How I Got 3 Bugs No Automation, Just Logic
Summary: the article describes three security flaws: an information disclosure, an open redirect, and a redirect through image upload. Team-member information was obtained by changing the request method, the open redirect by modifying a URL parameter, and the image-upload redirect by uploading a malicious SVG.
2026-3-13 17:50:40 Author: infosecwriteups.com (view original) Reads: 3

NOTE: This write-up is about hunting and focuses on 2 bugs: information disclosure and open redirect. Get your coffee and let's go. If you liked the write-up, don't forget the 50 claps, and thank you.

First Bug (Information Disclosure): Target Overview #1

My target is a program for documents. You can write anything in the documents, and you can invite many people with different roles:

Viewer = Can only see documents and chat

Editor = Can change anything in documents only


Manager = Can change anything in documents and any member with a lower role

START

My technique for the exploit:

I made the document viewer available to everyone (public link). When I visit the link as a user outside the team, I, as the attacker, cannot see any information here.

But when I open the team chat, I can see all messages from all users in the team. I write a message, send it, and intercept the request to understand how it works.


I changed the request method from POST to GET. The server gave me information about the users in the team in the response, even though I don't have permission to see all team members.


Email of victim

Here, the server gave me all the emails and names of the users in the team after I changed the request from POST to GET.

Second Bug (URL Bypass = Open Redirect): Target Overview #2

This target is for writing your daily tasks, with roles and the ability to invite people with different roles. After recon, I found the MCP server endpoint.


I saw the URL:

APP_ICON=HTTPS://BLABLABLA.COM

I changed the URL to evil.com, like:
APP_ICON=HTTPS://EVIL.COM

But it didn't work, so I tried to bypass the check:
HTTPS://[email protected] => did not work
HTTPS://BLABLABLA.COM?Evil.com => did not work
HTTPS://BLABLABLA.COM/Evil.com => did not work
//evil.com => working

The last payload worked. Now anyone who clicks on MCP CU PROXY gets redirected to Evil.com.

Now, if you look at my mouse hovering over the MCP Proxy, check the bottom left: the redirect link points to evil.com.
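Why only the protocol-relative payload worked: the observed results fit a check that only validates the host when the value has a scheme and waves through anything "schemeless" as a relative path. The model below is an added example, not the target's code; the naive validator is an assumption that reproduces the four outcomes above, the hardened one decides on the parsed authority instead, and BLABLABLA.COM is a placeholder host taken from the write-up.

```python
"""Model of an APP_ICON-style redirect check and why "//evil.com" slipped through."""
from urllib.parse import urlsplit

# Placeholder allowlist standing in for the write-up's BLABLABLA.COM (assumption).
ALLOWED_HOSTS = {"blablabla.com"}

# Payloads from the write-up plus a few constructed variants.
PAYLOADS = [
    "HTTPS://BLABLABLA.COM",
    "HTTPS://EVIL.COM",
    "HTTPS://BLABLABLA.COM?Evil.com",
    "HTTPS://BLABLABLA.COM/Evil.com",
    "//evil.com",
    "/\\evil.com",      # constructed: browsers treat "/\" like "//"
    "https:evil.com",   # constructed: scheme but no authority
]


def naive_is_safe(url: str) -> bool:
    """Hypothetical check consistent with the observed behaviour:
    absolute URLs must point at an allowlisted host; anything without a
    scheme is assumed to be a relative path and is allowed as-is."""
    parts = urlsplit(url)
    if parts.scheme:
        return parts.hostname in ALLOWED_HOSTS
    return True  # "//evil.com" has no scheme, so it passes straight through


def hardened_is_safe(url: str) -> bool:
    """Decide on the parsed authority, not on whether a scheme is present."""
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative: require https, an allowlisted host
        # and no userinfo (rejects https://blablabla.com@evil.com tricks).
        return (parts.scheme == "https"
                and parts.hostname in ALLOWED_HOSTS
                and parts.username is None)
    # Relative: exactly one leading slash and no backslashes.
    return url.startswith("/") and not url.startswith("//") and "\\" not in url


def audit(payloads=PAYLOADS):
    """Return {payload: (naive_verdict, hardened_verdict)} for each payload."""
    return {p: (naive_is_safe(p), hardened_is_safe(p)) for p in payloads}


if __name__ == "__main__":
    for p, (naive, hard) in audit().items():
        print(f"{p:35} naive={naive!s:5} hardened={hard}")
```

The only payload where the two validators disagree on a redirect to an outside host is `//evil.com` (and its backslash variant), which is exactly the bypass the write-up found.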


The Third Bug (Upload Image = Open Redirect): Target Overview #3

This target is for writing your daily tasks, with roles and the ability to invite people with different roles.

When I tried the target as an attacker, I saw the team chat and noticed that anyone can upload images. I attempted XSS, but it didn't work, so I tried an open redirect instead, through image upload.

I tried this SVG:
<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
<script>
window.location.replace("https://evil.com");
</script>
<circle cx="50" cy="50" r="40" fill="red" />
<text x="50" y="55" text-anchor="middle" fill="white">Click</text>
</svg>

Now, when anyone opens the chat and sees the image, if the victim clicks on it, they get redirected to evil.com.


The Results:

And I want to say that a bug doesn't have to appear immediately: if it doesn't work in one place, the same scenario might lead to another bug elsewhere.


If you want to reach me, all my contact info is here: click_Here

If you want to read more blogs, check the link: 0xMado-Gitbook

……………Thank You For Reading and I hope This Was helpful………………


Source: https://infosecwriteups.com/how-i-got-3-bugs-no-automation-just-logic-65f372c664cd?source=rss----7b722bfd1b8d--bug_bounty