
Record a small pass for edu

Views: 663 / 2024-10-14 15:24:23


A random hit from a fofa query for a virtual simulation training system turned up several unauthenticated and logic vulnerabilities, plus a file upload with no filtering that leads to getshell. The same product is in use at roughly a dozen schools.

A virtual simulation system seemed like an easy place to start, since one such system is typically used by many schools.

fofa syntax: title="Virtual Simulation" && status_code=200. That collects a lot of virtual simulation systems; a specific product can then be picked out by its fingerprints, e.g. a JS filename: body="/web/editor/".


1. Verification code reuse bypasses the account-review login gate

This logic flaw is fairly outrageous; I hadn't come across it before.

The site offers account registration. After registering you can log in with the account and password (subject to review), or log in directly with a cell phone verification code. But if you have not registered and filled in the complete information, a code login only gives a guest account with no privileges.

First register an account, 10086 / test123456_.

Filling in the registration information requires a cell phone verification code (later I found by accident that no verification code is actually required at this step).

Logging in with the registered account and password is refused: the account is under review.

While the review is still pending, try logging in with the phone number's verification code instead. Clicking "get verification code" only says the number is already registered and does not send a new code.

However, the verification code can be reused: the code that was just used for registration logs in directly.

Login succeeds. Clicking the upper right corner enters the teaching space, which loads normally, so the account has full permissions rather than guest ones.
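The two server-side mistakes this chain depends on, as an added example that is not part of the original write-up and not the product's own code: the registration code is compared by digits only (no purpose binding, no expiry, never consumed), and the code-login path never consults the review status. The in-memory OtpStore, the 300-second TTL, the status names and the 10086 flow are assumptions made for the demo; the fixed variant shows what a correct check looks like.

```python
import hmac
import secrets

CODE_TTL = 300  # seconds a code stays valid in the fixed variant (assumed policy)


class OtpStore:
    """In-memory SMS-code service; `now` is injected so the demo can move the clock."""

    def __init__(self, now):
        self.now = now
        self.codes = {}     # phone -> {"code", "purpose", "issued", "used"}
        self.accounts = {}  # phone -> {"status": "pending" | "approved"}

    def send_code(self, phone, purpose):
        code = f"{secrets.randbelow(10**6):06d}"
        self.codes[phone] = {"code": code, "purpose": purpose,
                             "issued": self.now(), "used": False}
        return code  # would go out by SMS; returned so the demo can use it

    # Vulnerable check, modelled on the behaviour in the write-up: only the
    # digits are compared. No purpose binding, no expiry, never consumed.
    def verify_vulnerable(self, phone, code, purpose):
        rec = self.codes.get(phone)
        return rec is not None and rec["code"] == code

    # Hardened check: bound to purpose, time-limited, single use.
    def verify_fixed(self, phone, code, purpose):
        rec = self.codes.get(phone)
        if rec is None or rec["used"] or rec["purpose"] != purpose:
            return False
        if self.now() - rec["issued"] > CODE_TTL:
            return False
        if not hmac.compare_digest(rec["code"].encode(), str(code).encode()):
            return False
        rec["used"] = True  # burn the code before granting anything
        return True

    def register(self, phone, code, verify):
        if not verify(phone, code, "register"):
            return "bad code"
        self.accounts[phone] = {"status": "pending"}  # waits for admin review
        return "registered, pending review"

    def login_by_code_vulnerable(self, phone, code):
        if not self.verify_vulnerable(phone, code, "login"):
            return "bad code"
        return "logged in"  # review status is never consulted on this path

    def login_by_code_fixed(self, phone, code):
        if not self.verify_fixed(phone, code, "login"):
            return "bad code"
        acct = self.accounts.get(phone)
        if acct is None or acct["status"] != "approved":
            return "account under review"  # same gate as the password login
        return "logged in"


def replay():
    """Register with 10086, then try to log in with the registration code."""
    clock = [1000.0]
    phone = "10086"
    out = {}

    vuln = OtpStore(now=lambda: clock[0])
    code = vuln.send_code(phone, "register")
    vuln.register(phone, code, vuln.verify_vulnerable)
    # The site refuses to send a second code ("already registered"), so reuse the first.
    out["vuln_reuse"] = vuln.login_by_code_vulnerable(phone, code)

    fixed = OtpStore(now=lambda: clock[0])
    code = fixed.send_code(phone, "register")
    fixed.register(phone, code, fixed.verify_fixed)
    out["fixed_reuse"] = fixed.login_by_code_fixed(phone, code)     # consumed, wrong purpose
    code = fixed.send_code(phone, "login")
    out["fixed_pending"] = fixed.login_by_code_fixed(phone, code)   # fresh code, still under review
    fixed.accounts[phone]["status"] = "approved"
    code = fixed.send_code(phone, "login")
    clock[0] += CODE_TTL + 1
    out["fixed_expired"] = fixed.login_by_code_fixed(phone, code)
    code = fixed.send_code(phone, "login")
    out["fixed_ok"] = fixed.login_by_code_fixed(phone, code)
    out["fixed_replay"] = fixed.login_by_code_fixed(phone, code)    # second use of a good code
    return out


if __name__ == "__main__":
    for k, v in replay().items():
        print(f"{k:14s} {v}")
```

The order inside verify_fixed matters: the code is marked used before any other decision is taken, so a valid code cannot be presented twice even if a later check (the review status) rejects the login.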

2. Leaks and unauthorized access

The FindSomething browser extension turned up an interface, /pubapi/userinfo, whose name says it returns user information.

Requesting it returns "no user id", i.e. the user id parameter is missing. The usual names are id, uid, uuid, userId, userid, xxid.

Appending uid= returned that user's user_token, and the ids turned out to be sequential. In other words this interface can be traversed to harvest the user_token of every user on the site.

The token is used for authentication, so the rest is straightforward: find an interface and add the harvested token.

Unauthorized creation/uploading of hands-on training resources

Looking at the request in Burp, there is an authentication header, Authorization.

Decoding it as a JWT shows nothing of much value; the uid=0 inside is presumably a default.

The Authorization value turns out to be the access_token returned by the /pubapi/authorize interface.

An interface for creating hands-on training resources was found; it responds "Requires Ut". Guess: Ut is the user_token.

Add a Ut field carrying the teacher account's token just obtained through /pubapi/userinfo, and the resource is created successfully.

Sending the request again shows that the labid is sequential and can be traversed.

View a user's hands-on training resources:

/eapi/console/myresource?type=1&page=1&limit=20

Swapping in another user's token shows that user's resources and their ids.

Unauthorized deletion of hands-on training resources

Since labid is sequential, recourseid can be traversed to delete every resource on the site:

/eapi/console/delrecourse?type=1&recourseid=

Deleting a nonexistent id returns a deletion failure.
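The chain from this section (the /pubapi/userinfo token leak, the Ut-gated creation and the deletion by traversed recourseid) modelled in one place, as an added example that is not code from the original write-up or the product: an unauthenticated userinfo that hands back user_token for any sequential uid, a delrecourse that accepts any valid Ut without checking ownership, and hardened versions where identity comes only from a verified JWT (uid=0 or missing means anonymous), a requested uid must match the caller, the token is never returned, and deletion requires ownership and gives the same answer for "missing" and "not yours". The HS256 secret, the user table, the resource ids and the response codes are all constructed for the demo.

```python
import base64
import copy
import hashlib
import hmac
import json

# Constructed demo data; none of it comes from the real system.
SECRET = b"demo-hmac-secret"
USERS = {
    1: {"name": "teacher_a", "role": "teacher", "user_token": "ut-1111"},
    2: {"name": "teacher_b", "role": "teacher", "user_token": "ut-2222"},
    3: {"name": "guest_c",   "role": "guest",   "user_token": "ut-3333"},
}
RESOURCES = {101: {"owner": 1, "name": "lab-a"}, 102: {"owner": 2, "name": "lab-b"}}


def b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_unverified(token):
    """What a JWT decoder site does: read the payload, ignore the signature."""
    return json.loads(b64url_decode(token.split(".")[1]))


def make_jwt(payload):
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_jwt(token):
    """Payload if the HS256 signature checks out, else None."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    return json.loads(b64url_decode(body))


# --- vulnerable handlers, modelled on the behaviour in the write-up ----------
def userinfo_vulnerable(params, users=USERS):
    uid = params.get("uid")
    if uid is None:
        return {"code": 1, "msg": "no user id"}
    user = users.get(int(uid))
    if user is None:
        return {"code": 1, "msg": "no such user"}
    # Anyone can look up any uid, and the response hands out the user's token.
    return {"code": 0, "name": user["name"], "user_token": user["user_token"]}


def delrecourse_vulnerable(headers, params, users=USERS, resources=RESOURCES):
    if not any(u["user_token"] == headers.get("Ut") for u in users.values()):
        return {"code": 1, "msg": "Requires Ut"}
    # Ut only proves the caller is *a* user; ownership of recourseid is never checked.
    if resources.pop(int(params["recourseid"]), None) is None:
        return {"code": 1, "msg": "delete failed"}
    return {"code": 0, "msg": "deleted"}


# --- hardened handlers ----------------------------------------------------------
def caller_from_jwt(headers):
    """Identity comes from the verified token only; uid=0 / missing means anonymous."""
    payload = verify_jwt(headers.get("Authorization", "").removeprefix("Bearer "))
    if not payload:
        return None
    return payload.get("uid") or None


def userinfo_fixed(headers, params, users=USERS):
    caller = caller_from_jwt(headers)
    if caller is None:
        return {"code": 401, "msg": "login required"}
    if int(params.get("uid", caller)) != caller:
        return {"code": 403, "msg": "forbidden"}  # object-level authorization
    user = users[caller]
    return {"code": 0, "name": user["name"], "role": user["role"]}  # never the token


def delrecourse_fixed(headers, params, resources=RESOURCES):
    caller = caller_from_jwt(headers)
    if caller is None:
        return {"code": 401, "msg": "login required"}
    rid = int(params["recourseid"])
    if rid not in resources or resources[rid]["owner"] != caller:
        return {"code": 404, "msg": "not found"}  # same answer for missing and not-yours
    del resources[rid]
    return {"code": 0, "msg": "deleted"}


def demo():
    """Run the write-up's chain against both variants and collect the outcomes."""
    users, resources = copy.deepcopy(USERS), copy.deepcopy(RESOURCES)
    harvested = {uid: userinfo_vulnerable({"uid": uid}, users)["user_token"] for uid in range(1, 4)}
    cross_delete = delrecourse_vulnerable({"Ut": harvested[1]}, {"recourseid": 102}, users, resources)
    anon, as_a = make_jwt({"uid": 0}), make_jwt({"uid": 1})
    res2 = copy.deepcopy(RESOURCES)
    return {
        "harvested": harvested,
        "vuln_cross_delete": cross_delete["code"],
        "fixed_anon": userinfo_fixed({"Authorization": anon}, {"uid": 2})["code"],
        "fixed_cross_user": userinfo_fixed({"Authorization": as_a}, {"uid": 2})["code"],
        "fixed_cross_delete": delrecourse_fixed({"Authorization": as_a}, {"recourseid": 102}, res2)["code"],
        "fixed_own_delete": delrecourse_fixed({"Authorization": as_a}, {"recourseid": 101}, res2)["code"],
    }
```

Two design points carry the fix: the server never trusts a client-supplied uid or a bearer value that merely exists in a table, it derives the subject from a signature it verified; and a credential (user_token) is never part of a read response, so even a sequential-id lookup cannot become an account takeover.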

3. Bucket traversal

The interface that returned the user_token above also returned the avatar URL, which turned out to point at an object storage bucket.

Requesting the URL with the path after the domain removed lists every object key in the bucket (public listing is enabled). Appending a key to the bucket URL lets you view/download that object:

/{key}

Moving on to the backend, the course creation function has an "upload course standard" point.

Uploading a php file: there is no filtering, the upload succeeds directly and the file address is returned.

Accessing the returned address, the php is parsed and executed.
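A server-side check for an upload point like "upload course standard", as an added example that is not the product's code: last-extension allowlist, magic-byte check against that extension, null-byte rejection, client path stripping, size cap and a server-generated storage name. The allowed formats, the size limit and the /upload/ path of the vulnerable variant are assumptions for the demo; the real system's acceptable formats are not known.

```python
import os
import secrets

# Extension allowlist with the magic bytes each type must start with.
# Chosen for this demo; the real list of acceptable "course standard" formats is unknown.
ALLOWED = {
    ".pdf":  b"%PDF-",
    ".docx": b"PK\x03\x04",
    ".doc":  b"\xd0\xcf\x11\xe0",
    ".png":  b"\x89PNG\r\n\x1a\n",
}
MAX_BYTES = 20 * 1024 * 1024  # assumed cap


def save_vulnerable(filename):
    """The write-up's behaviour: keep the client's name, store under the web root."""
    return "/upload/" + filename


def validate_upload(filename, data):
    """Return (accepted, stored_name_or_reason). The stored name is server-generated."""
    if "\x00" in filename:
        return False, "null byte in filename"
    name = os.path.basename(filename.replace("\\", "/"))  # drop any client-supplied path
    ext = os.path.splitext(name)[1].lower()               # last extension decides, so x.pdf.php is .php
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} not allowed"
    if len(data) > MAX_BYTES:
        return False, "too large"
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match extension"   # x.php.pdf holding <?php fails here
    # Never reuse the client's name; the object is served from storage, not executed.
    return True, f"{secrets.token_hex(16)}{ext}"


if __name__ == "__main__":
    samples = [  # constructed inputs
        ("standard.pdf", b"%PDF-1.7\n%..."),
        ("shell.php", b"<?php system($_GET['c']); ?>"),
        ("shell.pdf.php", b"%PDF-1.7"),
        ("shell.php.pdf", b"<?php system($_GET['c']); ?>"),
        ("../../web/editor/x.png", b"\x89PNG\r\n\x1a\n\x00"),
    ]
    for fn, body in samples:
        print(fn, "->", validate_upload(fn, body))
```

The object should also be written somewhere the web server will not execute (the storage bucket from the next section is fine for that, once its public listing is turned off) and served with a fixed Content-Type. The magic-byte check does not stop a valid PDF with PHP appended to it; only the execution context does, which is why the storage location matters more than the filter.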

I found three upload interfaces in the backend in total; some filter and some don't.

No illegal penetration testing was performed.