IceCMS is a content management system with a separated front end and back end, built on Spring Boot and Vue.
IceCMS version v2.0.1 has an unauthorized access vulnerability in the administrator's delete-article function. By replacing the token, an ordinary user can obtain the administrator's permission to delete articles. The article to delete is identified by its ID, so modifying the ID deletes the corresponding article.
Vulnerable endpoint: http://localhost:8181/article/DelectArticleById/{Article ID}
Let's start by creating two articles, "test one" and "test two", and record both article IDs: 1000002190 and 1000002189.
Delete an article and capture the packet.
Log out of the administrator account, log in to the common user account, and capture packets to obtain the token of the common user.
token of the administrator user: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIiwic3ViIjoiMyIsImV4cCI6MTcwMzg2MTEzMywianRpIjoiMDY4OGEzNzktYmQ5Ni00ODdjLTg1YjktMGNmNWFmYzY0NDc0In0.YMUSh3Qyz8Lrfk1HLltMUXpYEwykzytorJRr4L3OiE4
token of a common user: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIiwic3ViIjoiMzc2IiwiZXhwIjoxNzAzODYyNDkxLCJqdGkiOiIxYjQ3NTJiMS04N2U1LTRlYTMtYTNlYi1kZjc5YjE0Njk5OWIifQ.hINA6EHjO47E0F1gfGLZT8CwIedr_Qrwg97SL575WXQ
Replace the administrator token in the captured delete request with the common user's token, and change the article ID to that of the article to be removed. The request succeeds, which proves that the authority was exceeded.
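Decoding the payloads of the two tokens quoted above shows which claims actually differ between the administrator and the common user. This is an added triage example, not IceCMS code or part of the original report; the helper names are hypothetical and the signature is deliberately not verified.

```python
import base64
import json

# Tokens copied verbatim from the report above (header, payload, signature).
ADMIN_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIiwic3ViIjoiMyIsImV4cCI6MTcwMzg2MTEzMywianRpIjoiMDY4OGEzNzktYmQ5Ni00ODdjLTg1YjktMGNmNWFmYzY0NDc0In0."
    "YMUSh3Qyz8Lrfk1HLltMUXpYEwykzytorJRr4L3OiE4"
)
USER_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIiwic3ViIjoiMzc2IiwiZXhwIjoxNzAzODYyNDkxLCJqdGkiOiIxYjQ3NTJiMS04N2U1LTRlYTMtYTNlYi1kZjc5YjE0Njk5OWIifQ."
    "hINA6EHjO47E0F1gfGLZT8CwIedr_Qrwg97SL575WXQ"
)


def decode_segment(segment):
    """Base64url-decode one JWT segment (restoring padding) and parse it as JSON."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def jwt_claims(token):
    """Return (header, payload) for inspection only; the signature is not checked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return decode_segment(parts[0]), decode_segment(parts[1])


def claim_diff(a, b):
    """Claims whose values differ between two payloads, as {name: (a_value, b_value)}."""
    names = sorted(set(a) | set(b))
    return {n: (a.get(n), b.get(n)) for n in names if a.get(n) != b.get(n)}


if __name__ == "__main__":
    _, admin = jwt_claims(ADMIN_TOKEN)
    _, user = jwt_claims(USER_TOKEN)
    for label, payload in (("administrator", admin), ("common user", user)):
        print(f"{label:14} username={payload['username']} role={payload['role']} sub={payload['sub']}")
    print("claims that differ:", ", ".join(claim_diff(admin, user)))
```

Both payloads carry the same username and role claims and differ only in sub, exp and jti, so a check that trusts the token's role claim cannot tell the two accounts apart. Authorization for the delete endpoint therefore has to come from the server's own record of the user identified by sub.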