Introduction and actual combat
My little Xue is resurrected
Oops, I haven't updated in a few days. I just finished the homework after class and didn't study for two days, which stabs me in the heart, hahaha. I watched the days go by; the friends I know are running fast, and I am anxious too.
Today's topic is privilege escalation (over-privilege). The difficulty is relatively low and there are not many bells and whistles, but it is a little time-consuming and laborious.
Principle overview
If user A, whose authority is lower than (or equal to) user B's, can use A's own authority to operate on user B's data and the operation succeeds, this is called an unauthorized (over-privilege) operation. The cause of such vulnerabilities is unreasonable permission verification rules in the backend.
Unauthorized vulnerabilities typically appear on permission pages (pages that require login) where data is added, deleted, modified, or queried. When the user performs one of these operations on data shown on a permission page, the backend needs to verify the current user's permissions, check whether that user is allowed to perform the operation, and respond accordingly; if the verification rules are too simple, over-privilege loopholes are likely.
Supplement: if a WAF is present, prioritize unauthorized (access-control) vulnerabilities and logic vulnerabilities.
GET request parameters are visible in the URL; POST parameters are only visible in the request packet (body).
Unauthorized classification
Horizontal privilege escalation (parallel over-privilege)
User A and user B are users of the same level, but they should not be able to operate on each other's personal information. If user A can operate on user B's personal information, this is called a horizontal over-privilege operation.
Vertical privilege escalation (vertical over-privilege)
User A's authority is higher than user B's. If user B can perform operations that require user A's authority, this is called vertical privilege escalation.
Actual test
pikachu platform
Horizontal privilege escalation
Changing the name in the URL is enough to bypass the check.
This is because the session is not checked.
Vertical privilege escalation
There is one super administrator account and one ordinary administrator account.
When the administrator adds a user, capture the packet and save it to Repeater.
Capture a packet from an ordinary user.
Use the PHPSESSID from the ordinary user's cookie to perform the known administrator-page operation.
This kind of privilege escalation requires knowing some of the administrator's core pages beforehand.
Defense
The backend needs to check whether the user is logged in, and then check whether the account's session level is 1; if either condition is not satisfied, intercept the request.
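To make the two checks concrete, here is an added example (not code from the original post or from the pikachu project) that models both flaws and the defense described above in Python. The session store, the user levels and the profile data are constructed for illustration; level 1 is assumed to mean administrator, as in the post.

```python
# Added example: horizontal and vertical over-privilege checks, modelled
# after the pikachu exercises. All data below is constructed for illustration.
from dataclasses import dataclass

ADMIN_LEVEL = 1   # the post's defense: "session level is 1" means administrator


@dataclass
class Session:
    username: str
    level: int


# Constructed server-side session store: PHPSESSID value -> session data
SESSIONS = {
    "sess-alice": Session("alice", level=2),          # ordinary user
    "sess-root": Session("root", level=ADMIN_LEVEL),  # super administrator
}
PROFILES = {"alice": "alice@example.com", "bob": "bob@example.com"}
USERS = set(PROFILES)


def view_profile_vulnerable(session_id, username):
    """Horizontal flaw: trusts the username from the URL, never the session."""
    return PROFILES.get(username)


def view_profile_fixed(session_id, username):
    """Returns only the profile that belongs to the logged-in session."""
    sess = SESSIONS.get(session_id)
    if sess is None or sess.username != username:
        return None   # not logged in, or asking for someone else's data
    return PROFILES[username]


def add_user_vulnerable(session_id, new_user):
    """Vertical flaw: any session (even a missing one) may add users."""
    USERS.add(new_user)
    return True


def add_user_fixed(session_id, new_user):
    """The post's defense: must be logged in, and session level must be 1."""
    sess = SESSIONS.get(session_id)
    if sess is None:
        return False              # not logged in -> intercept
    if sess.level != ADMIN_LEVEL:
        return False              # ordinary account -> intercept
    USERS.add(new_user)
    return True
```

The fixed handlers derive identity and level from the server-side session only, so a changed URL parameter or a borrowed ordinary-user PHPSESSID no longer passes the check.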