Vulnerability mining diary 1: a login bypass vulnerability in a system belonging to an enterprise SRC

(1) Vulnerability description 

This is a logic vulnerability: a flaw in the business logic that the developer implemented during development. Logic vulnerabilities arise because some developers think first about how to make a feature work; for newer developers in particular, implementing a given piece of business logic is already hard enough, and security is not considered at all.

This login bypass occurs during the authentication process. Its cause is that the developer uses a status code as the indicator of whether login succeeded. After the user enters an account and password and clicks submit, the data is sent to the back-end server; the server queries the database, uses different status codes to represent the different results, and returns the status code to the front end. Once the front end receives it, it decides on the basis of that status code alone whether the user is logged in.

If an attacker intercepts the response during this process and changes its status code to the one that means a successful login, then no matter what account and password were entered, authentication is defeated: intercepting the response packet and rewriting its status code to the login-success value is enough.

(2) Vulnerability process description:

1. Open the website https://xxx.com in the URL bar and first try logging in with the account admin, password 123456. The site reports that the user does not exist, so account brute-forcing could be tested here.

2. Press F12 to open the debugger and inspect the JS code; the page receives a status code from the server and uses it to judge whether login passed.

Among them, 200 means login succeeded, 201 means the user does not exist, and 202 means the password is incorrect.

3. Next, try the login bypass: log in again with admin / 123456, use Burp (bp) to intercept the request, then right-click, choose Intercept, select "Response to this request", and click Forward.

4. Modify the response packet. The code field should be the status code, so change it to 200. The is_admin field presumably indicates whether the user has administrator privileges, so simply change it to 1. The nick_name field should be the user name: because the earlier login as admin showed that the user did not exist, the nick_name field had no value, so it is most likely the user name. To be on the safe side, set nick_name to admin, as shown in the figure. After the modification is complete, click Forward.

5. After clicking Forward, turn off Burp's interception and return to the browser; it has successfully entered the back-end admin area. It turns out there is nothing in this URL, so it should be abandoned.


Origin blog.csdn.net/weixin_49349476/article/details/132204463