nuclei-templates/http/vulnerabilities/chanjet-tplus/chanjet-tplus-unauth-passre...

id: chanjet-tplus-unauth-passreset

info:
  name: Chanjet Tplus - Unauthorized Password Reset
  author: 0xr2r
  severity: high
  description: |
    There is an unauthorized administrator password modification vulnerability in UF Chanjet T+ RecoverPassword.aspx. An attacker can use this vulnerability to modify the administrator account password to log in to the backend.
  reference:
    - https://cn-sec.com/archives/1377207.html
    - https://www.chanjet.com
  metadata:
    verified: true
    max-request: 2
    fofa-query: app="畅捷通-TPlus"
  tags: tplus,unauth,chanjet

http:
  - method: GET
    path:
      - "{{BaseURL}}/tplus/ajaxpro/RecoverPassword,App_Web_recoverpassword.aspx.cdcab7d2.ashx?method={{randbase(6)}}"
      - "{{BaseURL}}/tplus/ajaxpro/RecoverPassword,App_Web_recoverpassword.aspx.cdcab7d2.ashx?method=SetNewPwd"

    matchers:
      - type: dsl
        dsl:
          - "contains(body_1, 'tplus”应用程序中的服务器错误')"
          - "!contains(body_2, '>请重新登录')"
        condition: and
# digest: 4b0a00483046022100f5eca808b032b287bc1bda01b729dea7c22ac33bd895e774b32d70a0061160ee022100f7a9bbeac4f5efd5971f5dee9b8dcde9d95fd07f0d03e3949d816b4146d5f8d0:922c64590222798bb761d5b6d8e72950
Update and rename chanjet-tplus-unauth-update.yaml to chanjet-tplus-unauth-passreset.yaml 2024-03-09 10:47:53 +00:00			`id: chanjet-tplus-unauth-passreset`
Create chanjet-tplus-unauth-update.yaml 2024-02-28 04:17:17 +00:00
			`info:`
Update and rename chanjet-tplus-unauth-update.yaml to chanjet-tplus-unauth-passreset.yaml 2024-03-09 10:47:53 +00:00			`name: Chanjet Tplus - Unauthorized Password Reset`
Create chanjet-tplus-unauth-update.yaml 2024-02-28 04:17:17 +00:00			`author: 0xr2r`
			`severity: high`
updated matcher & Request method 2024-03-06 09:12:01 +00:00			`description: \|`
			`There is an unauthorized administrator password modification vulnerability in UF Chanjet T+ RecoverPassword.aspx. An attacker can use this vulnerability to modify the administrator account password to log in to the backend.`
Create chanjet-tplus-unauth-update.yaml 2024-02-28 04:17:17 +00:00			`reference:`
			`- https://cn-sec.com/archives/1377207.html`
			`- https://www.chanjet.com`
			`metadata:`
			`verified: true`
TemplateMan Update [Sat Mar 23 09:28:19 UTC 2024] :robot: 2024-03-23 09:28:19 +00:00			`max-request: 2`
metadata update 2024-03-11 07:05:49 +00:00			`fofa-query: app="畅捷通-TPlus"`
Update and rename chanjet-tplus-unauth-update.yaml to chanjet-tplus-unauth-passreset.yaml 2024-03-09 10:47:53 +00:00			`tags: tplus,unauth,chanjet`
Update chanjet-tplus-unauth-update.yaml 2024-02-28 04:28:47 +00:00
Create chanjet-tplus-unauth-update.yaml 2024-02-28 04:17:17 +00:00			`http:`
Update and rename chanjet-tplus-unauth-update.yaml to chanjet-tplus-unauth-passreset.yaml 2024-03-09 10:47:53 +00:00			`- method: GET`
Create chanjet-tplus-unauth-update.yaml 2024-02-28 04:17:17 +00:00			`path:`
Update and rename chanjet-tplus-unauth-update.yaml to chanjet-tplus-unauth-passreset.yaml 2024-03-09 10:47:53 +00:00			`- "{{BaseURL}}/tplus/ajaxpro/RecoverPassword,App_Web_recoverpassword.aspx.cdcab7d2.ashx?method={{randbase(6)}}"`
Create chanjet-tplus-unauth-update.yaml 2024-02-28 04:17:17 +00:00			`- "{{BaseURL}}/tplus/ajaxpro/RecoverPassword,App_Web_recoverpassword.aspx.cdcab7d2.ashx?method=SetNewPwd"`

			`matchers:`
Update chanjet-tplus-unauth-update.yaml 2024-02-28 04:28:47 +00:00			`- type: dsl`
			`dsl:`
Update and rename chanjet-tplus-unauth-update.yaml to chanjet-tplus-unauth-passreset.yaml 2024-03-09 10:47:53 +00:00			`- "contains(body_1, 'tplus”应用程序中的服务器错误')"`
			`- "!contains(body_2, '>请重新登录')"`
			`condition: and`
Auto Template Signing [Mon Mar 25 11:57:16 UTC 2024] :robot: 2024-03-25 11:57:16 +00:00			`# digest: 4b0a00483046022100f5eca808b032b287bc1bda01b729dea7c22ac33bd895e774b32d70a0061160ee022100f7a9bbeac4f5efd5971f5dee9b8dcde9d95fd07f0d03e3949d816b4146d5f8d0:922c64590222798bb761d5b6d8e72950`