
Log in as any user by discovering hidden parameters


0x01 Introduction

I have been unwell recently and have not had time to reply to the many friend requests from experts on WeChat or to messages on my public account. I hope you will forgive me.

I have always believed that the essence of vulnerability mining is information collection: subdomains, hidden interfaces, hidden parameters, and so on. Below I share one experience of discovering a hidden parameter that allowed arbitrary user login.

0x02 Vulnerability Background

A crowd-testing project authorized penetration testing of a target's subdomains; we will call the target target.com.

0x03 Vulnerability Discovery Process

Use bbot to collect the target's subdomains. On subdomain collection I recommend a good article, https://blog.blacklanternsecurity.com/p/subdomain-enumeration-tool-face-off, which compares the industry's leading subdomain enumeration tools.

We found a live domain name of the form big-data.target.com. For a name like this I usually use fuzzdomain to brute-force similar domain names; the settings are as follows.

This brute-forcing turned up another domain name, manage-data.target.com, which had port 443 open, and the page it served was a login form.

Since the page had no anti-brute-force mechanism, we tried brute-forcing the login but could not obtain a valid account and password. However, because the form allows username enumeration, we did confirm that an account named cadmin exists.

Observe the login request body, which looks like this: {"username":"cadmin","password":"123456"}

At this point, change 123456 to true and brute-force the parameter name in place of password. The dictionary is an English word list we collected ourselves.

This turned up a parameter named soap: sending it with the value true produced a response containing the account's username and password.

Why did I think of this? Before this I had found many arbitrary user login bugs and compared their parameters. Most of them include a username; the other parameter names vary from target to target, but their values are mostly true, 1, or 0.
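To make the two weaknesses in this write-up concrete from the defender's side, here is an added example that is not part of the original post and not the vendor's code. It shows a login handler with the pattern described above (an undocumented boolean parameter that skips the password check, plus an error message that reveals whether a username exists) next to a hardened handler that rejects any key outside the documented schema and returns one generic error, and a small detector that scans login request logs for a source sending many distinct undocumented parameter names. The parameter name soap, the users, the hashing setup and the log lines are all constructed for this example.

```python
import hashlib
import hmac
import json
from collections import defaultdict

# Constructed user store: username -> PBKDF2 hash. The iteration count is kept
# low for a quick demo; use a proper password-hashing configuration in production.
SALT = b"constructed-static-salt"  # constructed; use a random per-user salt in practice


def _hash(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 20_000)


USERS = {"cadmin": _hash("correct horse battery staple")}
DUMMY_HASH = _hash("")            # compared against when the user does not exist
ALLOWED_KEYS = {"username", "password"}
GENERIC_ERROR = {"ok": False, "error": "invalid credentials"}


def vulnerable_login(body: str) -> dict:
    """The pattern the write-up describes: an undocumented 'soap' flag (assumed
    for this example) skips the password check, and the error text reveals
    whether the username exists."""
    req = json.loads(body)
    user = req.get("username")
    if user not in USERS:
        return {"ok": False, "error": "user does not exist"}
    if req.get("soap") is True:   # leftover debug flag, constructed for the example
        return {"ok": True, "user": user, "password": "<plaintext leaked here>"}
    if hmac.compare_digest(_hash(str(req.get("password", ""))), USERS[user]):
        return {"ok": True, "user": user}
    return {"ok": False, "error": "wrong password"}


def hardened_login(body: str) -> dict:
    """Accept exactly the documented keys with string values, verify the
    password on every request, and return a single generic error."""
    try:
        req = json.loads(body)
    except json.JSONDecodeError:
        return dict(GENERIC_ERROR)
    if not isinstance(req, dict) or set(req) != ALLOWED_KEYS:
        return dict(GENERIC_ERROR)    # unknown or missing keys are rejected outright
    user, pw = req["username"], req["password"]
    if not isinstance(user, str) or not isinstance(pw, str):
        return dict(GENERIC_ERROR)
    # Hash even for unknown users so response time does not distinguish them.
    matched = hmac.compare_digest(_hash(pw), USERS.get(user, DUMMY_HASH))
    if matched and user in USERS:
        return {"ok": True, "user": user}
    return dict(GENERIC_ERROR)


# Constructed log lines (one JSON record per line): source address and the body
# keys the login endpoint received. 198.51.100.7 cycles through word-list names.
SAMPLE_LOG = """\
{"src": "203.0.113.9", "path": "/api/login", "keys": ["username", "password"]}
{"src": "198.51.100.7", "path": "/api/login", "keys": ["username", "abandon"]}
{"src": "198.51.100.7", "path": "/api/login", "keys": ["username", "ability"]}
{"src": "198.51.100.7", "path": "/api/login", "keys": ["username", "able"]}
{"src": "203.0.113.9", "path": "/api/login", "keys": ["username", "password", "remember"]}
{"src": "198.51.100.7", "path": "/api/login", "keys": ["username", "about"]}
{"src": "198.51.100.7", "path": "/api/login", "keys": ["username", "soap"]}
{"src": "198.51.100.7", "path": "/api/health", "keys": []}
"""


def detect_param_fuzzing(log_text: str, threshold: int = 4) -> dict:
    """Return {source: sorted unknown keys} for sources that sent at least
    `threshold` distinct undocumented body keys to the login endpoint. A real
    client sends the same fixed key set every time; a parameter-name dictionary
    does not, so the count of distinct unknown keys per source is the signal."""
    unknown = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec["path"] != "/api/login":
            continue
        unknown[rec["src"]].update(set(rec["keys"]) - ALLOWED_KEYS)
    return {src: sorted(keys) for src, keys in unknown.items() if len(keys) >= threshold}


if __name__ == "__main__":
    print(vulnerable_login('{"username": "cadmin", "soap": true}'))
    print(hardened_login('{"username": "cadmin", "soap": true}'))
    print(detect_param_fuzzing(SAMPLE_LOG))
```

The hardened handler treats the request schema as a whitelist: any extra key, whatever its value, is rejected before authentication logic runs, so a forgotten debug flag in the handler can never be reached through the public endpoint. The detector works on whatever your gateway already logs; only the set of body keys per request is needed, never the values.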

0x04 Manufacturer Feedback

The report received the highest severity rating and a bug bounty of 4,000 yuan.

If you are a long-termist, you are welcome to join my Knowledge Planet and let's move forward together. It is updated daily and carefully run. You can join by scanning the QR code on WeChat and paying; if you are not satisfied, you can get an unconditional refund in the app within 72 hours.
A classmate asked me whether I have any coupons. Here are 100 coupons worth 100 yuan each; once they are used up, no more coupons will be issued this year.
