IceCMS is a content management system built on Spring Boot and Vue, with a separated front end and back end.

IceCMS v2.0.1 has an unauthorized access vulnerability in the administrator's delete-article function. By replacing the token, an ordinary user can obtain the administrator's permission to delete articles. The article to delete is identified by its ID, so modifying the ID deletes the corresponding article.


Vulnerable endpoint: http://localhost:8181/article/DelectArticleById/{Article ID}

Start by creating two articles, "test one" and "test two", and record both article IDs: 1000002190 and 1000002189.


Delete an article and capture the packet

Log out of the administrator account, log in to the common user account, and capture packets to obtain the token of the common user

token of the administrator user: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIiwic3ViIjoiMyIsImV4cCI6MTcwMzg2MTEzMywianRpIjoiMDY4OGEzNzktYmQ5Ni00ODdjLTg1YjktMGNmNWFmYzY0NDc0In0.YMUSh3Qyz8Lrfk1HLltMUXpYEwykzytorJRr4L3OiE4


token of a common user: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIiwic3ViIjoiMzc2IiwiZXhwIjoxNzAzODYyNDkxLCJqdGkiOiIxYjQ3NTJiMS04N2U1LTRlYTMtYTNlYi1kZjc5YjE0Njk5OWIifQ.hINA6EHjO47E0F1gfGLZT8CwIedr_Qrwg97SL575WXQ


Replace the administrator token in the captured request with the common user's token, and change the article ID to that of the article to be removed. The deletion succeeds, which proves that the user's authority was exceeded.
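When triaging this report, it helps to decode the claims of the two tokens quoted above and compare them. The following is an added example, not part of the original report or of IceCMS; it decodes the payloads without verifying the signature, and the function names are hypothetical.

```python
import base64
import json

# Both tokens are copied from the report above. They are only decoded here;
# the HS256 signature is NOT verified (the signing key is not on the page).
HEADER = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9"
ADMIN_TOKEN = ".".join([
    HEADER,
    "eyJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIiwic3ViIjoiMyIsImV4cCI6MTcw"
    "Mzg2MTEzMywianRpIjoiMDY4OGEzNzktYmQ5Ni00ODdjLTg1YjktMGNmNWFmYzY0NDc0In0",
    "YMUSh3Qyz8Lrfk1HLltMUXpYEwykzytorJRr4L3OiE4",
])
USER_TOKEN = ".".join([
    HEADER,
    "eyJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIiwic3ViIjoi"
    "Mzc2IiwiZXhwIjoxNzAzODYyNDkxLCJqdGkiOiIxYjQ3NTJiMS04N2U1LTRlYTMtYTNlYi1k"
    "Zjc5YjE0Njk5OWIifQ",
    "hINA6EHjO47E0F1gfGLZT8CwIedr_Qrwg97SL575WXQ",
])


def jwt_claims(token):
    """Return the decoded, unverified payload claims of a compact JWT."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def shared_claims(a, b):
    """Claims that are present with the same value in both tokens."""
    return {k: a[k] for k in a if k in b and a[k] == b[k]}


def diff_claims(a, b):
    """Claims whose values differ, mapped to their (a, b) pair."""
    keys = sorted(set(a) | set(b))
    return {k: (a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)}


if __name__ == "__main__":
    admin, user = jwt_claims(ADMIN_TOKEN), jwt_claims(USER_TOKEN)
    print("shared:", shared_claims(admin, user))
    print("differ:", diff_claims(admin, user))
```

For the two tokens above, the differing claims are `sub`, `exp` and `jti`, while `username` and `role` are `admin` in both, so a check on the role claim alone cannot tell the two accounts apart.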