Access control
Lab: Unprotected admin functionality
This lab has an unprotected admin panel. Solve the lab by deleting the user carlos.
Directory brute-forcing finds it quickly: robots.txt lists an admin panel path that has no access control at all.
Lab: Unprotected admin functionality with unpredictable URL
This lab has an unprotected admin panel. It’s located at an unpredictable location, but the location is disclosed somewhere in the application.
Solve the lab by accessing the admin panel, and using it to delete the user carlos.
The admin panel path is too random to brute-force, but it is hard-coded in the page's inline JavaScript. The script only adds the admin link to the page when the isAdmin flag is true, so the UI never shows it; reading the page source does. The snippet begins:
var isAdmin = false;
Lab: User role controlled by request parameter
This lab has an admin panel at /admin, which identifies administrators using a forgeable cookie. Solve the lab by accessing the admin panel and using it to delete the user carlos. You can log in to your own account using the following credentials:
wiener:peter
Log in, then edit the cookie the application sets: change Admin=false to Admin=true and /admin opens. The server is making its role decision on a value the client controls.
Lab: User role can be modified in user profile
This lab has an admin panel at /admin. It’s only accessible to logged-in users with a roleid of 2. Solve the lab by accessing the admin panel and using it to delete the user carlos. You can log in to your own account using the following credentials:
wiener:peter
Log in to your own account and look at the "change email" function. The request body is JSON, and the response echoes the whole user object back, including apikey and roleid.
Editing roleid to 2 in the intercepted response achieves nothing: the response only reflects what the server stored, and the server decides the role. So instead add "roleid": 2 to the JSON in the request body and send it.
The response now shows the role id as 2, i.e. the server copied a client-supplied privilege field onto the account (mass assignment). Visit /admin and delete carlos.
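As an added illustration (this is not the lab's code or the original notes), the following Python models why adding "roleid": 2 to the profile-update body works and what the fix looks like. The field names email, apikey and roleid come from the lab; the record values, the request bodies and the handler functions are constructed for this example.

```python
import json

# Constructed sample record in the shape the lab's profile endpoint returns
# (username, email, apikey, roleid); the values are made up.
WIENER = {
    "username": "wiener",
    "email": "wiener@example.com",
    "apikey": "constructed-api-key",
    "roleid": 1,
}

# The legitimate body sent by the "change email" form, and the same body with
# an extra "roleid": 2 appended, as described in the notes above.
NORMAL_BODY = json.dumps({"email": "new@example.com"})
ATTACK_BODY = json.dumps({"email": "new@example.com", "roleid": 2})

# Fields the profile form may change. roleid is deliberately absent: privilege
# attributes must never be writable through a self-service endpoint.
ALLOWED_PROFILE_FIELDS = frozenset({"email"})
ADMIN_ROLEID = 2


def update_profile_vulnerable(user: dict, body: str) -> dict:
    """Mass-assignment flaw: every key the client sends is copied onto the
    stored record, so roleid ends up coming from the request."""
    updated = dict(user)
    updated.update(json.loads(body))
    return updated


def update_profile_hardened(user: dict, body: str) -> dict:
    """Copy only allow-listed fields, and reject a body that carries anything
    else so the attempt shows up in logs instead of being silently dropped."""
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("JSON object expected")
    unexpected = set(data) - ALLOWED_PROFILE_FIELDS
    if unexpected:
        raise ValueError(f"unexpected fields: {sorted(unexpected)}")
    updated = dict(user)
    for key in ALLOWED_PROFILE_FIELDS & set(data):
        updated[key] = data[key]
    return updated


def hardened_rejects(user: dict, body: str) -> bool:
    """True if the hardened handler refuses the body (used to check the fix)."""
    try:
        update_profile_hardened(user, body)
    except ValueError:
        return True
    return False


def is_admin(user: dict) -> bool:
    return user.get("roleid") == ADMIN_ROLEID


if __name__ == "__main__":
    print("vulnerable grants admin:", is_admin(update_profile_vulnerable(WIENER, ATTACK_BODY)))
    print("hardened rejects body:  ", hardened_rejects(WIENER, ATTACK_BODY))
```

The hardened handler rejects the whole request rather than just ignoring roleid: a client that sends fields the form never sends is already misbehaving, and a 400 gives the detection team something to alert on.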
Lab: URL-based access control can be circumvented
This website has an unauthenticated admin panel at /admin, but a front-end system has been configured to block external access to that path. However, the back-end application is built on a framework that supports the X-Original-URL header. To solve the lab, access the admin panel and delete the user carlos.
Requesting /admin directly returns:
"Access denied"
Some applications support non-standard headers such as X-Original-URL or X-Rewrite-URL that let the URL given in the header value override the target URL of the request.
Many sites have a front end (load balancer, CDN, cache, gateway or reverse proxy) that routes and applies access control by URL, while the back-end application server handles the request path for business logic and its own authorization checks. The problem is that the two layers disagree about which URL is the one that will actually be processed. Some proxy or rewrite components put the original (or rewritten) request path into a custom header like X-Original-URL for the back end to consult or use for internal routing. If the back end treats that header as trusted and uses it directly, control passes to the client: the attacker asks the front end for a path that is allowed (for example /) and adds X-Original-URL: /admin to the request. The front end sees only the first-layer path and lets the request through; the back end, without re-checking authorization, reads X-Original-URL as the "real" path and performs the sensitive action (for example deleting a user), so the front end's restriction on /admin is bypassed.
Send a request with an X-Original-Url header that points at a resource that does not exist:
GET / HTTP/2
X-Original-Url: /aaa
Response:
HTTP/2 404 Not Found
The home page exists, so a 404 shows the back end is routing on the X-Original-URL header and tried to serve /aaa. Now point it at the restricted admin panel:
GET / HTTP/2
X-Original-Url: /admin
For the delete action, the query string stays on the real request line while the header supplies the path:
GET /?username=carlos HTTP/2
X-Original-Url: /admin/delete
Admin panels and admin-only functions are often restricted to clients on the local network, so various proxy- and forwarding-related HTTP headers may be abusable to gain access. When path overrides fail, spoofing X-Forwarded-For: 127.0.0.1 is worth a try for the same reason.
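A toy model of the two layers described above, added here as an illustration; it is not the lab's code and not any real framework. front_end stands for the proxy that denies /admin by request line, back_end_vulnerable for a framework that honours X-Original-URL / X-Rewrite-URL, and the routes and response strings are constructed. The 404 probe from the notes is reproduced as header_override_honoured.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed back-end routes standing in for the lab's pages.
ROUTES = {
    "/": "home",
    "/admin": "admin panel",
    "/admin/delete": "delete user",
}

# The non-standard override headers named above. HTTP header names are
# case-insensitive, which is why X-Original-Url in the requests above and
# X-Original-URL in the lab text are the same header.
OVERRIDE_HEADERS = ("x-original-url", "x-rewrite-url")


def front_end(path: str, headers: dict, backend) -> tuple:
    """Edge layer (reverse proxy / CDN): denies /admin by inspecting the request
    line only, then forwards everything else, headers included, to the back end."""
    route = urlsplit(path).path
    if route == "/admin" or route.startswith("/admin/"):
        return 403, "Access denied"
    return backend(path, headers)


def dispatch(route: str, query: dict) -> tuple:
    """The back end's own routing. It has no authorization of its own, which is
    the lab's premise (an unauthenticated admin panel behind a front-end block)."""
    if route not in ROUTES:
        return 404, "Not Found"
    if route == "/admin/delete":
        users = query.get("username")
        if not users:
            return 400, "username required"
        return 200, f"deleted {users[0]}"
    return 200, ROUTES[route]


def back_end_vulnerable(path: str, headers: dict) -> tuple:
    """Framework behaviour the lab relies on: a present override header replaces
    the request path, while the query string of the real request line is kept,
    which is why GET /?username=carlos still feeds /admin/delete its parameter."""
    lowered = {name.lower(): value for name, value in headers.items()}
    parts = urlsplit(path)
    route = parts.path
    for name in OVERRIDE_HEADERS:
        if name in lowered:
            route = urlsplit(lowered[name]).path
            break
    return dispatch(route, parse_qs(parts.query))


def back_end_hardened(path: str, headers: dict) -> tuple:
    """Fix: route only on the path the front end already authorised. Override
    headers arriving from outside are ignored (the edge should also strip them),
    and a real back end should still carry its own authorization check."""
    parts = urlsplit(path)
    return dispatch(parts.path, parse_qs(parts.query))


def header_override_honoured(backend) -> bool:
    """The probe from the notes: request / (which exists) with X-Original-Url
    pointing at a path that does not. A 404 means the header chose the route."""
    status, _ = front_end("/", {"X-Original-Url": "/aaa"}, backend)
    return status == 404


if __name__ == "__main__":
    for backend in (back_end_vulnerable, back_end_hardened):
        print(backend.__name__, "honours override:", header_override_honoured(backend))
        print(front_end("/?username=carlos", {"X-Original-Url": "/admin/delete"}, backend))
```

Two points the model makes concrete: the front end's decision is only as good as the path the back end ends up using, so override headers must be stripped where the trust boundary is (the edge), and the back end must not rely on the edge at all for /admin. Trusting X-Forwarded-For for an "is local" check fails the same way, because that header is also client-supplied unless the first proxy overwrites it.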
Lab: Method-based access control can be circumvented
This lab implements access controls based partly on the HTTP method of requests. You can familiarize yourself with the admin panel by logging in using the credentials administrator:admin. To solve the lab, log in using the credentials wiener:peter and exploit the flawed access controls to promote yourself to become an administrator.
Replaying the admin's role-change request in wiener's session is refused, so try the same path and parameters with a different HTTP method, e.g. switch the request to GET. The access check is tied to the original method and does not apply to the alternative, so the promotion goes through.
Lab: User ID controlled by request parameter
This lab has a horizontal privilege escalation vulnerability on the user account page.
To solve the lab, obtain the API key for the user carlos and submit it as the solution. You can log in to your own account using the following credentials:
wiener:peter
Change the id parameter on the account page to carlos: the page shows whichever user the parameter names, a horizontal privilege escalation.
Lab: User ID controlled by request parameter, with unpredictable user IDs
This lab has a horizontal privilege escalation vulnerability on the user account page, but identifies users with GUIDs.
To solve the lab, find the GUID for carlos, then submit his API key as the solution. You can log in to your own account using the following credentials:
wiener:peter
The id is a GUID, so it cannot be guessed, but the blog leaks each author's id alongside their posts. Copy carlos's GUID into the id parameter.
Lab: User ID controlled by request parameter with data leakage in redirect
This lab contains an access control vulnerability where sensitive information is leaked in the body of a redirect response.
To solve the lab, obtain the API key for the user carlos and submit it as the solution. You can log in to your own account using the following credentials:
wiener:peter
Swapping the id redirects you to the login page, but the body of the 302 response still contains the account page with the sensitive data. Read the response in the proxy instead of following the redirect.
Lab: User ID controlled by request parameter with password disclosure
This lab has a user account page that contains the current user’s existing password, prefilled in a masked input.
To solve the lab, retrieve the administrator’s password, then use it to delete the user carlos. You can log in to your own account using the following credentials:
wiener:peter
The password is in plain text in the raw response; the masking is only the browser rendering the input field. Change id to administrator to read the administrator's password, log in with it and delete carlos.
Lab: Insecure direct object references
This lab stores user chat logs directly on the server’s file system, and retrieves them using static URLs.
Solve the lab by finding the password for the user carlos, and logging into their account.
Open the chat and download the transcript: the file is fetched as 2.txt from a static path. Iterate the number to download other users' logs; one of them contains carlos's password.
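Added example, not from the labs or the original notes, covering the "User ID controlled by request parameter" labs and the chat-log IDOR above: an in-memory model of the account page, its redirect-leak variant and the N.txt download, each in a vulnerable and a fixed form. Account data, file contents, file names and the administrator role are constructed for illustration.

```python
# Constructed data: two accounts and two chat-log files, exposed the way the
# labs expose them (by id parameter and by numbered file name).
ACCOUNTS = {
    "wiener": {"apikey": "constructed-wiener-key", "password": "peter"},
    "carlos": {"apikey": "constructed-carlos-key", "password": "constructed-carlos-pw"},
}
# (owner, contents); ownership is exactly what the vulnerable download ignores.
CHAT_LOGS = {
    "1.txt": ("wiener", "wiener: hello"),
    "2.txt": ("carlos", "carlos: my password is constructed-carlos-pw"),
}
ADMINS = frozenset({"administrator"})


def my_account_vulnerable(session_user: str, requested_id: str) -> tuple:
    """GET /my-account?id=<requested_id>: returns whoever the parameter names,
    the session is never consulted."""
    account = ACCOUNTS.get(requested_id)
    return (200, account) if account else (404, None)


def my_account_redirect_leak(session_user: str, requested_id: str) -> tuple:
    """Redirect-leak variant: the handler loads the data first and decides to
    redirect afterwards, so the 302 carries the rendered page in its body."""
    account = ACCOUNTS.get(requested_id)
    if requested_id != session_user:
        return 302, account      # Location: /login, body already built
    return 200, account


def my_account_hardened(session_user: str, requested_id: str = None) -> tuple:
    """Identity comes from the session. An explicit id is honoured only for
    administrators, and denial happens before any data is loaded, so there is
    nothing to leak in a redirect."""
    target = session_user if requested_id is None else requested_id
    if target != session_user and session_user not in ADMINS:
        return 403, None
    account = ACCOUNTS.get(target)
    return (200, account) if account else (404, None)


def download_log_vulnerable(session_user: str, name: str) -> tuple:
    """Static file by name: anyone who can count can read every transcript."""
    entry = CHAT_LOGS.get(name)
    return (200, entry[1]) if entry else (404, None)


def download_log_hardened(session_user: str, name: str) -> tuple:
    """Resolve the file, then check it belongs to the requesting session."""
    entry = CHAT_LOGS.get(name)
    if entry is None:
        return 404, None
    owner, body = entry
    if owner != session_user:
        return 403, None
    return 200, body


def enumerate_logs(download, session_user: str, numbers) -> dict:
    """The attacker's loop from the notes: walk N.txt for each N and keep
    whatever came back with 200."""
    found = {}
    for n in numbers:
        name = f"{n}.txt"
        status, body = download(session_user, name)
        if status == 200:
            found[name] = body
    return found


if __name__ == "__main__":
    print(my_account_redirect_leak("wiener", "carlos"))
    print(enumerate_logs(download_log_vulnerable, "wiener", range(1, 4)))
    print(enumerate_logs(download_log_hardened, "wiener", range(1, 4)))
```

Note what the GUID lab adds to this: unpredictable identifiers only slow enumeration down, they are not authorization, and the moment the id appears anywhere else in the application (here, next to blog posts) the protection is gone. The hardened functions derive the subject from the session and check ownership of the object, which is the fix for every lab in this group.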
Lab: Multi-step process with no access control on one step
This lab has an admin panel with a flawed multi-step process for changing a user’s role. You can familiarize yourself with the admin panel by logging in using the credentials administrator:admin. To solve the lab, log in using the credentials wiener:peter and exploit the flawed access controls to promote yourself to become an administrator.
Promoting a user takes two steps: submit the role change, then confirm it. Only the first step checks that the caller is an administrator; the confirmation step does not, so replaying the confirmation request in wiener's session upgrades wiener directly.
Lab: Referer-based access control
This lab controls access to certain admin functionality based on the Referer header. You can familiarize yourself with the admin panel by logging in using the credentials administrator:admin. To solve the lab, log in using the credentials wiener:peter and exploit the flawed access controls to promote yourself to become an administrator.
/admin itself has access control enforced, but the promotion endpoint /admin-roles?username=wiener&action=upgrade only checks the Referer header: if the Referer contains the main /admin URL, the request is allowed.
So call that endpoint directly from wiener's session and set the Referer header to the lab URL followed by /admin. The Referer is entirely under the client's control, so it can never stand in for an authorization check.
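The last three labs (method-based, multi-step and Referer-based) are one mistake in three costumes: the role-upgrade action is guarded by something other than the caller's identity. The following added example, which is not the labs' code or the original notes, puts the three flawed guards beside a correct one and runs wiener's bypass attempts against each. The endpoint /admin-roles and the username/action parameters follow the lab text; the Request model, the lab hostname lab.example in the forged Referer and the response codes are constructed.

```python
from dataclasses import dataclass, field

ADMINS = frozenset({"administrator"})


@dataclass
class Request:
    """Minimal model of one request to the role-change endpoint."""
    method: str
    path: str
    params: dict
    user: str                      # identity taken from the session cookie
    headers: dict = field(default_factory=dict)
    confirmed: bool = False        # the multi-step flow's confirmation flag


def is_admin(req: Request) -> bool:
    return req.user in ADMINS


def guard_method_only(req: Request) -> bool:
    """Method-based lab: only POST is checked, so the same parameters sent as
    GET (or any other verb the framework maps to the handler) go through."""
    if req.method == "POST":
        return is_admin(req)
    return True


def guard_final_step_only(req: Request) -> bool:
    """Multi-step lab: the form (step 1) checks the role, the confirmation
    (step 2) does not, so the step-2 request can be replayed on its own."""
    if not req.confirmed:
        return is_admin(req)
    return True


def guard_referer_only(req: Request) -> bool:
    """Referer lab: allowed if the request claims to come from /admin. Referer
    is written by the client, so this proves nothing about the caller."""
    return "/admin" in req.headers.get("Referer", "")


def guard_correct(req: Request) -> bool:
    """Authorization is a property of the caller, evaluated for every method,
    every step, and regardless of what the client says about its origin."""
    return is_admin(req)


def upgrade_role(req: Request, guard) -> tuple:
    if req.path != "/admin-roles" or req.params.get("action") != "upgrade":
        return 404, None
    if not guard(req):
        return 401, None
    return 200, f"{req.params['username']} is now an administrator"


def bypass_attempts(guard) -> list:
    """Constructed requests by wiener; returns the names of those the guard
    lets through."""
    params = {"username": "wiener", "action": "upgrade"}
    attempts = {
        "GET instead of POST": Request("GET", "/admin-roles", params, "wiener"),
        "replay confirm step": Request("POST", "/admin-roles", params, "wiener",
                                       confirmed=True),
        "forged Referer": Request("POST", "/admin-roles", params, "wiener",
                                  headers={"Referer": "https://lab.example/admin"}),
    }
    return [name for name, req in attempts.items() if upgrade_role(req, guard)[0] == 200]


if __name__ == "__main__":
    for guard in (guard_method_only, guard_final_step_only, guard_referer_only, guard_correct):
        print(f"{guard.__name__:24s} bypassed by: {bypass_attempts(guard)}")
```

Each flawed guard is defeated by exactly one of the three attempts, and the correct guard by none, because it is the only one whose decision depends on the session rather than on the shape of the request.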