'WenQuanYi Micro Hei', 'Droid Sans Mono', 'Droid Sans Fallback', sans-serif;color: rgb(51, 51, 51);font-size:14px;line-height:34px;;font-style: normal;font-variant: normal;font-weight: normal;letter-spacing: normal;line-height: 20px;orphans: auto;text-align: start;text-indent: 0px;text-transform: none;white-space: normal;widows: 1;word-spacing: 0px;-webkit-text-stroke-width: 0px;background-color: rgb(255, 255, 255);"/><span style="color: rgb(51, 51, 51);font family: 'Microsoft YaHei', 微软雅黑, ' WenQuanYi Micro Hei', 'Helvetica Neue', Arial, 'Hiragino Sans GB', 'WenQuanYi Micro Hei', 'Droid Sans Mono', 'Droid Sans Fallback', sans-serif;font-size:14px;line-height:34px;;font-style: normal;font-variant: normal;font-weight: normal;letter-spacing: normal;line-height: 20px;orphans: auto;text-align: start;text-indent: 0px;text-transform: none;white-space: normal;widows: 1;word-spacing: 0px;-webkit-text-stroke-width: 0px;display: inline !important;float: none;background-color: rgb(255, 255, 255);">这种类型的越权就是越权其他用户,比如说你要查看一篇邮件。但是有越权漏洞,却可以查看其他人的邮件</span><br style="box-sizing: border-box;font family: 'Microsoft YaHei', 微软雅黑, ' WenQuanYi Micro Hei', 'Helvetica Neue', Arial, 'Hiragino Sans GB', 'WenQuanYi Micro Hei', 'Droid Sans Mono', 'Droid Sans Fallback', sans-serif;color: rgb(51, 51, 51);font-size:14px;line-height:34px;;font-style: normal;font-variant: normal;font-weight: normal;letter-spacing: normal;line-height: 20px;orphans: auto;text-align: start;text-indent: 0px;text-transform: none;white-space: normal;widows: 1;word-spacing: 0px;-webkit-text-stroke-width: 0px;background-color: rgb(255, 255, 255);"/><span style="color: 
rgb(51, 51, 51);font family: 'Microsoft YaHei', 微软雅黑, ' WenQuanYi Micro Hei', 'Helvetica Neue', Arial, 'Hiragino Sans GB', 'WenQuanYi Micro Hei', 'Droid Sans Mono', 'Droid Sans Fallback', sans-serif;font-size:14px;line-height:34px;;font-style: normal;font-variant: normal;font-weight: normal;letter-spacing: normal;line-height: 20px;orphans: auto;text-align: start;text-indent: 0px;text-transform: none;white-space: normal;widows: 1;word-spacing: 0px;-webkit-text-stroke-width: 0px;display: inline !important;float: none;background-color: rgb(255, 255, 255);">3.上下文越权</span><br style="box-sizing: border-box;font family: 'Microsoft YaHei', 微软雅黑, ' WenQuanYi Micro Hei', 'Helvetica Neue', Arial, 'Hiragino Sans GB', 'WenQuanYi Micro Hei', 'Droid Sans Mono', 'Droid Sans Fallback', sans-serif;color: rgb(51, 51, 51);font-size:14px;line-height:34px;;font-style: normal;font-variant: normal;font-weight: normal;letter-spacing: normal;line-height: 20px;orphans: auto;text-align: start;text-indent: 0px;text-transform: none;white-space: normal;widows: 1;word-spacing: 0px;-webkit-text-stroke-width: 0px;background-color: rgb(255, 255, 255);"/><span style="color: rgb(51, 51, 51);font family: 'Microsoft YaHei', 