Over-permission (ultra vires) vulnerabilities
If user A's privileges are lower than user B's, yet A can operate on data that only B (or a higher privilege level) should be allowed to touch, and the operation succeeds, that is an over-permission (unauthorized) operation.
For example, an ordinary user completes an operation that should only be available to a high-privilege (super administrator) account.
Over-permission vulnerabilities arise because the backend uses unreasonable permission validation rules.
They are most likely on pages that require login and perform add, delete, modify or query operations on user data. When a user operates on information within such a page,
the backend must verify the current user's permissions before giving a response, checking whether that user is actually allowed to perform the operation; if the check rule is too simple, an over-permission vulnerability is likely.
Therefore, permission management should follow these rules:
1. Grant user privileges according to the principle of least privilege;
2. Use reasonable (strict) permission validation rules;
3. Use the server-side login state as the basis for permission decisions, and never blindly trust conditions passed in from the remote client.
Horizontal over-permission (same privilege level)
Log in with the lucy account.
View the profile:
http://192.168.50.100/pikachu/vul/overpermission/op1/op1_mem.php?username=lucy&submit=%E7%82%B9%E5%87%BB%E6%9F%A5%E7%9C%8B%E4%B8%AA%E4%BA%BA%E4%BF%A1%E6%81%AF
While still logged in as lucy, change the username parameter to view someone else's information:
http://192.168.50.100/pikachu/vul/overpermission/op1/op1_mem.php?username=lili&submit=%E7%82%B9%E5%87%BB%E6%9F%A5%E7%9C%8B%E4%B8%AA%E4%BA%BA%E4%BF%A1%E6%81%AF
Looking at the backend code, it only checks whether the request is in a logged-in state; it does not verify that the logged-in user is the same user whose information is being viewed.
So the fix is to enforce consistency between the logged-in identity and the user id whose data is accessed.
Vertical over-permission (different privilege levels)
Log in as the super administrator admin / 123456, which has options to view all users and to add a user.
Create a new user yyy, capture the request and send it to Repeater.
Log in as pikachu / 000000, which only has view permission and no permission to add users.
Refresh, capture the request and obtain the cookie value of the pikachu login session.
Replace the cookie value in the first captured request with it.
Execute it again and a yyy user is added once more.
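The two checks that the horizontal and vertical walkthroughs above show to be missing, written out as an added PHP example (not Pikachu's own source). It assumes that login stores the username and role in the PHP session, and that lookupProfile() and addUser() are hypothetical data-access helpers.

```php
<?php
// Added example, not Pikachu's code: request handlers that show the
// horizontal and vertical checks the walkthrough found missing.
// Assumed: $_SESSION['username'] and $_SESSION['role'] are set at login;
// lookupProfile() and addUser() are hypothetical data-access helpers.
session_start();

function requireLogin(): void {
    if (empty($_SESSION['username'])) {
        http_response_code(401);
        exit('login required');
    }
}

// Vulnerable pattern (what the walkthrough observed in op1_mem.php):
// only the login state is checked, and the profile shown is whichever
// username the client passes, so lucy can request username=lili.
function viewProfileVulnerable(): array {
    requireLogin();
    return lookupProfile($_GET['username']);
}

// Hardened: the identity comes from the server-side session, never from
// the request, so the viewer and the viewed account are always the same.
function viewProfileHardened(): array {
    requireLogin();
    return lookupProfile($_SESSION['username']);
}

// Vertical check for the add-user action: the role is read from the
// session created at login, so a request replayed with a lower-privileged
// user's cookie is evaluated against that user's own role and refused.
function addUserHardened(string $newUser, string $newPass): void {
    requireLogin();
    if (($_SESSION['role'] ?? '') !== 'superadmin') {
        http_response_code(403);
        exit('permission denied');
    }
    addUser($newUser, $newPass);
}
```

A quick regression check for the fix is to repeat the cookie-swap step from the walkthrough and confirm the backend now answers 403 instead of creating the user.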