Digging up a certificate station in web assets is hard, especially when there is no account password to get into the backend or the unified authentication system, so I changed my approach to focus on information gathering and collecting remote (off-domain) assets.
I. XX University Spring Actuator unauthorized access
While scanning a large C-class range, I found the following asset.
It belongs to a university subject group; some of you may have seen it and given up, but it is not a static site. The fingerprint is as follows, so give it a try.
Scanning the directory turned up /xx-api; fuzzing under /xx-api then turned up /xx-api/actuator.
The heapdump could not be downloaded here; I tried a lot of methods and none worked. Submitted as is, this would at best be a low-risk finding worth 1 rank, or not even enough harm to count, so I focused on the env endpoint instead.
In env I found the xxl-job-admin interface, which is not under the original domain, so it would have been hard to find directly.
It was accessible directly with the default password.
Following up with command execution through a historical vulnerability turned this into a confirmed high-risk finding.
II. XX University: a different kind of password spraying
Admin weak passwords and logic flaws got me nowhere, but seeing that you can log in via email, the following idea came up.
Use the Forgot Password function to have the site send us an email; the account the other party sends the email from is most likely an administrator or teacher account.
Here is the mailbox obtained.
Password spraying with this email address as the username gave a successful login.
Below, a large amount of sensitive student information can be viewed.
At this point we already have one medium-risk vulnerability, but redeeming a certificate requires at least two medium-risk findings, so we have to keep looking.
Where the student information is viewed you can see a GET request; requests like this have a high chance of unauthorized access / vertical privilege escalation.
Log out of the account and access this URL directly: the sensitive student information is still viewable, a direct vertical privilege escalation. Medium risk +1, certificate obtained.
III. Horizontal privilege escalation at XX University
Find the system's registration function, go to the enterprise information, click to modify the information and capture the packet.
There is an id value; changing the id to someone else's value also returns 200.
Find the registration page and verify it; several more places returned the same information, which confirmed the scope of the bypass. You can also register two accounts to verify it.
This site has userid and companyid parameters in many places; on other interfaces, changing the id in the request makes the response say the operation is unauthorized, so my guess is that a privilege-bypass vulnerability there had already been patched. I kept looking for more bypass points. Medium-risk certificate +1.
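As an added defender-side example that is not part of the original writeup, the following Python script scans constructed access-log lines for the two patterns described in sections I and III: successful hits on Spring Boot Actuator endpoints such as /actuator/env and /actuator/heapdump, and one source walking many userid/companyid values against the same endpoint. The log format, the sample lines, the parameter names and the enumeration threshold are all assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit
# Constructed sample lines in combined-log format (assumed; not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /xx-api/actuator HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /xx-api/actuator/env HTTP/1.1" 200 4096 "-" "curl/8.0"
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /xx-api/actuator/heapdump HTTP/1.1" 403 0 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:05:00 +0000] "GET /company/info?companyid=1001 HTTP/1.1" 200 800 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:05:01 +0000] "GET /company/info?companyid=1002 HTTP/1.1" 200 800 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:05:02 +0000] "GET /company/info?companyid=1003 HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
SENSITIVE_ACTUATOR = {"env", "heapdump"}  # sub-endpoints that hand out secrets or process memory
ID_PARAMS = {"id", "userid", "companyid"}  # id-style parameters seen on the page (assumed names)
ENUM_THRESHOLD = 3  # distinct values of one id parameter from one source to one path (assumed tuning)

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    return {"ip": m["ip"], "path": parts.path, "status": int(m["status"]),
            "query": {k.lower(): v for k, v in parse_qs(parts.query).items()}}

def detect(log_text):
    """Return (rule, source_ip, detail) findings in the order they are raised."""
    findings = []
    seen_ids = defaultdict(set)  # (ip, path, param) -> distinct id values requested
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        # Rule 1: a successful response from the Actuator surface, ranked by sub-endpoint.
        if rec["status"] == 200 and "/actuator" in rec["path"]:
            sub = rec["path"].split("/actuator", 1)[1].strip("/")
            sev = "high" if sub in SENSITIVE_ACTUATOR else "medium"
            findings.append(("actuator_exposed", rec["ip"], f"{rec['path']} ({sev})"))
        # Rule 2: remember every id-style value each source sends to each path.
        for name in ID_PARAMS.intersection(rec["query"]):
            seen_ids[(rec["ip"], rec["path"], name)].update(rec["query"][name])
    for (ip, path, name), values in seen_ids.items():
        if len(values) >= ENUM_THRESHOLD:  # one client walking ids: possible IDOR probing
            findings.append(("id_enumeration", ip, f"{path}?{name}= {len(values)} distinct values"))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(*finding)
```

A 403 on heapdump is deliberately not reported, so the script only flags management endpoints that actually answered; in production the threshold and the id parameter list would be tuned to the application.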
IV. Arbitrary user password reset at XX University, nb
On certificate stations it sometimes just comes down to who is faster; the following is shown directly.
Front-end Forgot Password function
Reset by directly entering the username and the new password
The modification succeeded directly.
High-risk certificate +1. It really was a matter of speed: using my own search syntax to locate remote assets, from the release of this new certificate to the submission of this vulnerability took less than 5 minutes.