微软雅黑, ' WenQuanYi Micro Hei', 'Helvetica Neue', Arial, 'Hiragino Sans GB', 'WenQuanYi Micro Hei', 'Droid Sans Mono', 'Droid Sans Fallback', sans-serif;font-size:14px;line-height:34px;;font-style: normal;font-variant: normal;font-weight: normal;letter-spacing: normal;line-height: 20px;orphans: auto;text-align: start;text-indent: 0px;text-transform: none;white-space: normal;widows: 1;word-spacing: 0px;-webkit-text-stroke-width: 0px;display: inline !important;float: none;background-color: rgb(255, 255, 255);">上下文越权就是说在某个程序需要执行3个步骤,而你却可以跳过其中某个步骤</span></p><p><span style="font-size:18px;line-height:38px;;"><strong>0x03 挖掘方法</strong></span></p><ol style="list-style-type: decimal;" class=" 
list-paddingleft-2"><li><p>查询程序是否有分级处理(用户,代理,经销,管理员),这些用户是否拥有不同的功能?</p></li><li><p>检查cookie与参数中是否有权限验证机制</p></li><li><p>账户之间是否有不同的标识符</p></li><li><p><strong style="box-sizing: border-box;font family: 'Microsoft YaHei', 微软雅黑, ' WenQuanYi Micro Hei', 'Helvetica Neue', Arial, 'Hiragino Sans GB', 'WenQuanYi Micro Hei', 'Droid Sans Mono', 'Droid Sans Fallback', sans-serif;font-weight: bold;color: rgb(51, 51, 51);font-size:14px;line-height:34px;;font-style: normal;font-variant: normal;letter-spacing: normal;line-height: 20px;orphans: auto;text-align: start;text-indent: 0px;text-transform: none;white-space: normal;widows: 1;word-spacing: 0px;-webkit-text-stroke-width: 0px;background-color: rgb(255, 255, 255);"><span style="color: rgb(51, 51, 51);font family: 'Microsoft YaHei', 微软雅黑, ' WenQuanYi Micro Hei', 'Helvetica Neue', Arial, 'Hiragino Sans GB', 'WenQuanYi Micro Hei', 'Droid Sans Mono', 'Droid Sans Fallback', sans-serif;font-size:14px;line-height:34px;;font-style: normal;font-variant: normal;font-weight: normal;letter-spacing: normal;line-height: 20px;orphans: auto;text-align: start;text-indent: 0px;text-transform: none;white-space: normal;widows: 1;word-spacing: 0px;-webkit-text-stroke-width: 0px;display: inline !important;float: none;background-color: rgb(255, 255, 255);">使用不同权限的账号确定自己能够使用的功能,然后使用低权限的账号尝试访问高权限的功能</span></strong></p></li><li><p><strong style="box-sizing: border-box;font family: 'Microsoft YaHei', 微软雅黑, ' WenQuanYi Micro Hei', 'Helvetica Neue', Arial, 'Hiragino Sans GB', 'WenQuanYi Micro Hei', 'Droid Sans Mono', 'Droid Sans Fallback', sans-serif;font-weight: bold;color: rgb(51, 51, 51);font-size:14px;line-height:34px;;font-style: normal;font-variant: normal;letter-spacing: normal;line-height: 20px;orphans: auto;text-align: start;text-indent: 0px;text-transform: none;white-space: normal;widows: 1;word-spacing: 0px;-webkit-text-stroke-width: 0px;background-color: rgb(255, 255, 255);"><span style="color: rgb(51, 51, 51);font family: 'Microsoft YaHei', 
