qeeqbox/authentication-bypass

GitHub: qeeqbox/authentication-bypass

A lightweight web lab application for demonstrating and practising authentication-bypass vulnerabilities; it models a real-world access-control flaw with a hidden debug form field that the server trusts.

Stars: 8 | Forks: 3

A threat actor is able to bypass the access control and gain access to the target.

Clone this repository recursively:

```
git clone --recurse-submodules https://github.com/qeeqbox/authentication-bypass
```

Run the webapp with Python:

```
python3 authentication-bypass/vulnerable-web-app/webapp.py
```

Open the webapp in a browser at 127.0.0.1:5142

Right-click on the page and open Developer Tools, then find the hidden input named debug in the login POST form.

Change the value of debug from 0 to 1, then click log in (any password will do).

You are logged in as admin.

## Code

When a user logs in with a username and password via a POST request to the login route, the handler checks a hidden form field named debug; if the password is wrong but debug is 1, the request is treated as a successful login anyway and the session cookie is issued. Because the field is client-controlled, it is not a debug switch but a password-less login for any existing user (the fragment below is the handler's POST branch as published in the repository, reindented and commented):

```
# POST /login: username and password are required form fields
if parsed_url.path == "/login" and "username" in post_request_data and "password" in post_request_data:
    ret = self.check_creds(post_request_data['username'][0], post_request_data['password'][0])
    if isinstance(ret, list) and ret[0] == "valid":
        # correct credentials: issue a 15-minute session cookie and redirect
        self.send_content(302, self.gen_cookie(ret[1], 60*15) + [('Location', URL)], None)
        self.log_message("%s logged in" % post_request_data['username'][0])
        return
    elif isinstance(ret, list) and ret[0] == "password":
        # wrong password, but a client-supplied debug=1 is trusted and
        # grants the same cookie as a valid login (the bypass)
        if "debug" in post_request_data:
            if post_request_data["debug"][0] == "1":
                self.send_content(302, self.gen_cookie(ret[1], 60*15) + [('Location', URL)], None)
                self.log_message("%s logged in" % post_request_data['username'][0])
                return
        self.send_content(401, [('Content-type', 'text/html')], self.msg_page(f"Password is wrong".encode("utf-8"), b"login"))
        return
    elif isinstance(ret, list) and ret[0] == "username" or isinstance(ret, list) and ret[0] == "error":
        # unknown user: the message also confirms which usernames exist
        self.send_content(401, [('Content-type', 'text/html')], self.msg_page(f"User {post_request_data['username'][0]} doesn't exist".encode("utf-8"), b"login"))
        return
```
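The following is an added, stand-alone example written for this page; it is not code from the qeeqbox repository. It models the handler's decision logic from the code section above beside a hardened version that ignores the client-supplied field, and drives both with the exact POST body the browser sends after the DevTools step in the walkthrough (debug changed from 0 to 1, password left wrong). It assumes the app parses the form with `urllib.parse.parse_qs` (the `[0]` indexing on the page suggests that) and that `check_creds` returns lists of the shape `["valid", user]`, `["password", user]`, `["username"]` or `["error"]`; the user table, the helper names and the demo password are constructed for the example.

```python
# Added example, not the project's own code. Assumptions: parse_qs-style form
# parsing and the check_creds return shape seen in the published handler.
from urllib.parse import parse_qs, urlencode

# Constructed credential store for the demo; the real app has its own.
USERS = {"admin": "hunter2"}


def check_creds(username, password):
    """Mirror the return shape the page's handler switches on."""
    if username not in USERS:
        return ["username"]
    if USERS[username] != password:
        return ["password", username]
    return ["valid", username]


def login_vulnerable(post_request_data):
    """Decision logic as on the page: a client-controlled debug=1 turns a
    'password is wrong' result into a successful login. Returns
    (status, logged-in user or None)."""
    ret = check_creds(post_request_data["username"][0], post_request_data["password"][0])
    if ret[0] == "valid":
        return (302, ret[1])
    if ret[0] == "password":
        # The hidden form field is trusted: whoever edits it is logged in.
        if post_request_data.get("debug", [""])[0] == "1":
            return (302, ret[1])
        return (401, None)
    return (401, None)


def login_hardened(post_request_data):
    """Same flow, but nothing in the request body can override the result of
    the password check; any debug behaviour must come from server-side
    configuration, never from a form field."""
    ret = check_creds(post_request_data["username"][0], post_request_data["password"][0])
    if ret[0] == "valid":
        return (302, ret[1])
    return (401, None)


def bypass_form(username, guessed_password="not-the-password"):
    """The POST body the browser sends after the DevTools step: the hidden
    debug field changed from 0 to 1 and any password in the password box."""
    return urlencode({"username": username, "password": guessed_password, "debug": "1"})


def run(handler, body):
    """Parse a form body the way the app does and hand it to a handler."""
    return handler(parse_qs(body))


if __name__ == "__main__":
    body = bypass_form("admin")
    print("vulnerable:", run(login_vulnerable, body))  # (302, 'admin') despite a wrong password
    print("hardened:  ", run(login_hardened, body))    # (401, None)
```

To reproduce the walkthrough without a browser, the same body can be sent with `curl -i -X POST --data 'username=admin&password=x&debug=1' http://127.0.0.1:5142/login` against the running lab; the 302 plus `Set-Cookie` in the response is the bypass succeeding. The hardened variant keeps the user-enumeration message out of scope; it fixes only the debug path shown on the page.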
Tags: Modbus, OPA, Python, web security, no backdoor, vulnerability reproduction, blue-team analysis, authentication bypass, reverse-engineering tools, practice lab