
Unauthorized access to all user information leaks

It is now the Mid-Autumn Festival in China and I have come back from school. Today is the first day of the three-day holiday. I got up late today because I was so stressed between school and work. I only recorded two interesting bugs and didn't write up the others. LET'S GO

[Image: Workflow]

Recon

I used my shell script at the beginning to do Recon. Even though this script is not well written, I still like to use it.

[Image: Recon.sh]

Thank you very much @TomNomNom and @Behrouz Sadeghipour for sharing; it gave me a lot of help.

This site has five subdomains, and the only open ports are 80 and 443. I checked censys.io and so on and only got very little information. At this point I found a logic flaw and successfully got an account takeover (I didn't submit it because there was no interesting idea).

I checked 2 subdomains

api.redacted.com
console.redacted.com

As you can see from the names, one is the API site and the other is the management site. Both sites return 404 NOT FOUND when opened, so I used WFUZZ for directory brute forcing.

Started on api.redacted.com


I was very happy to see this result. After visiting it, I discovered the monitoring system (JavaMelody). This was the first time I had met it, so I looked around for ways to exploit it further.

I found this thing and it leaked some endpoints, but there was no sensitive information apart from system information, etc.


Then I found this


Yes, it leaks sensitive information such as an accesskey, which allowed me to log in to the account, but it is only a -time access record. If I wanted more, I needed to find other points again. I just wondered whether this also exists on the other site, console.redacted.com?

Advanced on console.redacted.com

I visited console.redacted.com/monitoring and found the same result, so I started searching around again. At first I found an endpoint to calculate the user's transaction amount... but when I requested it, I was redirected to the administrator login page. So I started searching again, and then I found this page: console.redacted.com/monitoring?part=sessions…


Boom! I guessed the administrator's session ID, so I wrote this session into my cookie and requested the above endpoint. This is how I successfully obtained sensitive user information. But a new problem appeared: the endpoint record in the access log disappeared. I thought for a moment and went to get a cup of coffee. When I came back, my mother told me it was already 12 o'clock and to go to bed early.

What? 12 o'clock? I re-read the error page and saw that the other information had been refreshed, then I found the time filter at the top. I understood that this page only records the access log of the current day, so I set the time to ALL and found more information: more sessions, more errors, more endpoints...
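The root cause above is a JavaMelody monitoring page reachable without authentication, with `?part=sessions` listing live session IDs. As an added defender-side example (not from the original post), the script below parses constructed access-log lines in Combined Log Format and flags successful hits on the monitoring path from outside a trusted internal range; the trusted network, the sample addresses, and the set of sensitive `part` values beyond `sessions` are assumptions to adapt to your deployment.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Sep/2019:11:02:13 +0800] "GET /monitoring HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Sep/2019:11:05:41 +0800] "GET /monitoring?part=sessions HTTP/1.1" 200 8832 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Sep/2019:11:06:02 +0800] "GET /monitoring?part=heaphisto HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Sep/2019:11:07:30 +0800] "GET /api/v1/users/42/balance HTTP/1.1" 200 311 "-" "Mozilla/5.0"
198.51.100.2 - - [15/Sep/2019:11:09:00 +0800] "GET /index.html HTTP/1.1" 404 162 "-" "curl/7.64"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: only this internal range should ever reach the monitoring page.
TRUSTED_NETS = [ip_network("10.0.0.0/8")]
# JavaMelody "part" views that expose per-user or in-memory data (assumed set;
# "sessions" is the one from the post, check the others against your version).
SENSITIVE_PARTS = {"sessions", "heaphisto", "threads", "processes", "database", "jndi"}


def parse_line(line):
    """Split one log line into source IP, path, query parameters and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    return {"ip": m["ip"], "path": url.path,
            "params": parse_qs(url.query), "status": int(m["status"])}


def is_monitoring_hit(rec):
    """True for the JavaMelody page under any context root (e.g. /app/monitoring)."""
    return rec["path"].rstrip("/").endswith("/monitoring")


def find_exposures(log_text):
    """Return (ip, part, severity) for successful monitoring hits from untrusted IPs."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not is_monitoring_hit(rec) or rec["status"] != 200:
            continue
        if any(ip_address(rec["ip"]) in net for net in TRUSTED_NETS):
            continue
        part = rec["params"].get("part", ["overview"])[0]
        severity = "high" if part in SENSITIVE_PARTS else "medium"
        alerts.append((rec["ip"], part, severity))
    return alerts
```

Any "high" alert here means the page was served to an untrusted client, which is the condition that makes the session-ID leak in the post possible; the fix is to put the monitoring path behind authentication or an allow-list rather than to tune the detector.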


Yep, I successfully got a critical vulnerability!!!

My twitter @C1h2e11

./Logout

Written by {7*7}
