Talking about web application permission problems - vulnerability warning - Black Bar Safety Net

2011-12-28T00:00:00
ID MYHACK58:62201132730
Type myhack58
Reporter Anonymous
Modified 2011-12-28T00:00:00

Description

I knew before that web permissions could have problems, but in actual testing I had rarely run into them. Today I did, so I am recording it here. Experts, please don't waste your valuable time on this.

1. Vertical privilege escalation

In general a site has many users divided into different permission levels; the most common split is ordinary users and the system administrator account. Vertical privilege escalation means an ordinary user raising their own permissions to those of the system administrator.

Using Burp Suite to intercept the submitted request, the following data was captured:

user%5Baccount%5D=reporter&user%5Bname%5D=Reporter&user%5Bpassword%5D=admin123&user%5Bpassword.confirm%5D=admin123&user%5Bmail%5D=reporter@example.com&user%5Broles%5D=REPORT+ADMINISTRATORS&user%5BallowLoginIp%5D=...&user%5BallowScanIp%5D=...&user%5BmaxTask%5D=500

This request updates the user's personal information. The account field holds the account name, the name field the display name, password the password, and the most important one is the roles field, which is the user's role. This is a normal account, so change the roles field to TEMPLATE+ADMINISTRATORS (known in advance to represent the administrator role) and submit; the server returns a success message. Now log out and log back in: the normal account has become a system administrator, achieving vertical privilege escalation. From this result one can guess the implementation:

The Modify User Information function takes the submitted data and runs an UPDATE statement such as update user set role=newrole where account=newaccount, so the user's permissions get updated along with everything else. But the permission value comes from a hidden field stored on the client, which the user can modify, and before the update the code never checks whether the submitting user is allowed to change permissions at all, so every user can change their own.

Fix: above all, do not keep the user's permissions in a hidden field; they belong in the session. Alternatively, the ordinary user's modify-information form should contain no permission field at all, and a separate Modify User Information page should be built that only system administrators are allowed to use.

2. Horizontal privilege escalation

Horizontal privilege escalation means gaining control of another account at the same permission level as your own, and with it that account's permissions.

Take the same request as above:

user%5Baccount%5D=reporter&user%5Bname%5D=Reporter&user%5Bpassword%5D=admin123&user%5Bpassword.confirm%5D=admin123&user%5Bmail%5D=reporter@example.com&user%5Broles%5D=REPORT+ADMINISTRATORS&user%5BallowLoginIp%5D=...&user%5BallowScanIp%5D=...&user%5BmaxTask%5D=500

Change the account field from reporter to test, an account with the same permission level as reporter, and you can modify the test account's basic information. It is very simple, and essentially the same as the vertical case above; only the modified field differs.

Fix: save the logged-in account name in the session, and in the update-user operation take the account name from the session and use it as the WHERE condition of the UPDATE; that way a user can only update their own account's information.
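The two cases above come from the same handler, so here is one added example (not code from the original article or from the application it describes) that decodes the captured user[...] request body, runs it through a handler that trusts the client-supplied account and roles fields, and then through the fixed handler that takes the account from the session and ignores roles entirely. The table layout, the sqlite3 in-memory database and the sample values are constructed assumptions.

```python
import sqlite3
from urllib.parse import parse_qs

# Constructed request body modelled on the write-up's capture; roles already set to the admin value.
REQUEST_BODY = ("user%5Baccount%5D=reporter&user%5Bname%5D=Reporter&user%5Bpassword%5D=admin123"
                "&user%5Broles%5D=TEMPLATE+ADMINISTRATORS&user%5BmaxTask%5D=500")

def make_db():
    """In-memory user table (assumed schema) with two ordinary accounts at the same level."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (account TEXT PRIMARY KEY, name TEXT, password TEXT, roles TEXT)")
    db.executemany("INSERT INTO user VALUES (?,?,?,?)", [
        ("reporter", "Reporter", "oldpw", "REPORT ADMINISTRATORS"),
        ("test", "Test", "oldpw", "REPORT ADMINISTRATORS"),
    ])
    return db

def parse_user_form(body):
    """Decode user[field]=value pairs; parse_qs handles the %5B/%5D escapes and '+' for space."""
    return {k[len("user["):-1]: v[0] for k, v in parse_qs(body).items() if k.startswith("user[")}

def update_user_vulnerable(db, form):
    """Vulnerable: both the target account and the roles value come straight from the client."""
    db.execute("UPDATE user SET name=?, password=?, roles=? WHERE account=?",
               (form["name"], form["password"], form["roles"], form["account"]))

def update_user_fixed(db, session, form):
    """Fixed: WHERE clause uses the session's account; roles is not an updatable column here."""
    db.execute("UPDATE user SET name=?, password=? WHERE account=?",
               (form["name"], form["password"], session["account"]))

def row_of(db, account):
    """Return (name, password, roles) for an account."""
    return db.execute("SELECT name, password, roles FROM user WHERE account=?", (account,)).fetchone()

def demo():
    """Replay the captured form against both handlers; returns the observable outcomes."""
    form = parse_user_form(REQUEST_BODY)
    vuln = make_db()
    update_user_vulnerable(vuln, form)                           # vertical: roles taken from the form
    update_user_vulnerable(vuln, dict(form, account="test"))     # horizontal: account taken from the form
    fixed = make_db()
    update_user_fixed(fixed, {"account": "reporter"}, dict(form, account="test"))
    return (row_of(vuln, "reporter")[2], row_of(vuln, "test")[1],
            row_of(fixed, "reporter")[2], row_of(fixed, "test")[1], row_of(fixed, "reporter")[1])

if __name__ == "__main__":
    print(demo())
```

With the fixed handler the same request only changes the reporter's own name and password: the roles column keeps its original value and the test account is untouched.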

3. Missing authorization checks. Another permission problem is that there is no authorization check at all: a back-end page does not check whether the visitor is logged in, so anyone who knows the URL can access it. I don't know how many people have this problem; when I started writing pages I made this mistake myself, and it is also the most dangerous one. It is also possible that the page does not check the user's role and only checks whether the user is logged in, so any logged-in user can access it; if that page is a system administrator function, an ordinary user can reach it directly by URL, which is still a very serious problem.

Summary: looking for permission problems may be very important. Many techniques are really just ways to obtain certain privileges: SQL injection is often used to get the back-end username and password, log in to the back end and find an upload point for a shell; cookie spoofing is used to bypass authentication and get into the back end; XSS is used to steal cookies in order to reach administrator functions, and so on. If the permission checks themselves are broken, many of these steps can be skipped, and for a penetration test that is a single-step shortcut. I hope that web programmers like me pay attention to permissions in web management applications.