微软雅黑, ' WenQuanYi Micro Hei', 'Helvetica Neue', Arial, 'Hiragino Sans GB', 'WenQuanYi Micro Hei', 'Droid Sans Mono', 'Droid Sans Fallback', sans-serif;font-size:14px;line-height:34px;;font-style: normal;font-variant: normal;font-weight: normal;letter-spacing: normal;line-height: 20px;orphans: auto;text-align: start;text-indent: 0px;text-transform: none;white-space: normal;widows: 1;word-spacing: 0px;-webkit-text-stroke-width: 0px;display: inline !important;float: none;background-color: rgb(255, 255, 255);"><span style="color: rgb(51, 51, 51);font family: 'Microsoft YaHei', 微软雅黑, ' WenQuanYi Micro Hei', 'Helvetica Neue', Arial, 'Hiragino Sans GB', 'WenQuanYi Micro Hei', 'Droid Sans Mono', 'Droid Sans Fallback', sans-serif;font-size:14px;line-height:34px;;font-style: normal;font-variant: normal;font-weight: normal;letter-spacing: normal;line-height: 20px;orphans: auto;text-align: start;text-indent: 0px;text-transform: none;white-space: normal;widows: 1;word-spacing: 0px;-webkit-text-stroke-width: 0px;display: inline !important;float: none;background-color: rgb(255, 255, 255);">如果垂直越权不成功可以尝试水平越权,使用两个相同权限的账号,访问自己相同的资源。然后使用一个账号访问另一个账号的资源</span></span></strong></p></li></ol><p><strong><span style="color: rgb(51, 51, 51);">0x04 存在场景</span></strong></p><p><strong><span style="color: rgb(51, 51, 51);"></span></strong></p><p style="box-sizing: border-box;font family: 'Microsoft YaHei', 微软雅黑, ' WenQuanYi Micro Hei', 'Helvetica Neue', Arial, 'Hiragino Sans GB', 'WenQuanYi Micro Hei', 'Droid Sans Mono', 'Droid Sans Fallback', sans-serif;margin: 0px 0px 0.3em;color: rgb(51, 51, 51);font-size:14px;line-height:34px;;font-style: normal;font-variant: normal;font-weight: normal;letter-spacing: normal;line-height: 20px;orphans: auto;text-align: start;text-indent: 0px;text-transform: none;white-space: normal;widows: 1;word-spacing: 0px;-webkit-text-stroke-width: 0px;background-color: rgb(255, 255, 255);">以下情况是我遇到过的,欢迎补充。<br/></p><p style="box-sizing: border-box;font family: 'Microsoft 
YaHei', 微软雅黑, ' WenQuanYi Micro Hei', 'Helvetica Neue', Arial, 'Hiragino Sans GB', 'WenQuanYi Micro Hei', 'Droid Sans Mono', 'Droid Sans Fallback', sans-serif;margin: 0px 0px 0.3em;color: rgb(51, 51, 51);font-size:14px;line-height:34px;;font-style: normal;font-variant: normal;font-weight: normal;letter-spacing: normal;line-height: 20px;orphans: auto;text-align: start;text-indent: 0px;text-transform: none;white-space: normal;widows: 1;word-spacing: 0px;-webkit-text-stroke-width: 0px;background-color: rgb(255, 255, 255);">1、菜单URL越权访问:不同角色账号访问的系统菜单URL不同,但服务端并未限制它们互相访问。</p><p style="box-sizing: border-box;font family: 'Microsoft YaHei', 微软雅黑, ' WenQuanYi Micro Hei', 'Helvetica Neue', Arial, 'Hiragino Sans GB', 'WenQuanYi Micro Hei', 'Droid Sans Mono', 'Droid Sans Fallback', sans-serif;margin: 0px 0px 0.3em;color: rgb(51, 51, 51);font-size:14px;line-height:34px;;font-style: normal;font-variant: normal;font-weight: normal;letter-spacing: normal;line-height: 20px;orphans: auto;text-align: start;text-indent: 0px;text-transform: none;white-space: normal;widows: 1;word-spacing: 0px;-webkit-text-stroke-width: 0px;background-color: rgb(255, 255, 255);">2、订单/用户等信息遍历:未校验id是否归属于当前认证用户,修改id即可看到该id对应的相关信息。