Unauthorized access to all user information leaks

C1h2e1

Now is the Mid-Autumn Festival in China. I returned to school from school. Today is the first day of the three-day holiday. I got up late on this day because I was so stressed that between school and work.I recorded only two interesting bugs, others did not write, LET’S GO

Workflow

Recon

I used my shell script at the beginning to do Recon. Even though this script is not well written, I still like to use it.

Recon.sh

Thank you very much for sharing and gave me a lot of help.@TomNomNom @Behrouz Sadeghipour

This site has five subdomains, the port is only 80 an

d 443, I checked censys.io and so on and only got very little information. At this time I find out the Logic flaw and successfully got a account takeover (I didn’t have Submit it because there is no interesting idea)

I checked 2 subdomains

api.redacted.com
console.redacted.com

As you can see from the name, one is the api site and the other is the management site.Both sites open are 404 NOT FOUND,I used WFUZZ for directory brute forcing

started on api.redacted.com

I am very happy to see this result.After the visit, I discovered the monitoring system (JavaMelody)This is the first time I have met this, so I am looking around for ways to make further exploit.

I found this thing and leaked some endpoints.But there is no sensitive information,In addition to system information, etc.

Then I found this

Yes, it leaks sensitive information such as accesskey, which allows me to log in to the account, but it is only a -time access record.If I want more, I need to find other points again.I just wondered if this site exists or is there another console.redacted.com?

Advanced on console.redacted.com

I visited console.redacted.com/monitoring Found the same result,I also started searching around again.At first I found an endpoint to calculate the user’s transaction amount….But when I requested
After that, I was redirected to the administrator login page.So I started searching again. Then I Found this page console.redacted.com/monitoring?part=sessions…

Boom I guess the administrator’s session ID, so I wrote this seesion into my cookie.And requested the above endpoint,This is my successful acquisition of sensitive information from the user.But the new problem has once again appeared, and the endpoint record in the access record disappears.I thought for a moment and took a cup of coffee. When I came back, my mother told me that it was already 12 o’clock and let me go to bed early.

What? 12 o’clock?I re-read the error and other information was refreshed, then I found the time filter at the top.I understand that this point only records the access log of the day, so I set the time to ALL, I found more information, more seesion, more errors, more endpoints. . . .

Yep, I successfully got a critical vulnerability!!!

My twitter @C1h2e11

./Logout

C1h2e1

Written by

C1h2e1

{7*7}

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade