Lab Reproduction: Horizontal and Vertical Authorization Bypass

What you learn here is for study only; it really must not be applied to real systems!!!!

What is an authorization bypass?

The concept of authorization bypass vulnerabilities

An authorization bypass vulnerability is a very common logic flaw. It arises because the server places too much trust in the data-operation request sent by the client and neglects to check whether the user is actually permitted to perform that operation, so that by modifying the relevant parameters a user gains the ability to create, delete, read or modify other accounts' data. There are currently two types: horizontal bypass and vertical bypass. Horizontal bypass means that different users at the same privilege level can access each other's data. Vertical bypass means that a low-privilege user can access functions belonging to higher-privilege users. The test idea is to have a low-privilege user invoke a high-privilege user's functions, for example an ordinary user using administrator functions.

Common authorization bypass vulnerabilities

1. Bypassing authorization by modifying GET parameters (https://www.uedbox.com/post/9900/)

2. Bypassing authorization by modifying POST parameters (https://www.uedbox.com/post/9549/)

3. Bypassing authorization by modifying cookie parameters (https://www.uedbox.com/post/12566/). The parameters can be captured in the browser, in an app, or in a desktop application (exe).

There is another type called unauthorized access. Strictly speaking this is not an authorization bypass vulnerability, but it is often encountered in daily testing: as long as you enter the correct URL you can access the page directly. For example, /admin is the default login page; after logging in you are redirected to user.php, and if you then request user.php directly you find that you already have back-end privileges. (https://www.uedbox.com/post/12151/)

Reference: Web Attack and Defense: Business Security Practical Guide (by Chen Xiaoguang, Hu Bing, Zhang Zuofeng et al.); it is recommended to download the PDF.

Authorization bypass testing process

What is an authorization bypass vulnerability?

The application's authorization checks are flawed, so that after obtaining a low-privilege user account an attacker can bypass the permission check by some means and access or operate high-privilege functions the account was never entitled to.

What are the types of authorization bypass vulnerabilities?

They are generally divided into horizontal bypass, vertical bypass and cross bypass (cross means both horizontal and vertical at once)

What is the difference between horizontal bypass and vertical bypass?

Horizontal bypass refers to bypassing authorization within the same privilege level, for example accessing the data of other users who have the same privileges

Vertical bypass means that a low-privilege user can access functions of a high-privilege user, for example an ordinary user performing administrator operations

What is the difference between authorization bypass and privilege escalation?

Authorization bypass refers to improper access control caused by a logic flaw, while privilege escalation generally refers to having insufficient permissions on the server after obtaining a shell and raising them

How to test horizontal bypass

Check whether user A's operations can affect user B: capture the request, modify the parameters, and see whether you can successfully modify or view another user's information

Where do authorization bypass vulnerabilities usually appear?

Usually on order pages, login pages, profile-editing pages, etc.

Which parameters are usually involved in a bypass test?

Identity-identifying parameters such as id, user and uid

What does a bypass look like?

Modifying the id when editing profile data

Enumerating the order id on an order page

Modifying the id or user when changing the password, so that someone else's password is changed

Where are bypass parameters usually found?

They may be in GET, POST or cookie parameters

Is bypass testing limited to web pages?

No; it applies to apps, web pages and desktop applications

Is there a time limit after a bypass?

Generally no

How to judge which parameters can be used for a bypass?

Identity-class parameters such as id and user may be usable for a bypass

Will bypass parameters be encrypted?

Yes, some parameters in the cookie may be passed in encrypted form

What is unauthorized access?

Addresses that should require a security configuration or authentication are flawed, and can be accessed directly by entering the correct address

What is the difference between unauthorized access and authorization bypass?

Unauthorized access can be reached directly (no privilege is required at all), whereas an authorization bypass needs parameters to be modified before it executes (it requires a low-privilege account)

Where does unauthorized access usually occur?

Usually in the back-end (admin) pages of a site; some pages added later in development may also be reachable without authorization

How to find unauthorized access vulnerabilities

Scan the paths and directly access sensitive directories; you may be able to reach the back end directly
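The defensive counterpart of the unauthorized-access case described above (the /admin login page is public, but user.php must only be reachable with a valid session) is a deny-by-default route guard. The code below is an added example, not code from the original post or from the lab application; the route names, the in-memory session store and the assumption of IIS-style case-insensitive paths are all constructed for the example.

```python
# Added example, not from the original post: a deny-by-default route guard that
# closes the "user.php reachable without logging in" hole. Route names, the
# session store and the case-insensitivity assumption are constructed.
import posixpath

PUBLIC_ROUTES = {"/", "/admin", "/login", "/register"}      # constructed allowlist
SESSIONS = {"tok-aa": {"uid": 106, "role": "user"},          # constructed server-side store
            "tok-root": {"uid": 1, "role": "admin"}}


def normalize(path):
    """Collapse ./.. segments and case so aliases of a protected path cannot slip past."""
    path = path.split("?", 1)[0].split("#", 1)[0]
    if not path.startswith("/"):
        path = "/" + path
    # Assumption: IIS-style case-insensitive paths, hence lower()
    return posixpath.normpath(path).lower()


def authorize(path, session_token):
    """Return 'allow', 'redirect-login' or 'forbidden' for a request."""
    p = normalize(path)
    if p in PUBLIC_ROUTES:
        return "allow"
    session = SESSIONS.get(session_token)
    if session is None:
        return "redirect-login"   # anything not on the allowlist requires a login
    if p.startswith("/admin/") and session["role"] != "admin":
        return "forbidden"        # role comes from the server-side session, not a cookie flag
    return "allow"


if __name__ == "__main__":
    for req in [("/user.php", None), ("/user.php", "tok-aa"),
                ("/login/../Admin/users.php", "tok-aa"), ("/admin/users.php", "tok-root")]:
        print(req, "->", authorize(*req))
```

The guard is evaluated before any page handler runs, so a page that was added later and forgot its own login check is still covered; the allowlist is the only place where a route can be opened up.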

What type of vulnerability is authorization bypass, and how severe is it?

Authorization bypass is a logic vulnerability. Generally, horizontal bypass can be rated as medium risk, and vertical or cross bypass as high risk.

What if all the passed parameters are encrypted?

Then you have to find a way to work out the encryption scheme. If you cannot determine how the parameters are encrypted, bypass testing is basically impossible here.

Are authorization bypass vulnerabilities common?

Very common. They are logic vulnerabilities, which vulnerability scanners cannot detect, so they are basically the first test target in a well-hardened environment

What is a logic vulnerability?

A logic vulnerability is caused by a problem in the business logic. On its own it may not be a vulnerability at all, but it is one for the business. For example, when an ordinary user modifies the administrator's password, what actually executes is a perfectly valid SQL statement, which is not a vulnerability in itself; the problem is at the business level. It is a logic-level problem, not a technical-level one. Logic vulnerabilities are the most common and the easiest to find in penetration testing projects (for many well-secured companies this is the only kind of hole you can find, because SQL injection, XSS, CSRF and the like cannot be found at all).

Recommended book (it is worth downloading the PDF): Web Attack and Defense: Business Security Practical Guide

What is the difference between authorization bypass and privilege escalation?

Authorization bypass refers to improper access control caused by logic flaws.

Privilege escalation generally refers to having insufficient permissions on the server after obtaining a shell.

How to test for authorization bypass vulnerabilities

In a penetration test you can capture the packets of certain requests, or inspect the request URL, modify the values of key parameters and check the returned result to make a preliminary judgment. Then you can register two alt accounts that work against each other to determine whether a bypass exists.

Functions that commonly have bypass vulnerabilities include: viewing orders by order number, viewing account information by user ID, modifying/recovering passwords, etc.
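The concept section and the testing procedure above both come down to one server-side question: is the record being operated on chosen by the session, or by a parameter the client sent? The following is an added example, not code from the original post or the lab: a tiny in-memory application with the flawed password-change handler next to a corrected one, and the "two alt accounts" check the text describes, run against both. Account names aa and bb, the ids 106 and 107, the passwords and the session tokens are all constructed for the example.

```python
# Added example, not from the original post: a tiny in-memory application that
# models the lab's flaw (the record to update is chosen by a client-supplied
# UserID) next to the corrected version, plus the "two alt accounts" check the
# text describes. Accounts aa/bb, ids 106/107 and passwords are constructed.
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    uid: int
    username: str
    realname: str
    password: str
    admin: bool = False


class VulnerableApp:
    """Identity is read from the session, but the target record comes from the request."""

    def __init__(self, accounts):
        self.accounts = {a.uid: a for a in accounts}
        self.sessions = {}  # session token -> uid, kept server-side

    def login(self, username, password):
        for a in self.accounts.values():
            if a.username == username and a.password == password:
                token = secrets.token_hex(8)
                self.sessions[token] = a.uid
                return token
        return None

    def update_password(self, token, user_id, new_password):
        if token not in self.sessions:
            return "not logged in"
        # BUG: user_id is trusted as-is, so any logged-in user can change any record
        self.accounts[user_id].password = new_password
        return "ok"


class FixedApp(VulnerableApp):
    def update_password(self, token, user_id, new_password):
        if token not in self.sessions:
            return "not logged in"
        if user_id not in self.accounts:
            return "not found"
        actor = self.accounts[self.sessions[token]]
        # Ownership check: only the record owner (or an admin) may change it
        if user_id != actor.uid and not actor.admin:
            return "forbidden"
        self.accounts[user_id].password = new_password
        return "ok"


def horizontal_bypass_test(app_class):
    """Two-account check: log in as aa, try to set bb's password, then see whether
    bb can log in with that password. True means the bypass exists."""
    app = app_class([
        Account(106, "aa", "aa", "aa-pass"),
        Account(107, "bb", "bb", "bb-pass"),
    ])
    token_aa = app.login("aa", "aa-pass")
    app.update_password(token_aa, 107, "set-by-aa")
    return app.login("bb", "set-by-aa") is not None


if __name__ == "__main__":
    print("vulnerable app bypassed:", horizontal_bypass_test(VulnerableApp))  # True
    print("fixed app bypassed:", horizontal_bypass_test(FixedApp))            # False
```

The check is deliberately phrased as an end-to-end observation (can bb log in with the password aa set?) rather than as an inspection of the response, because the walkthrough later in the post shows the lab reporting "modification successful" even when nothing had actually changed.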

After entering the lab and opening the web page

There are registration and login boxes and no captcha, so brute-forcing should be possible~

Clicking through to the registration page, the registration form has so many input fields that I couldn't help trying XSS

<script>alert(1)</script>

The injection succeeded, so a high-risk vulnerability on the lab web page is already in hand

But that has nothing to do with today's topic, authorization bypass

So back to the topic: reproducing the authorization bypass

Horizontal bypass

Create an aa account, then log out while capturing packets, and notice that there is also a weak-password brute-force vulnerability

View the cookie information of aa

realname=aa dlcs=6 username=aa bumen=aa loginname=aa danwei=aa shenfen=2 UserID=1

The ordinary bb account, likewise:

realname=bb  dlcs=4 username=bb loginname=bb

UserID=107

Suppose I have the bb account and know that an aa account exists, and I do not consider brute-forcing the password and taking it over that way.

The idea is to override bb's cookie with aa's, then try to modify aa's password and tamper with aa's data.

First log in to the bb account and capture the packets

The page displays realname and username, and the UserID field controls which user you are

In the bb interface, choose to modify the profile data while capturing the packet

Change realname and username to aa, and UserID to 106

I find that I have entered the aa account

And the profile information is all aa's, so first enter a new password, then click the modify button

Capturing the packet shows that although username=aa, the cookie still belongs to bb.

If you do not change the cookie at this point and simply forward the packet, it reports that the modification succeeded, but the cookie in the next packet is still bb's; forward that one and you are back at bb's profile-editing page. Log out of bb and try logging in to aa with the new password

You will find that the password has not changed at all. So go back to the step where the packet is captured after changing aa's password, and modify the cookie to

realname=aa,username=aa,userID=106

This time the returned page is still aa

Log out and log in again with the modified aa password, and this time it succeeds

But thinking about it again, this is far too troublesome: you need to know the other party's realname, username and UserID

Rather than going through all that, it would be easier to brute-force the password once you know the account name

In that case this bypass would be meaningless!!!

There should be another way. Suppose I only have the aa account: after logging in as aa, capture the packet and change only the UserID to 107, leaving everything else unchanged

After forwarding the packet, although the account is still aa, it is bb's information that is being modified

Then I change bb's password and security answer (you can set them to anything). Then click Modify and capture the packet

The cookie information is still aa's; keep changing userID to 107 (bb) and forward the packet

From then on, as long as the cookie is aa's, change userID to 107 until you log out

Log in to bb again with the new password and find that the login succeeds!!

So this is horizontal bypass

When you have only one account on a platform, you can capture the packet and change the ID while logged in to your own account; the user is still yourself, yet you can see other users' information and tamper with the data belonging to that ID. This is horizontal bypass!!

Vertical bypass

In the captured packets, whether for aa or bb, admin equals 0 and shenfen is 2. Try changing the numbers. After several attempts, only when both are changed, to admin=1 and shenfen=1, do you get into admin mode.

Of course, every time you capture a packet you have to change the cookie

BWSsoft%5F2010=realname=bb&phone=bb&CookieDate=&admin=1&wxlb=&danwei=bb&shenfen=1&UserID=107&bumen=bb&loginname=bb&dlcs=8&username=bb&wxqy=

Once in the back end you can see whatever you want to see.
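The cookie above carries both the identity (UserID) and the role (admin, shenfen) as plain fields the client can edit, which is what makes the horizontal and the vertical bypass possible with nothing but a proxy. The code below is an added example, not code from the original post or the lab: it parses that cookie format, shows the role decision that the lab appears to make, and contrasts it with a cookie whose fields are covered by an HMAC tag and a role that is looked up server-side. It also illustrates the earlier note on "encrypted" parameters: what actually stops tampering is integrity protection, and even then the role should not live in the cookie at all. The server key, the role table and the cookie strings are constructed for the example.

```python
# Added example, not from the original post: the lab keeps identity and role in a
# client-editable cookie (admin=..., shenfen=..., UserID=...). This parses that
# cookie format, shows why deciding the role from it is a vertical bypass, and
# contrasts it with an HMAC-signed cookie plus a server-side role lookup.
# The key, the role table and the cookie strings below are constructed.
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

SERVER_KEY = b"example-only-key-replace-in-production"   # constructed
USER_ROLES = {1: "admin", 106: "user", 107: "user"}        # constructed server-side table


def parse_legacy_cookie(value):
    """Turn the lab's 'k=v&k=v&...' cookie value into a dict (first value per key)."""
    return {k: v[0] for k, v in parse_qs(value, keep_blank_values=True).items()}


def is_admin_legacy(cookie_value):
    # BUG: the role is decided by fields the client can edit in the cookie
    c = parse_legacy_cookie(cookie_value)
    return c.get("admin") == "1" and c.get("shenfen") == "1"


def sign_cookie(fields):
    """Serialise the fields and append an HMAC-SHA256 tag over the serialised payload."""
    payload = urlencode(fields)
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_cookie(cookie_value):
    """Return the fields if the tag matches, otherwise None."""
    payload, sep, tag = cookie_value.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return parse_legacy_cookie(payload)


def is_admin_fixed(cookie_value):
    c = verify_cookie(cookie_value)
    if c is None or not c.get("UserID", "").isdigit():
        return False
    # Role comes from the server-side table keyed by the authenticated UserID;
    # any admin/shenfen field present in the cookie is ignored
    return USER_ROLES.get(int(c["UserID"])) == "admin"


def edit_without_resigning(cookie_value, **changes):
    """Model the proxy edit from the walkthrough: change fields, keep the old tag."""
    payload, sep, tag = cookie_value.rpartition("|")
    fields = parse_legacy_cookie(payload)
    fields.update({k: str(v) for k, v in changes.items()})
    return urlencode(fields) + sep + tag


if __name__ == "__main__":
    legacy = "realname=bb&admin=0&shenfen=2&UserID=107"
    print("legacy admin?", is_admin_legacy(legacy))                                   # False
    print("legacy after edit?", is_admin_legacy("realname=bb&admin=1&shenfen=1&UserID=107"))  # True
    signed = sign_cookie({"realname": "bb", "UserID": "107"})
    print("signed admin?", is_admin_fixed(signed))                                   # False
    print("edited signed accepted?", verify_cookie(edit_without_resigning(signed, UserID=1)))  # None
```

A signed cookie only proves the fields were issued by the server; it does not revoke anything, so a server-side session record (as in the earlier example) remains the better place for identity when logout or forced expiry matters.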

Again, this is a lab; only the technique is discussed, and it must not be applied to real life

If you get yourself locked up, I am not responsible

This is a lab reproduction

Source: blog.csdn.net/weixin_46601374/article/details/123241345