</p><p style="box-sizing: border-box;font family: 'Microsoft YaHei', 微软雅黑, ' WenQuanYi Micro Hei', 'Helvetica Neue', Arial, 'Hiragino Sans GB', 'WenQuanYi Micro Hei', 'Droid Sans Mono', 'Droid Sans Fallback', sans-serif;margin: 0px 0px 0.3em;color: rgb(51, 51, 51);font-size:14px;line-height:34px;;font-style: normal;font-variant: normal;font-weight: normal;letter-spacing: normal;line-height: 20px;orphans: auto;text-align: start;text-indent: 0px;text-transform: none;white-space: normal;widows: 1;word-spacing: 0px;-webkit-text-stroke-width: 0px;background-color: rgb(255, 255, 255);">3、找回/修改密码:修改密码阶段未校验待修改的账号是否属于当前已通过身份验证的用户。</p><p style="box-sizing: border-box;font family: 'Microsoft YaHei', 微软雅黑, ' WenQuanYi Micro Hei', 'Helvetica Neue', Arial, 'Hiragino Sans GB', 'WenQuanYi Micro Hei', 'Droid Sans Mono', 
'Droid Sans Fallback', sans-serif;margin: 0px 0px 0.3em;color: rgb(51, 51, 51);font-size:14px;line-height:34px;;font-style: normal;font-variant: normal;font-weight: normal;letter-spacing: normal;line-height: 20px;orphans: auto;text-align: start;text-indent: 0px;text-transform: none;white-space: normal;widows: 1;word-spacing: 0px;-webkit-text-stroke-width: 0px;background-color: rgb(255, 255, 255);">4、交易流程:下单阶段未在服务端校验订单数量、价格,而是直接信任客户端提交的值。</p><p><strong><span style="font-size:18px;line-height:38px;;">0x05 小技巧</span></strong></p><p style="box-sizing: border-box;font family: 'Microsoft YaHei', 微软雅黑, ' WenQuanYi Micro Hei', 'Helvetica Neue', Arial, 'Hiragino Sans GB', 'WenQuanYi Micro Hei', 'Droid Sans Mono', 'Droid Sans Fallback', sans-serif;margin: 0px 0px 0.3em;color: rgb(51, 51, 51);font-size:14px;line-height:34px;;font-style: normal;font-variant: normal;font-weight: normal;letter-spacing: normal;line-height: 20px;orphans: auto;text-align: start;text-indent: 0px;text-transform: none;white-space: normal;widows: 1;word-spacing: 0px;-webkit-text-stroke-width: 0px;background-color: rgb(255, 255, 255);">1、如果访问页面返回403,可以在请求头中加入X-Forwarded-For并将值设为127.0.0.1:若服务端仅凭这个客户端可控的头来判断来源IP,就可能绕过校验逻辑访问到页面。修复时来源IP只应取自可信代理,不能直接信任客户端提交的该头。</p><p style="box-sizing: border-box;font family: 'Microsoft YaHei', 微软雅黑, ' WenQuanYi Micro Hei', 'Helvetica Neue', Arial, 'Hiragino Sans GB', 'WenQuanYi Micro Hei', 'Droid Sans Mono', 'Droid Sans Fallback', sans-serif;margin: 0px 0px 0.3em;color: rgb(51, 51, 51);font-size:14px;line-height:34px;;font-style: normal;font-variant: normal;font-weight: normal;letter-spacing: normal;line-height: 20px;orphans: auto;text-align: start;text-indent: 0px;text-transform: none;white-space: normal;widows: 1;word-spacing: 0px;-webkit-text-stroke-width: 0px;background-color: rgb(255, 255, 255);">2. 
