To become the most admired guy on the site, you are only one step away from GetShell!

1. Introduction to authorization bypass vulnerabilities

 

In the author's experience, the most mysterious and most powerful of the logic vulnerabilities is the authorization bypass (the Chinese term, 越权, is often machine-translated as "ultra vires" or "unauthorized access"). It is so powerful that, where one exists, an ordinary user can end up controlling the data of every user on the site.

 

Authorization bypass arises mainly because, when developers implement create, read, update and delete operations, they trust the data sent by the client too much and omit the check of whether the requester is actually entitled to act on that record. Testing for it is therefore a contest of thoroughness with the developers.

 

2. The harm of authorization bypass vulnerabilities

 

Think about it: an ordinary user, say someone called Hat, registers an account with the most basic permissions on the site and discovers that it has an authorization bypass. Through a vertical bypass he can view and modify the site's data and manipulate every user's information; through a horizontal bypass he can read other users' private information, modify it, or act under another user's identity to deceive people. Whether the bypass is vertical or horizontal, once an attacker finds it he has plenty of ways to squeeze the maximum out of it.

3. Classification of authorization bypass vulnerabilities

 

Depending on how the "authority" of attacker and victim differ, authorization bypass is divided into two types: vertical bypass (privilege escalation) and horizontal bypass (same-level bypass, what English-language literature usually calls IDOR, insecure direct object reference). Put simply: in a vertical bypass a low-privilege account reaches high-privilege functions; in a horizontal bypass accounts at the same level reach each other's data.

 

Vertical bypass: reaching high privilege from low privilege. In plain terms, a low-privilege ordinary user reaches a page or operation that requires a higher permission. For example, an online store is normally managed and modified by the merchant or by the site administrator. If, after obtaining the URL of a page that requires merchant permission, an ordinary store clerk can open it and successfully carry out a series of operations, that is a vertical bypass: for instance, a clerk performing product listing, price changes or financial settlement, which only the merchant should be able to do.

 

Horizontal bypass: mutual access at the same level. In plain terms, take Qzone: if ordinary user A can open ordinary user B's "hidden space" page, or even B's "post update" page, and publish objectionable or fraudulent content under B's identity, that is a horizontal bypass.

 

That is the difference between the two types and how each is exploited.

 

4. Root cause of authorization bypass

 

Authorization bypass arises mainly because the developer performs too little permission checking during development, or because the checking logic is not rigorous enough.

 

For example, a site verifies the cookie only at the moment the account logs in, and subsequent operations are never checked against the identity that cookie represents; or a functional module simply performs no identity verification (no cookie check) at all.

 

So, what should you as a developer pay attention to?

 

When the client interacts with the server it carries a cookie that identifies the user. Once the server matches the cookie against its session store, the user is allowed to perform the related operations (the relationship between cookie and session is a topic for a separate post). Besides the cookie, the request may carry other parameters; on closer inspection some of them may be unique values that identify a record, and those are the ones worth testing. One more thing: such parameters are not necessarily in the query string or body; they may also appear in the URL path or elsewhere.

 

5. Vulnerability hunting in practice

 

Authorization bypass is generally classed as a logic vulnerability, so during hunting we rarely pinpoint it with tools; what matters more is careful thinking by R&D staff or security engineers who dig into the application's logic.

 

Approach to hunting horizontal bypass

 

 

  • Step 1: First determine whether the request carries any parameters. If there are none and identity comes solely from the cookie, there is nothing to tamper with, so a horizontal bypass through that request is unlikely;

  • Step 2: If the request carries parameters besides the cookie, and some of their values look like unique identifiers of a record (such as employeeID, departmentID, ID, etc.), a horizontal bypass may exist. The cause is typically that a parameter like employeeID is taken at face value, and the server never checks that it is the employee ID belonging to the session behind the cookie.

 

Approach to hunting vertical bypass

 

 

  • Step 1: First see whether you can construct or discover a URL that only the administrator should be able to reach. Such pages are generally not linked for ordinary users and only the administrator knows them; they can be found through code audit or from penetration-testing experience;

  • Step 2: Having found the URL, construct the HTTP request and send it to the server with the low-privilege session. If the server does not reject it outright, or the rejection can be bypassed, and the page comes back, the vertical bypass is confirmed.

 

In summary, vertical bypass is mainly a server-side problem: the permission check on each request is not rigorous and lacks a judgement of the user's identity. Often the only "permission check" is whether a menu item is displayed; as long as a malicious user guesses the URL of another page, he can access or control data and pages that belong to others, achieving privilege escalation.

 

6. Remediation suggestions

 

6.1 Horizontal bypass

 

① Do not use auto-incrementing IDs as the parameter that selects a record; use encrypted IDs, random numbers or GUIDs instead. Note, however, that an unguessable identifier is only defence in depth: if the value leaks (through a shared link, a referrer or a search-engine index), an attacker can use it just as well, so it never replaces the server-side checks below.

 

② The web layer checks the permissions of the user who initiated the request, taking that identity from the session rather than from anything in the request.

 

③ Add an ownerId field to the database table and include it as a WHERE condition in every insert, delete, update and select: each record carries the identity of its creator, and the person modifying it must be the same as the person who created it before the operation is allowed.

 

6.2 Vertical bypass

 

① Add authorization checks to every URL resource, enforced on the server side for each request rather than by merely hiding menu entries.
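The following is an added example, not code from the original post, showing the fixes of 6.1 ② and ③ and of 6.2 ① side by side with the vulnerable version they replace. The products table, the cookie-to-session table and the merchant/clerk roles are constructed for illustration; the only library used is the standard sqlite3 module.

```python
"""Added example: server-side fixes for horizontal and vertical bypass.

update_price_vulnerable checks only that a session exists: any logged-in
user can reprice any product (horizontal bypass) and clerks can do what only
merchants should (vertical bypass).  update_price_fixed takes the identity
from the session, puts owner_id in the WHERE clause (6.1 ③) and enforces the
role on the operation itself rather than on a menu (6.2 ①).
"""
import sqlite3

SESSIONS = {                                # constructed: cookie -> server session
    "cookieClerk": {"uid": 1001, "role": "clerk"},
    "cookieMerchant7": {"uid": 7, "role": "merchant"},
    "cookieMerchant8": {"uid": 8, "role": "merchant"},
}


class Forbidden(Exception):
    """Raised when the session is missing or lacks the required role."""


def setup_db():
    """Fresh in-memory table; product 1 belongs to merchant 7, product 2 to 8."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, owner_id INTEGER, price REAL)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)", [(1, 7, 100.0), (2, 8, 50.0)])
    db.commit()
    return db


def get_price(db, product_id):
    return db.execute("SELECT price FROM products WHERE id = ?", (product_id,)).fetchone()[0]


def update_price_vulnerable(db, cookie, product_id, price):
    """Authenticates the cookie and nothing more; the WHERE clause selects by
    id alone, so the caller's identity never enters the query."""
    if cookie not in SESSIONS:
        raise Forbidden("login required")
    cur = db.execute("UPDATE products SET price = ? WHERE id = ?", (price, product_id))
    db.commit()
    return cur.rowcount


def require_role(role):
    """Decorator: resolve the cookie to a session and demand the role on every
    call. The wrapped function receives the session, not the raw cookie, so an
    identity field smuggled into the request has nothing to influence."""
    def decorator(fn):
        def wrapper(db, cookie, *args):
            sess = SESSIONS.get(cookie)
            if sess is None:
                raise Forbidden("login required")
            if sess["role"] != role:
                raise Forbidden(f"role {role!r} required")
            return fn(db, sess, *args)
        return wrapper
    return decorator


@require_role("merchant")
def update_price_fixed(db, sess, product_id, price):
    """owner_id comes from the session and is part of the WHERE clause, so the
    update only touches rows the caller owns. Returns rows changed: 0 means
    the product is not the caller's (answer 403/404, never 'success')."""
    cur = db.execute(
        "UPDATE products SET price = ? WHERE id = ? AND owner_id = ?",
        (price, product_id, sess["uid"]),
    )
    db.commit()
    return cur.rowcount


def attempt(fn, db, cookie, product_id, price):
    """Run an update and report either the row count or the refusal reason."""
    try:
        return fn(db, cookie, product_id, price)
    except Forbidden as exc:
        return f"forbidden: {exc}"


if __name__ == "__main__":
    db = setup_db()
    print(attempt(update_price_vulnerable, db, "cookieClerk", 1, 1.0), get_price(db, 1))
    db = setup_db()
    print(attempt(update_price_fixed, db, "cookieClerk", 1, 1.0), get_price(db, 1))
    print(attempt(update_price_fixed, db, "cookieMerchant7", 2, 1.0), get_price(db, 2))
    print(attempt(update_price_fixed, db, "cookieMerchant7", 1, 80.0), get_price(db, 1))
```

The ownership condition in the SQL is the part that closes the horizontal hole even if the role check were bypassed: a merchant who guesses another merchant's product id changes zero rows, and the handler must treat that zero as a refusal rather than report success.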


Origin blog.csdn.net/qq_43422918/article/details/115325093