
Privilege Bypass Vulnerabilities & Logic Vulnerabilities (Hot) (VIII)

2022-06-24 23:44:00 Key_ Words

Part one: privilege bypass vulnerabilities

1. What is a privilege bypass vulnerability?

As the name suggests, a privilege bypass (越权) vulnerability arises when the permission design of an application is flawed. Put plainly: user A can, by some means, view user B's personal information, or can even reach administrator C's pages and use administrator C's privileges.

2. Classification

Privilege bypass vulnerabilities fall mainly into horizontal and vertical privilege bypass. Let's look at the difference.

Horizontal privilege bypass: the attacker accesses resources belonging to another user who has the same level of permissions. A simple example: user A has saved personal information in the application and retrieves it directly through a request parameter; user B, on the same personal-information page, substitutes A's parameter value and can see A's personal information directly.

Why does this happen? The normal flow of an application is: log in => submit request => verify permissions => query the database => return results. If the permission-verification step is done poorly, privilege bypass occurs.

Vertical privilege bypass: also called a privilege escalation attack. For example, user A constructs a URL that leads straight to administrator B's page and can use privileges that only administrator B should have (adding and deleting records, for instance).

A real example:

Consider an insecure direct object reference. Here the privilege bypass is achieved simply by modifying a parameter: if I want to see user A's information, I change the parameter at the end of the URL to A's value and that is enough. As an illustration, log in as Zhang San and capture the request as shown below:

Now change the 5 to 2 and resend the packet; the user shown in the response becomes 1.

There are also multi-step functions that verify the user's identity only in the first step and nowhere else. The attacker simply skips the first step and performs the later steps directly.

And if authentication is incomplete, it may be possible to access sensitive pages directly without logging in, as long as their URL is known.

What else does this include?

For example, access control implemented by hiding the URL. This is the least reliable approach: if the attacker guesses the path to the admin backend, it is compromised directly.

3. Remediation suggestions

For horizontal privilege bypass:

(1) Attach user attributes to the objects being accessed and manipulated. When a target object is accessed or operated on, the server verifies that the user attributes of the session match those of the object; reads and operations are allowed only after that verification passes.

(2) Enforce strict access control on pages and check the permissions of the accessing role.

For vertical privilege bypass:

(1) Adopt a default-deny mechanism with role-based access control: each function is assigned the roles allowed to use it, and different roles have different access rights. When a user accesses a function, verify that the user's current permissions match the permissions required; if they do not match, deny access.
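The two checks recommended above, object-level ownership for the horizontal case and a default-deny role allow-list for the vertical case, as an added example (not code from the original post). All users, roles and profile records are constructed sample data; `view_profile_vulnerable` is the flawed lookup that trusts whatever id the client sends, `view_profile` is the hardened version:

```python
# Added example (not from the original post): object-level and role-based
# authorization checks for the horizontal and vertical cases described above.
# All users, roles and records below are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: int
    role: str            # "user" or "admin"


# Constructed sample data: personal records keyed by record id, each owned by a user.
PROFILES = {
    1: {"owner": 1, "name": "Zhang San", "phone": "138****0001"},
    2: {"owner": 2, "name": "Li Si",     "phone": "139****0002"},
}

# Vertical case: explicit allow-list of which roles may call which function.
# Anything not listed is refused (default deny).
PERMISSIONS = {
    "view_profile": {"user", "admin"},
    "delete_user":  {"admin"},
}


class AccessDenied(Exception):
    pass


def require_permission(session: Session, action: str) -> None:
    """Role check: deny unless the session's role is explicitly allowed."""
    if session.role not in PERMISSIONS.get(action, set()):
        raise AccessDenied(f"role {session.role!r} may not {action}")


def view_profile_vulnerable(profile_id: int) -> dict:
    """The flawed version: returns whatever record id the client asked for."""
    return PROFILES[profile_id]


def view_profile(session: Session, profile_id: int) -> dict:
    """Hardened version: role check first, then object-ownership check."""
    require_permission(session, "view_profile")
    profile = PROFILES.get(profile_id)
    if profile is None:
        raise KeyError(profile_id)
    # Horizontal case: the record must belong to the requesting user,
    # unless the role is allowed to read any record.
    if profile["owner"] != session.user_id and session.role != "admin":
        raise AccessDenied(f"user {session.user_id} does not own profile {profile_id}")
    return profile


def delete_user(session: Session, target_user_id: int) -> str:
    """Admin-only function; an ordinary user is refused before anything happens."""
    require_permission(session, "delete_user")
    return f"user {target_user_id} deleted"


if __name__ == "__main__":
    alice = Session(user_id=1, role="user")
    print(view_profile(alice, 1)["name"])     # own record: allowed
    try:
        view_profile(alice, 2)                # someone else's record: denied
    except AccessDenied as e:
        print("denied:", e)
```

The ownership check is done on the server against the session, never against a user id taken from the request, which is exactly the step the flow "log in => submit request => verify permissions => query" is missing when privilege bypass occurs.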

Part two: logic vulnerabilities (hot)

1. Common logic vulnerabilities

Transaction payment, password change, password recovery, unauthorized modification, unauthorized queries, bypassing of restrictions, and other logic vulnerabilities of this kind.

Insecure direct object references refer to missing access control between parallel (same-level) permissions.

A and B are both ordinary users, and their personal data should be kept confidential.

If user B can view A's information by exploiting the program's missing access control, that is a parallel-permission relationship.

Missing function-level access control refers to missing vertical access control.

A is an ordinary user and B is an administrator; logging in to B's page requires a password and a token.

If A's account can reach the management page by entering its URL directly, bypassing the administrator login restriction and viewing the administrator page, then A and B are in a vertical relationship.

2. Finding logic vulnerabilities

Basic steps :

1. First walk through the process correctly, recording all packets for each of the different retrieval methods

2. Analyse the packets and find the meaningful data fields

3. Work out how the data is constructed

4. Construct packets to verify the hypothesis

For example, when adding to the cart: can the purchase quantity be modified, can it be changed to a negative number, can the price of the goods be modified;

when confirming the cart: can the quantity be changed to a negative number, can the discount restriction be broken;

when entering the shipping fee: can it be modified;

after confirming the order: can the payment amount be modified directly, can the flow jump straight to the "transaction successful" page without paying.

3. Exploiting logic vulnerabilities

Brute-forcing user credentials:

Four- or six-digit codes with no captcha required: brute-force directly with Burp;

Four- or six-digit codes that require a captcha, but the captcha is not invalidated in time: can still be brute-forced directly with Burp;


If the input validation is not thorough, capturing the request with Burp and appending special characters to the phone number bypasses the first line of defense.

Defense ---- limit the number of times a code may be submitted

Defense ---- after more than three attempts, add the client to a blacklist
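The two defenses just listed, plus the "captcha not invalidated in time" and "special characters after the phone number" problems, as an added server-side example (not code from the original post). The in-memory dictionaries, the 11-digit phone format, the threshold of three failures and the sample phone numbers are constructed assumptions:

```python
# Added example (not from the original post): server-side handling of a 4- or 6-digit
# verification code that blocks the brute-force cases listed above. State is kept
# in memory here; a real deployment would use a shared store.
import hmac
import re

MAX_ATTEMPTS = 3                    # the post's threshold: more than three tries -> blacklist
PHONE_RE = re.compile(r"\d{11}")    # strict input check: 11 digits only, nothing appended


class CodeVerifier:
    def __init__(self):
        self._codes = {}      # phone -> outstanding code (at most one per phone)
        self._failures = {}   # phone -> consecutive wrong submissions
        self._blacklist = set()

    def issue(self, phone: str, code: str) -> bool:
        """Record a newly sent code; re-sending replaces the previous one."""
        if not PHONE_RE.fullmatch(phone) or phone in self._blacklist:
            return False
        self._codes[phone] = code
        return True

    def verify(self, phone: str, submitted: str) -> str:
        """Return 'ok', 'wrong', 'blocked', 'no_code' or 'bad_phone'."""
        if not PHONE_RE.fullmatch(phone):
            return "bad_phone"          # trailing special characters are rejected outright
        if phone in self._blacklist:
            return "blocked"            # refused even if the code would be right
        expected = self._codes.get(phone)
        if expected is None:
            return "no_code"            # never issued, or already consumed
        # constant-time comparison on bytes, so the check leaks no timing information
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            del self._codes[phone]      # single use: the code is invalidated on first success
            self._failures.pop(phone, None)
            return "ok"
        failures = self._failures.get(phone, 0) + 1
        self._failures[phone] = failures
        if failures >= MAX_ATTEMPTS:
            self._blacklist.add(phone)  # later attempts return 'blocked'
            del self._codes[phone]      # and the outstanding code dies with them
        return "wrong"
```

Two points matter for the cases in the post: the code is deleted the moment it is accepted (so a captured code cannot be reused for batch registration), and the blacklist is consulted before the comparison (so guessing the right code after the lockout still fails).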

Credentials returned in the response:

While capturing with Burp, the response returns the captcha together with a token (the MD5 of a timestamp); changing the token to 1 or 0 bypasses the credential check.

Password recovery vulnerabilities:

The outline is shown in the figure below :

Recovery generally works through a verification step: verifying an e-mail address, verifying a phone number, and so on.

1. Basic steps:

* First walk through the correct password-recovery process, recording all packets for each of the different recovery methods

* Analyse the packets and find the meaningful data fields

* Work out how the data is constructed

* Construct packets to verify the hypothesis

2. Simple cases:

1. E-mail verification:

Usually, clicking the link in the e-mail takes you to the password-reset page, so the token in the link has to be analysed.

Consider the MD5 of a timestamp, the MD5 of the username or e-mail plus a random string, and so on. The links generally look like the following:

php?u=xiaoming&token=MTIzQHFxLmNvbQ==

php?id=374&token=2ad64bf14c714dbce88c7993663da7da

Once the corresponding link can be constructed, any user's password can be reset.

2. SMS verification:

SMS recovery generally uses a 4- or 6-digit verification code, which can be brute-forced.

3. No verification needed, modify directly:

Skip the step of choosing the recovery method when changing the password and access the password-modification page directly.

4. Local (client-side) validation:

Enter any verification code, capture the request with Burp, forward it, and capture the response. The response may contain a token field;

if the token value is 1 the page jumps to the change-password page, so modifying the response is enough.

5. The server returns the verification code to the browser:

When you click "get verification code", the server sends the code to the browser, so it only needs to be captured.

6. The verification code appears directly in the URL:

When you click to obtain the verification code, the request link that is sent contains the code directly, or the code appears in the page source.

7. Security questions:

Answer the security question; sometimes the answers are in the HTML source.

8. Logic errors in the recovery flow:

Malicious user A uses 15123333333 to recover a password and receives the verification code but does not use it.

A then starts a password recovery for victim B's phone number, enters the verification code A received into B's verification form, and submits it.

The change-password page then proceeds to modify user B's password.

9. No old-password verification required:

When changing the password, it turns out the original (old) password does not need to be entered; the new password can be set directly.

A CSRF vulnerability exists here: construct a link and the password is modified directly, for example:

php?token=2&username=test&password=tst
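A reset flow that closes cases 1, 4, 8 and 9 above, as an added example (not code from the original post). The first sample link in case 1 illustrates the weak-token problem: `MTIzQHFxLmNvbQ==` is nothing more than the base64 encoding of an e-mail address, so anyone who knows the address can build the link. Here the token is random, only its SHA-256 is stored, it expires, it is single-use, and it is bound to the account that requested it, so a code issued to A cannot reset B. The user records, the 15-minute TTL and the injectable clock are constructed assumptions:

```python
# Added example (not from the original post): a password-reset flow without the
# weaknesses listed above. Users, TTL and clock are constructed/assumed values.
import hashlib
import hmac
import secrets
import time

RESET_TTL = 15 * 60   # assumed policy: a reset token lives 15 minutes


class ResetService:
    def __init__(self, users: dict, now=time.time):
        self.users = users        # username -> {"phone": ..., "password": ...}
        self._pending = {}        # sha256(token) -> (username, expiry time)
        self.now = now            # injectable clock so expiry can be tested

    def request_reset(self, username: str) -> str:
        """Issue a token for one account. The raw token goes to the owner's phone
        or e-mail; the server keeps only its hash, so a database leak is useless."""
        if username not in self.users:
            raise KeyError(username)
        token = secrets.token_urlsafe(32)            # 256 random bits: not base64(email), not md5(time)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (username, self.now() + RESET_TTL)
        return token

    def reset_password(self, username: str, token: str, new_password: str) -> str:
        """Return 'ok', 'invalid', 'expired' or 'wrong_account'."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.get(digest)
        if entry is None:
            return "invalid"              # unknown, guessed (e.g. token=1), or already used
        owner, expiry = entry
        if self.now() > expiry:
            del self._pending[digest]
            return "expired"
        if owner != username:
            del self._pending[digest]     # case 8: A's token must not reset B; burn it on misuse
            return "wrong_account"
        del self._pending[digest]         # single use
        self.users[username]["password"] = new_password
        return "ok"

    def change_password(self, username: str, old_password: str, new_password: str) -> bool:
        """Case 9: a logged-in change requires the old password. The sample data keeps
        plaintext for brevity; a real system compares password hashes."""
        user = self.users[username]
        if not hmac.compare_digest(user["password"].encode(), old_password.encode()):
            return False
        user["password"] = new_password
        return True
```

The decisive check for case 8 is `owner != username`: the server remembers which account a code was issued for and refuses to apply it to any other, instead of trusting the account name in the form that submits the code.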

4. Payment vulnerabilities

These are exploited by modifying the transaction amount, the transaction quantity and similar fields, for example using Burp to modify the transaction amount, or to make the quantity negative or unlimited.

1. During payment, the payment amount in the packet can be modified directly

The amount is not verified on the back end and the data is not signed in transit, so the amount can be tampered with at will.

2. There is no restriction against a negative purchase quantity or an unlimited purchase quantity;

with an unbounded quantity the program may handle the value incorrectly, achieving a payment of 0

3. Request replay, achieving "one purchase, multiple deliveries"

4. Other parameter interference

Modify the payment amount in the packet directly during payment, buying expensive goods for a small sum.

Modify the purchase quantity to a negative number: a negative quantity of goods is bought, so a negative number of points is deducted, which actually adds points;

or make the purchase quantity unlimited, where the program may mishandle the value, achieving a payment of 0

Request replay: replaying the request after a successful purchase achieves "one purchase, multiple deliveries".
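Server-side order validation covering the four payment issues above, as an added example (not code from the original post). The price and total are recomputed from the server-side catalogue rather than taken from the request, the quantity is bounded on both sides (no negative or unlimited values), and an idempotency key makes a replayed confirmation return the original receipt instead of shipping again. The catalogue, the per-line cap of 100 and the key names are constructed assumptions:

```python
# Added example (not from the original post): server-side order validation for the
# payment issues above. Catalogue, cap and idempotency keys are constructed.
from decimal import Decimal, InvalidOperation

CATALOG = {"sku-1": Decimal("99.00"), "sku-2": Decimal("5.50")}   # authoritative prices
MAX_QTY = 100                                                     # assumed per-line cap


class OrderError(ValueError):
    pass


def price_order(items: dict) -> Decimal:
    """items: sku -> quantity exactly as the client sent it. Only the sku and the
    quantity are taken from the request; the price never is."""
    if not items:
        raise OrderError("empty order")
    total = Decimal("0")
    for sku, qty in items.items():
        if sku not in CATALOG:
            raise OrderError(f"unknown sku {sku!r}")
        # bool is a subclass of int, so exclude it explicitly; reject <= 0 and huge values
        if isinstance(qty, bool) or not isinstance(qty, int) or qty <= 0 or qty > MAX_QTY:
            raise OrderError(f"bad quantity {qty!r} for {sku}")
        total += CATALOG[sku] * qty
    return total


class Checkout:
    def __init__(self):
        self._fulfilled = {}   # idempotency key -> receipt already issued

    def pay(self, idem_key: str, items: dict, client_amount: str) -> str:
        """Confirm an order. A replay with the same key returns the original receipt
        instead of fulfilling again; a client amount that differs from the server
        total is refused."""
        if idem_key in self._fulfilled:
            return self._fulfilled[idem_key]
        total = price_order(items)
        try:
            claimed = Decimal(client_amount)
        except InvalidOperation:
            raise OrderError(f"unparseable amount {client_amount!r}")
        if claimed != total:
            raise OrderError(f"amount mismatch: client {claimed}, server {total}")
        receipt = f"receipt-{len(self._fulfilled) + 1}:{total}"
        self._fulfilled[idem_key] = receipt
        return receipt
```

Comparing the client's amount against the recomputed total (rather than charging the client's number) is what defeats the "buy expensive goods for a small sum" case; in a real system the idempotency key would be issued by the server when the order is created and stored with the order.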

4. Basic case: case 1

Member registration (the registration form):

test

test

Verification code 0566

The login form has no captcha, so the username and password can be brute-forced directly.

Because the server does not invalidate the captcha in time, Burp can be used for bulk registration.

Each parameter may carry a logic flaw: modify the parameters and see whether the submission still succeeds.

Send the request to Burp Intruder with username, password and email as the variables,

then load three dictionaries and register in batch. If the responses come back 200, the vulnerability exists.

All of those users can then log in.

Change password:

1234567

1234567

Intercept the packet and look at the parameter values. When we change the user to someone else's, the change still succeeds, which is a privilege bypass vulnerability.

Voting system:

Capture the request and delete the cookie information, or check whether the vote is judged by IP address,

then run a dictionary with Burp.

5. Case 2

Visiting the backend address prompts that it cannot be accessed directly. Looking at the source shows that the backend checks the Referer,

which is easy to bypass: capture with Burp, then go to the backend page,

find the data-backup function, and find the Referer;

as an ordinary user, add a forged Referer.

Next there is a script restriction: use Chrome with scripts disabled and revisit the page

to get through; this cannot be done with Firefox.

6. Parameter privilege bypass

In address management, any delivery information can be modified, causing disclosure of sensitive information.

Address management --- modify --- capture the GET request with Burp --- there is an address_id parameter corresponding to the consignee's address id --- replace the parameter with an arbitrary value --- the consignee's address has changed and the consignee's information has been modified.

Suggestion: verify that the user has permission to modify and view the address, so that privilege bypass is avoided; if the user exceeds their authority, return an error page directly or log the account out.

Creating an account requires e-mail activation before login --- click resend --- capture with Burp, modify the uid parameter value, and an e-mail bomb can be sent.

Remediation suggestion:

Limit the number of times activation e-mails can be sent.

Accessing other users' information beyond one's authority:

Capture the cookie on login; the cookie contains the phone number.

Modifying the phone number in the cookie then shows other users' information.
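The cookie case above fails because the server reads the identity back from a value the client can edit. The two usual fixes, as an added example (not code from the original post): an HMAC-signed cookie whose value cannot be altered without the server key, and an opaque session id that maps to the phone number on the server side. The server key, the cookie layout and the sample phone numbers are constructed assumptions:

```python
# Added example (not from the original post): two ways to stop a client from editing
# the phone number the server trusts. Key, layout and sample numbers are constructed.
import base64
import hashlib
import hmac
import secrets

SERVER_KEY = b"constructed-example-key-keep-this-secret"   # assumption: per-deployment secret


def _mac(value: str) -> str:
    mac = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def sign_cookie(value: str) -> str:
    """Cookie layout: <value>.<urlsafe-base64 HMAC-SHA256 of value>."""
    return f"{value}.{_mac(value)}"


def verify_cookie(cookie: str):
    """Return the value if the signature checks out, otherwise None."""
    value, sep, mac = cookie.rpartition(".")
    if not sep:
        return None                              # unsigned cookie: refuse it
    if not hmac.compare_digest(_mac(value).encode(), mac.encode()):
        return None                              # value edited without the key
    return value


class SessionStore:
    """Alternative: the cookie holds only a random id; the phone number never leaves the server."""

    def __init__(self):
        self._sessions = {}

    def login(self, phone: str) -> str:
        sid = secrets.token_urlsafe(32)          # unguessable, carries no information
        self._sessions[sid] = phone
        return sid

    def phone_for(self, sid: str):
        return self._sessions.get(sid)
```

The signed cookie still exposes the phone number to the client (only tampering is prevented), so the opaque session id is the better choice when the value is sensitive; both defeat the "change the number in the cookie" case.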

Parameter privilege bypass:

Accessing a page directly shows other users' order numbers.

The registration function returns the registration information of all users.

When registering with someone else's e-mail, that person's information is exposed;

all that is needed is another person's username.

Service fee:

Click repayment, capture the GET request, and modify the parameter to 0 or 1; this bypasses the check and the repayment succeeds.

The points balance becomes negative.


Copyright notice
This article was written by [Key_ Words]; when reposting, please include the original link. Thanks.
https://yzsam.com/2022/02/202202211117584397.html