空值处理:针对多参数匹配查询(如UserID=11&userIDCard=2321312等),在获取用户数据时将其中任意字段置空,检查程序是否对空值做了校验。</p><p><span style="font-size:18px;line-height:38px;;"><strong>0x06 测试工具 </strong></span><span style="color: rgb(51, 51, 51);font family: 'Microsoft YaHei', 微软雅黑, ' WenQuanYi Micro Hei', 'Helvetica Neue', Arial, 'Hiragino Sans GB', 'WenQuanYi Micro Hei', 'Droid Sans Mono', 'Droid Sans Fallback', sans-serif;font-size:14px;line-height:34px;;font-style: normal;font-variant: normal;font-weight: normal;letter-spacing: normal;line-height: 20px;orphans: auto;text-align: start;text-indent: 0px;text-transform: none;white-space: normal;widows: 1;word-spacing: 0px;-webkit-text-stroke-width: 0px;display: inline !important;float: none;background-color: rgb(255, 255, 255);"><br/></span></p><p><span style="color: rgb(51, 51, 51);font family: 'Microsoft YaHei', 微软雅黑, ' WenQuanYi Micro Hei', 'Helvetica Neue', Arial, 'Hiragino Sans GB', 'WenQuanYi Micro Hei', 'Droid Sans Mono', 'Droid Sans Fallback', sans-serif;font-size:14px;line-height:34px;;font-style: normal;font-variant: normal;font-weight: normal;letter-spacing: normal;line-height: 20px;orphans: auto;text-align: start;text-indent: 0px;text-transform: none;white-space: normal;widows: 1;word-spacing: 0px;-webkit-text-stroke-width: 0px;display: inline !important;float: none;background-color: rgb(255, 255, 255);">Authz <br/></span></p><p><span style="color: rgb(51, 51, 51);font family: 'Microsoft YaHei', 微软雅黑, ' WenQuanYi Micro Hei', 'Helvetica Neue', Arial, 'Hiragino Sans GB', 'WenQuanYi Micro Hei', 'Droid Sans Mono', 'Droid Sans Fallback', sans-serif;font-size:14px;line-height:34px;;font-style: normal;font-variant: normal;font-weight: normal;letter-spacing: normal;line-height: 20px;orphans: auto;text-align: start;text-indent: 0px;text-transform: none;white-space: normal;widows: 1;word-spacing: 0px;-webkit-text-stroke-width: 0px;display: inline !important;float: none;background-color: rgb(255, 255, 255);">Autorize</span></p><p><span 
style="font-size:18px;line-height:38px;;"><strong><span style="color: rgb(51, 51, 51);">0x07 案例</span></strong></span></p><p><span style="color: rgb(51, 51, 51);font family: 'Microsoft YaHei', 微软雅黑, ' WenQuanYi Micro Hei', 'Helvetica Neue', Arial, 'Hiragino Sans GB', 'WenQuanYi Micro Hei', 'Droid Sans Mono', 'Droid Sans Fallback', sans-serif;font-size:14px;line-height:34px;;font-style: normal;font-variant: normal;font-weight: normal;letter-spacing: normal;line-height: 20px;orphans: auto;text-align: start;text-indent: 0px;text-transform: none;white-space: normal;widows: 1;word-spacing: 0px;-webkit-text-stroke-width: 0px;display: inline !important;float: none;background-color: rgb(255, 255, 255);"><span style="color: rgb(51, 51, 51);font family: 'Microsoft YaHei', 微软雅黑, ' WenQuanYi Micro Hei', 'Helvetica Neue', Arial, 'Hiragino Sans GB', 'WenQuanYi Micro Hei', 'Droid Sans Mono', 'Droid Sans Fallback', sans-serif;font-size:14px;line-height:34px;;font-style: normal;font-variant: normal;font-weight: normal;letter-spacing: normal;line-height: 20px;orphans: auto;text-align: start;text-indent: 0px;text-transform: none;white-space: normal;widows: 1;word-spacing: 0px;-webkit-text-stroke-width: 0px;display: inline !important;float: none;background-color: rgb(255, 255, 255);">(请扶墙)<strong>https://medium.com/bugbountywriteup/device-authorization-bypass-aa508c9193ed</strong></span></span></p>
</div>
</div>
</body>
</html>