Two logical vulnerabilities in one login point – edusrc

Time: 2022-5-13

Recently I have spent almost all my time on basic vulnerability study and actually working on edusrc. At the beginning I went after information leakage, submitted more than a dozen reports, and finally got one accepted. I won't touch information leakage any more; it's boring.

There was also a pit in testing this school. The unified platform address I found at first turned out to be abandoned once I logged in, and at the time I thought this backend was of no use. Then, an hour or two later, while doing asset collection, I found the same login point under a different directory. It turned out the damn data was shared between them, but the login page it redirected to after the change was really a dud.

The first vulnerability: the password-change check is not rigorous

This is what is usually called a logic flaw, one that changes a user's password. The function point is the "forgot password" link on the home page.

This exploit has preconditions: you need a student number plus the bound mailbox. Because I have a friend who goes to this school, I found his student number via site:XXX.edu.cn "my friend's name" and confirmed the mailbox through his QQ. Of course, I did not contact him during this process.

The method is also very simple. Select the verification method -> confirm the account. When confirming the account, just enter the student number plus the bound email. On entering the verification step, intercept the request that sends the verification code and change the receiving email to your own.

After entering the verification code and clicking Next, the email is modified again. At this point the backend checks email + verification code, so you still need to write in your own email here.

There is no need to change anything afterwards; just enter the new password normally. After the change completed it jumped, as I said before, to the abandoned login page. Damn it. I'll remember that in future.

The second vulnerability: the front end is given too much authority. Modify the response, and this becomes an arbitrary password change: you can change the password of whoever you want.

It can be regarded as an extension of the first vulnerability. I tested again on the basis of the previous test, looking at the response for a successful login and the response for a failed one. Let's have a look.

Response for a successful login

Response for a failed login

I wanted to log in directly beyond my authority, but there is a loginId in this response that cannot be bypassed, so the content of a successful login could not be displayed normally. However, a value called isfirstlogin was found here. On the login page I had seen that the first login forces a password change. The false returned here means it is not the first login. What if it is changed to true?

{
  "isBindPhoneFlag": true,
  "loginId": "0d288066c83211eb9f2c55dbec8ac3d2",
  "Isfirstlogin": false,
  "phone": "****************",
  "success": true,
  "username": "21914101016"
}

Here I used the successful login response as a reference. The content was scrawled in, mainly the isfirstlogin value. I successfully jumped to the home page and changed the password.

Even if it ended here, the authority the front end is given by the above is too large. Why do I say the big authority to modify the password is placed on the front end? In fact it can be expanded further. Obviously there is an interface to modify the password, and this interface makes no judgment at all. So you can intercept the request when submitting the password modification.

Try changing the student number here arbitrarily, and it is modified successfully. There is no check at all on this interface, and I don't know how to describe it.
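For the defender's side of both findings above, here is an added example of a server-side reset flow that closes the two gaps: the verification code goes only to the address stored on the account (never the address in the request), the code is bound to a server-side token, and the final password-change step takes the account from that verified token and rejects a mismatched student number. It also derives the "first login" state from the server record instead of trusting the client's isfirstlogin flag. This is illustrative Python written for this post, not the platform's code; the user store, mail stub and function names are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data for the demo (not the real platform's records).
USERS = {"21914101016": {"email": "student@example.edu", "pw_hash": None, "first_login": False}}
OUTBOX = []   # stands in for the mail gateway: list of (recipient, code)
PENDING = {}  # reset_token -> {"username", "code_hash", "verified", "used"}

def _h(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()

def begin_reset(username: str, email_from_request: str) -> Optional[str]:
    """Step 1: the code is mailed ONLY to the address bound to the account.
    The flawed server mailed whatever recipient the intercepted request carried."""
    user = USERS.get(username)
    if user is None or user["email"].lower() != email_from_request.lower():
        return None  # generic failure; does not reveal whether the account exists
    code = f"{secrets.randbelow(10**6):06d}"
    token = secrets.token_urlsafe(32)
    PENDING[token] = {"username": username, "code_hash": _h(code), "verified": False, "used": False}
    OUTBOX.append((user["email"], code))  # recipient from the record, never from the request
    return token

def verify_code(token: str, code: str) -> bool:
    """Step 2: the code is checked against the server-side token state, so a
    re-submitted email address in this step has nothing to influence."""
    state = PENDING.get(token)
    if state is None or state["used"]:
        return False
    state["verified"] = hmac.compare_digest(state["code_hash"], _h(code))
    return state["verified"]

def set_password(token: str, username_from_request: str, new_password: str) -> bool:
    """Step 3: the account to change comes from the verified token; a student number
    in the request that does not match it is rejected (the flawed interface accepted any)."""
    state = PENDING.get(token)
    if state is None or not state["verified"] or state["used"]:
        return False
    if state["username"] != username_from_request:
        return False
    USERS[state["username"]]["pw_hash"] = _h(new_password)  # demo hash; production needs a password KDF
    state["used"] = True  # one-shot token
    return True

def is_first_login(username: str) -> bool:
    """Derived from the server record; the client's isfirstlogin flag is never consulted."""
    return USERS[username]["first_login"]
```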

To sum up: be careful, or rather, be fucking careful. Test everything, check the contents of the response, the controllable parameters, and any parameters in the response that feel problematic. Try them all; there will always be unexpected gains.
